New Citizen Lab Report: Pegasus vs Predator

A new Citizen Lab report was published yesterday, entitled “Pegasus vs Predator: Dissident’s Doubly Infected iPhone Reveals Cytrox Mercenary Spyware,” authored by Bill Marczak, John Scott-Railton, Bahr Abdul-Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, and Ron Deibert.


In this report, we detail our investigation into the hacking of the devices of two Egyptians with mercenary spyware technology.

The first – Ayman Nour – is an exiled Egyptian politician now residing in Turkey. Our investigation determined his device was simultaneously hacked earlier this year with Pegasus, the spyware made by the notorious Israel-based NSO Group, and a second piece of spyware called Predator, used by a different government client and made by a less-well-known spyware firm called Cytrox.

The targeting of a single individual with two separate spyware products used by two different government clients shows just how bad the abuse problem around mercenary surveillance technology has become.

The second individual is an exiled Egyptian journalist who chooses to remain anonymous. We determined his phone was also hacked solely with Cytrox’s Predator spyware. We attribute the hacking of the two Egyptians’ phones with medium-high confidence to the government of Egypt.

While NSO Group has received a lot of publicity in recent months, Cytrox has far less exposure outside of the governments it serves. Our report is the first to identify the company’s spyware being abused in the wild by a government client.

We also undertook network scanning for active installations of Cytrox worldwide, and are able to disclose that Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia are likely government clients.

Cytrox – part of the “Star Alliance” of surveillance firms

Our investigation also dug deeply into Cytrox’s extremely complicated corporate history, industry alliances, and registration records. We identified some of the key individuals involved in leadership and executive positions at the firm. Cytrox was reported to be part of Intellexa, the so-called “Star Alliance of spyware,” which was formed to compete with NSO Group. Intellexa describes itself with pride as “EU-based and regulated, with six sites and R&D labs throughout Europe.” That may turn out to be a problem for them.

Digging through these arrangements was like entering into a dark labyrinth of sketchy individuals dodged by various legal improprieties and dubious private intelligence and mercenary surveillance companies spread across several state jurisdictions.

These types of ownership obfuscation techniques – similar to those used by plutocrats and money launderers – make investigation, regulation, and public accountability efforts challenging. We should expect to see these techniques more widely practiced as the heat is turned up on the spyware industry (more on that below).

Vulnerability Disclosure and Meta (Facebook) Enforcement

In accordance with the Citizen Lab’s vulnerability disclosure policy, we shared Predator artefacts with Apple and they confirmed they are investigating. As substantial Predator targeting took place through WhatsApp, the Citizen Lab also shared artefacts with Meta’s security team (WhatsApp’s owners, and formerly known as Facebook).

We are happy to say that our report’s publication is co-timed with Meta’s announcement that it is taking extensive enforcement action against Cytrox, including removal of about 300 Facebook pages and Instagram accounts linked to the firm. Meta is also publishing detailed technical indicators linked to Cytrox’s operations, which greatly assists future efforts of security researchers.

Meta’s security team’s investigation also corroborates the Citizen Lab’s identification of Cytrox customers in Egypt, Armenia, Greece, Saudi Arabia, and Oman, and they add Colombia, Côte d’Ivoire, Vietnam, Philippines, and Germany (Germany!) to the list of other government clients. Meta also confirms abusive worldwide targeting of civil society by Cytrox’s customers. Looking at the list of them, it is no wonder.

In the absence of regulations to the contrary, despotic regimes and other illiberal government agencies will use surveillance technology to go after anyone that is construed as a threat to their malicious aims.

The Mercenary Spyware Industry

NSO Group is definitely on the ropes and wobbling badly…and deservedly so. But our latest report should remind us that the problems around mercenary spyware go well beyond a single company. As one goes down, others will bounce up to make a buck. Rebranding is also always a possibility for an industry that thrives in the shadows and employs many of the same corporate shell games as do the despots and dictators they serve.

This report shows that digital accountability researchers at the Citizen Lab, Amnesty International, and numerous threat teams – working alongside many NGO and investigative journalist partners worldwide – are collectively getting better at tracking and exposing these firms’ malfeasances. Sharing of indicators and other information is getting better too.

However, to avoid playing a constant game of “whack-a-mole”, we need governments to step up and act to control what has effectively become a kind of globally distributed “despotism-as-a-service.”

