Check Point Traces Cyberattacks On Egyptian Activists To Government

A series of sophisticated cyberattacks targeting Egyptian journalists, academics, lawyers, opposition politicians and human rights activists has been traced to Egyptian government offices, according to new research published today by Check Point Research.  The attackers installed malware on the phones of the target people, enabling them to read victims’ files and emails, track their locations, identify who they contacted and when, according to Check Point.

Two activists who were targeted by the cyberattack were arrested in a roundup of prominent opposition figures last month as part of Egypt’s crackdown on anti-government protests.  Researchers found the central server used in the attacks was registered in the name of the Egyptian Ministry of Communications and Information Technology, also that geographic coordinates embedded in one of the applications used to track the activists corresponded to the HQ of Egypt’s main spy agency, the General Intelligence Service.

The cyberattack began in 2016, according to Check Point. The number of victims is unknown but Check Point identified 33 people, mostly well-known civil society and opposition figures, who had been targeted in one part of the operation.  “We discovered a list of victims that included handpicked political and social activists, high-profile journalists and members of nonprofit organizations in Egypt,” said Aseel Kayal, Check Point security analyst.

The cyberattack on the phones and email accounts of activists employed a shifting array of slick software applications to trick users.  An app for Gmail, called Secure Mail, informed targets that their accounts had been compromised, then lured them into revealing their passwords.  Another app, iLoud200%, promised to double the volume of cellphones. Instead, it gave the attackers access to the telephone’s location, even if the user turned off location services.

One of the more sophisticated apps, IndexY, claimed to be a free app for identifying incoming callers, along the lines of the well-known app Truecaller. But the app also copied the details of all calls made on the phone to a server controlled by the attackers, Check Point found, with the emphasis on the users’ communications with parties outside of Egypt.

Since its release early this year, IndexY became a popular app in the official Google Play Store, where it was downloaded 5,000 times.  Getting placed in the Google Play Store, getting around the measures Google takes to vet new apps, shows the high degree of sophistication and the extensive efforts invested in its development, the Check Point researchers said. The application was available on the Google Play store until Check Point on July 15 raised its concerns with Google, which removed the app and “banned the associated developer” two weeks later.

The perpetrators made a number of mistakes that allowed Check Point to track the apps’ origins.  The pages and sites used to carry out the attacks were all connected to an IP address belonging to a Russian telecommunications company called Marosnet, and to a central server registered to “MCIT,” an apparent reference to Egypt’s Ministry of Communications and Information Technology.

The iLoud200% app, like most geolocation software, had default coordinates, a point that is generally set at the time and place of its initial activation by the developers. The default coordinates in the app matched those of the headquarters of the General Intelligence Service, Egypt’s equivalent of the C.I.A.

According to Check Point, other clues also pointed to state involvement in the attacks. The campaign’s long duration (since 2016), as well as the vast amounts of data collected, required significant financial and human resources. And the targets of the attack, who appear to have been selected for their political activity or beliefs, do not align with traditional cybercrime motivations, which usually focus on extracting money.

Two of the victims identified by Check Point were arrested after protests against Egypt’s president, Abdel Fattah el-Sisi, last month: Hassan Nafaa, a political scientist at Cairo University, and Khaled Dawoud, a former journalist and leader of the secular Constitution Party, a prominent el-Sisi critic.  A third victim, Dr. Shady al-Ghazaly Harba, a surgeon and opposition activist, was detained in May 2018 for his criticism of the government on Twitter.

The target list of 33 people that Check Point retrieved from the attack server includes Egyptians living in Canada, Britain and the United States.

The full details are available from:  https://research.checkpoint.com/the-eye-on-the-nile/