A woman uses her iPhone in front of the building housing the Israeli NSO group near Tel Aviv. (JACK GUEZ/AFP via Getty Images)

Targeted Digital Threats in the Middle East and North Africa

07/10/2020. By Joey Shea

Targeted digital attacks throughout the Middle East have evolved considerably over the past decade. New tools and attack vectors have grown dramatically in sophistication, while the underlying political dynamics of these attacks remain unchanged.[1] These attacks are carried out by nation-states, non-state armed groups, cybercriminals, private companies, and internal threat actors. Human rights defenders, civil society organizations, journalists, and activists are particularly vulnerable and are heavily targeted by a range of actors.

Targeted digital threats are defined as the persistent, targeted intrusion into and compromise of an account, device, or system; they are aimed at specific individuals and communities and are politically motivated. An important study that mapped the landscape of targeted digital threats against civil society organizations articulated three models that capture the capabilities and techniques of the different actors conducting such attacks:

(1) Threat actors with the capacities and resources to conduct their own operations, usually states or groups receiving government support;

(2) Commercial spyware where companies exclusively sell governments sophisticated surveillance tools;

(3) Repurposed crimeware, mostly relying on Remote Access Trojans (RATs) that are frequently used by criminals and hackers.[2]

These models are useful to understand the range of targeted digital attacks documented throughout the Middle East over the past decade.

Phishing

Phishing is a targeted digital attack that utilizes a variety of social engineering methods to gain access to a target’s account.[3] Attackers masquerade as a legitimate entity—a real person, a trusted company, a service provider—to trick the target into clicking a link or granting access to their account. Phishing attacks can be motivated by a variety of reasons including financial, social, and political. The most well-studied phishing campaigns targeting civil society in the Middle East occurred in Egypt, with two separate attacks between 2016 and 2019. While both shared similar features, there was a notable increase in the level of technical sophistication of the second campaign.

The first large-scale phishing attack that was documented in Egypt occurred between November 2016 and January 2017. A 2017 report published by the Egyptian Initiative for Personal Rights (EIPR) and the Citizen Lab found that seven different Egyptian nongovernmental organizations (NGOs) were targeted, particularly those affiliated with Case 173—Egypt’s longstanding foreign funding case. The joint investigation documented 92 phishing messages that demonstrated a deep familiarity with the dynamics of Egypt’s NGOs.

The phishing emails contained references to various aspects of Case 173 and the ongoing suppression of Egyptian civil society. Some included an invitation to speak at a panel event to discuss Case 173. Upon inspection by security researchers, it became clear the panel was fake and had been concocted to dupe targets into clicking on the affiliated link. The messages were sent by Gmail accounts that were made to look like Google Drive or Dropbox document sharing services.
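The lure just described, a consumer Gmail account dressed up as a Google Drive or Dropbox sharing notification, is exactly the kind of mismatch a mailbox-side triage rule can surface. The script below is an added example, not part of the original article or of the EIPR and Citizen Lab investigation; the two messages in it are constructed for the example, and the brand and mailbox-provider lists are illustrative assumptions rather than any standard. It flags a display name that claims a sharing service while the sender address sits on a consumer domain, links that point off the claimed brand's domain, and anchor text whose visible URL disagrees with the real target.

```python
"""Added example (not from the article): triage heuristics for document-sharing
phishing lures. All sample messages below are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands impersonated in sharing lures, keyed to their registrable domain.
# Assumption: illustrative list, not a standard.
IMPERSONATED_BRANDS = {
    "google drive": {"google.com"},
    "dropbox": {"dropbox.com"},
}
# Consumer mailbox providers a genuine sharing service would not send from.
# Assumption: illustrative list.
CONSUMER_MAILBOX_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'https?://[^\s<>"]+')


def registrable_domain(host: str) -> str:
    """Crude registrable domain: last two labels (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_message: str) -> list[str]:
    """Return a list of short finding tags; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    claimed = [brand for brand in IMPERSONATED_BRANDS if brand in display_name.lower()]

    # 1. Display name claims a sharing service, but the envelope sender does not match.
    for brand in claimed:
        if registrable_domain(sender_domain) not in IMPERSONATED_BRANDS[brand]:
            findings.append(f"sender-mismatch:{brand}:{sender_domain}")
    if claimed and sender_domain in CONSUMER_MAILBOX_DOMAINS:
        findings.append(f"consumer-mailbox:{sender_domain}")

    # 2. Links in the body: off-brand targets and text/href disagreement.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    for href, anchor_text in HREF_RE.findall(body):
        href_domain = registrable_domain(urlparse(href).hostname or "")
        for brand in claimed:
            if href_domain not in IMPERSONATED_BRANDS[brand]:
                findings.append(f"link-off-brand:{brand}:{href_domain}")
        shown = URL_RE.search(anchor_text)
        if shown:
            shown_domain = registrable_domain(urlparse(shown.group()).hostname or "")
            if shown_domain != href_domain:
                findings.append(f"link-text-mismatch:{shown_domain}->{href_domain}")
    return findings


# Constructed sample: a Gmail account posing as Google Drive, with a lookalike link.
PHISH_SAMPLE = """\
From: "Google Drive" <docs.share.notify@gmail.com>
To: researcher@example.org
Subject: Panel invitation (document shared with you)
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A document has been shared with you.</p>
<p><a href="http://drive-google.example/open?id=1">https://drive.google.com/open</a></p>
</body></html>
"""

# Constructed sample: a notification whose sender and link match the claimed brand.
LEGIT_SAMPLE = """\
From: "Google Drive" <drive-shares-noreply@google.com>
To: researcher@example.org
Subject: Document shared with you
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://drive.google.com/file/d/abc/view">Open</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample))
```

The domain logic is deliberately crude (last two labels, no public-suffix list), so it is a triage aid for a small organization's shared mailbox, not a filter; every finding should be read by a person before anything is acted on.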

The campaign was low-cost and technically unsophisticated. Researchers found that it used an open-source phishing framework originally designed for defensive use, as part of anti-phishing training for organizations. A version of this campaign could be deployed with little technical knowledge and could be easily adapted to fit the motivations of any attacker. Because the attack did not hinge on the deployment of a tool that could be connected with a company or other threat actor, attribution is difficult.

The second large-scale phishing attack targeting Egyptian NGOs occurred between January and February 2019. While the targets of this campaign mirror those of the first campaign—namely, Egyptian NGOs, human rights defenders, and media organizations—the tactics and techniques differ in important ways.

Most importantly, the 2019 attack demonstrated a notable development in the phishing technique itself. The campaign relied on “OAuth phishing”, a tactic that abuses a feature allowing third-party applications to access an account directly. The phishing emails in this campaign imitated a security warning from Google and asked the targets to apply a security update to their Gmail account. If the targets clicked to apply the security feature, they were redirected to an OAuth authorization page, which initiated the authorization flow for a malicious third-party app named “Secure Email.” The target was asked to log into their Google account and authorize the app to have full access to their account.

This change in technique demonstrates an increase in the level of sophistication of the campaign. The final report by Amnesty International concluded that the attack was likely launched by government-backed bodies. This conclusion was based on a number of factors including the identities of those targeted, the timing of the attacks, and an authentic notification from Google that alerted the targets about the existence of a “state-sponsored” attack.
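Because an OAuth grant gives the third-party app its own token, the compromise survives the kind of clean-up that helps against credential phishing, and the defensive check is a review of which apps hold which scopes. The script below is an added example, not code from the article or from Amnesty International: it scores third-party grants on a mailbox for the pattern described above (a reassuringly named app, recently authorized, holding full mailbox access). The `Grant` record layout, the risk weights, the lure-word list, and the sample grants are all constructed assumptions; only the scope strings are real Google OAuth scope identifiers.

```python
"""Added example (not from the article): scoring third-party OAuth grants for
over-broad, recently granted, security-themed apps. Record layout and sample
data are constructed; the scope URIs are real Google OAuth scope identifiers."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """One third-party app authorization on a mailbox (assumed layout)."""
    app_name: str
    client_id: str
    scopes: list[str]
    granted_at: datetime
    verified_publisher: bool


# Real Google OAuth scope identifiers; the weights below are this example's own.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/write/delete access to the mailbox",
    "https://www.googleapis.com/auth/drive": "full access to Drive files",
    "https://www.googleapis.com/auth/contacts": "read/write access to contacts",
}
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly": "read-only access to all mail",
    "https://www.googleapis.com/auth/contacts.readonly": "read-only access to contacts",
}
# Words that lend a malicious app a security-themed veneer (assumption).
LURE_WORDS = ("secure", "security", "update", "protect", "verify")


def risk_score(grant: Grant, now: datetime) -> tuple[int, list[str]]:
    """Additive score plus human-readable reasons for one grant."""
    score, reasons = 0, []
    for scope in grant.scopes:
        if scope in HIGH_RISK_SCOPES:
            score += 3
            reasons.append(f"high-risk scope: {HIGH_RISK_SCOPES[scope]}")
        elif scope in MEDIUM_RISK_SCOPES:
            score += 1
            reasons.append(f"medium-risk scope: {MEDIUM_RISK_SCOPES[scope]}")
    if not grant.verified_publisher:
        score += 2
        reasons.append("publisher not verified")
    if any(word in grant.app_name.lower() for word in LURE_WORDS):
        score += 1
        reasons.append("security-themed app name")
    if now - grant.granted_at < timedelta(days=7):
        score += 1
        reasons.append("granted within the last 7 days")
    return score, reasons


def audit(grants: list[Grant], now: datetime, threshold: int = 4):
    """Return (app_name, score, reasons) for grants at or above the threshold, highest first."""
    flagged = []
    for grant in grants:
        score, reasons = risk_score(grant, now)
        if score >= threshold:
            flagged.append((grant.app_name, score, reasons))
    flagged.sort(key=lambda item: item[1], reverse=True)
    return flagged


# Constructed sample data; the review date falls inside the Jan-Feb 2019 window.
NOW = datetime(2019, 2, 15, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("Secure Email", "client-id-placeholder-1",
          ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"],
          NOW - timedelta(days=2), verified_publisher=False),
    Grant("Calendar Sync", "client-id-placeholder-2",
          ["https://www.googleapis.com/auth/contacts.readonly"],
          NOW - timedelta(days=400), verified_publisher=True),
    Grant("Mail Backup", "client-id-placeholder-3",
          ["https://www.googleapis.com/auth/gmail.readonly"],
          NOW - timedelta(days=90), verified_publisher=True),
]

if __name__ == "__main__":
    for app_name, score, reasons in audit(SAMPLE_GRANTS, NOW):
        print(f"{app_name} (score {score})")
        for reason in reasons:
            print("  -", reason)
```

The remediation for a flagged grant is to revoke it in the account's third-party access settings; the score only orders the review, and a verified app with a broad scope can still be unwanted.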

Malware

Malware is a broad umbrella term that includes any malicious software deliberately developed to damage, disrupt, or perform unwanted actions on devices, data, and systems. Malware can be installed onto a device, thereby infecting it, through a variety of mechanisms. Infection can occur through a malicious link that arrives in an email, text, or other message. It may also occur through physical access to the device itself. Different kinds of malware can perform a broad range of activities, including the corruption of files, damage to entire networks, or the discreet collection of sensitive information. Malware infections are also directed by a variety of actors, including opportunistic hackers, criminal organizations, and governments; they are motivated by a similarly diverse mix of objectives.

There are many different types of malware, including spyware and Remote Access Trojans (RATs). Oftentimes, malware is implanted onto devices by means of exploits: code that takes advantage of vulnerabilities in systems, software, or data in order to infect a particular device. Zero-day exploits are particularly impactful because they take advantage of a vulnerability that is unknown to the developers of the device or application.

Malware – Spyware

Commercial spyware has been routinely documented throughout the Middle East, particularly in its use against human rights defenders and civil society. These products are marketed as “lawful intercept” services and are usually restricted in their sale to governments, law enforcement, and intelligence agencies. Because of these restrictions and their extremely high cost, attacks attributed to commercial spyware products are regularly linked with state sponsors. Over the last decade, there has been a notable pattern of authoritarian states in the region deploying these technologies against human rights defenders. The most notorious tool in recent years is Pegasus, developed by the Israeli company NSO Group.

The first documentation of NSO’s Pegasus being deployed against a human rights defender in the region was in 2016. The Citizen Lab published a report about UAE human rights activist Ahmed Mansoor, which detailed an unsuccessful attempt to infect Mansoor’s iPhone with Pegasus spyware. In August 2016, Mansoor received two SMS text messages on his iPhone containing an embedded link and promising information about tortured detainees in UAE prisons.

Mansoor forwarded the messages to Citizen Lab researchers, who found that the link led to a malicious website hosting a zero-day exploit that would have remotely jailbroken Mansoor’s phone and implanted NSO’s Pegasus spyware onto his device. iPhones are highly regarded for their superior security infrastructure. As a result, zero-day iPhone exploits are rare, sophisticated, and extraordinarily expensive. This further indicates that Mansoor’s attacker was likely a government actor.

Researchers were able to understand how Pegasus functions based on documents contained in the 2015 leak of the Italian spyware company Hacking Team. Included within the tranche of leaked Hacking Team files was a document titled “Pegasus - Product Description.” The document describes how targets first receive an “enhanced social engineering message”, a message designed to trick the target into clicking the malicious link. Once the target clicks on this link, they are redirected through a chain of anonymous nodes, called the Pegasus Anonymizing Transmission Network. This network is designed to conceal the attacker’s identity before the request ultimately reaches the final Pegasus server. Once the target arrives at the final Pegasus server, the server sends the exploit back to the target’s device and attempts to discreetly install the Pegasus spyware.

Once Pegasus is installed, the program can record and gather data, unbeknownst to the target. Pegasus can access calls made on the regular line, WhatsApp and Viber, and can access SMS messages and messages on WhatsApp, Facebook, Telegram, Gmail, and Skype. The program also gains access to other personal data, such as password keychains, contact lists, and calendar entries. Pegasus sends all of this data back to the attacker’s Command and Control server.[4]

Since the Citizen Lab’s first report on NSO’s Pegasus in 2016, the spyware has been repeatedly documented throughout the region, particularly in its use against human rights defenders and civil society. In 2018, Amnesty International documented an attempted Pegasus infection of their own researchers and of Saudi activist Yahya Assiri. Furthermore, the Citizen Lab reported in 2018 that New York Times Beirut Bureau Chief Ben Hubbard and Saudi activist Omar Abdulaziz were targeted with Pegasus spyware. The spyware has also been documented in Morocco and Bahrain.

Malware – RAT

Remote Access Trojans (RATs) are another form of malware, modeled after legitimate remote access programs. Genuine tech support programs often enable remote access for authorized computers in order to provide assistance for users facing technical issues. Malicious RATs emulate this formula, but without the user’s consent or knowledge. RATs enable attackers to access and control a target’s computer. The capabilities and sophistication of RATs vary widely, but can include the remote logging of an infected computer’s keystrokes, remote screenshots, exfiltration of data, and remote access to webcams or microphones.

RATs were widely documented in the early years of the Syrian war, often against activists and groups affiliated with the Syrian opposition. These attacks and campaigns lasted many years and there was evidence to suggest they were conducted by pro-Syrian government actors. Beginning as early as 2011, these attacks utilized a variety of different tactics and tools, while also sharing similar themes. Oftentimes, the campaigns employed easily accessible RATs and were combined with social engineering elements. The campaigns included posting social engineering messages onto opposition media platforms with links to malicious RATs. The messages would be expertly crafted, demonstrating a deep understanding of Syrian opposition figures.

In June 2013, the Syrian opposition was targeted with a malicious installer of Freegate, an authentic VPN-based circumvention tool designed for Windows. A Freegate link was posted in a private Facebook group belonging to the Syrian opposition. The link contained a legitimate version of Freegate, but bundled a malicious installation tool with it. If a target clicked on the link, the authentic version of Freegate would download, but a RAT implant would be installed alongside it. This particular RAT was called ShadowTech RAT and was widely available at the time. Requiring little technical knowledge to deploy, ShadowTech RAT has the ability to log keystrokes, access the target’s webcam, and exfiltrate files.

Another RAT campaign targeting the Syrian opposition occurred in September 2013. A pro-Syrian opposition Facebook group called “Revolution Youth Coalition on the Syrian Coast” was infiltrated by attackers, who posted a malicious link into the group offering information on a well-known Free Syrian Army commander. If a target clicked on the link, a RAT called Bladabindi would be downloaded onto their device. That the attackers had already infiltrated the Facebook group was evident from the fact that comments warning other users about the malicious link were repeatedly deleted.

Conclusion

Throughout the region, a wide range of targeted digital threats have been documented over the past ten years. Though these attacks have differed dramatically in their level of technical sophistication, threat landscape, and mode of targeting, certain patterns have emerged; most notably, the repeated targeting of civil society actors by state-sponsored or state-affiliated threat actors. While the tactics and techniques of targeted threats are likely to continue to evolve, these underlying political dynamics will persist. Civil society actors are also particularly vulnerable because they often lack the resources to invest in a robust security infrastructure and digital security training. Further investment in systems and training is the only way to protect against future attacks.

[1] Attack Vectors: The path or entry point through which an attacker gains unauthorized access to a computer system or network. (Citizen Lab, Communities at Risk Glossary)

[2] Citizen Lab, Communities @ Risk: Targeted Digital Threats Against Civil Society. November 11, 2014. https://targetedthreats.net/media/1-ExecutiveSummary.pdf

[3] Social Engineering: Psychologically manipulating or deceiving a target in order to gain unauthorized access to data; tricking a target into compromise through non-technical means. (Citizen Lab, Communities at Risk Glossary)

[4] Command and Control: A centralized server or computer that issues directives and data to devices infected with malware. (Citizen Lab, Communities at Risk Glossary)