Civil society organizations, activists targeted by 2-month-long hacking campaign

Human rights organizations and activists have been subject to a sophisticated two-month-long hacking campaign, according to a report published by the Egyptian Initiative for Personal Rights (EIPR) on Thursday.

A detailed technical analysis of the hacking process was also published by Toronto University’s Citizen Lab.

The reports call the campaign mounting the attacks Nile Phish, and strongly suggest links to Egyptian authorities, highlighting that the hacks coincided with an ongoing campaign targeting rights organizations.

Phishing attempts targeted the institutional and personal accounts of employees at eight organizations, all working in human rights, including: EIPR, the Cairo Institute for Human Rights Studies, the Association for Freedom of Thought and Expression, Al-Nadeem Center for the Rehabilitation of Victims of Torture and Violence, Nazra for Feminist Studies, the Egyptian Commission for Personal Rights as well as two other organizations who wished to remain anonymous. Most of these organizations are implicated in the ongoing NGO foreign funding case.

EIPR writes that the campaign started on November 24, and continued until January when the report was prepared. It details 92 hacking attempts, all of which were phishing attacks. Phishing scams rely on tricking users into sharing their personal information through deceptive emails that require the provision of passwords, or clicking on links, etc.

The report divides the attacks into two stages, one of which aligns with increased government pressure on organizations involved in the NGO foreign funding case, including asset freezes and travel bans. During this stage, phishing techniques included the impersonation of several of these organizations. The second stage, the report writes, saw hackers impersonating Google and shipment companies.

The attacks began with an invitation, supposedly from the Al-Nadeem Center, that was sent to a number of organizations and activists inviting them to attend a meeting on the new NGO Law. “The fake invitations depended on using the same language used by Al-Nadeem and other organization, so that they appear more realistic,” the report says.

The invitation included a link at the end to register attendance. Users were told to enter their password to continue, which was then sent to the hacking institution.

Other attacks followed, as rights organizations and activists received a fake file titled “Confidential: Banned from traveling 2017,” and another titled “Confidential: National Security recruitment of NGOs 2015-2016.”

The report also notes several hacking attempts which included real reports written by these organizations, where the original links were replaced with phishing ones.

A number of NGO workers also received official warnings from Google, informing them of attempts by a government body to steal passwords of their personal accounts.

“Such warnings are never sent unless the analysis of Google’s experts have led them to an infrastructure that is most probably governmental,” the report adds.

“There is no legal ground preventing the government from carrying out phishing attacks against citizens,” the report says. The online attacks coincided with a notable escalation led by the Egyptian government to support its abilities to monitor and intercept communications collectively, as well as a huge scale blocking of online encryption tools used by individuals and private enterprises, according to a previous investigation carried out by Mada Masr.

The Egyptian government takes a traditional approach to internet use, particularly following the January 25 revolution, and has arrested the administrators of multiple Facebook groups and referred them to trial. The government is also working on a cyber crimes bill, which does not fight cyber crimes so much as it “penalizes the use of information technology,” according to the EIPR report.

A government source told Reuters that Egyptian authorities will suspend free internet services offered by Facebook in April, after the company refused to allow the government to monitor its clients in Egypt. Similarly, Google issued a statement saying describing a hacking attempt by an Egyptian company called “MCS Holdings”, which tapped into content the users see and their personal correspondence and information, and acquired confidential information.

A previous investigation by Mada Masr revealed that MCS Holdings was involved in activities related to internet monitoring in coordination with Egyptian security before January 25, 2011.


You have a right to access accurate information, be stimulated by innovative and nuanced reporting, and be moved by compelling storytelling.

Subscribe now to become part of the growing community of members who help us maintain our editorial independence.
Know more

Join us

Your support is the only way to ensure independent,
progressive journalism