Investigation Shows Egyptian Government Hacked A Dissident's Phone Twice, Using Two Different Companies' Malware

from the doublecheck-your-work-I-guess dept

Citizen Lab has uncovered more state-level spying targeting political opponents and journalists. There’s a twist to this one, though. One of those targeted had his phone infected by two forms of malware produced by two different companies. And yet another twist: both companies have their roots in Israel, which is home to at least 19 entities that develop phone exploits. Here’s the summary from Citizen Lab:

Two Egyptians—exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)—were hacked with Predator spyware, built and sold by the previously little-known mercenary spyware developer Cytrox.

The phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.

Both targets were hacked with Predator in June 2021, and the spyware was able to infect the then-latest version (14.6) of Apple’s iOS operating system using single-click links sent via WhatsApp.

Ayman Nour, the lucky recipient of two different strains of malware, is the head of an opposition group who ran against former Egyptian President Hosni Mubarak. Shortly after Nour’s election loss, he was jailed for allegedly forging signatures on petitions — a move generally recognized as retaliation from his victorious opponent.

The other target is a journalist now in exile who has been openly critical of Egypt’s new president.

Unsurprisingly, these attacks have been traced back to the Egyptian government. What’s more surprising is that attribution can be made since attackers using these powerful hacking tools usually do a little better covering their tracks.

We attribute the attacks on the two targets to the Egyptian Government with medium-high confidence. We conducted scanning that identified the Egyptian Government as a Cytrox Predator customer, websites used in the hacks of the two targets bore Egyptian themes, and the messages that initiated the hack were sent from Egyptian WhatsApp numbers.

Once again, powerful hacking tools deployed against government critics have been traced back to companies with an Israeli presence. NSO Group has always been located in Israel. Cytrox, however, has moved around, changing both its home base and its name several times to distance itself from its irresponsible malware sales. But the Times of Israel has the receipts.

Cytrox was part of a shadowy alliance of surveillance tech companies known as Intellexa that was formed to compete with NSO Group. Founded in 2019 by a former Israeli military officer and entrepreneur named Tal Dilian, Intellexa includes companies that have run afoul of authorities in various countries for alleged abuses.

Four executives of one such firm, Nexa Technologies, were charged in France this year for “complicity of torture” in Libya while criminal charges were filed against three company executives for “complicity of torture and enforced disappearance” in Egypt. The company allegedly sold spy tech to Libya in 2007 and to Egypt in 2014.

It appears there’s a healthy market for powerful phone exploits. But the market consists of unhealthy governments more interested in tracking and surveilling critics than engaging in counterterrorism or investigating serious criminal activity. NSO claims it only sells malware for those more acceptable reasons. Cytrox/Intellexa has never offered any such assurances, possibly because it has an international rap sheet that would immediately undercut its assertions.

It’s an ugly world out there. Plenty of companies operating out of free countries are willing to sell exploits to governments they know will abuse them to commit human rights violations. If NSO Group shuts down its malware arm, it won’t make things safer for dissidents, government critics, and journalists. There are plenty of companies willing to fill this void. And they’re very good about obscuring who they are and what they do.

But one thing is undeniable: malware merchants are enabling abusive governments and it’s going to take more than a few sanctions and fines to prevent this from happening in the future. So far, the countries these companies call home have done little about these residents who are making the world a worse place to live. That has to change. And it appears it’s going to be investigative journalists and security researchers applying the pressure through investigations and exposés. Governments need to stop abdicating their responsibilities and allowing private citizens with finite resources and zero power to do their work for them.

Filed Under: , , , , , , , ,
Companies: cytox, nso group

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Investigation Shows Egyptian Government Hacked A Dissident's Phone Twice, Using Two Different Companies' Malware”

Subscribe: RSS Leave a comment
7 Comments
loftycoco says:

f95 zone town of passion

If you have never played the game before, there’s no reason you shouldn’t. You can meet new people, play games, and socialize in this fast-growing gaming zone. It’s easy to meet new friends, and the F95Zone town of passion will give you many ways to connect with other players. You can even video call and chat with other players in your town! It’s the perfect place to hang out and make new friends
https://loftycoco.com/f95zone-town-of-passion/

Flakbait (profile) says:

Re: What I'm waiting for...

That would be interesting except it won’t happen. They would have to disclose in court (pronounced "make public") what part of the other guy’s software infringed/mimics/rips off theirs, and prove that that part is, in fact, in their software. I think that they have to stick to slagging the other guy to potential customers.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...