Egypt civil society under attack. I believe that a lot of people only in the year 2011 became aware of the Egyptian state attacking activists and surveilling them and using technology for that. But of course, there was surveillance of activists before and after that. The government has changed a couple of times since then, but surveillance of activists has not. And this talk gives us some insights into how these state actors work, how they surveil and target activists. And it's actually going to be super interesting, I believe, because there was an OPSEC fail and nothing is more interesting than OPSEC fails, especially when our enemies make them. And our speaker is Aseel Kayal, and she's a malware analyst. She studied computer science and she researched cyber attacks in the Middle East. So basically she's who I want to be in my next life. Super cool. Please have a big, warm round of applause for Aseel and enjoy the talk.

Thank you very much. Thank you. Imagine you live in a place where you witness corruption all around you. You see innocent people being thrown into prison over made-up charges. Newspapers being censored and shut down. Their websites becoming inaccessible. And the worst part is you have to be silent about it because each word you say, each social media post you share and each action you take can and will be used against you. That is the reality people face daily in Egypt.

Hello, everyone. My name is Aseel and thank you for coming to my talk, The Eye on the Nile. Like Najou mentioned, I am a malware analyst at Check Point. A few words about me. I work in the threat intelligence department and I am mostly interested in researching advanced threats and state-sponsored attacks and cyber attacks in the Middle East region. And so it's not surprising that reading this report that was published by Amnesty International back in March discussing phishing attacks against Egypt's civil society got me really curious.
And the phishing attacks discussed in this report are not your typical ones because basically in this case, the attackers set up third-party applications for popular mailing services like Outlook or Gmail or Yahoo Mail. And they would send links for those applications to the victims to fix a security issue in their account. But the third-party applications would request permissions to read, write, send and delete all of the emails in the victim's inbox. So basically if the victim grants the app the requested permissions, the attacker gets unlimited access to their inbox. Later on, some of the victims received official warnings from Google telling them that government-backed attackers are trying to access their accounts. And the report mentioned that the attacks were mainly targeting human rights defenders and prominent civil society members and staff in Egypt. And reading that, I knew I wanted to get involved in that research. I knew I wanted to contribute to it. And I didn't know how. How do you investigate a wave of attacks after it is over? Now, Amnesty International didn't really share a lot of technical information about those attacks, but luckily they shared a list of websites that they saw were operated by the attackers and that appeared in those emails. And naturally, looking over at them after a while, they were all dead. They were down. And I started gathering, in that case, whatever information I could get about the history of those websites, how they were used, any public information about them. And soon enough, I noticed that a lot of them had subdomains that mentioned the services they were trying to impersonate. So things like Outlook or Yahoo Mail or sign-in services to try and appear more legitimate in those phishing attempts. And I saw that there was one subdomain that stood out. And looking at that at first, it might appear to you as if this is a random combination of letters and numbers.
But really, each character in this subdomain corresponds to a letter in Arabic. And writing that in the right order from right to left, because Arabic is written from right to left, results in a phrase called the popular movement. And looking up the English transliteration that appeared in the subdomain led to one result only in Google. A Telegram channel using the same name and promoting a popular movement in Egypt. And that channel was sharing messages like these, which were basically telling the members, you should go out on the streets, you should get angry, you should start a second revolution, you should join this popular movement. But most importantly, make sure you contact the admins and provide them with all of your information or they will contact you. So at a very early stage of my investigation of this infrastructure, I knew that it was devoted to trying to target or to locate people who are possibly interested in opposing the Egyptian regime, or possible dissidents. One other thing I noticed while looking over this infrastructure is that a lot of the websites resolved to the same IP addresses. And those IP addresses were in the same range or in the same net block. And I started monitoring those IP addresses. And I saw new websites being registered and resolving to the same addresses. And one of those websites that was associated with such an IP address also followed the same naming convention as the malicious websites. So again, using the words mail and login to appear like a legitimate mailing service. But what was really special about this website is that it had open directory indexing. So I was able to see everything that the attacker stored on this website, which was nice for me. Now, the folders in this website contained mainly PHP scripts, which as you would probably know, if you're accessing the open directories in the browser, you cannot really view the source code.
But there was a zip file that contained the exact same folders on this website that I could download and view all of the PHP source code. And I did. And looking over the folders that I found in this archive, I saw that each one had a different purpose. The first one that I looked into, called WS, served as a control panel for the attackers of some sort. So the attackers could send this control panel remote requests and with an action called parameter, or with a parameter called action, they could specify certain tasks for this control panel to perform on the server. So again, they would be able to gather certain statistics from the data that is stored there. They could delete certain things or certain information that they stored on the server and so on and so forth. And there were a few interesting moments in this control panel code. For example, I could see the credentials for the attackers' database. So I could see the username and the password that they set. And I also saw that the attackers defined the default time zone of the server to be that of Cairo. Interesting. The control panel would also count the amount of requests that it received and it would check the total amount of requests over three hours. And if that amount exceeds 30 requests, it's considered to be a bit high, so they think there might be some suspicious activity or someone is trying to mess with the server. And in that case, an email is sent to this devd at gmail account telling them, hey, would you mind coming and taking a look at the server? Something might be off. And so seeing that, I realized that this Gmail account is probably again affiliated with the attackers or created by the attackers. You might also notice that the code snippets I'm showing you have a lot of comments. These aren't ones that I've added. These were left there by the attackers, documenting almost every line of the code and telling what it does.