Fortunately, some government officials appear to be waking up to the threat, and are carving a regulatory path forward:

  • On 3 November 2021, the United State Department of Commerce announced that it was putting NSO Group, Candiru (another mercenary company Citizen Lab has reported on) and other spyware firms on its designated “entity list” for malicious cyber activities.
  • As part of the “Democracy Summit,” on 10 December 2021 the governments of  Australia, Denmark, Norway, and the United States announced a new export control and human rights initiative, noting that authoritarian governments “are using surveillance tools and other related technologies in connection with serious human rights abuses, both within their countries and across international borders.”
  • Last week, the head of GCHQ, Sir Jeremy Fleming, said that the UK government had spyware firms like NSO Group “under close review,” and that their sales were “completely beyond the pale”, adding, “countries or companies that promulgate [spyware technology] in an unconstrained way like that are damaging and should not be tolerated.”
  • And just yesterday, 15 December 2021, a group of U.S. lawmakers, led by Senator Ron Wyden and Representative Adam Schiff, sent a letter to the United States Secretary of the Treasury and the Secretary of State advocating that executives at NSO Group and several others surveillance firms should be sanctioned under the Global Magnitsky Act. That would be a very big problem for those executives: bank accounts frozen, travel disrupted, etc. The lawmaker’s letter specifically highlights the research of the Citizen Lab and our colleagues at Amnesty International.

Now, let’s see if other liberal democratic governments follow suit. (I’m looking at you, Canada).

Read the full report here:

Read about Meta’s Enforcement Action:

News Coverage

P.S. A final comment: this year (2021) mark’s the 20th anniversary of the founding of the Citizen Lab. We haven’t marked the occasion in any special way because we are all more interested in the future than past accomplishments. However, I’m very proud of what we have achieved over the last two decades together, and I feel very lucky to have been surrounded by so many accomplished and ethical researchers over the years.

Now, onto the next twenty!

Introducing QUANTUM-as-a-Service

Imagine that your device could be silently commandeered and used to spy on you simply because you surfed the web. No need for anyone to have possession of it and physically install something. No need to trick you into downloading spyware, clicking on a malicious link, or entering your credentials into a phony login page.  Attackers just wait for you to visit any unencrypted website (http rather than https, that is) and — boom — you’re owned.

Now imagine this capability was commercialized and available for sale to operators all over the world…

Imagine no more.

In a new Citizen Lab report, titled Bad Traffic, we present our discovery of how operators appear to use technology manufactured by a company called Sandvine (formerly Procera) to help deliver exactly this type of nation-state malware in Turkey and Syria. Bizarrely, we also discovered that the same Sandvine technology was configured by operators apparently to commandeer unwitting Internet users in Egypt, but not to spy on them. Instead, there we found user requests appeared to have been manipulated by operators to covertly raise money through online ads and cryptocurrency mining scams.

Known as “packet injection,” and undertaken by Deep Packet Inspection (DPI) devices, the techniques we uncovered at work in Turkey and Egypt are similar to those revealed in the Edward Snowden disclosures, codenamed “QUANTUM.” QUANTUM attacks are considered among the most powerful weapons in the NSA’s (and its Five Eyes allies’) toolkit. One was reportedly employed by the UK’s GCHQ to get inside the computers of Belgium’s largest telco, Belgacom, by redirecting senior Belgacom technicians to fake Linkedin pages where their computers were silently infected with malware.  As the Belgacom operation demonstrates, QUANTUM attacks typically involve two components: a first, where packets are injected into Internet requests; and a second, in which a separate server controlled by the attackers (codenamed FOXACID by the NSA) injects spyware (Figure 1).  We found Sandvine Packetlogic devices were being used by operators to perform the first component, with spyware of the operator’s choice (presumably Turkish authorities) involved in the second.

Figure 1: Top Secret NSA Slide QUANTUM INSERT Diagrams

Pulling off a QUANTUM attack is relatively simple if you control the network of a group of users. Computer scientist Nick Weaver demonstrated a QUANTUM attack at our 2015 Citizen Lab Summer Institute. However, to be able to execute QUANTUM attacks at the national scale requires control or cooperation of a major telecommunications provider, something only national governments can practically do.  

