Introduction
A highly sophisticated spearphishing campaign targeting two prominent Egyptian journalists has been uncovered, according to a new joint report from the digital rights group Access Now and mobile security firm Lookout. The attacks, observed between January and March 2024, used custom-built phishing kits and elaborate social engineering lures designed to steal credentials and pave the way for deeper surveillance, including the potential deployment of spyware.
The findings, detailed in the report "Phishing for Truth," point to a well-resourced threat actor with strong similarities to a group previously identified as the "Shady Egyptian APT." This campaign represents a significant escalation in the digital repression tactics used to silence independent voices and undermine press freedom in Egypt.
Background: A hostile environment for the press
The cyberattacks did not occur in a vacuum. For years, Egypt has been an increasingly dangerous place for journalists and human rights defenders. The government has systematically worked to control the narrative by arresting journalists, blocking hundreds of news and advocacy websites, and employing extensive surveillance measures against its citizens. This digital offensive is the modern frontier of a long-standing effort to quash dissent.
This context is essential for understanding the gravity of the recent attacks. The perpetrators are not random cybercriminals; they are part of a machinery of repression. Previous investigations by organizations like Citizen Lab and Amnesty International have documented the use of commercial spyware, such as Cytrox's Predator, against Egyptian civil society, making the threat of surveillance an ever-present reality for those who dare to report independently.
Technical analysis of the attack
The campaign against the two journalists demonstrates a high level of operational planning and technical capability. Unlike generic phishing blasts that target thousands, this was a spearphishing operation, meaning the attacks were meticulously tailored to the specific targets.
Deceptive lures and social engineering
The attackers employed a two-pronged strategy to manipulate their targets. On one hand, they impersonated official government bodies, including the General Intelligence Service and the Ministry of Interior. Emails were crafted to look like official summons for questioning or warnings about national security threats, designed to induce fear and urgency and compel the target to click a malicious link without thinking.
On the other hand, the attackers cynically impersonated trusted human rights organizations like Amnesty International. This tactic exploits the target's professional network, preying on their trust in advocacy groups to trick them into revealing sensitive information or credentials. By mimicking both the stick (government threats) and the carrot (human rights support), the attackers covered multiple psychological angles.
Custom infrastructure and credential harvesting
The core of the technical operation was a custom-developed phishing kit. When a target clicked on a link in a malicious email, they were redirected to a convincing replica of a legitimate login page for services like Gmail, Outlook, Proton Mail, or Facebook. These pages were not generic templates; they were carefully designed to mirror the real services, making them difficult to distinguish from the authentic sites.
The attackers registered a series of deceptive domains to host these phishing pages, such as smsgov[.]net and ahramonline-eg[.]com, blending official-sounding terms with familiar news outlet names to enhance their legitimacy. According to Access Now and Lookout, the infrastructure and methods align closely with past activities attributed to the "Shady Egyptian APT," a threat actor believed to be state-aligned and known for its persistent targeting of Egyptian activists and journalists.
While the immediate goal was credential theft, the report warns that this is often just the first step. Once attackers gain access to a target's accounts, they can monitor communications, identify sources, and exfiltrate sensitive data. More alarmingly, this access can be used as a foothold to deploy advanced spyware onto the target's devices, granting the attackers near-total control.
Impact assessment: A chilling effect on truth
The direct targets of this campaign are the two journalists, whose identities were withheld for their safety. A successful compromise could lead to the exposure of their sources, the theft of unpublished work, and constant surveillance of their private lives, placing them and their contacts in grave danger.
The broader impact, however, extends to the entire journalistic community in Egypt and beyond. Such high-profile attacks create a powerful chilling effect, forcing reporters to self-censor out of fear. When journalists know that their every digital move could be monitored by a hostile state actor, the process of independent investigation and reporting becomes fraught with peril. This undermines the very foundation of a free press and the public's right to access information.
Furthermore, the impersonation of both state and non-state entities erodes public trust. Citizens become wary of all digital communications, making it harder for legitimate organizations to operate and for individuals to discern real threats from fake ones.
How to protect yourself
For journalists, activists, and other high-risk individuals, defending against such sophisticated threats requires a diligent approach to digital security.
- Assume you are a target: Maintain a healthy level of skepticism toward all unsolicited communications, especially those that create a sense of urgency, fear, or opportunity. Verify requests through a separate, secure communication channel before taking any action.
- Strengthen account security: Use a password manager to generate and store strong, unique passwords for every online account. Most importantly, enable multi-factor authentication (MFA) on all critical accounts. Prioritize phishing-resistant methods like hardware security keys (e.g., YubiKey) over less secure SMS-based codes, which can be intercepted.
- Scrutinize links and domains: Before clicking a link, hover over it to inspect the destination URL. Look for subtle misspellings or unusual domain extensions. Be cautious of link shorteners.
- Enhance digital privacy: Use end-to-end encrypted messaging apps like Signal for sensitive conversations. A reliable VPN service can also add a critical layer of protection by masking your IP address and encrypting your internet traffic, making it harder for adversaries to track your online activities.
- Keep software updated: Regularly update your operating systems, browsers, and applications. These updates often contain critical security patches that can protect you from attacks that exploit software vulnerabilities.
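The link-scrutiny advice above, and the domain-blending pattern described in the technical analysis (official-sounding terms and news-outlet names combined into look-alike domains such as smsgov[.]net and ahramonline-eg[.]com), can be turned into a simple defensive check. The script below is an added example written for this article, not code from Access Now, Lookout or the report; the allowlist of trusted login hosts, the brand-term list and the naive "last two labels" registrable-domain rule are constructed assumptions, and a real deployment would use the Public Suffix List and an allowlist maintained by the reader's organization. It accepts defanged indicators as written in the report, so the two domains named on the page can be checked directly.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): registrable domains of the services the report
# says were cloned. Any host whose registrable domain is in this set is treated as genuine.
TRUSTED_DOMAINS = {"google.com", "live.com", "proton.me", "facebook.com"}

# Constructed list (assumption): terms whose presence in an untrusted domain deserves a
# second look, modelled on the "smsgov" / "ahramonline-eg" blending pattern.
BRAND_TERMS = ("google", "gmail", "outlook", "microsoft", "proton", "facebook", "ahram", "gov")

# Public URL shorteners that hide the true destination (real services; listing is illustrative).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def refang(url: str) -> str:
    """Convert a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    url = url.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Extract the lower-cased hostname; tolerate bare hosts without a scheme."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels (assumption; use the Public Suffix List in practice)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_link(url: str) -> dict:
    """Return a verdict ('trusted', 'suspicious', 'unverified') with the reasons behind it."""
    host = host_of(url)
    if not host:
        return {"host": host, "verdict": "unverified", "reasons": ["no hostname could be parsed"]}

    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return {"host": host, "verdict": "trusted", "reasons": []}

    reasons = []
    # A genuine domain name appearing as a *prefix* under some other registrable domain,
    # e.g. accounts.google.com.example-login.net, is the classic subdomain disguise.
    for trusted in TRUSTED_DOMAINS:
        if "." + trusted + "." in "." + host + ".":
            reasons.append(f"trusted name '{trusted}' embedded under unrelated domain '{reg}'")
    # Brand or authority terms blended into a domain the allowlist does not know.
    for term in BRAND_TERMS:
        if term in reg:
            reasons.append(f"brand term '{term}' in untrusted domain '{reg}'")
    if reg in SHORTENERS:
        reasons.append("link shortener hides the real destination")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain name")
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non-ASCII characters in hostname (possible homograph)")

    verdict = "suspicious" if reasons else "unverified"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links; the two defanged domains are the ones named in the report.
    samples = [
        "https://accounts.google.com/signin",
        "hxxps://smsgov[.]net/summons",
        "http://ahramonline-eg[.]com/login",
        "https://accounts.google.com.example-login.net/",
        "https://bit.ly/abc123",
        "https://example.org/page",
    ]
    for link in samples:
        result = assess_link(link)
        print(f"{result['verdict']:<11} {result['host']:<40} {'; '.join(result['reasons'])}")
```

Note that "unverified" is not "safe": the check only proves a host is absent from the allowlist and shows none of the listed warning signs. The point of the allowlist approach is the inverse of the attackers' trick; instead of judging whether a page looks right, it asks whether the registrable domain is one you have already decided to trust, and treats everything else as something to verify over a separate channel before typing credentials.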
This campaign is a stark reminder that the fight for press freedom is increasingly being waged on a digital battlefield. The attackers' methods are advancing, and so too must the defenses of those who work to hold power to account.