A new report from the Citizen Lab at U of T's Munk School of Global Affairs uncovers Nile Phish, an ongoing and extensive phishing campaign against Egyptian civil society.
In recent years, Egypt has witnessed what is widely described as an “unprecedented crackdown” on both civil society and dissent. Amidst this backdrop, in late November 2016 Citizen Lab began investigating phishing attempts on staff at the Egyptian Initiative for Personal Rights (EIPR), an Egyptian organization working on research, advocacy and legal engagement to support basic freedoms and rights.
“The scale of the campaign and its persistence compound the many threats already faced by Egyptian NGOs,” says John Scott-Railton, senior researcher at the Citizen Lab.
With the collaboration and assistance of EIPR’s technical team, the investigation expanded to include seven Egyptian NGOs targeted by Nile Phish. These seven organizations work on human rights, political freedoms, gender issues and freedom of speech. Citizen Lab also identified individual targets, including Egyptian lawyers, journalists and independent activists.
With only a handful of exceptions, Nile Phish targets are also implicated in Case 173, a sprawling 5-year-old legal case brought against NGOs by the Egyptian government over issues of foreign funding. The phishing campaign also coincides with renewed pressure on these organizations and their staff by the Egyptian government, in the context of Case 173, including asset freezes, travel bans, forced closures, and arrests.
Citizen Lab is not in a position in this report to conclusively attribute Nile Phish to a particular sponsor. But the sponsor of Nile Phish clearly has a strong interest in the activities of Egyptian NGOs, specifically those charged by the Egyptian government in Case 173. Nile Phish is clearly familiar with targeted NGOs’ activities, staff concerns, and is able to quickly phish on the heels of action by the Egyptian government.
“When most of us think of state cyber espionage, what likely comes to mind are extraordinary technological capabilities: rare unpatched software vulnerabilities discovered by teams of highly skilled operators, or services purchased for millions from shadowy ‘cyber warfare’ companies,” says Professor Ron Deibert of the department of political science in the Faculty of Arts & Science, and Citizen Lab’s director. “To be sure, some cyber espionage fits this description, as any perusal through the Snowden disclosures or our recent ‘Million Dollar Dissident’ report will show. But not all of them do. More often than not, cyber espionage can be surprisingly low-tech and inexpensive, and yet no less effective, than the glitzy stereotypes. The Nile Phish campaign is a case in point.”
By exposing the Nile Phish operation, and providing technical indicators, Citizen Lab hopes to help potential targets and other investigators identify and mitigate the campaign.