Egyptian opposition politician hacked with Predator spyware, researchers confirm

The phone of Egyptian opposition politician Ahmed Eltantawy was recently targeted with Predator spyware, in a campaign that researchers at the digital forensics organization Citizen Lab believe was carried out with the knowledge of the Egyptian government.

Along with Google’s Threat Analysis Group, the University of Toronto-affiliated Citizen Lab published the results of the investigation on Friday, saying Eltantawy was targeted with spyware between May and September of this year. Three zero-day vulnerabilities patched by Apple on Thursday were exploited in the attacks.

The attempted surveillance began after Eltantawy, a former member of Parliament, announced that he would run for president in March, the report said. Twelve members of his family and his supporters have been arrested.

The Egyptian online news outlet Mada Masr first reported the hacks on September 14, and the researchers released the results of their investigation more than a week later.

🚨UPDATE your @Apple products now!

We @citizenlab w/TAG's @maddiestone caught #predator spyware attacks against a prominent pro-democracy Egyptian politician after he announced presidential ambitions.

Apple rushed a patch.

It gets crazier 1/ https://t.co/W7MVaeNHOa pic.twitter.com/TYQlLDyrcW

— John Scott-Railton (@jsrailton) September 22, 2023

Beginning in May, Eltantawy was targeted with SMS and WhatsApp messages carrying malicious links that would trigger installation of the spyware if clicked. This had already happened once before, in September 2021, when Eltantawy was also targeted with Predator spyware, Citizen Lab said.

Some of the newer messages were purportedly from WhatsApp itself, asking the recipient to “terminate” a login on a different device by clicking a link that was in fact malicious.

One apparently unsuccessful attack in June and July involved messages from someone pretending to be with the International Federation for Human Rights.

“I wanted elections even if it wasn’t fair or just, but sadly I can’t even see it as elections,” one message from “Angie Raouf” said, with a link purportedly to an article. “I know that you are very busy, but I would be grateful if you could help me in my research.”

‘Middlebox’ intrusion

In August and September, when Eltantawy visited a website without a secure HTTPS address, he was automatically redirected to a malicious website, resulting in installation of the spyware. These attacks were carried out via network injection, which researchers localized to “a link between Telecom Egypt and Vodafone Egypt.”

They couldn’t pinpoint the location of the “middlebox,” a device within a network that interferes with traffic, but “suspect that it is within Vodafone Egypt’s network, because precisely targeting injection at an individual Vodafone subscriber would require integration with Vodafone’s subscriber database.”

“Also, given that the injection is operating inside Egypt, the spyware is sold to government agencies, and Egypt is a known Predator customer, it is highly unlikely that this targeting occurred and that this setup was established outside of the purview of Egyptian authorities,” Citizen Lab wrote.

In July, the U.S. Commerce Department added Predator’s maker, Cytrox, to a blacklist for “threatening the privacy and security of individuals and organizations worldwide.” Cytrox and another spyware firm, Intellexa, are controlled by an Israeli former general, Tal Dilian.

The tool has wreaked havoc in Europe especially, where its victims include Greek journalist Thanasis Koukasis, former Meta employee Artemis Seaford and a member of European Parliament. Other known clients include Madagascar and Sudan.

In Egypt, exiled Egyptian politician Ayman Nour and a news host were targeted with Predator in 2021.

“The use of mercenary spyware to target a senior member of a country’s democratic opposition after they had announced their intention to run for president is a clear interference in free and fair elections and violates the rights to freedom of expression, assembly, and privacy,” Citizen Lab wrote. “It also directly contradicts how mercenary spyware firms publicly justify their sales.”