Which was really helpful for me going over all of this PHP code and trying to understand what it does, so it helped me analyze that in a way. But mainly, a lot of the comments had very, very bad English. So they would make a lot of mistakes and a lot of spelling mistakes and grammatical mistakes and so on. And I think my favorite mistake that they made was this one. When the attackers misspelled the word buffering and instead wrote puffering. Now, if you know Arabic, you would know that we don't really have the letter P in the alphabet. So a lot of us would confuse the letters P and B and that's a classic mistake we make. Sorry. And I think this tweet really explains this better than I do, by Ahmed Zidan, who says, well, if you know anyone from Egypt, this typo is conclusive evidence that whoever wrote this code is Egyptian. Next up, another folder on the server served as a link shortening service of some sort that was called shorten me. And basically, the attackers would send this script long URLs, usually phishing URLs. This script would generate a very short token, add that to another link, creating a much shorter URL as it promises. Now, the attackers decided to store all of the long URLs they've submitted to the service in a database. And the database was stored on the server and I had access to everything on the server. So I could see all of the long URLs that they've submitted. And the first one that was there was apparently a test of some sort, and it mentioned the Gmail account that we have seen before. And this was apparently, again, the attackers testing out the script. But then the following entries in the database had other email addresses, real accounts, Hotmail and Gmail accounts, which I have redacted in this case, but looking them up led me to the real identity of the individuals behind them. And I was able to identify more than 30 targets that received those phishing links or that were targeted by this attack.
And all of those targets were lawyers, journalists, professors, NGO members and prominent figures from Egypt. And while I do not know if those attacks were successful and if their accounts were compromised, again, it could just mean that they were targeted and received those links but not really clicked them or were a victim of the actual attacks. I do know that some of the victims I was able to identify in this list were arrested months later for criticizing the Egyptian authorities. And the remaining folders in the server were devoted to setting up phishing apps or third-party applications like the ones that were seen in the Amnesty International report. So again, the attackers would set up those third-party applications and send links to the victims and in return gain access to everything in their accounts. And we saw such an app for Outlook that was set up back in 2018. And again, you can see it requesting crazy permissions for the victim's inbox or email. And there were also two other applications, and in this case, they were targeting Google Drive. So again, we also see a shift of the attackers not just trying to monitor messages or emails but also trying to see which files are stored potentially on the victim's drives. And in Gmail, clicking the third-party application's name would show you information about its developer, and clicking both of these names showed the same Gmail account was used to create both of those applications, the same account we have seen before. But this screenshot also shows that the apps are supposed to redirect the victim after they grant them the permission to a website called drivebackup.co. And this website wasn't known anywhere else before, it wasn't seen in a malicious context whatsoever. And when I saw it in the configuration files of those third-party applications and I tried to access it, once again, it was down.
And while I was trying not to get frustrated again and find out more things about this website, I came across an interesting finding. An Android application that was submitted to VirusTotal and that communicated with this website, drivebackup.co. So the plot thickens. And just in case you're lost at this point, let's recap what we've done so far. So we've started out with an old infrastructure that led us to a new website, MailLogin.Live, that we believe is operated by the same attackers. This website was used to store phishing applications and third-party applications that redirected to drivebackup.co, this website. And now we have an Android application in the equation contacting this website. So the question is, what the hell is this Android app and is it related to that other site? To try and answer that question, I installed the app on an Android device. And the displayed name for the app was iLoud 200%. Now, when I installed this app, it had no icon. So it looked like this. And also the file name or the APK name was v1.apk or version one. And these two things can tell us that this app is probably still in early development phases. And the app would show the user messages that their ringtone is 100% louder. Whereas in fact, it did nothing with the ringtone at all in the code. So digging a bit deeper into the code of this app, I saw that the internal name or the package name for it was iRoute, not iLoud, iRoute. And that it requested permissions for the device's internet connection, location, and to be automatically started after the device is rebooted. And what it did with those permissions is that it constantly monitored the device's location. And it did that by contacting drivebackup.co and constantly uploading the device's coordinates, local time, and battery statistics to that website.
And if the user would try to stop the application from running or stop the service that does this, it had a persistence mechanism to start over again and make sure that the device is constantly monitored and its location is known. So again, this is ideal for someone who wants to know where a device is at all times. And because it was impersonating this different service and pretending to be this ringtone app whatsoever, this started to look very, very bad. And to make matters more complicated, I saw from VirusTotal that this app was downloaded from a website called indexy.org. And going into this website, I saw that it was still there. For once, something is up, something is active. Not only that, there was also an administration panel for this app on that website. And here it was referred to as iTrack. So again, it has three names now. Now I didn't log into this panel on this website, I didn't do that. But poking around this website, I saw that the styles directory of this panel is exposed. So while I could not log in and see the data that was stored there, I could see the layout of the panel after the admins log in and which pages they get. And I saw that a Bootstrap template was used for the design of this panel. And the dist directory in this open directory was used to store the default images of the Bootstrap template, which looked like this, lovely pictures. But there was just one image in this directory that was not part of the default Bootstrap template. And it was called logo.png. And it looked like this. And seeing that, I was like, hey, I've seen that word before. And you've seen that word before. I don't know if you remember. But it was used in the credentials for the attackers' database from the open directory. So this really gave me a nice connection between the phishing apps for the emails and the mobile application, besides them both being connected to drivebackup.co.
