A sophisticated hack-for-hire campaign targeting journalists and activists in the Middle East and North Africa has been uncovered, utilizing advanced spyware and infrastructure linked to a group with suspected Indian government connections. This discovery, detailed in reports released Wednesday by three collaborating cybersecurity organizations, highlights the persistent threat faced by vulnerable populations in the region.
The campaign, identified by researchers from Access Now, Lookout, and SMEX, employed infrastructure consistent with the advanced persistent threat group known as Bitter. This group has a history of targeting sectors including government, military, and critical infrastructure, primarily across South Asia. The collaboration between these organizations has shed light on the scope and methods of this espionage operation.
Spyware Campaign Exposes Hack-for-Hire Operations Targeting Middle East and North Africa
The investigation was initiated when Access Now received reports on its helpline regarding a spearphishing campaign active during 2023 and 2024. The organization collaborated with Lookout to analyze the malware involved, leading to its attribution to the Bitter group.
Lookout’s analysis concluded that the campaign was likely a hack-for-hire operation that used the Android ProSpy spyware. Meanwhile, SMEX independently investigated a spearphishing campaign directed at a prominent Lebanese journalist, discovering shared infrastructure with the attacks identified by Access Now.
Methods of the Hack-for-Hire Campaign
The operation leveraged social engineering tactics, including fake social media accounts and messaging applications, to deliver malicious links. Depending on the target’s device, these efforts could result in the deployment of Android spyware. Researchers indicated the campaign has been ongoing since at least 2022, primarily targeting members of civil society and potentially government officials in the Middle East.
One individual impacted by the campaign, independent Egyptian journalist Mostafa Al-A’sar, recounted receiving a suspicious link after discussing a job opportunity. Al-A’sar, who had previously been targeted with spyware after his 2018 arrest in Egypt, expressed concerns about his safety and the potential threat to his family, friends, and sources. He emphasized that cybersecurity is a critical necessity, not a luxury, for journalists and civil society organizations.
The Committee to Protect Journalists condemned the surveillance, with its regional director, Sara Qudah, stating that spying on journalists often precedes intimidation and attacks. Qudah called for authorities in the region to cease using technology and financial resources for surveilling journalists, highlighting the danger to their personal safety, sources, and ability to work.
Access Now stated that it did not have sufficient information to definitively attribute the attacks to a specific perpetrator. The ProSpy malware itself was previously documented by ESET last year, after observations of its use against residents of the United Arab Emirates.
The ongoing nature of such sophisticated surveillance operations necessitates continued vigilance from targeted individuals and organizations. Future reports are expected to further detail the capabilities of the Bitter group and may offer more clarity on the state actors potentially behind such hack-for-hire activities. The focus will remain on understanding the full extent of these threats and developing effective countermeasures.

