Investigation Shows Egyptian Government Hacked A Dissident's Phone Twice, Using Two Different Companies' Malware – Techdirt

(Mis)Uses of Technology
Citizen Lab has uncovered more state-level spying targeting political opponents and journalists. There’s a twist to this one, though. One of those targeted had his phone infected by two forms of malware produced by two different companies. And yet another twist: both companies have their roots in Israel, which is home to at least 19 entities that develop phone exploits. Here’s the summary from Citizen Lab:
Two Egyptians—exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)—were hacked with Predator spyware, built and sold by the previously little-known mercenary spyware developer Cytrox.
The phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.
Both targets were hacked with Predator in June 2021, and the spyware was able to infect the then-latest version (14.6) of Apple’s iOS operating system using single-click links sent via WhatsApp.
Ayman Nour, the lucky recipient of two different strains of malware, is the head of an opposition group who ran against former Egyptian President Hosni Mubarak. Shortly after Nour’s election loss, he was jailed for allegedly forging signatures on petitions — a move generally recognized as retaliation from his victorious opponent.
The other target is a journalist now in exile who has been openly critical of Egypt’s new president.
Unsurprisingly, these attacks have been traced back to the Egyptian government. What’s more surprising is that attribution can be made since attackers using these powerful hacking tools usually do a little better covering their tracks.
We attribute the attacks on the two targets to the Egyptian Government with medium-high confidence. We conducted scanning that identified the Egyptian Government as a Cytrox Predator customer, websites used in the hacks of the two targets bore Egyptian themes, and the messages that initiated the hack were sent from Egyptian WhatsApp numbers.
Once again, powerful hacking tools deployed against government critics have been traced back to companies with an Israeli presence. NSO Group has always been located in Israel. Cytrox, however, has moved around, changing both its home base and its name several times to distance itself from its irresponsible malware sales. But the Times of Israel has the receipts.
Cytrox was part of a shadowy alliance of surveillance tech companies known as Intellexa that was formed to compete with NSO Group. Founded in 2019 by a former Israeli military officer and entrepreneur named Tal Dilian, Intellexa includes companies that have run afoul of authorities in various countries for alleged abuses.
Four executives of one such firm, Nexa Technologies, were charged in France this year for “complicity of torture” in Libya while criminal charges were filed against three company executives for “complicity of torture and enforced disappearance” in Egypt. The company allegedly sold spy tech to Libya in 2007 and to Egypt in 2014.
It appears there’s a healthy market for powerful phone exploits. But the market consists of unhealthy governments more interested in tracking and surveilling critics than engaging in counterterrorism or investigating serious criminal activity. NSO claims it only sells malware for those more acceptable reasons. Cytrox/Intellexa has never offered any such assurances, possibly because it has an international rap sheet that would immediately undercut its assertions.
It’s an ugly world out there. Plenty of companies operating out of free countries are willing to sell exploits to governments they know will abuse them to commit human rights violations. If NSO Group shuts down its malware arm, it won’t make things safer for dissidents, government critics, and journalists. There are plenty of companies willing to fill this void. And they’re very good about obscuring who they are and what they do.
But one thing is undeniable: malware merchants are enabling abusive governments and it’s going to take more than a few sanctions and fines to prevent this from happening in the future. So far, the countries these companies call home have done little about these residents who are making the world a worse place to live. That has to change. And it appears it’s going to be investigative journalists and security researchers applying the pressure through investigations and exposés. Governments need to stop abdicating their responsibilities and allowing private citizens with finite resources and zero power to do their work for them.
Filed Under: ayman nour, dissident, egypt, hacking, malware, pegasus, predator, spyware, surveillance
Companies: cytrox, nso group
Perhaps we shouldn’t be so harsh. Using two different companies’ malware – including an Israeli one – is evidence that the Egyptians are trying to become more diverse and inclusive. OK, so it’s not a cause for celebration, but it’s the effort that counts, right?
How much longer until we see history repeat itself?
I don’t remember the names, but I do remember that there was malware that would uninstall competing malware on people’s computers and then install itself.
"state-level spying targeting political opponents and journalists" is unprecedented in world history!
Oh, right — it’s actually extremely common in history.
Who knew that technology would constantly advance to keep up with this heavy spying demand?
Is the copyright lawsuit between these malware purveyors. That should be entertaining.
That would be interesting except it won’t happen. They would have to disclose in court (pronounced "make public") what part of the other guy’s software infringed/mimics/rips off theirs, and prove that that part is, in fact, in their software. I think that they have to stick to slagging the other guy to potential customers.