New Google Cyberattack Blamed On Egypt—But ‘It’s Complicated’


steven36


As nation-state cyberattacks go, few have been more amateurish than the cyberattack on Egyptian civil rights activists and journalists that has been traced back to the Egyptian government. Based on in-depth research by cyber powerhouse Check Point, published on October 3, attackers installed apps on victims’ smartphones, providing access to emails, contacts, phone records and location information. All the indicators, and there were many, pointed at Egypt’s General Intelligence Service—its spy agency.


But it might not be that simple. It is more likely that this attack was not down to Egypt at all, that this was a so-called “false flag” operation using Egypt as a foil. Attribution in cyberwarfare is much more difficult than its physical parallels. There is no hardware to trace, no attacks to film. What is left is the victimology—who was attacked and why, and the cyber weapons, the apps or exploit code. And it’s much easier to disguise lines of code than fragments of missiles.


The narrative with this attack builds on Egypt’s clampdown on civil rights activists within the country, and follows a March 2019 report by Amnesty International into “phishing attacks using third-party applications against Egyptian civil society organizations.” The victims—human rights activists and journalists—were warned by Google of a “government-backed” attempt to steal their credentials. Rather than using straight emails to execute the phishing campaign, third-party apps with access to mail platforms were exploited instead.


It was Amnesty’s report that prompted Check Point’s research. On the surface there can be no doubt that Egypt’s haphazard GIS was responsible: the central attack server which gathered hacked information was registered to Egypt’s Ministry of Communications and Information Technology, one of the software platforms used in the attack initialised itself with a geolocation traced to a “government or military complex” in Cairo, and a Telegram group used in the attack is wholly Egyptian.

Case closed? Maybe not. To mount a cyberattack of any sort, but especially a nation-state intel operation, around a server registered to the attack organization itself is akin to running a phishing email campaign from your own, legitimate email address or to ram-raiding an electronics store with your own car.


“We saw too many obvious fingerprints,” Check Point’s Lotem Finkelstein tells me, “in this operation, the infrastructure, the servers, the applications that carried the attack. Fingerprints that led us to the Egyptian government—the server registered to the Ministry, the coordinates in Cairo.” Finkelstein, one of the lead researchers on the report, repeats himself to make sure the point is clear. “It was so obvious,” he says, “we are afraid someone is trying to put this on Egypt.”


Finkelstein can’t get past the hacking server; that is the step too far. “It was too weird for us,” he says, “the basic thing is to register the service to someone else or hide your identity.” The location information buried within the iLoud app could have been overlooked, missed in the handover from the malware team to the operational team. But the server could not be missed. “It’s the very first thing you do, even newbies in the cybercrime domain know that. And so we got curious, is someone else doing it.”

The attack itself endured for some time. “From 2016,” Finkelstein explains, “the attackers were determined their weapons hit their targets, determined to infect targets with all kinds of malicious exploits—like mobile apps and also plug-ins to mail applications like Gmail and Outlook.” And given the nature and scale of information harvested, “the cyber operation must be a government-backed intelligence unit capable of digesting data in different formats, including emails and locations and call records, translate it into operational intelligence that can be used.”


A nation-state actor. Not necessarily the obvious nation-state actor.


Finkelstein references the Olympic Destroyer attack, wiper malware that initially targeted the Winter Olympic Games in South Korea and which carried North Korea’s fingerprints. “But when we analysed the operation,” Finkelstein says, “we saw that the North Korean flags were false and actually the operation was Russian.”


Lessons learned. “After that, we try to be cautious when we see fingerprints that are that big, that obvious, that can mislead you, make you think you’re looking at something Egyptian when it’s something else.” Which leads to a discussion on who might be responsible. “It may be someone monitoring Amnesty or other activist groups in their own country, trying to divert attention to Egypt.”


The attack had a specific focus on information from outside Egypt: the call records database structure was skewed towards foreign calls, times, dates and durations. Check Point doesn't have access to the data itself, so the countries remain unknown, but the database shell is visible to them.

The attack didn’t carry specific hallmarks of known threat actors, nor did it introduce any “new attack vector—but it was sophisticated enough to get apps onto Google Play, adding credibility to the operation, as well as to introduce plug-ins to Microsoft and Google that went unnoticed for a long time. Until we reported it to Microsoft, no-one knew there were malicious plugins introduced over and over again.” And this element of sophistication jars with the exceptional amateurishness that left so many traces.


Back to attribution, no surety but some clues. “We know the Iranians are big fans of mobile apps, specifically Android, although we haven't seen much on Google Play—they use unofficial app stores.” This contrasts with threat groups in China that are more focused on attacks on “PCs and routers and supply chains.”


You believe, I suggest to Check Point’s Finkelstein and Ekram Ahmed, that on balance this isn’t Egypt, this is more likely to be Iran.


“Yes,” they say in unison, before Ahmed adds “definitely, probably likely, but unsure we can be exact. There’s something deeper here, there are some things we can be sure about, some things that are more speculative.”

I ask whether they have seen any similar cyberattacks from Egypt before. They have not. What they have seen is activism by private actors, attacks on Israel in the main, to embarrass its government. And reports of state-backed social media campaigns.


“We don’t see many Egyptian cyber operations,” Finkelstein says before we break, “maybe this is the first one. And the fingerprints are too obvious. With attribution we must stop and question ourselves. There’s evidence it’s Egypt—but it’s too obvious.”


And so, I suggest, if there was a “false flag” operation, then you think it would look very much like this.


Yes, they both say.