But now indexy.org started to look very suspicious to me and I wanted to find out more information about this website. And once again, looking stuff up about indexy.org, I came across a mobile application that communicated with this website. But in this case, the mobile application was downloaded from Google's Play Store. And it was called indexy. And this indexy had more than 5,000 downloads on Google's Play Store. And while it could have been downloaded by anyone, the description of the app and also the default settings of it showed that it was mainly aimed at Egyptians. And that was the audience that it was interested in. And it was supposed to provide a service that is similar to the known TrueCaller app. So again, you would look up a phone number and you would find out the owner's name, and you would look up a name and you would find out their phone number. And to do that, it requested permissions to the user's contacts and call history. Which again, is fine if you're setting up a service that is similar to TrueCaller because you wanna improve your database and you want to have as many phone numbers as possible. What is not fine is that once again, there was an administration panel for this app on indexy.org. And once again, the styles directory was exposed. So I was able to see what was being done with that data after it is collected. And I saw that there were multiple pages in that admin panel that were storing the statistics and going through them. And basically I saw that the users' data was being monitored and inspected and there were logs of cross-country communication. So basically trying to see which user is calling someone from abroad, for how long, from which country, and what is the duration of that call and what is that phone number. And that looked bad. And so we reported that to Google and the app was taken down from Google's Play Store and it is no longer available for download. So we've been through hell and back.
We've covered a lot of things and a lot of layers for this deck, but I think we're still missing some pieces or some information. And we didn't look in depth into the indexy source code or the application's source code, and we won't, I promise. But there were some interesting things in that as well. I saw that some of the messages that this app logs were tagged with the word Shinno. And in the about section of this app, in a different window, there was another website that was mentioned, servegates.com, in addition to indexy.org. And this website, unlike the rest of the websites we have seen so far, had WHOIS information. So I was able to see who registered this website. And it was supposedly an individual from Egypt who had the last name Shinnawi. And Shinno is a very common abbreviation for that last name. And the email address that was used, or that appeared in the WHOIS information here, was used to register other websites. And one of those websites that it registered was called TXTips. And it was supposed to be this technical blog to provide developers with tips when they're using certain programming languages like, oh, if you're using MySQL, here is this bit of code for you. If you're using PHP, here's this and that. And all of the posts in this website were added by Shinno. And there was one post in this website that talked about using Google's API to maintain offline access to users' accounts. And this is the code snippet from this website, TXTips. And this is the code snippet from the open directory of the third-party phishing applications. And both of these look very, very, very similar. So again, this kind of shows us that everything is connected and really whoever wrote that code is also responsible for the code of indexy, which is related to everything else we have seen so far. But I wasn't really able to find out anything about this Shinno person or individual, or if they're really a real person to begin with.
But maybe I was asking myself the wrong questions. Maybe I shouldn't have been asking who is this person, but rather where is. Because what I forgot to mention, intentionally, is that in the admin panel of the iLoud application, there was a page that initialized the map that was supposed to collect all of the coordinates that this app got. And for that map to be initialized, it had to zoom in to a default location, to default coordinates that were hard-coded in the script. You see where it might be problematic. And those coordinates didn't just point to Egypt and they didn't just point to Cairo. They pointed to a very specific building there. And seeing that again for the first time and knowing how densely populated the city of Cairo is, I was like, well, this looks a bit weird. Like this building, this unnamed building that is walled off and surrounded by those fancy gardens. A bit suspicious. And I didn't know what this was before or if it is affiliated with the attackers. But later on we were able to find out that these are actually the headquarters of the Egyptian General Intelligence Service. So that might show us again that this attack is originating from Egypt and mainly targeting Egyptians for surveillance purposes, trying to track their emails, their location, their communications, calls. You name it. And if you think that's bad, if you think that's an invasion of people's privacy, Egypt has just started a new practice where people walking down the street can be stopped by officers, be asked to unlock their phones and be inspected to see if they were planning to participate in a protest, if they shared a post on Facebook criticizing something, or if they saw a video that they shouldn't have. So why bother building a mobile back door when you can do that, when you can inspect people's phones and exercise that power on them?
And if someone opposes that, like the woman in this video did, if you fail to comply, they're treated as badly as someone who was found with incriminating material on their phone. And if it's just, again, normal people, random people, anyone walking on the street being violated like this, it is no wonder that journalists, lawyers, and activists, people who are supposed to defend and stop those violations, it's no wonder that they're being targeted by such an attack as we have seen. And with that, thank you.

