A well-known US cybersecurity company has found evidence of Egyptian government involvement in a series of sophisticated cyber attacks targeting Egyptian journalists, academics, lawyers, opposition politicians and human rights activists, according to a New York Times report released today.
According to a preliminary version of a report to be released Thursday by Check Point Software Technologies, one of the world's largest cybersecurity companies, headquartered in southern San Francisco, the attackers installed software on the phones of the targeted people, enabling them to read the victims' files and emails, track their locations, and identify who they have contacted.

Two of the activists targeted in the cyber attack discovered by the security firm, both prominent opposition figures, were arrested last month as part of Egypt's crackdown on anti-government protests.

Hassan Nafaa, a professor of political science at Cairo University, and Khaled Daoud, a journalist and former leader of the Constitution Party, a prominent critic of Sisi, were arrested, according to the New York Times.

The first piece of evidence: the Egyptian intelligence building
Check Point found that the central server used in the attacks was registered on behalf of the Egyptian Ministry of Communications and Information Technology, and that the geographic coordinates included in one of the applications used to track activists correspond to the headquarters of the main spy agency in Egypt, the General Intelligence Service.

33 people targeted in the attack
According to the Check Point report, the cyberattack began in 2016. The report says the total number of victims is unknown, but the company identified 33 people, mostly well-known figures in civil society and the opposition, who were targeted in one part of the operation that was discovered.

Synopsis of Hassan Nafaa, Hazem Hosni and Khaled Daoud (Links)

"We have discovered a list of victims, including carefully selected political and social activists, prominent journalists and members of non-profit organizations in Egypt," Aseel Kayal, an analyst at Check Point, told The New York Times.

The second piece of evidence: Egyptian applications
The second part of the attack consisted of cyberattacks that used a range of malicious applications against activists' phones and email accounts to trick users.

One application, called Secure Mail, claimed to be Gmail: it warned the targeted people that their accounts had been compromised and then deceived them into revealing their passwords.

Another application, called iLoud200%, promised users it would double the volume of their mobile phones while it collected their geographic location, even if the user turned off location or location tracking services.

One of the most sophisticated apps was IndexY, which claimed to be a free app for identifying anonymous callers, like the popular app Truecaller. But the app copied the details of all the calls made on the phone and stored them on a server controlled by the attackers, and Check Point found that the focus was on users' communications with parties outside Egypt.

Since its release earlier this year, IndexY has become a popular app in Google's official store, where it has been downloaded 5,000 times.

Researchers at Check Point said the mere ability of the hackers to place it in the Google store, circumventing the checks Google uses to test new applications, bears witness to a high degree of sophistication and effort in developing it.

The app was available on the Google store until Check Point shared its concerns with Google on July 15, after which the app was removed and the "associated developer ban" was issued about two weeks later.

General Intelligence is the site identified by Check Point as the starting point for attacks that included opponents of Sisi (Al Jazeera)

Naive errors revealed
Despite the skill the developers showed in concealing their identity, the perpetrators seem to have made a number of errors that allowed Check Point to trace the origins of the applications.

All the pages and sites used to carry out the attacks were linked to an IP address of a Russian telecommunications company, Marosnet, and a central server registered under the name of MCIT, a clear reference to Egypt's Ministry of Communications and Information Technology.

The "IndexY" app, used in the cyber attack, on the Google store before it was deleted (communication sites)

The iLoud200% application, like most geolocation programs, contains initial default coordinates, a point set to indicate the time and location of the initial activation by the developers. The default coordinates in the application matched those of the Egyptian General Intelligence Service headquarters.

Check Point officials said that the coordinates could have been planted in the application by someone trying to implicate the Egyptian state, but the most likely explanation, according to the officials, is that the coordinates were left there through error or laziness by the people running the operation.

Further evidence pointing to the state's involvement in the attacks is the duration of the campaign, which took several years, as well as the vast amount of data collected and the substantial financial and human resources involved, the Check Point official said. In addition, the targets of the attack appear to have been chosen for their political activity or beliefs, which is not in line with the motives of traditional cyber crime, which tends to focus on sabotage or extortion.

In addition, Ms. Kayal of Check Point said the investigation indicated that the perpetrators were Arabic-speaking, and that the default time used in the applications was Egyptian time.

The Egyptian government did not respond to a request for comment on the New York Times article.