A prominent Egyptian opposition politician who plans to challenge President Abdel Fatah El-Sisi in elections expected early next year was targeted with a previously unknown “zero-day” attack in an effort to infect his phone with Predator spyware, according to new research by Google and the University of Toronto’s Citizen Lab.
The discovery of the valuable zero-day exploit, designed to install Predator on iPhones running even the most up-to-date operating system, prompted Apple to push a security update to users on Thursday afternoon.
Citizen Lab said it had “high confidence” that the Egyptian government was responsible for the failed hacking attempt. The effort targeted journalist and former member of parliament Ahmed Eltantawy and was first reported by Mada Masr, an independent Egyptian news organization. Eltantawy had been living briefly in Lebanon but moved back to Egypt in May.
Zero-day exploits are particularly dangerous and valuable because they take advantage of as-yet-undiscovered security gaps. In this case, Eltantawy would not have had to click on anything to be infected.
“A full zero-day exploit chain like this, that’s capable of installing spyware on the latest and greatest iPhones — there’s not many of those that get caught, a few a year,” said Bill Marczak, a senior research fellow at Citizen Lab. “These things are very expensive to develop. If you look at brokers that buy and sell and publish price lists online, this would go for several million dollars.”
In July, the Biden administration blacklisted Cytrox, which makes Predator, and Intellexa, the business alliance to which Cytrox belongs, by adding them to the Commerce Department’s “entity list,” which places harsh licensing and trade restrictions on them. The administration said they trafficked “in cyber exploits used to gain access to information systems, thereby threatening the privacy and security of individuals and organizations worldwide.”
Once installed on a phone, Predator can steal passwords, log keystrokes, take data from various apps, copy chat messages and record calls, including those made within encrypted applications, Marczak said.
Like other high-end spyware vendors, Cytrox says it sells only to government agencies. Because Egypt is a known Predator customer and one of the infection attempts was made by a device physically located inside Egypt, Citizen Lab said it had “high confidence” that the Egyptian government was responsible for the attack.
Eltantawy, the former head of the left-wing Karama Party, is an outspoken critic of the Egyptian government. In March, he became the first politician to announce plans to challenge Sisi for the presidency.
Eltantawy told The Washington Post that he had first become concerned about his phone’s security in mid-September after receiving suspicious messages containing links, and that a friend had advised him to contact Citizen Lab so his phone could be analyzed.
Representatives of the Egyptian government declined to comment or did not immediately respond to requests for comment.
According to Citizen Lab, the attempts to infect Eltantawy’s phone involved the use of a product called PacketLogic built by Sandvine, a Canada-based networking equipment company. In 2017, Sandvine was acquired by Francisco Partners, a private equity firm that until 2019 also owned NSO Group, the maker of Pegasus spyware, which governments have used to spy on journalists, activists, political opponents and others. Sandvine did not respond to requests for comment.
“This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and their serious risk to the safety of online users,” Google’s Threat Analysis Group wrote in a blog post.
Multiple attempts were made to install Predator on Eltantawy’s phone between May and September, after he announced his candidacy, according to Citizen Lab’s research. Starting in May, Eltantawy received text and WhatsApp messages with links to booby-trapped webpages. He evidently did not click on them, according to the researchers.
In August and September, Citizen Lab said, Eltantawy was subject to a more dangerous type of attack called a network injection, which did not require him to click on anything. According to Google’s Threat Analysis Group, this “man-in-the-middle” attack occurred when Eltantawy tried to visit any webpage with the “http” prefix. When he did, the attacker redirected him to an Intellexa website and then to a server that executed the exploit on his phone.
Citizen Lab said it had “high confidence” that the attacker used Sandvine’s PacketLogic program to redirect Eltantawy’s browser and that it was the first time they had seen a zero-day exploit delivered in this fashion. According to their analysis, the hack failed because Eltantawy had activated Apple’s “lockdown mode,” a protection setting introduced in 2022 that reduces a phone’s functionality but blocks many routes of attack.
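The network-injection mechanism described above (a plaintext http request answered with a redirect to an attacker-controlled host) is something a probe can look for. The following check is an added example, not code from Citizen Lab, Google or Sandvine: it classifies logged http responses and flags cross-origin redirects, treating same-host redirects and http-to-https upgrades as benign. The hostnames and response records are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Constructed probe log: (requested plaintext URL, status code, Location header or None).
# These are not real captures; the attacker hostname is a placeholder.
SAMPLE_RESPONSES = [
    ("http://example.com/", 200, None),                                   # no redirect
    ("http://example.com/news", 301, "https://example.com/news"),         # benign https upgrade
    ("http://example.org/page", 302, "/page/"),                           # same-origin, relative
    ("http://example.net/", 302, "http://injected.attacker-placeholder.test/x"),  # cross-origin
]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def same_site(a, b):
    """True when both hostnames are equal or one is a subdomain of the other (e.g. www.)."""
    if not a or not b:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def classify_redirect(url, status, location):
    """Return 'none', 'benign' or 'suspicious' for one plaintext-HTTP response."""
    if status not in REDIRECT_CODES or not location:
        return "none"
    src = urlsplit(url)
    dst = urlsplit(urljoin(url, location))  # resolves relative Location headers
    if same_site(src.hostname, dst.hostname):
        return "benign"  # includes the common http -> https upgrade on the same host
    return "suspicious"


def find_injected_redirects(responses):
    """List (requested URL, resolved redirect target) for every suspicious response."""
    return [
        (url, urljoin(url, loc))
        for url, status, loc in responses
        if classify_redirect(url, status, loc) == "suspicious"
    ]


if __name__ == "__main__":
    for src, dst in find_injected_redirects(SAMPLE_RESPONSES):
        print(f"possible injection: {src} -> {dst}")
```

A cross-origin redirect on plaintext http is not proof of injection on its own; a real probe compares the response against the same URL fetched over a path the attacker cannot touch, and the strongest mitigation remains refusing plaintext http entirely.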
Google said a different exploit would have been delivered to people using an Android device. The Android security flaw had been discovered and reported by someone else, and Google made a patch available for it on Sept. 5.
The attack on Eltantawy would have required PacketLogic to be installed on the network belonging to Eltantawy’s communications provider, Vodafone Egypt. While Citizen Lab did not allege that Vodafone was complicit in the attack, Marczak said that the “easiest” way to install PacketLogic on the Vodafone network would be with Vodafone’s cooperation.
“Egypt is not known for being the most democratic government,” he said. “You can imagine the government would be able to exert pressure on companies to cooperate.”
Vodafone Egypt did not respond to requests for comment.
In the course of its research, Citizen Lab also discovered that a previous phone owned by Eltantawy had been successfully infected with Predator in November 2021 through a text message containing a link.
Eltantawy declined to blame the Egyptian government for the attack but said he believed he had been targeted because of his political activities and speculated that the hacking attempt had been meant to find material to “defame” him.
“Simply put, there is nothing that can be used to shame me, even with two years of hacks,” he said.
Worse, Eltantawy said, has been the Egyptian government’s arrest of various people close to him. At least 35 volunteers for Eltantawy’s campaign have been arrested across the country since August, according to the Egyptian Initiative for Personal Rights. Two of Eltantawy’s uncles were among a dozen relatives arrested between April and May. The Egyptian Interior Ministry has denied arresting anyone for involvement in a presidential campaign.
Citizen Lab’s technologists researching the attack on Eltantawy were able to trigger a repeat of the infection on a test device after what Marczak called a “giant cat and mouse game” that involved tricking the booby-trapped website, which would have been tailored to target a specific victim only one time, into thinking it should deliver the exploit again. They compared the malicious software to a previous sample of Predator and found enough overlap to signify a match. Apple credited both Citizen Lab and Google’s Threat Analysis Group in the emergency patch issued on Thursday.
In 2021, Citizen Lab reported that two exiled Egyptians, including opposition politician Ayman Nour, were infected with Pegasus spyware through an exploit that required a click.
Earlier in September, Citizen Lab discovered that Pegasus spyware had infected the device of an employee of a D.C.-based civil society organization with international offices, prompting a security update from Apple. The lab’s research has prompted multiple recent patches from Apple outside its regular tempo of updates.