Thank you for the phenomenal talk. Thanks for taking us along on this super exciting ride. Now, we still have some time left for questions and answers. So if you have any questions, you can pile up at the microphones. First people are answering that call. So let's start with a question from microphone number one, please.

Hi. Thank you for a super inspirational presentation. So my question is that we've seen the homegrown and home-built technology has so many loopholes which you were able to find. But do you also know if the Egyptian government is also importing the tech, which might not be as simple as this, from, I don't know, European providers? And if yes, like, are you able to detect? Like, to what extent the journalists and dissidents and activists are being targeted? Thank you.

Thank you for the question. I don't think there are public records of Egypt using any imported technology or buying any offensive tool of that sort. But it really wouldn't surprise me in that case. And we've seen other countries in the Middle East doing that. Morocco, for example, recently. So it wouldn't come as a shock.

Microphone number two.

Thank you for that amazing talk. I, too, want to be you in my next life.

Welcome to my life.

Okay. Well, my question is personal. Aren't you afraid that this might backfire on you now? You have so much data and so much information in your mind and on paper.

Yeah, yeah. You know what?
I considered that and everything, especially going through this material and other research I've done in the past. But this pissed me off. Like, I thought, you know what? I'm just going to go ahead and report it and say it as is. And I'll just take the risk, I guess. Don't kill me.

Okay. Stay safe. I wholeheartedly agree with that. [applause] Microphone number one, please.

Thank you for also the amazing visuals. I really like that part. Your narrative was very long and you had exploration, how you presented it, but I'm very curious how did that feel? You mentioned being frustrated, but it, to me, sounded like a miracle that it's really, okay, that is exposed and that is exposed and I can just search through it. How did that process really feel? Did you have collaborators that also worked through it or did it go through in two days? Could you expand a bit on the process?

Definitely. Excellent question. It was absolute chaos, pun intended. Just seriously going through all of the material and everything and especially when you're going through the raw stuff, so you don't know what's interesting and what's not, what the hell is this PHP code and what's not. So I was going through everything, sometimes finding things honestly by mistake. Some of the things I found were not planned at all. And the thing that helped me most, I think, was also consulting with my colleagues. A lot of the times I'd just, like, have them come in and ask me questions and make me doubt everything I have, and then I would kind of make sure that I'm not sounding like a crazy person and also would get their confirmation that I'm on the right track as well. So that really helped.

Thank you. Microphone number two, please.

Hi, thank you for your amazing talk. This might sound like a crazy question given that you are exposing everything you've done, but while doing it, did you use any precaution like obscuring your IP address while, I don't know?

Yeah.
So yeah, everything was done on, like, a separate network for this analysis and behind a VPN and whatnot. Yeah, I tried to keep it from being tracked to myself as much as possible.

Another question for microphone number two.

Thank you also from my side. Can you talk about the victims, the targets, since you said they were identifiable by their email addresses, and did you take action to inform them or, like, deal with that information? And the second question would be, are you or your team, like, working on any guidance on how people can, like, protect themselves or stuff like that?

