Researchers at Check Point discovered that Egypt ‘ government has been spying citizens in a sophisticated surveillance program

Researchers at Check Point discovered that the Egyptian government has been spying on activists and opponents as part of a sophisticated surveillance program.

The list of victims is long and includes journalists, politicians, activists and lawyers.

The expert started their investigation after Amnesty International published a report in March that provided details on targeted attacks against journalists and human rights activists in Egypt.

The Egyptian government conducted most of the spying activities using mobile apps, some of which are also delivered via Google Play.

Check Point has identified tens of victims that were tricked into download the malicious apps that offered useful services.

Some of the apps used by the attackers were Secure Mail, a Gmail add-on to improve the security, iLoud200%, a smart storage solution that would free up storage space on the victim’s device, and the IndexY callerID service.

Using these apps the government cyber spies were able to gather login credentials to email accounts, bypass privacy settings, and store call logs.

These apps were available through the official Play Store and bypassed the security checks implemented by Google.

Experts provided details of the command and control infrastructure over the time. Attackers used a range of domain names that included words like “ secure ” and “verify” in their names to avoid raising suspicion of the victims.

“The full list of indicators belonging to this campaign and shared by Amnesty on GitHub showed multiple websites that used keywords such as “mail”, “secure”, or “verify”, possibly not to arouse any suspicions and to masquerade as legitimate mailing services.” reads the report published by Check Point.

“By visualizing the information available about each of these websites, we saw clear connections between them: they were registered using NameCheap, had HTTPS certificates, and many of them resolved to the same IP addresses.”

One of the domains analyzed by the researchers, maillogin [ . ] live, left a directory unsecured online , allowing the expert to analyze its content, a collection of files uploaded between May and June.

“By downloading the contents of this directory, we got our hands on many PHP scripts, API clients, SQL files and configuration files from the server. Looking into them revealed several aspects about the inner workings of this operation, the functionalities that were implemented on this server and possibly others, and lastly some information about the perpetrators behind it all.” continues the analysis.

“For example, we realized that the attackers can control the operation by sending commands to one of the PHP scripts. The script allowed the attackers to query the data stored on the server, but it had self-destructing capabilities as well, such as removing an existing campaign or deleting all of the information collected from victims”

The researchers also discovered a Telegram channel that advertised itself as supporting the opponents of the regime in Egypt, but that is likely under the control of the intelligence services.

Check Point was not able to attribute the operation to the Egyptian intelligence, but the nature of the victims, the level of sophistication of the attacks and other evidence such as a server registered to the Ministry of Communications and Information Technology in Egypt.

“We discovered a list of victims that included handpicked political and social activists, high-profile journalists and members of non-profit organizations in Egypt.” concludes Check Point.

“The information we gathered from our investigation suggested that the perpetrators are Arabic speakers, and well familiar with the Egyptian ecosystem. Because the attack might be government-backed, it means that we are looking at what might be a surveillance operation of a country against its own citizens or of another government that screens some other attack using this noisy one.”

Pierluigi Paganini