Hack-for-Hire Phishing Campaign Targets Egyptian Journalists, Exposing Risks to Civil Society in MENA
A recent investigation has unveiled a sophisticated hack-for-hire campaign aimed at two prominent Egyptian journalists and vocal critics of the government, Mostafa Al-A’sar and Ahmed Eltantawy. This campaign involved a series of spear-phishing attacks, a targeted form of phishing that focuses on specific individuals or organizations rather than a broader audience. The attackers employed messages that appeared to originate from trusted contacts and services, attempting to compromise the victims’ online accounts.
The attacks occurred between 2023 and 2024, targeting individuals who have previously faced political imprisonment and harassment. Al-A’sar and Eltantawy are both recognized for their critical stance against the Egyptian government, making them prime targets for such digital assaults. Eltantawy, in particular, has been previously targeted with spyware, highlighting the ongoing risks faced by journalists in the region.
Understanding the Attack Methodology
To gain insights into these attacks, collaboration with the mobile security firm Lookout was essential. Their forensic analysis revealed that unknown entities utilized a hack-for-hire organization with connections to Asia to conduct espionage against civil society figures in the MENA region. Evidence suggests that the attackers may have leveraged the same infrastructure to deliver spyware and exfiltrate sensitive data.
The investigation also contributed to an analysis by SMEX, a nonprofit organization focused on advancing digital rights in West Asia and North Africa. This analysis detailed a similar attack in 2025 against a Lebanese journalist, indicating that the same threat actor may be responsible for multiple incidents.
As civil society faces increasingly sophisticated digital threats, it is crucial to share knowledge and resources to safeguard communities. The investigation provides background information and highlights the need for effective digital security measures to mitigate such attacks.
Profiles of the Targeted Journalists
Mostafa Al-A’sar is an award-winning independent journalist and human rights advocate who spent nearly four years as a political prisoner due to his work. After fleeing to Lebanon, he eventually sought asylum in Canada. His commitment to journalism and human rights has made him a significant figure in the fight for freedom of expression in Egypt.
Ahmed Eltantawy, formerly a journalist and now a politician, served as the editor-in-chief of Al-Karama, an independent weekly publication. He has been a prominent challenger to the current Egyptian president, Abdel Fattah al-Sisi. Eltantawy announced his presidential ambitions in 2023 but faced severe repercussions, including the arrest of supporters and family members, which ultimately led to his withdrawal from the race and subsequent imprisonment.
Technical Aspects of the Phishing Campaign
The spear-phishing campaign aimed to compromise Al-A’sar and Eltantawy’s online accounts, specifically targeting their Apple and Google accounts. The attackers impersonated legitimate contacts, investing time to build rapport with the targets through various communication channels. The investigation uncovered a persistent infrastructure for these attacks, revealing overlapping domains and similarities in code.
This infrastructure not only facilitated phishing attempts but also had the potential to deliver Android spyware capable of accessing and extracting files, contacts, messages, and even enabling device microphones and cameras. The attackers created fake profiles and messages to mimic trusted services, including the messaging app Signal, which has since issued warnings about phishing campaigns.
In one instance, Al-A’sar received a message that appeared to be from Apple. After entering his credentials, he received a suspicious two-factor authentication (2FA) notification from an unusual location, prompting him to seek assistance. The attackers failed to compromise either Al-A’sar’s or Eltantawy’s accounts. Had they succeeded, the attackers would have gained access to sensitive personal and professional information, potentially endangering the victims and their networks.
Attribution and Implications
Lookout’s threat intelligence team assessed that the attacks were carried out by a hack-for-hire group linked to Asia. Attribution in such cases is complex, especially when attackers outsource their activities. While definitive conclusions about the involvement of specific governments remain elusive, the profile of the victims and the technical findings suggest a possible connection to state-sponsored surveillance efforts.
Multiple investigations highlight the Egyptian government’s history of acquiring surveillance technologies from Canadian and European firms. Reports from organizations such as the Citizen Lab and Amnesty International have documented the use of spyware like Intellexa’s Predator against dissidents, including previous attacks on Eltantawy.
Recommendations for Digital Security
To mitigate the risks associated with phishing attacks, civil society members are encouraged to adopt several best practices. Awareness of social engineering tactics is crucial, as attackers often rely on psychological manipulation to trick victims into divulging sensitive information. Trusting one’s instincts and verifying the legitimacy of communications can prevent falling victim to such schemes.
Implementing two-factor authentication (2FA) correctly is another essential step. Users should never share their 2FA codes and must ensure they input them only on official websites. Advanced 2FA options, such as security keys or Google Passkeys, are recommended for enhanced security.
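Security keys and passkeys resist the fake login pages described above because a WebAuthn login response records the origin the browser was actually on, and the genuine service rejects any mismatch. The Python sketch below is an added example, not code from the investigation: it shows the server-side binding checks only (signature verification is omitted), and the domain names, challenge and sample responses are constructed assumptions.

```python
import base64
import hashlib
import json

# Assumed relying-party values for this sketch (hypothetical, not from the article).
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"
CHALLENGE = b"constructed-server-challenge-001"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes) -> list:
    """Return the names of failed binding checks (empty list means all passed).

    Verifying the signature over authenticator_data || SHA-256(client_data_json)
    is a required further step and is left out of this sketch.
    """
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(expected_challenge):
        failures.append("challenge")
    # The browser, not the web page, fills in the origin the user is really on.
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    # Bytes 0-31 of authenticator data: SHA-256 of the RP ID the key signed for.
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(authenticator_data) < 37 or authenticator_data[:32] != expected_hash:
        failures.append("rpIdHash")
    elif not authenticator_data[32] & 0x01:  # bit 0 of flags: user present
        failures.append("userPresent")
    return failures


def build_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and authenticator would return."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # rpIdHash + flags byte (user present) + 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return client_data, auth_data
```

A response produced on a lookalike domain fails the origin and RP ID checks even if the user approves the prompt, whereas a typed 2FA code carries no such binding.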
Additionally, users should be vigilant about consent-based login pages that may be used for phishing attacks. Regularly reviewing linked third-party applications and validating their origins can help safeguard accounts.
For those facing heightened risks, enrolling in programs designed for high-risk users can provide additional layers of security. Google and other providers offer settings that flag users who may be targeted for sophisticated attacks.
Conclusion
The recent spear-phishing campaign against Al-A’sar and Eltantawy underscores the vulnerabilities faced by journalists and civil society in the MENA region. As digital threats continue to evolve, it is imperative for individuals and organizations to remain vigilant and proactive in their cybersecurity measures.
For further insights and resources on digital security, visit Access Now.