In another Snowden disclosure, Canada’s spy agency, CSE, noted in a top-secret presentation that “it’s no lie, quantum is cool,” but then added “it’s easy to find.” Well, maybe for them. For researchers like us, it’s not so easy. Our report is the first case where nation-state spyware injection has been empirically documented “in the wild.” Credit goes to the Citizen Lab’s Bill Marczak, whose remarkable detective work included scanning every one of the billions of IPv4 addresses on the Internet to search for the unique fingerprint he developed for Sandvine’s PacketLogic device. We also verified the fingerprint in a laboratory setting using a second-hand PacketLogic device we purchased. Marczak’s sleuthing identified spyware injection targeting Türk Telekom subscribers in at least five provinces in Turkey, and hundreds of users across the border in Syria who were receiving their Internet access through WiFi connection points leased from Türk Telekom. The same methods helped uncover the Egyptian mass injections for profit scheme, which we have dubbed “AdHose”.

Figure 2: AdHose Packet Injection Diagram 

One imagines that the NSA, GCHQ, and their allies spent many years and considerable scientific and financial resources developing QUANTUM capabilities in house. Today, commercial DPI technology combined with spyware in the ways we have documented allows a government to simply order them up.  With QUANTUM-as-a-Service, many more governments will now be playing in the Five Eyes’ league  — governments like Turkey and Egypt, which Human Rights Watch describes respectively as “the world leader in jailing journalists and media workers,” and “continuing near-absolute impunity for abuses by security forces under the pretext of fighting ‘terrorism.’”

The prospect of QUANTUM capabilities being sold “off-the-shelf” to any government or government-controlled telco should give everyone pause, especially because the type of DPI sold by companies like Sandvine, as presently advertized, falls through the regulatory cracks. It is classic “dual-use” technology, marketed as benign-sounding “quality of service” or “quality of experience” functionality: helping Internet Service Providers manage network traffic, speed up the delivery of videos for higher-paying clients, and block forbidden applications. The 51 member-state, dual-use technology Wassenaar Arrangement targets “IP network communications surveillance” items for export controls, but specifically exempts “quality of service” and “quality of experience” systems. However, as our report shows, Sandvine’s technology (which appears at present to fall under this exemption) can also surreptitiously redirect users to sophisticated spyware, or permit the hijacking of browsers to mine cryptocurrency for profit. Its power is in the hands of the local operator — operators that answer to autocratic rulers like Turkey’s Erdogan or Egypt’s el-Sisi.

It is worth noting that Sandvine is owned by Francisco Partners, the same investment group that also happens to own Israeli spyware vendor NSO Group, another company whose misused services have been the subject of numerous Citizen Lab reports.  In response to our letters to these companies, Sandvine and Francisco Partners both claimed that they have stringent business ethics and other internal checks to prevent abuse of their services. Not good enough checks, it seems.

Until its acquisition by Francisco Partners last year, and its subsequent combination with Procera, Sandvine was headquartered in Waterloo, Canada. At the time of the proposed sale, I argued that the takeover warranted closer scrutiny by the federal government. In light of Citizen Lab’s report, I wonder if anything will be done by relevant authorities in Canada and the United States? Targeted injection of spyware at the nation-state level represents a major public safety risk, and technologies that facilitate such injection should be regulated accordingly.

While we wait for governments to act, there’s more that can be done right now to protect users. Properly encrypting websites by default would certainly frustrate these sorts of attacks. However, Google and Firefox stats show around 20-30% of all websites are still not encrypted by default. That needs to change.

Until such time, keep an eye out for the headers of the websites you visit. If it reads “http” without the “s”, and there’s no little lock icon up in the address bar that says “secure,” you too may be vulnerable to this type of attack.

The Easy and Affordable Way to Undertake Cyber Espionage

I am pleased to announce a new Citizen Lab report, entitled “Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society,” authored by the Citizen Lab’s John Scott-Railton, Bill Marczak, and Etienne Maynier, in collaboration with Ramy Raoof of the Egyptian Initiative for Personal Rights.

