A prominent Egyptian opposition politician, who intends to challenge President Abdel Fatah El-Sisi in the upcoming elections, was recently targeted in a "zero-day" attack aimed at infecting his phone with Predator spyware. Google and the University of Toronto's Citizen Lab conducted research on the attack and discovered a previously unknown exploit that could install Predator on iPhones, even those running the latest operating system. As a result, Apple released a security update to address the issue. Citizen Lab has expressed "high confidence" that the Egyptian government was behind the failed hacking attempt, which targeted journalist and former parliament member Ahmed Eltantawy.

Zero-day exploits are highly valuable because they exploit security vulnerabilities that have not yet been discovered or patched. In this case, Eltantawy would not have needed to click on anything to be infected. The discovery of such an exploit is rare and prompted Apple to take immediate action. Once installed on a phone, the Predator spyware can steal passwords, log keystrokes, extract data from various apps, copy chat messages, and record calls, including those made within encrypted applications.

Cytrox, the maker of Predator, was blacklisted by the Biden administration in July for trafficking in cyber exploits. Cytrox sells exclusively to government agencies, and Citizen Lab believes that the Egyptian government was responsible for the attack, citing Egypt's known history as a Predator customer and the physical location of the attacking device within Egypt. Ahmed Eltantawy, an outspoken critic of the Egyptian government, became concerned about his phone's security after receiving suspicious messages in mid-September and reached out to Citizen Lab for analysis. The Egyptian government has not commented on the incident.

The attack on Eltantawy's phone involved the use of PacketLogic, a product developed by Sandvine, a Canadian networking equipment company.
Sandvine was acquired by Francisco Partners in 2017, a private equity firm that also owned NSO Group until 2019. NSO Group is known for developing Pegasus spyware, which governments have used to surveil journalists, activists, and political opponents. The campaign against Eltantawy highlights the dangers posed by commercial surveillance vendors and their potential threats to online users' safety, according to Google's Threat Analysis Group.
According to research conducted by Citizen Lab, multiple attempts were made to install the Predator spyware on the phone of Egyptian presidential candidate Ahmed Eltantawy between May and September. Eltantawy received text and WhatsApp messages with links to malicious websites, but he did not click on them. In August and September, Eltantawy was subjected to a more dangerous type of attack called a network injection, which redirected his browser to an Intellexa website that then executed the exploit on his phone.
Citizen Lab stated that they have "high confidence" that the attacker used Sandvine's PacketLogic program to redirect Eltantawy's browser. This attack method was unique, as it was the first time they had seen a zero-day exploit delivered in this manner. However, the hack failed because Eltantawy had activated Apple's "lockdown mode," which reduced his phone's functionality but blocked many routes of attack.
Google revealed that a different exploit would have been delivered to Android users. The Android security flaw had been discovered and reported by someone else, and Google released a patch for it on September 5.
Citizen Lab did not accuse Vodafone Egypt, Eltantawy's communications provider, of being complicit in the attack. However, they mentioned that the easiest way for PacketLogic to be installed on the Vodafone network would be with Vodafone's cooperation. Vodafone Egypt did not respond to requests for comment.
Citizen Lab also discovered that a previous phone owned by Eltantawy had been infected with Predator in November 2021 through a text message containing a link.
Eltantawy believes he was targeted because of his political activities and speculates that the hacking attempt was meant to find material to defame him. He declined to blame the Egyptian government for the attack. However, he expressed concern about the government's arrest of people close to him, with at least 35 volunteers for his campaign being arrested since August.
Citizen Lab was able to trigger a repeat of the infection on a test device, which confirmed that the malicious software matched a previous sample of Predator. Apple credited both Citizen Lab and Google's Threat Analysis Group in an emergency patch issued in response to the attack.
In 2021, Citizen Lab reported that two exiled Egyptians, including opposition politician Ayman Nour, were infected with Pegasus spyware through a click-based exploit.
Earlier in September, Citizen Lab discovered that Pegasus spyware had infected the device of an employee at a D.C.-based civil society organization with international offices, leading to a security update from Apple. The lab's research has prompted multiple recent patches from Apple outside its regular release cycle.