(Credit: Wikimedia commons)
BEIRUT — Hacking, it seems, is everywhere. At least 20 activists, journalists, researchers, and others working on issues related to the Middle East were recently targeted by hackers “backed by the Iranian government,” US-headquartered NGO Human Rights Watch said last week.
The hackers reportedly sent phishing messages via WhatsApp to targets between Sept. 15 and Nov. 25 in an attempt to get victims to enter their email account credentials into fake login portals where they could be stolen.
Four of the 20 people targeted, and one of the individuals whose accounts were compromised, are inside Lebanon, according to Abir Ghattas, Information Security Director for Human Rights Watch.
At least three victims — a correspondent for a US newspaper, an NGO consultant, and a women’s rights activist — had sensitive data compromised in the attack, including email messages, cloud storage drives, contacts and calendars.
One of the victims in Lebanon was Nicholas Noe, an advocacy consultant for Refugees International and director of The Exchange Foundation.
Noe told L’Orient Today he received a fake conference invitation purporting to be from a local think tank. It wasn’t until HRW staff following the trail of the hackers reached out to him a couple of days later that he learned that his account had been hacked.
Noe said there were no obvious signs of an intrusion into his Google account.
“I wouldn’t have realized that they were sitting on my email, much less downloading it, but sitting on my email — I probably never would have realized it,” he said.
The hackers performed a “Google Takeout” on his account — a service that downloads a user’s history across all Google products including email, YouTube, maps, search, and dozens of other products.
The newly discovered hacking campaign is one of many attempts to steal data from journalists, researchers, and activists in Lebanon and around the world.
Pegasus
In January, HRW revealed that two mobile phones belonging to the NGO’s Beirut-based Middle East and North Africa Director Lama Fakih were infected with the sophisticated Pegasus spyware by an unknown attacker.
The spyware, which can infect phones without the victim clicking on any links or opening any files, gives the attacker complete access to the user’s data, as well as built-in tools such as cameras and microphones.
Her targeting coincided with HRW’s investigation into the Aug. 4, 2020 Beirut port explosion alongside other sensitive projects. “But there’s no way to tell if the attacks were related to my work at that time,” she has said.
Former New York Times Beirut bureau chief Ben Hubbard was also repeatedly hacked with Pegasus over a three-year period from June 2018 to June 2021, according to Toronto-based Citizen Lab, which studied his devices. During this time he was writing a book about Saudi Crown Prince Mohammed bin Salman’s rise to power.
Pegasus is developed by the Israeli NSO Group. A private company, its research staff is reportedly made up almost entirely of veterans of Israeli intelligence agencies. The New York Times has reported the Israeli government treats NSO as “a de facto arm of the state.” The government controls and is fully involved in its sale of spyware to friendly governments across the Middle East and the world.
Access to the spyware has been a key diplomatic bartering chip for the Israeli state, according to reports.
“It’s absolutely not just a company in Israel,” Ghattas told L’Orient Today. “They operate clearly with the approval and the blessing of the Israeli government.”
Following an investigation into the hacks targeting Hubbard, Citizen Lab refrained from “attributing this activity to a specific NSO Group customer” but said that the June 2018 hacking was performed by an operator “that we link to the Kingdom of Saudi Arabia with high confidence.”
In 2021, an international media collaboration coordinated by French media nonprofit Forbidden Stories analyzed a leak of 50,000 phone numbers belonging to “potential surveillance targets,” including 180 journalists across 20 countries. Presence on the list of potential targets does not confirm that a hack was actually attempted or successful.
About 300 of those phone numbers were Lebanese, according to the Lebanese partner on the project, Daraj, and included many Lebanese politicians such as Saad Hariri, Nohad al-Mashnouk, Gebran Bassil and Samir Geagea.
Away from the world of formal politics, however, the list also reportedly included Al-Akhbar editor-in-chief Ibrahim al-Amin, Al-Modon journalist Youssef Bazzi, Al Jadeed owner Tahseen Khayat, and Lebanese-French journalist Giselle Khoury.