The full report is here:

When most of us think of state cyber espionage, what likely comes to mind are extraordinary technological capabilities: rare un-patched software vulnerabilities discovered by teams of highly skilled operators, or services purchased for millions from shadowy “cyber warfare” companies.  To be sure, some cyber espionage fits this description, as any perusal through the Snowden disclosures or our recent “Million Dollar Dissident” report will show. But not all of them do.  More often than not, cyber espionage can be surprisingly low-tech and inexpensive, and yet no less effective, than the glitzy stereotypes.

The Egyptian “Nile Phish” campaign is a case in point.

An authoritarian country racked with domestic insecurity and political turmoil, the Egyptian government has mounted a growing crackdown on civil society.  Part of that crackdown involves investigations of alleged “foreign funding” of Egyptian NGOs — known within Egypt as “Case 173.”

Beginning in November 2016, Egyptian NGOs and their staff under Case 173 investigation simultaneously began receiving identical, legitimate looking emails in their inboxes.  Fortunately, technical staff at one such NGO, the Egyptian Initiative for Personal Rights, suspected something wasn’t right, and reached out to us at the Citizen Lab for further investigation.

With EIPR’s assistance, we began analyzing the suspicious emails and discretely contacting other Egyptian organizations and individuals who received them.  What we discovered was an elaborate, coordinated, and multi-phased “phishing” campaign in which legitimate looking emails are sent to unsuspecting users in an attempt to trick them into entering their passwords into fraudulent websites controlled by the operators.

If this type of activity sounds familiar, it is because phishing is widely used as a tactic in the world of everyday cyber crime.  Just yesterday, I received a warning from the University of Toronto’s IT support unit about a malicious email sent to faculty and staff with a notice about a non-existent “Campus Security Notification.”  It may also sound familiar because it was precisely this type of phishing tactic that Russian hackers used to compromise the gmail account of the chairman of the 2016 Hillary Clinton campaign, John Podesta (illustrating the principle that even Great Powers sometimes pick cheap seats as long as it gets them where they want to go).

In the case of #NilePhish, Egyptian NGOs and individuals received emails with an invitation to attend a workshop about Case 173.  The operators used language from a real NGO statement that had been circulating among the community, and included as co-sponsors some of the very NGOs that were targeted.  A second wave of phishing emails included what purported to be a list of individuals subject to a travel ban under Case 173 (who among Egyptian civil society wouldn’t be tempted to check if they were included on that list?).  Alongside these carefully crafted emails — and seemingly just to mix things up — generic phishing attempts were sent with email security or fake courier delivery notifications.

Led by John Scott Railton, our team analyzed the emails and the server infrastructure in detail.  Dozens of fake but legitimate sounding domains were used by the operators to host websites that appeared to be Dropbox login pages or Gmail “failed login” warning messages.  Emails were sent from addresses like fedex_tracking[@] and dropbox.notfication[@]

Because of mistakes made on the part of the attackers, and our team’s use of multiple data sources and methods that are outlined in the report, we were able to eventually link more than 90 messages sent to seven NGOs and individuals as part of a single concerted campaign.  While we were unable to definitively attribute the campaign to an Egyptian government agency, strong circumstantial evidence exists that support it.  For example, we observed phishing against the colleagues of the Egyptian lawyer Azza Soliman, within hours of her arrest in December 2016. The phishing claimed to be a copy of her arrest warrant.  It is highly unlikely a random cyber criminal would be privy to such details, but quite likely someone connected to her arrest is.

Phishing may be an example of “poor man’s” cyber espionage, but the reason it’s used by everyone from Ukrainian securities fraudsters to Russian hackers to para-state groups is because it works.   From a government perspective, why bother with expensive wire transfers, complicated end user license agreements, third party resellers, and export controls, when a handful of cleverly constructed emails and websites will do the job?

The flip side is that there are cheap and easy ways to defend against phishing: users can be educated not to click on links or open emails that look legitimate and to spot giveaways of their malicious nature; tech companies can put in place two-factor authentication for access to their services by default; and NGOs can employ dedicated technologists who can manage their networks and alert their staff to the latest alerts.

Fortunately for Egyptian civil society, EIPR is just such an organization.

#NilePhish is ongoing, and we strongly suspect that there may be other targets of this campaign we have not yet identified.  We hope that the detailed indicators we are publishing can be used by systems administrators and others to find more evidence of targeting and alert potential victims.

Read the full report here:

Read EIPR’s report on #NilePhish in Arabic: