The Easy and Affordable Way to Undertake Cyber Espionage

I am pleased to announce a new Citizen Lab report, entitled “Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society,” authored by the Citizen Lab’s John Scott Railton, Bill Marczak, and Etienne Maynier, in collaboration with Ramy Raoof of the Egyptian Initiative for Personal Rights.

The full report is here:  https://citizenlab.org/2017/02/nilephish-report/

When most of us think of state cyber espionage, what likely comes to mind are extraordinary technological capabilities: rare un-patched software vulnerabilities discovered by teams of highly skilled operators, or services purchased for millions from shadowy “cyber warfare” companies.  To be sure, some cyber espionage fits this description, as any perusal through the Snowden disclosures or our recent “Million Dollar Dissident” report will show. But not all of them do.  More often than not, cyber espionage can be surprisingly low-tech and inexpensive, and yet no less effective, than the glitzy stereotypes.

The Egyptian “Nile Phish” campaign is a case in point.

An authoritarian country racked with domestic insecurity and political turmoil, the Egyptian government has mounted a growing crackdown on civil society.  Part of that crackdown involves investigations of alleged “foreign funding” of Egyptian NGOs — known within Egypt as “Case 173.”

Beginning in November 2016, Egyptian NGOs and their staff under Case 173 investigation simultaneously began receiving identical, legitimate looking emails in their inboxes.  Fortunately, technical staff at one such NGO, the Egyptian Initiative for Personal Rights, suspected something wasn’t right, and reached out to us at the Citizen Lab for further investigation.

With EIPR’s assistance, we began analyzing the suspicious emails and discretely contacting other Egyptian organizations and individuals who received them.  What we discovered was an elaborate, coordinated, and multi-phased “phishing” campaign in which legitimate looking emails are sent to unsuspecting users in an attempt to trick them into entering their passwords into fraudulent websites controlled by the operators.

If this type of activity sounds familiar, it is because phishing is widely used as a tactic in the world of everyday cyber crime.  Just yesterday, I received a warning from the University of Toronto’s IT support unit about a malicious email sent to faculty and staff with a notice about a non-existent “Campus Security Notification.”  It may also sound familiar because it was precisely this type of phishing tactic that Russian hackers used to compromise the gmail account of the chairman of the 2016 Hillary Clinton campaign, John Podesta (illustrating the principle that even Great Powers sometimes pick cheap seats as long as it gets them where they want to go).

In the case of #NilePhish, Egyptian NGOs and individuals received emails with an invitation to attend a workshop about Case 173.  The operators used language from a real NGO statement that had been circulating among the community, and included as co-sponsors some of the very NGOs that were targeted.  A second wave of phishing emails included what purported to be a list of individuals subject to a travel ban under Case 173 (who among Egyptian civil society wouldn’t be tempted to check if they were included on that list?).  Alongside these carefully crafted emails — and seemingly just to mix things up — generic phishing attempts were sent with email security or fake courier delivery notifications.

Led by John Scott Railton, our team analyzed the emails and the server infrastructure in detail.  Dozens of fake but legitimate sounding domains were used by the operators to host websites that appeared to be Dropbox login pages or Gmail “failed login” warning messages.  Emails were sent from addresses like fedex_tracking[@]outlook.sa and dropbox.notfication[@]gmail.com.

Because of mistakes made on the part of the attackers, and our team’s use of multiple data sources and methods that are outlined in the report, we were able to eventually link more than 90 messages sent to seven NGOs and individuals as part of a single concerted campaign.  While we were unable to definitively attribute the campaign to an Egyptian government agency, strong circumstantial evidence exists that support it.  For example, we observed phishing against the colleagues of the Egyptian lawyer Azza Soliman, within hours of her arrest in December 2016. The phishing claimed to be a copy of her arrest warrant.  It is highly unlikely a random cyber criminal would be privy to such details, but quite likely someone connected to her arrest is.

Phishing may be an example of “poor man’s” cyber espionage, but the reason it’s used by everyone from Ukrainian securities fraudsters to Russian hackers to para-state groups is because it works.   From a government perspective, why bother with expensive wire transfers, complicated end user license agreements, third party resellers, and export controls, when a handful of cleverly constructed emails and websites will do the job?

The flip side is that there are cheap and easy ways to defend against phishing: users can be educated not to click on links or open emails that look legitimate and to spot giveaways of their malicious nature; tech companies can put in place two-factor authentication for access to their services by default; and NGOs can employ dedicated technologists who can manage their networks and alert their staff to the latest alerts.

Fortunately for Egyptian civil society, EIPR is just such an organization.

#NilePhish is ongoing, and we strongly suspect that there may be other targets of this campaign we have not yet identified.  We hope that the detailed indicators we are publishing can be used by systems administrators and others to find more evidence of targeting and alert potential victims.

Read the full report here: https://citizenlab.org/2017/02/nilephish-report/

Read EIPR’s report on #NilePhish in Arabic: http://eipr.org/nilephish