NSO Group denied the reporting of the media collaboration, saying “the fact that a number appears on that list is in no way indicative of whether that number was selected for surveillance using Pegasus.”
Additionally, in 2020, Lebanese Al Jazeera journalist Ghada Oueiss sued Saudi crown prince Mohammed bin Salman and Emirati leader Mohammed bin Zayed Al Nahyan among numerous other defendants in a US district court, alleging that they had hacked her phone using Pegasus. In March of this year, the judge dismissed the suit for lack of jurisdiction over the defendants.
In Nov. 2021 Al-Akhbar journalist Radwan Mortada said he received warnings from Apple that his iPhone was being targeted by state-sponsored hackers. Apple issues threat notifications to its users when it suspects a state-sponsored attack. The messages came the same month that Mortada was sentenced, in absentia, to 13 months in prison for allegedly insulting the army by a Lebanese military court.
Dark Caracal
Not all cyber threats are coming from foreign governments, however. Some of them may involve actors inside Lebanon.
First publicly reported in 2018, but allegedly operating since at least 2012, Dark Caracal was a spyware campaign that primarily used phishing attacks to install malicious android applications that can help transmit private messages, photos, account data and the like to the attacker.
It also reportedly allowed the attacker to remotely operate the cameras and microphone of the compromised phone.
In their 2018 report, US-based mobile security firm Lookout and US-based digital rights group Electronic Frontier Foundation (EFF), which studied the attacks, said Dark Caracal had targeted “thousands of victims” in over 20 countries. The diverse geographic areas involved led researchers to suspect a shared infrastructure based in Lebanon was being used by multiple clients.
Among the targets were governments, militaries and corporations, as well as “activists, journalists, lawyers,” the report said. It is unclear whether the attacker is active; the last reports of alleged Dark Caracal activity date from late 2020.
EFF and Lookout reported the attacks were “believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut.”
EFF and Lookout researchers told Reuters they could not say whether the attacks were the work of General Security or a “rogue employee” but in their report said that “based on the available evidence, it is likely that [General Security] is associated with or directly supporting the actors behind Dark Caracal.”
General Security head Abbas Ibrahim denied the report via Reuters in 2018, saying “General Security does not have these type of capabilities.” He did not immediately respond to a request from L’Orient Today for additional comment.
Self defense
In a world where governments are keenly interested in the digital lives of citizens, and some citizens more than most, practicing self-defense is important.
The most important way to protect yourself, Ghattas says, is to use multi-factor authentication (MFA) on all accounts. MFA is an extra step where a user enters a code after entering a correct password to complete the login.
SMS and phone call codes are less safe than app-based codes, which are less safe than physical keys, but any technique is better than not having MFA, she said.
Noe also echoed the importance of multi-factor authentication. His Google account had used a weak form of MFA that involved selecting one number from three options on his phone’s YouTube app to match a number on the computer’s Google login screen.
Since his hack, he has strengthened his MFA across his accounts.
Long, secure and unique passwords are crucial, Ghattas said.
Another key point for Ghattas is to keep devices’ software up to date. Software updates include security patches that close vulnerabilities identified by cybercriminals and hackers. While attackers are constantly looking for new backdoors into devices, device manufacturers are constantly shutting the doors that they find.
Another important practice is data minimization — not keeping more data on a device than necessary. This reduces the impact of an infiltration and makes it less damaging.
Another self-defense strategy, Ghattas said in a conversation with digital rights NGO SMEX last week, is to confirm the identity of people you’re speaking with before opening links and downloads that they send. One way to do this is to reach out to them on a different platform to verify their identity, for instance sending an email to confirm that the WhatsApp user messaging you is the person you are expecting.
The Committee to Protect Journalists and EFF have online resources to learn more about digital safety. Lebanon-based SMEX also operates a helpdesk for at-risk users in Arabic-speaking countries.