On Dec. 7, 2016, a well-known Egyptian women's rights activist was arrested at her home by police forces. A few hours later, while she was still being interrogated, several of her colleagues at a prominent Egyptian organization, as well as other activists, started receiving emails that appeared to include a link to her arrest warrant, according to a new investigation by a digital rights group.
That link, however, didn't really lead to her arrest warrant, but to a fake login page designed to trick the targets into giving away their Dropbox credentials, according to Citizen Lab, which published the investigation on Thursday.
The wave of phishing attacks following the arrest of Azza Soliman is just a small part of an extensive, weeks-long hacking campaign carried out by a group dubbed Nile Phish, which targeted dozens of human rights workers, activists, dissidents, and even some lawyers and journalists in Egypt, according to the report by Citizen Lab, a digital rights research group at the University of Toronto's Munk School of Global Affairs.
"We are witnessing the widest, most sophisticated, and dangerous phishing and spearphishing campaign against independent human rights groups and activists in Egypt," Ramy Raoof, the senior research technologist at Egyptian Initiative for Personal Rights (EIPR), one of the targeted organizations, told Motherboard in an online chat.
The campaign started in late November and is still ongoing. In fact, as I was chatting with Raoof, he had to interrupt our interview because he had detected a new attack.
"Those guys are persistent :)" Raoof said.
Overall, Citizen Lab, with the help of Raoof and other Egyptian NGOs, observed as many as 92 attacks from November until Thursday, although the researchers fear that, given the massive scale of the campaign, there are many unknown victims out there.
The phishing attempts caught the attention of Citizen Lab researchers because they were particularly well-crafted.
"What caught our attention about this phishing is how well the Nile Phish operators seemed to understand their targets," John Scott-Railton, a senior researcher at Citizen Lab, told Motherboard. "The Nile Phish operators know when people are arrested, and incorporate this into phishing immediately after. They know who is organizing meetings. They know what NGO staffers are worried about."
The phishing attempts also seemed to home in specifically on people who are also targets of a controversial government lawsuit against human rights NGOs, known as Case 173. The lawsuit accuses half a dozen NGOs of illegally receiving foreign funding and harming national security, and is part of what some have described as the worst clampdown on civil liberties in Egypt's recent history. That clampdown consists not only of this lawsuit, but also of travel bans, an ultimatum to close independent NGOs in Egypt, restrictions that forced one NGO to relocate to Tunisia, and an asset freeze imposed by courts.
As is often the case, it's hard to know exactly who was behind the hacking campaign. Citizen Lab didn't point any fingers, but given who the hackers were going after, and the incredible timeliness of some of the attacks, "there is at least a good level of coordination between the state and Nile Phish," Raoof said.
For some of the victims, however, there's no doubt.
"The Egyptian security agencies are obviously behind the attack," Ziad Abdel Tawab, deputy director of the Cairo Institute for Human Rights Studies, told Motherboard in an email.
The Egyptian embassies in London and Washington, DC did not respond to a request for comment.
This hacking campaign shows once more that, often, there's no need to use fancy hacking techniques when users can still relatively easily be convinced to give up their credentials. As the noted security expert known as The Grugq once said, "Give a man an 0day [an unknown software flaw] and he'll have access for a day, teach a man to phish and he'll have access for life."
Small-time hackers know this. And government hackers know this very well too. Citizen Lab, as well as countless security companies, have seen how sophisticated hacking groups, even those working for governments such as those of Iran, Ethiopia, and Russia, regularly use phishing to target victims.
"Sometimes we hear 'oh well it's just phishing.' That's true," Scott-Railton said. "But a threat doesn't need to be exotic in order for it to deserve your attention. Phishing just works. And it is ignored at everyone's peril."