Yeah. So basically with regards to the victims, we've had, like I said, a list of victims, and when we've had everything and went through the technical stuff as well, we reached out to the New York Times, who then had contacts in the region and were able to even talk to some of the victims directly and make sure they know that they were targeted in that case. And as for the second part of your question, I would say that if you're someone from that region and you're working in those sensitive positions, just, like, watch out for anything that you might receive via email, via text message, watch out for your phone and just make sure you, like, watch out for those things. Sometimes, again, it's something that you unfortunately cannot avoid, especially again, if you're walking down the street and someone stops you, but just be careful, I think, is the best advice I can give in that case.

Yeah, I guess one thing that we learned from your talk is OPSEC, OPSEC, OPSEC. So microphone number two again.

Thank you. Hi. I was wondering, you mentioned the location in the application. How was it deriving the location? Was it from base station triangulation or was it switching the GPS on? Or how was it, what kind of data was it getting?

The mobile application?

Yeah.
It was accessing the device's fine location and then trying some methods, I think GPS, and if it doesn't have access to that, then other things, and uploading what it can find and the method that it was using.

Microphone number one again.

Yeah. Hi. Great talk. Thank you for that. Just a small remark. I don't believe that this buffer, puffer mistake is a thing that points to Egyptians solely, because in German the word puffer also starts with a P.

Oh.

Yeah, I also have Syrian friends who make the same mistake, so it's not exclusively Egyptian.

Yeah. I do want to say that it's, oh my God, how do I explain this without being tricky? It's an Arab mistake in general, usually like in my region, for example, it's mistaking a P for a B, but the other way around is a bit more Egyptian in that sense. So again, yeah, I do agree, not conclusive evidence, but it was a hint in a way. Thanks.

Microphone number two, please.

Hi. Thanks for the talk. Just curious, did you try to write an email to the developer?

No. I did not. I should have, maybe.

Does it give a result online with this email?

No. Yeah. So I looked it up. I tried to see if there was a Facebook account maybe associated with that email, nothing came up. It was just in the code, I think. And I think the name devde.log something just says that it's, like, supposed to be devlog or developer logs. I think that's what the name might be hinting. So it's just used for that, but no conclusive evidence.

Is there another question on microphone number two? Perfect. Move on up.

Thank you for the talk. I was thinking about sending this talk to Egyptian friends. Is it safe?

Oh, my God. Yes, no, maybe. Question mark. I am not sure. I'm not sure. I would say be careful; if they're abroad, then gladly, but be careful.

Thank you. Microphone number one.

So you've been doing a lot of work to investigate the infrastructure from a state surveillance agency.
And there are other institutions like Citizen Lab and Amnesty that do a lot of work on this and also don't always expose it. So it's ongoing.

Yeah.

Have you shared the information you have with them so they can continue their own investigations?

Yeah. We basically, my work started by looking over at the findings from Amnesty International's reports. Yeah. And we reached out to Amnesty after we've had those findings to try and cooperate, and we informed them of everything that we found on this.

Now, have we reached the end of your questions? Search your souls. Are there maybe any questions left? Because we would have another two or three minutes. Yes. Thank you. Sure, move to microphone number two. Your question, please.

Should Google have done anything better to make sure that the apps weren't uploaded to the Play Store?

Hmm. Should they have, I'm not really sure, because they do have their mechanisms to protect against it if you identify, like, malicious patterns within the apps or see malicious views right away. In this case, I think it was a bit more tricky because again, if you're somewhat providing a legitimate service, then the tricky things or the malicious stuff are being done on the server side. It's a bit harder to prevent against that. Supposedly there was even a new report about this app from the UAE called ToTok, which appeared to be completely legitimate but might have been used to gather intelligence by the UAE government. So could they have known that? I don't think so, not in advance.

Microphone number two.

You were able to look up all the WHOIS information of the registered websites. My question is, did the registrant names match and were there street addresses for the registrants? Because in the Dutch WHOIS, if they're not secured, well, there's an address to it usually.

Yeah. So basically most of the websites did not have WHOIS information.
This one specifically did, and there was, I don't think there was a street name, but there was a region name in Egypt or, like, a town name, so nothing too specific.

Are we now at the end? Any more questions? This would be your last moment. Three, two, one, no. So I thank you, all of you. Oh, there's one person. Yeah, it's like somewhat disagreeing with this marriage. Yes, you. So your last question, please.

Just came to my mind. How did you figure out the place in the map was the general intelligence agency?

Yeah. So like I said, we talked to reporters from the New York Times who had contacts in the region and were able to confirm that.

Thank you. All right. Thank you very much for all of your very interesting, enthusiastic and engaged questions. I think that showed that you all appreciated the talk as much as I did. So please give Aseel another big, warm round of applause. Thank you for the great talk.