Two prominent Egyptian journalists targeted with elaborate spearphishing campaign
Two prominent Egyptian journalists were targeted in a sophisticated hack-for-hire spearphishing campaign, according to new research.
Digital civil rights nonprofit Access Now released a report on the findings with the mobile security company Lookout on Wednesday, saying they saw evidence the hackers may “use the methods and infrastructure associated with the attacks to deliver spyware and exfiltrate data.”
The spearphishing campaigns were sophisticated and targeted the victims' Apple and Google accounts beginning in October 2023 and continuing to January 2024, according to the report, which also said the investigation into the attacks only began recently.
The attackers pretended to be legitimate people and services and they used multiple channels to connect with the victims. Lookout and Access Now are not able to definitively say where the hack-for-hire organization is based, but said they believe it has ties to Asia.
“Our investigation showed that there is a persistent infrastructure for attacks; we found overlapping domains, hosting, and similarities in code,” the report said.
“There is also evidence that this infrastructure can allow attackers to deliver Android spyware with the potential ability to access and extract victims’ files, personal contacts, text messages, and geolocation, and to enable device microphones and cameras, as well as installing malicious apps on a device.”
The attackers used phony account profiles, messages and other tactics to create fake personas and masquerade as legitimate services and platforms, including Signal, to deploy the malware, Access Now said.
Neither of the victims’ accounts was ultimately penetrated.
One victim received a message that was designed to appear as if it was from Apple. The target entered his account credentials, but stopped engaging after he received a “suspicious” two-factor authentication notification from a location in Egypt, Access Now said.
Both victims have been persecuted by Egyptian authorities and have challenged the Egyptian regime in the past.
Mostafa Al-A’sar is an Egyptian journalist and human rights defender who spent almost four years in an Egyptian prison before fleeing the country.
Ahmed Eltantawy, also a well-known journalist, covered the Egyptian government critically and later became a member of Parliament.
He had planned to run against Egyptian President Abdel Fattah al-Sisi in 2023, but subsequently dropped his bid after dozens of his supporters and relatives were arrested and he was barred from campaigning, Access Now said. He was later jailed.
Citizen Lab, a digital forensic research institute, found that his phone had been targeted with Intellexa’s Predator spyware in September 2021 and again between May and September 2023.
“This hack-for-hire campaign exposes yet another weapon in the arsenal of malicious actors determined to crush dissent and silence truth-tellers in the region,” Marwa Fatafta, a director at Access Now, said in a statement.
“Spear-phishing attacks are often a cheaper alternative or a complementary tool to spyware, so we are raising the alarm — especially as a warning to journalists in the Middle East and North Africa — to exercise caution and shore up their digital practices.”
Suzanne Smalley is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.



