Hack-for-Hire Spyware Campaign Targets Journalists in MENA

High severity — significant development or major threat actor activity
A group of hackers is using fake messages to trick journalists in the Middle East and North Africa into giving up their personal information. This is a serious problem because it puts journalists at risk and threatens the freedom of the press.
A hack-for-hire spyware campaign linked to the Bitter group is targeting journalists in the MENA region, with new reports revealing specific victims among Egyptian journalists. This raises serious concerns for press freedom.
What Happened
A disturbing hack-for-hire spyware campaign has emerged, targeting journalists and activists across the Middle East and North Africa. This operation is suspected to be linked to the Bitter group, which has ties to the Indian government. Researchers from Access Now, Lookout, and SMEX collaborated to uncover the details of this ongoing espionage campaign. Recent findings indicate that two prominent Egyptian journalists were specifically targeted in a sophisticated spearphishing campaign that began in October 2023.
Who's Behind It
The Bitter group is known for its sophisticated cyber operations, primarily targeting government and military sectors in South Asia. Recent findings indicate that they are now extending their reach into the Middle East, focusing on civil society members, including journalists. The campaign employs advanced social engineering tactics, particularly through spearphishing, to deliver malicious software. The attackers are believed to have ties to Asia, although the exact location remains uncertain.
Tactics & Techniques
The attacks utilize ProSpy, an Android spyware, delivered via phishing links sent through fake social media accounts and messaging applications. Victims are often lured into clicking these links under the guise of job opportunities or other enticing offers. For instance, independent journalist Mostafa Al-A’sar received a suspicious link from a contact about a job, which he recognized as a potential threat given his previous targeting in 2018. Additionally, the attackers employed phony account profiles and messages, masquerading as legitimate services, including Apple and Signal, to deploy the malware.
New Victims
The recent report highlights two Egyptian journalists, Mostafa Al-A’sar and Ahmed Eltantawy, who were targeted through elaborate spearphishing tactics. Al-A’sar, a human rights defender, previously spent almost four years in an Egyptian prison before fleeing the country. Eltantawy, a critical voice against the Egyptian government, had planned to run against President Abdel Fattah al-Sisi but withdrew after facing severe repercussions. Both journalists received messages designed to extract their account credentials, but fortunately, because of suspicious notifications, neither account was ultimately compromised.
Defensive Measures
The findings from this research highlight the urgent need for journalists and civil society groups to prioritize cybersecurity. As Al-A’sar pointed out, cybersecurity is not a luxury; it is essential for their safety and the integrity of their work. Organizations like the Committee to Protect Journalists have condemned these actions, emphasizing that spying on journalists can lead to broader patterns of intimidation and threats. Marwa Fatafta, a director at Access Now, stressed the importance of vigilance, stating that spear-phishing attacks serve as a cheaper alternative to spyware, raising alarms for journalists in the region to enhance their digital practices.
Conclusion
This espionage campaign has been operational since at least 2022 and continues to pose a significant threat to press freedom in the region. The collaboration between Access Now, Lookout, and SMEX has shed light on the tactics used by Bitter, underscoring the importance of vigilance and protective measures in the face of such threats.
🔍 How to Check If You're Affected
1. Monitor communications for suspicious links or attachments.
2. Educate team members on recognizing phishing attempts.
3. Implement endpoint protection to detect and block spyware.
The emergence of targeted spearphishing campaigns against journalists underscores the increasing sophistication of cyber threats in the MENA region. Journalists must adopt robust cybersecurity practices to protect themselves from these evolving threats.