Mark De Boer
September 25, 2023

https://www.cybernewscentre.com/plus-content/content/predators-prey-unveiling-cyber-espionage-against-egypts-democratic-hope


Ahmed Eltantawy, a former member of Egypt’s parliament, has found himself in a situation tangled with Egypt’s ongoing political struggles and disagreements.

On September 21, 2023, Apple patched three zero-day vulnerabilities that were being exploited to install a spyware called Predator on iPhones. The covert operation mainly targeted Ahmed Eltantawy and took place between May and September 2023.

The attack followed Eltantawy's public announcement that he planned to run for President in Egypt's 2024 elections. Citizen Lab is fairly certain that the Egyptian government is behind the attack, because the government has been known to use this kind of spyware before.

Citizen Lab and Google's Threat Analysis Group (TAG) determined that the spyware was likely delivered through links in SMS and WhatsApp messages. Their research shows how such covert tools are used and the serious problems these hidden operations create, especially when governments are involved.

Background

Ahmed Eltantawy, a former Member of Parliament and former head of Egypt’s al-Karama political party, attracted wide attention in March 2023 when he announced he wanted to run for president to offer a “democratic” alternative to the current government. Since then, he, his family, and his supporters have faced ongoing harassment and reported arrests. This is part of the wider repressive environment created by Egypt’s current president, Abdel Fattah el-Sisi, since he came to power in 2014 after the military removed President Mohammed Morsi. El-Sisi’s time in power has been marked by harsh actions against dissent, civil society groups, and political opponents.

Aspiring Leader Eltantawy's Encounter with Stealth Spyware

In this politically charged atmosphere, Eltantawy grew concerned about the security of his communications. Citizen Lab’s investigation revealed persistent attempts to compromise his device with the Predator spyware made by Cytrox. This is not an isolated case: Citizen Lab has documented the use of similar spyware against other prominent Egyptians, including the exiled politician Ayman Nour and a news presenter whose name was not disclosed.

Fusion of Political Suppression and Cyber Espionage:

The precise and extensive intrusion attempts, coupled with the exploitation of zero-day vulnerabilities to unleash Predator spyware on Eltantawy, highlight the intertwining of political subjugation and cyber espionage in Egypt’s contemporary political milieu. This alarming association raises profound concerns about the malicious application of technology to muzzle democratic dialogues and violate personal freedoms. The episode underscores the urgent necessity for bolstered international standards and advanced protective digital protocols to counteract the proliferation and utilisation of such aggressive cyber mechanisms in political retaliations and monitoring endeavours.

Stealth Network Manipulation:

During August and September 2023, when Eltantawy visited non-HTTPS websites from his mobile device over a Vodafone Egypt connection, he was silently redirected to a potentially malicious domain (c.betly[.]me) by network injection. This domain matched the fingerprints associated with Cytrox’s Predator spyware. The injection was triggered based on the website specified in the HTTP Host header and the value of the User-Agent header. It was carried out by a middlebox sitting on the network path, which also suppressed the legitimate response from the server, leaving Eltantawy with no visible sign of the interference.

The following reply was injected by an on-path middlebox, and the legitimate reply from the server was suppressed:

Excerpt Below

HTTP/1.1 307 Temporary Redirect
Via: 1.0 middlebox
Location: https://c.betly[.]me/[REDACTED]
Connection: close
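
A defender reviewing captured plain-HTTP traffic can check replies against the traits visible in the excerpt above. The following Python sketch is an added example, not Citizen Lab's tooling or code from the original article; the function names, the three heuristics and the `example.org` reply are constructed for illustration.

```python
import re
# Headers a real origin server or CDN normally sends; the injected reply has none.
ORIGIN_HEADERS = {"date", "server", "content-length", "content-type"}

def parse_response(raw):
    """Split a raw HTTP/1.x response head into (status, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def host_of(url):
    """Host of an absolute URL; a regex keeps defanged hosts such as a[.]b parseable."""
    match = re.match(r"https?://([^/:]+)", url)
    return match.group(1).lower() if match else ""

def injection_signals(request_host, raw_response):
    """Reasons a reply to a plain-HTTP request resembles the injected one (may be empty)."""
    status, headers = parse_response(raw_response)
    if status not in (301, 302, 303, 307, 308):
        return []
    signals = []
    target = host_of(headers.get("location", ""))
    site = request_host.lower().removeprefix("www.")
    # Assumption: a suffix match stands in for a public-suffix-list comparison.
    if target and target != site and not target.endswith("." + site):
        signals.append("redirect to unrelated host " + target)
    if ORIGIN_HEADERS.isdisjoint(headers):
        signals.append("no Date/Server/Content-* headers")
    if "middlebox" in headers.get("via", "").lower():
        signals.append("Via header names a middlebox")
    return signals

# The reply quoted in the article, then a constructed ordinary HTTPS upgrade.
INJECTED = """HTTP/1.1 307 Temporary Redirect
Via: 1.0 middlebox
Location: https://c.betly[.]me/[REDACTED]
Connection: close
"""
LEGIT = """HTTP/1.1 301 Moved Permanently
Date: Mon, 04 Sep 2023 10:00:00 GMT
Server: nginx
Location: https://www.example.org/
"""
```

Treat the returned reasons as triage hints rather than proof: captive portals and ISP notices also inject redirects into plain-HTTP sessions.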

Analysis and Implications:

These incidents are emblematic of the broader patterns of surveillance and repression that persist in Egypt under the el-Sisi regime. The targeted digital intrusions against Eltantawy and others reflect an overarching intent to suppress political diversity and dissent. They show how the digital domain becomes a contested space for political control and intimidation and a medium for perpetuating autocratic norms, with significant impact on democratic principles, human rights, and international diplomatic relations.

The convergence of political tensions and cyber espionage in Eltantawy’s case is representative of the escalating global concern over the abuse of digital tools for political gains, particularly by government entities. This scenario necessitates not only a closer examination of the ethical ramifications of digital surveillance technologies but also a concerted effort to foster international dialogue to establish robust cyber norms and protect democratic values and human rights.

Expanded Analysis with Technical Details:

While helping Eltantawy investigate the espionage directed at him, Citizen Lab, together with Google’s Threat Analysis Group (TAG), uncovered a zero-day iOS exploit chain built to target him. The discovery prompted immediate coordinated disclosure to Apple so that the vulnerabilities used in the chain could be addressed.

iOS Exploit Chain Vulnerabilities:
