Hacking – Informed Comment (https://www.juancole.com): Thoughts on the Middle East, History and Religion. Feed last built Sat, 21 Sep 2024 17:32:17 +0000.

From Stuxnet to Gospel to Pager Bombs, Israel is leading the Weaponization of the digital World
https://www.juancole.com/2024/09/stuxnet-leading-weaponization.html
Sat, 21 Sep 2024 04:02:00 +0000
By Ibrahim Al-Marashi

( The National ) – A series of pager explosions across Lebanon, and secondary attacks on walkie-talkies the following day, have killed and maimed a number of Hezbollah operatives, as well as many civilians, including children. The attacks have also injured thousands, including Iran’s ambassador to Beirut.

Israel normally does not claim responsibility for attacks on foreign soil – and it did not do so in this case either – but Defence Minister Yoav Gallant gave strong indications in a speech on Wednesday of Mossad’s role in the sabotage.

Mr Gallant also said that Israel, which has been battling Hamas in Gaza for almost a year, was opening a new phase in the war. “The centre of gravity is shifting northward, meaning that we are increasingly diverting forces, resources and energy towards the north,” he added.

The Lebanon attacks demonstrate Israel’s ability to strike from a distance, establishing a form of deterrence, while claiming plausible deniability, and avoiding a US rebuke at a time when Washington is pressuring Prime Minister Benjamin Netanyahu not to strike Hezbollah. Nevertheless, the Lebanese group does have the ability to weaponise the digital, raising the possibility of violent non-state actors retaliating against their adversaries and taking digital warfare into the realm of AI across the Middle East.


Notwithstanding the vague allusions to the attacks over the past couple of days, historical precedent does demonstrate that weaponising communications is a modus operandi of the Israeli state.


In 1972, in retaliation for the killing of 11 Israeli athletes at the Munich Olympics, Mossad operatives detonated an explosive in the phone of the Palestinian official Mahmoud Hamshari in his Paris apartment. While that telephone was an analogue device, the digital revolution made long-distance assassinations easier for Israel. Another telephone was weaponised in 1996, when Shin Bet, Israel’s internal security agency, targeted the Hamas bombmaker Yahya Ayyash’s Motorola Alpha mobile phone. Working with a Palestinian collaborator, Shin Bet placed 50 grams of explosives in the device, enough to kill him when he held the phone to his ear.

The recent deaths in Lebanon are the epitome of the postmodern, a product of the digital culture of the easy-edit, a time when science and technology allow us to change and manipulate information easily through code, making distances relatively obsolete.


The book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon refers to Israel’s ability to destroy parts of Iran’s Natanz nuclear facility in 2010 with malicious code known as Stuxnet. This code, carried into the plant on USB drives, manipulated the speed of the uranium-enrichment centrifuges until they damaged themselves.

In 1981, by contrast, Israeli F-15 and F-16 aircraft had to fly long distances, refuel in mid-air and drop bombs on Iraq’s Osirak nuclear facility to destroy it, with some even missing their target. Israeli pilots risked being shot down or even crashing, which almost happened when the planes narrowly missed telephone wires on the way to their target outside Baghdad.

Stuxnet did not put any Israeli operatives at risk when they sought to target Iran’s nuclear facility. The code, unlike a conventional bomb, could be easily edited, put onto a USB drive, travel a far distance, achieve its objective, and give Israeli deniability.


“Cyberwar,” Digital, Dream / Dreamland v3 / Clip2Comic, 2024

Notwithstanding the technological sophistication required and the difficulty of tampering with thousands of communications devices, Israel over the past two days was able to strike targets all over Lebanon, and even in neighbouring Syria, with relative ease, in that none of its operatives had to be present to target individuals. It was assassination by remote control.

Establishing deterrence is based on signalling and demonstrating the ability to inflict hurt on an adversary. While the death toll is relatively low, Israel has been able to warn Hezbollah that its members are not safe anywhere in their country, without having to violate the sovereignty of Lebanon.

Tragically, it has also had another effect, in that it has disrupted the civilians’ ontological security, meaning the mental state derived from a sense of order and continuity, even banality of everyday life. Even medical workers in the country use pagers due to electrical outages, and every citizen is bound to be left wondering if their mobile phone has been weaponised.

Deterrence cannot be measured, however, and instead of Israel having deterred Hezbollah, the group will be under pressure to save face by striking back. Israel should have learnt a lesson from when it introduced drone technology to the region in the 1970s, which only led to its proliferation among its adversaries, including the Houthis, who struck Israel directly with a long-distance drone in July.

Israel was the first to use drones in the Middle East in 1973 and had a monopoly on them in the region. But as Rami Khouri, the American University of Beirut professor, once told Peter W Singer, the world’s foremost expert on drones: “The response to drones is to get your own drones. They are just tools of war. Every tool generates a counterreaction.” Indeed, in 2024 Hezbollah released video shot by its drones over Israeli territory, reaching as far as the city of Haifa.

While it is uncertain if AI-enabled drones have ever been used, Israel did use an AI programme named Gospel to generate targets for its military campaign in Gaza.

With the digital domain having been weaponised, Hezbollah will feel the need to retaliate. The retaliation, however, is unlikely to be a brute rocket or missile strike that Israel can intercept. The group might play the long game of scoring its own digital victory, perhaps pursuing its own weaponisation of AI to achieve this goal.

Reprinted from The National with the author’s permission.

Pegasus: The Zero-Click Threat to Democracy and Human Rights from Israel
https://www.juancole.com/2024/06/pegasus-threat-democracy.html
Fri, 07 Jun 2024 04:15:11 +0000

Munich, Germany (Special to Informed Comment; Feature) –– Pegasus, the main cyber-surveillance weapon developed by the Israeli company NSO Group, had been at the center of formidable reporting before July 2021. Still, the revelations presented by the Pegasus Project partners in a cascade of articles that began on July 18, 2021, represented a watershed moment.

The Pegasus Project was a working group of international investigative journalists that incorporated 17 media organizations. The project included publications such as the Belgian Le Soir, the Indian The Wire, and the Mexican Proceso alongside bigger media organizations such as The Guardian, Die Zeit, or The Washington Post. Starting on publication day, the 17 media partners released in a synchronized way their reporting on the use of Pegasus to hack into the mobile phones of human rights defenders, journalists, lawyers, and politicians across the globe.

The Pegasus Project ended up involving around 800 journalists. However, it would never have been possible without an initial, individual decision. The one taken by a source whose identity, to this day, is only known by a very few. The source leaked a list of 50,000 phone numbers that had been targeted for hacking through Pegasus.

Before the Pegasus Project became a reality, there was a core group of only four people. The team consisted of two Amnesty International cybersecurity experts, Claudio Guarnieri and Donncha Ó Cearbhaill, and two journalists, Laurent Richard and Sandrine Rigaud, the founder and editor, respectively, of the non-profit media organization Forbidden Stories, based in Paris. It was Forbidden Stories that received the list with 50,000 phone numbers targeted by Pegasus. Richard and Rigaud explain the story of the Pegasus Project in their book “Pegasus: The Secret Technology That Threatens the End of Privacy and Democracy.”

In the beginning, the reporters’ main task was to corroborate, thanks to the technical expertise of Guarnieri and Ó Cearbhaill, that the list they had received truly included targeted people. They initially did so by matching some phone numbers in the leaked list with journalists who had collaborated with Forbidden Stories in the past and were on the reporters’ phone contact lists.

Richard and Rigaud reached out to the journalists suspected of having been attacked, asking whether they would agree to have their mobile phones remotely scanned by the Amnesty International cybersecurity experts. Some of them also sent their mobile phones for forensic analysis.

Guarnieri and Ó Cearbhaill started to discover signs of attempted or successful infection in the devices. Those who turned over their mobile phones at this early stage, brave people such as the Azerbaijani journalist Khadija Ismayilova, spied on by her own government, were fundamental to the success of the investigation.

The investigative effort had to be carried out in the utmost secrecy. This required obvious measures such as keeping mobile phones away from work-related conversations or continuous scans to guarantee that the mobile phones of those involved in the investigation had not been compromised. But it also implied very complicated equilibria, such as approaching suspected targets and convincing them to hand over their mobile phones while sharing little information about the ongoing journalistic investigation.

Previous personal acquaintances helped create the relationships of trust needed for the targeted people to feel confident enough to part with their mobile phones and the personal information contained there. Here, the success of Forbidden Stories and the partners it later incorporated was all the more impressive against the background of the ongoing COVID-19 pandemic, which limited international travel and face-to-face interactions.

After consulting with the German journalist Bastian Obermayer, who, together with Frederik Obermaier, had been responsible for the Panama Papers investigation, Richard and Rigaud carefully expanded the circle of people involved in the Pegasus reporting. Forbidden Stories brought four partner media organizations onto the project – Le Monde, Die Zeit, Süddeutsche Zeitung, and The Washington Post.

With this decision, the risk of NSO getting wind of the investigation and introducing changes in its Pegasus attacks – something that would have greatly complicated the work of the Amnesty International forensic team – expanded exponentially. But so did the capacity to establish the names behind the 50,000 phone numbers on the list and gain access to new targeted mobile phones for further analysis. After a period of successful cooperation with these four media organizations, and as the intended publication day approached, the Pegasus Project grew to the final 17 partners.


Laurent Richard and Sandrine Rigaud, Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy. New York: Henry Holt & Co., 2024.

With the help of these partner media organizations, the Amnesty International cybersecurity experts received a constant flow of mobile phones that helped them better understand how Pegasus operated. Guarnieri and Ó Cearbhaill progressively developed their own forensic tools to detect Pegasus infections with growing accuracy and detail, tools Amnesty published alongside the project as the open-source Mobile Verification Toolkit (MVT). In the book, Richard and Rigaud succeed in making understandable the highly complex procedures involved in hacking a mobile phone as well as in detecting these infections.

What the Amnesty International forensic investigation showed was that WhatsApp and SMS messages were two of the easiest and most common avenues for gaining access to the targeted mobile phones, but not the only ones. NSO had also developed so-called “zero-click” attacks, delivered through messaging services such as Apple’s iMessage, that did not need the targeted person to click on a fake message for the hacking to succeed. Once inside the mobile phone, the attackers using Pegasus had access to any information contained in the device. The mobile phone’s microphone and camera could also be activated to capture everything within their range.

As the investigation would reveal, Pegasus was in the hands of governmental agencies in dictatorships such as the United Arab Emirates, Saudi Arabia, Morocco, or Azerbaijan, as well as illiberal democracies such as Hungary and India. The most prolific user was Mexico, where Pegasus was deployed against drug traffickers and critical journalists alike. Among the targets of Pegasus were members of the closest entourage of the Saudi journalist Jamal Khashoggi, murdered in the Saudi consulate in Istanbul in October 2018, and the French President Emmanuel Macron, selected as a target by Morocco according to the reporting.

But these famous names were only the tip of the iceberg, with at least hundreds of human rights advocates, journalists, and lawyers being targeted. The Pegasus Project investigation directly contradicted NSO’s long-standing claim that its star cyber-surveillance product, Pegasus, was being deployed by trusted governmental agencies only to prosecute criminals and terrorists and guarantee global security. Before the Pegasus Project revelations, NSO had maintained that misuse of Pegasus immediately led to the violating agency losing access to it. The magnitude of the Pegasus Project revelations put this lie to rest.

In their book, Richard and Rigaud provide an interesting portrait of Shalev Hulio and Omri Lavie, who, together with Niv Karmi – the “N” in NSO Group – founded the self-styled cybersecurity company in 2010. Niv Karmi would leave NSO only one month after its foundation. In “Pegasus”, Hulio and Lavie emerge as perfect examples of the dangers inherent in letting profit maximization trump any ethical concern.

What the book leaves relatively unexplored are the strong ties between the Israeli government and NSO. As an Israeli company, NSO’s technology exports have to be approved by the Israeli government. This is something common to many other countries with a powerful weapons industry, which similarly have little compunction about selling their technology to serial human rights violators.

But the connections between the Israeli government and NSO go further than this. As Ronen Bergman and Mark Mazzetti from The New York Times documented, “sales of Pegasus played an unseen but critical role in securing the support of Arab nations in Israel’s campaign against Iran and even in negotiating the Abraham Accords.”[1] After the agreement in September 2020, Israel established diplomatic relations with the UAE and Bahrain.

In his acclaimed 2023 book “The Palestine Laboratory: How Israel Exports the Technology of Occupation around the World”, journalist Antony Loewenstein explains how both the Gaza Strip and the West Bank have served as a display room for the effects of Israeli weapons. These weapons are then exported worldwide securing significant revenue and influence for Israel.

Despite the efforts to keep up the appearance of a clear-cut division between the public and the private realms, Israeli cyber-arms firms, as well as traditional weapons companies, “act as an extension of Israel’s foreign policy agenda, supporting its goals and pro-occupation ideology.”[2]

In his book, Loewenstein explains that in 2020 Saudi Crown Prince Mohammed Bin Salman called the Israeli Prime Minister Benjamin Netanyahu after his defence ministry had decided to suspend the licensing of Pegasus to the Saudi kingdom. Around that time, reports had emerged connecting Pegasus with the killing of Jamal Khashoggi, which shed a bad light on NSO and the Israeli government. Netanyahu, for whom the new Saudi-Israeli geopolitical alignment against Iran weighed more heavily than PR concerns, made sure Saudi Arabia regained access to Pegasus.

Back to Richard and Rigaud, it is no overstatement to say that their book is an incomparable opportunity to understand what serious journalism is about. If this is the case, it is not so much because of the findings the book reveals. These, after all, are accessible through the reporting of the 17 partners in the Pegasus Project and the follow-up stories by hundreds of other media organizations. The genius in “Pegasus” is to be found in the impressive description of an even more impressive process. That is, how a single leak developed into a major-scale international investigation up to the highest journalistic standards, all the while staying below the NSO’s powerful radar.

Right before publication, when the company was approached for comment about the impending revelations, NSO’s PR armor collapsed under the weight and scope of the Pegasus Project findings. Failing to engage with the content of the allegations, NSO threatened defamation lawsuits and attempted a divide-and-rule approach toward the different Pegasus Project partners. This last-ditch effort failed to prevent the 17 media organizations from pressing the publish button when the day arrived.

The revelations by the Pegasus Project had significant consequences, such as the Biden administration’s blacklisting of NSO in November 2021 by adding it to the US Commerce Department’s Entity List. NSO has kept fighting, though. After the Hamas attack against Israel on October 7, 2023, NSO attempted to have its blacklist status in the US reversed, citing the threat of Hamas and the role the Israeli company could play against it. The lobbying efforts did not succeed.

In February 2024, NSO suffered a significant defeat when a US federal court ordered it to hand over its spyware code to WhatsApp, in a lawsuit dating back to 2019 over NSO’s hacking of WhatsApp users. These successes notwithstanding, the lack of a global regulatory framework on the use of cyber-surveillance methods is a strong reason to remain concerned. As Richard and Rigaud themselves note in the epilogue to their book, “NSO might be crippled, but the technology it engineered is not.”[3]

[1] Ronen Bergman and Mark Mazzetti, “The Battle for the World’s Most Powerful Cyberweapon,” The New York Times, January 28, 2022, https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html.

[2] Antony Loewenstein, The Palestine Laboratory: How Israel Exports the Technology of Occupation around the World (London and New York: Verso, 2023), p. 59.

[3] Laurent Richard and Sandrine Rigaud, Pegasus: The Secret Technology That Threatens the End of Privacy and Democracy (London: Pan Macmillan, 2023), p. 301.

Israel’s Stalking Operation against the ICC is Mirrored in its Canary Mission attack on US Universities
https://www.juancole.com/2024/05/stalking-operation-universities.html
Thu, 30 May 2024 05:13:18 +0000

Ann Arbor (Informed Comment) – The Biden administration has signaled that it will not cooperate with a Republican-led effort to place legislative sanctions on the International Criminal Court for having requested warrants against Israeli Prime Minister Benjamin Netanyahu and Defense Minister Yoav Gallant. The move reverses a pledge by Secretary of State Antony Blinken last week to work with Congress against the ICC. Blinken has repeatedly shielded the Netanyahu government from criticism and has declined to undertake basic State Department tasks such as certifying to Congress that Israel is using US weapons in ways consistent with the Geneva Conventions. Somehow President Biden, who has been almost as bad, appears to have been persuaded that sanctioning an international court undermines US policy goals in places like Ukraine.

Netanyahu said in a forthcoming interview, “frankly I’m surprised and disappointed,” according to Politico.

I should think so. Netanyahu, who is on trial on two counts of corruption, operates rather as his namesake, the gangster Benjamin “Bugsy” Siegel did in Las Vegas, corrupting or intimidating judges and other officials. Though to be fair to Mr. Siegel, he murdered many fewer people.

The backdrop to the plan of troglodytes in Congress to harass the ICC is that Netanyahu’s government in Israel has run a decade-long campaign of spying and intimidation against the judges of the International Criminal Court, according to an investigation of The Guardian and two Israeli magazines, +972 Mag and Local Call, published by journalists Harry Davies, Bethan McKernan, Yuval Abraham, and Meron Rapoport.

It is important to point out that the same cast of cyber-bullies has run an operation against American universities under the rubric of “Canary Mission,” in coordination with the inquisitorial Ministry of Strategic Affairs, headed by the American-born Ron Dermer. So reported James Bamford in The Nation. Canary Mission smears and doxes students and professors at American universities who stand for Palestinian rights in an attempt to interfere with their careers and for the purpose of intimidating them and others into silence.

Both operations are Israeli government-inspired but aided by local agents. Despite the US federal law, FARA, which requires agents of foreign governments to register, such Israeli agents, including Canary Mission and the American Israel Public Affairs Committee, have been exempted from those requirements for political reasons.

The International Criminal Court was established by the Rome Statute, adopted in 1998, which came into effect in 2002. The judges are elected by the Assembly of States Parties, made up of the 124 states that have joined the statute. Canada, Britain, France, Denmark, Greece, Germany, the Netherlands, Norway, Sweden, Portugal, Spain, and Switzerland are among them. So the Israelis were spying on and harassing judges chosen by several NATO countries.

Mossad, Israel’s foreign intelligence service, directed an operation against Fatou Bensouda, the former prosecutor of the court, during whose tenure the court found that it had jurisdiction over the Occupied Palestinian Territories because Palestine, a non-member observer state of the United Nations, had acceded to the Rome Statute in 2015. The Guardian story alleges that Israeli operatives attempted to bribe her, showing up at her private home, to come to a different decision.

The Hill Video: “Ex-Israeli Spy Chief THREATENED ICC Top Prosecutor, Pressures Her To Drop Netanyahu Probe: Report”

Israel’s control of telecommunications in Palestine allowed it to tap into any fact-gathering calls ICC officials made to the Occupied West Bank. Israel intensively spied on Palestinian human rights NGOs sending dossiers to the ICC, using the Pegasus spyware that has so harmed journalists and activists, which was developed by a company with close ties to the Israeli government. That company, NSO Group, was placed on the US Commerce Department’s Entity List by the Biden administration in 2021. At one point, Israeli officials attempted to discredit the Palestinian NGOs working with the ICC by falsely accusing them of having terrorist links. Sound familiar?

Mossad director Yossi Cohen, a close crony of Netanyahu, appears actually to have stalked Bensouda, “turning up unannounced and subjecting her to unwanted calls,” according to Davies et al. Some of the stalking was done in New York, so perhaps the zealous New York City officials who were so concerned with students having tents on campus might open an investigation into an actual crime? Mossad also started a smear campaign against a relative of Bensouda in hopes of discrediting her, an operation that failed.

Her successor, British Prosecutor Karim Khan, said that the ICC under his tenure faced “several forms of threats and communications that could be viewed as attempts to unduly influence its activities.”

As for Canary Mission, Bamford wrote at The Nation, “Like all of Israel’s espionage and covert operations in the United States, Canary Mission’s links to Israeli intelligence—and the Mission’s American financiers—are well hidden. But as a result of a slipup on a tax form a few years ago, those links began to be revealed. And in the process was exposed the role played by one of the wealthiest families in California, headed by publicity-shy billionaire Sanford Diller, a major Trump backer who had donated $6 million to a pro-Trump political committee . . . For donations to a variety of causes, the Diller family maintains the Helen Diller Family Foundation. But in order to get a tax break, they turn the funds over to a much larger trust, the Jewish Community Federation of San Francisco, which then channels the Diller family donations. According to The Forward (formerly The Jewish Daily Forward), in 2016 the Diller Foundation donated $100,000 through the Jewish Community Federation to an obscure Israeli nonprofit called Megamot Shalom. Untraceable, off the grid, unheard of, Megamot Shalom was actually the front for Canary Mission.”

So these individuals donating to Megamot Shalom were breaking the Foreign Agents Registration Act Law, attempting to smear and blackball American professors and students on behalf of the Israeli Ministry of Strategic Affairs. There is almost certainly a RICO offense here.

These two stalking operations, of ICC judges and of American universities, are intended to allow the large scale theft of Palestinian land by Israeli squatters to proceed unhindered, and to shield Israel from the consequences of its war crimes against the Palestinians. The vicious crackdown on protesters against the genocide in Gaza in US universities is being actively connived at by the Dillers of the world. American parents should be outraged that Trumpie Zionists are conspiring to put their children in jail for having a conscience.

Attorney General Merrick Garland must look into Canary Mission and sanction its donors and agents for FARA violations, not to mention a vast conspiracy to interfere with Americans’ first amendment rights and to libel them. It is coming for our children, for God’s sake.

Iran: State-Backed Hacking of Activists, Journalists, Politicians (HRW)
https://www.juancole.com/2022/12/activists-journalists-politicians.html
Tue, 06 Dec 2022 05:04:29 +0000

Human Rights Watch – (Beirut) – Hackers backed by the Iranian government have targeted two Human Rights Watch staff members and at least 18 other high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East issues in an ongoing social engineering and credential phishing campaign, Human Rights Watch said today.

Ongoing Phishing Campaign Imperils Independent Groups

An investigation by Human Rights Watch attributed the phishing attack to an entity affiliated with the Iranian government known as APT42 and sometimes referred to as Charming Kitten. The technical analysis conducted jointly by Human Rights Watch and Amnesty International’s Security Lab identified 18 additional victims who have been targeted as part of the same campaign. The email and other sensitive data of at least three of them had been compromised: a correspondent for a major US newspaper, a women’s rights defender based in the Gulf region, and Nicholas Noe, an advocacy consultant for Refugees International based in Lebanon.

“Iran’s state-backed hackers are aggressively using sophisticated social engineering and credential harvesting tactics to access sensitive information and contacts held by Middle East-focused researchers and civil society groups,” said Abir Ghattas, information security director at Human Rights Watch. “This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region.”

For the three people whose accounts were known to be compromised, the attackers gained access to their emails, cloud storage drives, calendars, and contacts and also performed a Google Takeout, using a service that exports data from the core and additional services of a Google account.

Various security companies have reported on phishing campaigns by APT42 targeting Middle East-focused researchers, civil society groups, and dissidents. Most of them identify APT42 based on targeting patterns and technical evidence. Organizations such as Google and the cybersecurity companies Recorded Future, Proofpoint, and Mandiant have linked APT42 to Iranian authorities. Identifying and naming a threat actor helps researchers to identify, track, and link hostile cyber activity.

In October 2022, a Human Rights Watch staff member working on the Middle East and North Africa region received suspicious messages on WhatsApp from a person pretending to work for a think tank based in Lebanon, inviting them to a conference. The joint investigation revealed that the phishing links sent via WhatsApp, once clicked, directed the target to a fake login page that captured the user’s email password and authentication code. The research team investigated the infrastructure that hosted the malicious links and identified additional targets of this ongoing campaign.

Human Rights Watch and Amnesty International contacted the 18 high profile individuals identified as targets of this campaign. Fifteen of them responded and confirmed that they had received the same WhatsApp messages at some point between September 15 and November 25, 2022.

On November 23, 2022, a second Human Rights Watch staff member was also targeted. They received the same WhatsApp messages from the same number that contacted other targets.

Social engineering and phishing attempts remain key components of Iranian cyberattacks. Since 2010, Iranian operators have targeted members of foreign governments, militaries, and businesses, as well as political dissidents and human rights defenders. Over time, these attacks have become more sophisticated in the ways they execute what is known as “social engineering.”

According to Mandiant, a US-based cybersecurity company, APT42 has been responsible for several phishing attacks in Europe, the US, and the Middle East and North Africa region. On September 14, 2022, the US Treasury Department’s Office of Foreign Assets Control imposed sanctions on individuals affiliated with the group.



The investigation also revealed inadequacies in Google’s security protections to safeguard its users’ data. Individuals successfully targeted by the phishing attack told Human Rights Watch that they did not realize their Gmail accounts had been compromised or a Google Takeout had been initiated, in part because the security warnings under Google’s account activity do not push or display any permanent notification in a user’s inbox or send a push message to the Gmail app on their phone.

Google’s security activity revealed that the attackers accessed the targets’ accounts almost immediately after the compromise, and they maintained access to the accounts until the Human Rights Watch and Amnesty International research team informed them and assisted them in removing the attacker’s connected device.

Google should promptly strengthen its Gmail account security warnings to better protect journalists, human rights defenders, and its most at-risk users from attacks, Human Rights Watch said.

“In a Middle East region rife with surveillance threats for activists, it’s essential for digital security researchers to not only publish and promote findings, but also prioritize the protection of the region’s embattled activists, journalists, and civil society leaders,” Ghattas said.

Technical Analysis of the Phishing Campaign

On October 18, 2022, a Human Rights Watch staff member working on the Middle East and North Africa region received a message on WhatsApp that claimed to be from a Lebanon-based think tank and invited the recipient to a conference. The invitation used the same format as previous invitations from the think tank, indicating a sophisticated level of social engineering. The person impersonated by the threat actor group APT42 in the WhatsApp messages previously worked for the think tank.

The Human Rights Watch staff member forwarded these messages to the information security team, which confirmed they were a phishing attempt. If the person had clicked on the cutly[.]biz link, they would have been redirected to the URL https://sharefilesonline[.]live/xxxxxx/BI-File-2022.html which hosts a fake Microsoft login page.

 Screenshot of the fake login page hosted on sharefilesonline[.]live (October 2022)


The cutly[.]biz domain is a custom URL shortener deployed and managed by the attacker’s group, designed to mimic the name of the legitimate URL shortener cutt.ly.

The phishing link sent to the Human Rights Watch staff member included a random path of five characters, both lowercase letters and numbers, which represents around 6 million combinations, making it possible to enumerate all of the existing paths on the attacker’s infrastructure to find other existing links. This enumeration led to the discovery of 44 valid URLs, with many of them redirecting to a phishing page that displayed the email address of the target. The phishing pages were specifically crafted to mimic Microsoft, Google, or Yahoo login pages.

 Screenshot of a phishing page imitating the Yahoo login page (October 2022).


Further investigation showed that the phishing kit allowed the bypass of multi-factor authentication methods other than a hardware security key. Multi-factor authentication (MFA), often called two-factor authentication, or 2FA, requires a second means of authentication, in addition to a password. Common second factors include a temporary code delivered by SMS, a temporary code given by a smartphone application (such as FreeOTP or Google Authenticator), and a code generated by a Hardware Security Key (like Yubikey or Solo Key). Through different technical means, it is possible to create phishing toolkits that bypass MFA when the temporary code is delivered by SMS or by a smartphone application. It is not possible at present for a phishing kit to bypass multi-factor authentication using hardware keys.

The WhatsApp chats of those who were known to be successfully targeted reveal that the attackers were repeatedly engaging with the targets as they clicked through the phishing links. After entering their credentials on the phishing page, targets were prompted to enter a code on the 2FA bypass page, which the attackers used to gain access to their email accounts. Phishing kits with MFA bypass features have been common since at least 2018, and Amnesty International’s Security Lab has documented multiple usages of such kits against human rights defenders in 2018 and 2020.

Screenshot of the multi-factor authentication bypass page (October 2022)


Targeting of Journalists and Human Rights Defenders by APT42

In addition to the two Human Rights Watch staff members, Human Rights Watch and Amnesty International identified 18 other email accounts targeted as part of the same campaign, including six journalists.

Human Rights Watch and Amnesty International contacted all of the individuals and 15 responded. They confirmed they were all targeted with the exact same social engineering approach during the period between September 15 and November 25, 2022. Out of the 20 targets, at least three had been compromised by the threat actor. Confirming the compromise led the research team to additional information about the data exfiltration process. Human Rights Watch also supported the journalists by disconnecting the attackers from their accounts and re-securing them.

The compromise gave the attackers access to the targets’ emails, cloud storage drives, calendars, and contacts. In at least one case, the attacker synced the target’s mailbox and performed a Google Takeout, a service that exports all of an account’s activity and information including web searches, payments, travel and locations, ads clicked on, YouTube activity, and additional account information. It is the most comprehensive and intrusive method to export data in a Google account.

Google’s security activity revealed that the attackers had accessed the targets’ accounts almost immediately after the compromise and that they had access for about five days until Human Rights Watch informed the targets and helped remove the attacker’s connected device.

Screenshot of the Google Activity of one of the targets of the phishing campaign, showing a Google data request from the attackers. (October 2022).


Attribution

The Human Rights Watch Information Security team attributes these attacks with high confidence to the Iranian threat actor APT42 (also called TA453 by Proofpoint, Phosphorus by Microsoft, and Charming Kitten by ClearSky and CERTFA), based on specific technical indicators linked to the phishing attacks and on the operational infrastructure used by the attackers when accessing compromised accounts. The APT42 targets that Human Rights Watch identified all relate to the Middle East, including Iran, and one compromised account was accessed from an IP address based in Tehran (see the technical details section). Several organizations have confirmed this attribution based on their own research into related campaigns.

Many organizations, such as Google, and the cybersecurity companies Recorded Future and Proofpoint, who have investigated APT42 attacks, have concluded that APT42 operates on behalf of Iranian authorities. In September, the American cybersecurity company, Mandiant, attributed APT42’s activities to the Iranian Islamic Revolutionary Guard Corps.

 

The source code of the phishing page used against the 20 targets includes JavaScript code that is very similar to code that was used on a phishing page hosted on the domain mailer-daemon[.]net in November 2022, which was part of a phishing campaign attributed by Recorded Future to the Iranian threat actor APT42. The same code was also found on continuetogo[.]me in August 2021, which was part of a phishing campaign attributed by Google to Iranian government-backed threat actors.

Comparison of the source code of the phishing pages hosted on sharefilesonline[.]live and mailer-daemon[.]net and continuetogo[.]me.


The second Human Rights Watch staff member who was targeted on November 23, 2022, received the same WhatsApp messages from the same number that contacted other targets. The malicious link shared with the staff was hosted on mailer-daemon[.]org and the attackers used the same URL shortener (cutly[.]biz) to hide the full name of the domain.

The use of fake, uncommon, or custom URL shorteners was also seen in attacks attributed to other Iranian threat actors such as Phosphorus against Israeli and US targets in June 2022, for which they used litby[.]us.

The investigation of the attacker’s infrastructure showed that the same group registered the domain uani[.]us, a typo-squatted domain that copies an advocacy group based in the United States called United Against Nuclear Iran, which was targeted by Charming Kitten in November 2021.

All of the IP addresses used to connect to the compromised accounts belonged to the ExpressVPN (Virtual Private Network) service. Nevertheless, Human Rights Watch found one Iranian IP address, 5.160.239.XXX, that connected to one of the targets’ inboxes. This could potentially be the public IP address of the attackers’ own network, perhaps revealed after they forgot to enable their VPN before connecting.

Screenshot of the connection logged on a compromised Google account (October 2022).


One of the most notable characteristics of Iranian government-backed threat groups is their highly targeted spear-phishing, social engineering techniques, and impersonation of conference and summit organizers to build trust and rapport with their targets. In this attack, APT42 impersonated the Lebanon-based think tank to trick its targets. The organizers of the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia have been impersonated in similar ways.

The recent Mandiant report on APT42 provides more detailed information about the differences and links between the APT35 and APT42 groups, both of which Mandiant attributes to Iran’s IRGC. CERTFA, for instance, has reattributed a campaign to APT42 instead of APT35 since that publication.

Technical Details on Post-Compromise Action and Indicators of Compromise

During the investigation, Human Rights Watch supported journalists and human rights defenders who were compromised by this phishing campaign. This gave Human Rights Watch insight into the attackers’ post-compromise actions.

In at least one case, the attackers performed a Google Takeout request, a service that exports all of an account’s activity and information, including web searches, payments, travel and locations, ads clicked on, YouTube activity, and additional account information. It is the most comprehensive and intrusive method to export data in a Google account. The use of Google Takeout to extract data from a compromised account is in line with the features of the HYPERSCRAPE tool identified by the Google TAG team, although Human Rights Watch could not confirm if the tool was used based on logs to which it had access.

For several targets, the attacker synchronized the compromised mailbox to a Microsoft service in order to export the contents of the mailbox. As far as we know, this is the first time that this behavior has been reported as a post-compromise tactic used by APT42.


Google’s security activity revealed that the attackers accessed the targets’ accounts almost immediately after the compromise, and that they maintained access until we informed the targets and assisted them to remove the attacker’s connected device.

Based on Google Security logs, we identified the IP addresses used to connect to a compromised account.

We observed the same computer name connected to all of the compromised accounts: DESKTOP-F8QNCC0.

Screenshot of the computer name connected to all of the compromised accounts.

Indicators of Compromise

WhatsApp numbers used by the attackers:

  1. +1-234-312-1624
  2. +1-209-233-0560
  3. +1-804-500-1154

cutly[.]biz

hxxps://sharefilesonline[.]live/xxxxxx/BI-File-2022.html

hxxps://sharefilesonline[.]live/xxxxxx/G-check-first.html

hxxps://sharefilesonline[.]live/xxxxxx/G-transfer.html

hxxps://sharefilesonline[.]live/xxxxxx/continue.html

hxxps://sharefilesonline[.]live/xxxxxx/index.php

hxxps://mailer-daemon[.]net/file=sharing=system/xxxxxx/first.check.html

hxxp://mailer-daemon[.]org/xxxxxx/index.php

DESKTOP-F8QNCC0

5.160.239.XXX
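The indicators above are published defanged (`[.]`, `hxxp`), with the attacker's URL paths and the last octet of the Iranian IP redacted by the report. The following script, added here as an example and not part of the Human Rights Watch report, shows how a defender can refang those indicators into a watchlist and sweep proxy and account-security logs for them. The log lines are constructed for the example; the widening of the redacted `5.160.239.XXX` to a `/24` is an assumption made for matching, and the WhatsApp numbers are left out because they would not appear in such logs.

```python
"""Refang the HRW-published indicators and scan log lines for them.

Added example; not code from Human Rights Watch. The sample log lines
below are constructed for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Indicators as listed in the report; "xxxxxx" and "XXX" are the report's own redactions.
RAW_IOCS = [
    "cutly[.]biz",
    "hxxps://sharefilesonline[.]live/xxxxxx/BI-File-2022.html",
    "hxxps://mailer-daemon[.]net/file=sharing=system/xxxxxx/first.check.html",
    "hxxp://mailer-daemon[.]org/xxxxxx/index.php",
    "DESKTOP-F8QNCC0",
    "5.160.239.XXX",
]

IP_IOC_RE = re.compile(r"\d{1,3}(\.\d{1,3}){2}\.(\d{1,3}|XXX)")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator can be compared with real log data."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def build_watchlist(raw_iocs):
    """Split indicators into domains, device names and IP networks."""
    domains, devices, nets = set(), set(), []
    for ioc in map(refang, raw_iocs):
        if IP_IOC_RE.fullmatch(ioc):
            if ioc.endswith("XXX"):
                # Assumption: a redacted last octet is matched as the whole /24.
                nets.append(ip_network(ioc[:-3] + "0/24"))
            else:
                nets.append(ip_network(ioc + "/32"))
        elif "://" in ioc:
            # Only the host part of a URL is used; the report redacts the paths anyway.
            domains.add(ioc.split("://", 1)[1].split("/", 1)[0].lower())
        elif "." in ioc:
            domains.add(ioc.lower())
        else:
            devices.add(ioc.upper())
    return domains, devices, nets


def scan_line(line, watch):
    """Return (kind, value) hits for one log line; exact domain match, so cutt.ly != cutly.biz."""
    domains, devices, nets = watch
    hits = []
    for host in URL_HOST_RE.findall(line):
        host = host.lower()
        if host in domains or any(host.endswith("." + d) for d in domains):
            hits.append(("domain", host))
    for ip in IP_RE.findall(line):
        try:
            addr = ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in nets):
            hits.append(("ip", ip))
    for name in devices:
        if re.search(r"\b" + re.escape(name) + r"\b", line, re.I):
            hits.append(("device", name))
    return hits


# Constructed sample logs: a proxy log and an account-security event feed.
SAMPLE_LOGS = [
    "2022-10-18T09:12:03Z proxy user=alice url=https://cutly.biz/a1b2c GET 302",
    "2022-10-18T09:12:04Z proxy user=alice url=https://sharefilesonline.live/xxxxxx/BI-File-2022.html GET 200",
    "2022-10-20T22:41:10Z account=alice event=new_device device=DESKTOP-F8QNCC0 ip=5.160.239.17",
    "2022-10-21T08:00:00Z proxy user=bob url=https://cutt.ly/xyz GET 302",          # legitimate shortener
    "2022-10-21T08:05:00Z account=bob event=login device=LAPTOP-0001 ip=203.0.113.5",  # benign
]


def scan_logs(lines, raw_iocs=RAW_IOCS):
    """Return [(line_index, hits)] for every line that matches at least one indicator."""
    watch = build_watchlist(raw_iocs)
    return [(i, hits) for i, line in enumerate(lines) if (hits := scan_line(line, watch))]


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {hits}")
```

The domain comparison is exact (or on a subdomain boundary), which is what keeps the legitimate `cutt.ly` shortener from triggering on the look-alike `cutly.biz` indicator. A hit on the `/24` alone is weak evidence, since the report itself notes the attackers normally connected through a commercial VPN; the device-name and domain hits are the ones worth paging on.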

Via Human Rights Watch

Iranian Government Websites Go Dark; ‘Anonymous’ Hacker Collective Claims Responsibility https://www.juancole.com/2022/09/government-collective-responsibility.html Fri, 23 Sep 2022 04:04:52 +0000 https://www.juancole.com/?p=207133 By Ardeshir Tayebi | –

( RFE/RL ) – Several Iranian government and state-owned websites have been taken down by Anonymous, the international activist hacker group says, in a move of support for nationwide protests that followed the death of a 22-year-old woman following her arrest by the morality police.

The website of the Iranian presidency, the government-affiliated Fars news agency, and the forensic medical research center of Iran are among the hacked websites that are currently unavailable.

On September 20, a Twitter account purported to belong to the Anonymous group posted a video message that vowed support for the protesters and for women’s rights. “We are here and we are with you! #OpIran Engaged. Expect Us!” the message read.

“This was the last straw,” an altered voice on the video that claimed to be from Anonymous said of Mahsa Amini’s death, “the Iranian people are not alone.”

Demonstrations erupted across Iran recently over the death of Amini and the Iranian government imposed a near-total Internet shutdown on September 21 as nationwide protests continued.

NetBlocks, a London-based internet observatory group, says Iran is now subject to the most severe internet restrictions since violent November 2019 protests over the sudden rise in the price of gasoline.

The recent wave of protests has expanded to as many as 80 cities in Iran, with at least nine deaths confirmed by various sources.

Written by Ardeshir Tayebi based on an original story in Persian by RFE/RL’s Radio Farda

RFE/RL’s Radio Farda

RFE/RL’s Radio Farda breaks through government censorship to deliver accurate news and provide a platform for informed discussion and debate to audiences in Iran.

Via RFE/RL

Copyright (c)2022 RFE/RL, Inc. Used with the permission of Radio Free Europe/Radio Liberty, 1201 Connecticut Ave NW, Ste 400, Washington DC 20036.

Did the Pegasus Spyware Netanyahu used against Palestinians and gave to Saudis bring him Down? https://www.juancole.com/2022/02/pegasus-netanyahu-palestinians.html Mon, 07 Feb 2022 06:23:08 +0000 https://www.juancole.com/?p=202850 Ann Arbor (Informed Comment) – The Pegasus spyware made by the Israeli NSO company and backed by the Israeli state has been used extensively against Palestinians to keep them stateless, and former Prime Minister Binyamin Netanyahu used access to the software as an incentive for Saudi Arabia and the United Arab Emirates to improve relations with Israel.

It turns out, however, that Netanyahu has himself been given the Pegasus treatment, with his downfall due in part to Israeli police deploying the software against a witness who turned state’s evidence in the disgraced politician’s corruption trial. The Israeli newspaper Arab 48 reports that last Friday, the Jerusalem central court issued an order to the prosecution, demanding an explanation after reports surfaced that police had extracted information from the smartphone of a witness in the corruption trial without the witness’s knowledge. The prosecution has until Tuesday to reply.

The judge rejected a request by Netanyahu’s attorney that the court take up the issue on Monday. The trial will continue as usual until the prosecutor clears up the question about phone surveillance. Prosecutor Yehudit Tirosh said Thursday that a thorough investigation was being carried out.

Netanyahu’s lawyers asked the court to order the prosecution to disclose all the material gathered by the police via the Pegasus program and any other spyware in the course of their investigation of Netanyahu. Despite making the request two weeks ago, the defense still has not received a response.

Natael Bandel at Haaretz explains that Netanyahu is being tried on three counts of corruption. One of the cases, #4000, alleges that when he was prime minister, Netanyahu offered regulatory concessions to Bezeq Communications if they would make sure to give the prime minister favorable coverage at their Walla news site, which Bezeq then owned. It is the second largest news site in Israel. It is in this case that the issue of cyber-spying on a prosecution witness arose.

The witness whose phone was spied on is Shlomo Filber, whom Netanyahu had appointed director of the Ministry of Communications. He says that Netanyahu’s regulatory favors to Bezeq, which included fast-tracking a big merger, were worth hundreds of millions of dollars.

Filber abruptly resigned last spring and agreed to testify against Netanyahu. It is not clear if the ability of the police to turn Filber and have him testify for the prosecution had anything to do with their surveillance of his phone, on which they could have found incriminating evidence they used to pressure him.

Some observers are wondering if the cyber-espionage against Filber could derail the trial of Netanyahu and get him off the hook. He had earlier been said to have accepted a plea deal that would ban him from politics for several years.

The Biden administration has banned Pegasus in the United States and Apple is suing NSO for hacking iPhones. The company may go bankrupt as a result of these measures.

Netanyahu had provided Saudi Arabia with the Pegasus program, which allowed the government of Crown Prince Mohammed Bin Salman to hack the cell phone of Washington Post columnist and dissident Jamal Khashoggi, which led to his murder in the Saudi consulate in Istanbul in 2018. Business Insider reported this week that after a personal call from Bin Salman, Netanyahu reinstated the Saudi license to the software, after the Israeli Ministry of Defense had cut Riyadh off for using it on Khashoggi. So, murdering dissidents was no bar to Israel peddling the dangerous program to the most oppressive dictatorships.

Israeli intelligence used Pegasus against Palestinian human rights groups.

So after Netanyahu had deployed this nasty cyber-espionage tool against stateless Palestinians and used it to curry favor with Mr. Bone Saw in Riyadh, someone else used it to gather intelligence on his extensive corruption.

He who lives by spyware dies by spyware.

Apple Sues Israeli gov’t-backed NSO Spyware Company: “Notorious Hackers – Amoral 21st C. Mercenaries” https://www.juancole.com/2021/11/spyware-notorious-mercenaries.html Wed, 24 Nov 2021 06:15:55 +0000 https://www.juancole.com/?p=201417 Ann Arbor (Informed Comment) – Apple is suing the NSO group, which produced the spyware that Israel uses to keep under surveillance the 5 million Palestinians it holds in thrall to its Occupation. The NSO group is believed to be close to the Israeli state. It has sold its hacking tools to repressive governments around the world, which have used them to hack into iPhones and Android smartphones to destroy the lives of democracy activists and dissidents.

The BBC points out that Apple takes pride in the privacy it provides to users, and alleges that it has been in a constant race with NSO to close off vulnerabilities, as the Israeli hackers constantly developed new exploits. NSO spyware can vacuum up all the data on a person’s phone, turn on the microphone and camera and, well, spy on them.

The Biden administration in early November banned NSO from the U.S. for “malicious cyber-activities.” Israeli government attempts to intervene with Biden to reverse the decision have been rebuffed.

NSO is an example of the way the Israeli occupation of the stateless Palestinians generates tools and techniques that then are sold or adopted abroad for use on human rights activists around the world, including on American citizens.

In its lawsuit, filed in US District Court for the Northern District of California, Apple alleged of the Israeli-backed NSO:

    “Defendants are notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse. They design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple. For their own commercial gain, they enable their customers to abuse those products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens.”

The US Commerce Department seems to agree with this characterization, saying of NSO that it

    “developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.”

There appears to have been an uptick in NSO-backed hacking in 2021. Apple alleged in its complaint,

    “Because of Apple’s investment in, and longstanding commitment to, product security and privacy, there is critical need for the company’s products around the world. There are 1.65 billion active Apple devices worldwide, consisting of over a billion iPhones and hundreds of millions of other active Apple devices such as Mac, iPad, and Apple Watch. This action seeks redress for Defendants’ multiple violations of federal and state law arising out of their egregious, deliberate, and concerted efforts in 2021 to target and attack Apple customers, Apple products and servers and Apple through dangerous malware and spyware that Defendants develop, distribute to third parties, and use (or assist others in using) to cause serious harm to Apple’s users and Apple.”

The consequences for human rights workers of NSO’s malware have often been fatal.

An investigation by The Guardian demonstrated that the Saudi government used NSO spyware to hack into the phones of dissident Washington Post columnist Jamal Khashoggi and his friends and family. On the basis of what the Saudi secret police learned about his activities, they lured him to the Istanbul consulate where they strangled him to death on October 3, 2018, and then cut up his corpse with a bone saw to smuggle it in pieces out of the consulate.

Citizen Lab in Toronto found that the 6 Palestinian human rights organizations recently branded “terrorists” by the Israeli state were under NSO surveillance. European governments have slammed the Israeli charges against these organizations as false. Some observers believe that the surveillance was about to be revealed, leading the Israelis to attempt to distract the world with its outrageous charges against human rights workers.

In 2017, NSO hacking tools were used to break into 1,400 American WhatsApp accounts, provoking a complaint from Facebook (now Meta) that led to an FBI investigation of the firm. It is likely that this very FBI investigation began the scrutiny that led to the software being banned in the United States. NSO has engaged in widespread influence peddling among former Bush, Biden and Trump administration security officials by putting them on its payroll.

There is a lot of talk of OSY Technologies, which owns NSO, being forced into bankruptcy as the US ban is causing it to lose contracts, including in Europe.

—–

Bonus Video added by Informed Comment:

NDTV: “Apple Sues Pegasus-Maker Israeli Firm For Targeting Its Users”

The Cyberwar between Israel and Iran is Heating Up https://www.juancole.com/2021/11/cyberwar-between-heating.html Tue, 09 Nov 2021 05:04:08 +0000 https://www.juancole.com/?p=201117 ( Middle East Monitor ) – It is becoming clear that the cyberwar between Israel and Iran is heating up, although neither side has accepted responsibility for recent attacks. Things became even clearer when hundreds of thousands of Iranians found themselves unable to fill the fuel tanks in their vehicles due to a computer glitch in a major supply network. It was discovered later that it was the victim of a cyberattack.

Although Iran and Israel have many enemies, few are able to launch large-scale, accurate and effective attacks on either country, except, of course, each other. Although they do not officially acknowledge it, others have confirmed their responsibility for the attacks. Neither needs official confirmation from the other to know who is responsible.

Such attacks have been happening for more than a decade, but in the past two years civilian targets on both sides have been hit. Shortly after the outbreak of the coronavirus pandemic, Iranians attacked the systems at six water and sanitation facilities in Israel. The occupation state determined immediately where the damage was and repaired it.

Its response came within a few weeks when computer facilities at Iran’s largest port, Bandar Abbas, were subjected to an Israeli cyberattack. Three months ago, unknown attackers targeted the Iranian Railways computer system in a way similar to the attack on the petrol network last week, causing thousands of trains to be cancelled.

The Iranian response was to target the systems at Hillel Yaffe Hospital in Hadera. This was a more serious attack than the earlier ones. It forced the hospital staff to work manually, which could have jeopardised Israeli lives. The attack on the petrol supply network is believed to have been a response to the hospital attack; it was sharp, widespread and meaningful. With actions and reactions, this is thought to be just the beginning of a long conflict.

It is true that human lives are generally not lost in cyberwarfare. Israel, in particular, uses strong safety measures. However, the Iranian attacks are becoming more sophisticated, like the attack on the electricity network and internet servers, which caused serious damage to the banking sector. Things would be more serious if Israelis had to buy emergency generators, or make backup copies of their computer files for fear of being hacked by Iran.

Israel has warned that it is not ready for cyberattacks that might cause fatalities. As the tit-for-tat attacks grow, though, there are corresponding fears in Israel that it is not ready for an increase in the pace of Iranian attacks against civilian and military sites with the potential for a lot of damage and huge losses.

It is true that Israeli attacks against Iranian targets may be more deadly, but Israel fears that Iranian attacks could paralyse its economy and technical capabilities, whether in the banks, hospitals, commercial institutions or infrastructure. Cyberattacks on various websites and on Hillel Yaffe Hospital expose Israel’s unpreparedness for such attacks. Indeed, as a country, Israel is highly vulnerable to cyberattacks. There is evidence that there have been 245,000 cyberattacks and cyber-enabled crimes since 2019, including defamation, sexual harassment and robbery. Cyberattacks can be deadly if they lead to drinking water being contaminated, or target operational systems in sensitive areas such as missiles or other weapons.

While neither side really wants this cyberwar to escalate to an all-out confrontation, Iran is not going to sit and do nothing in the face of Israeli attacks. It has teams of hackers who respond against Israel frequently, but this is not a video game; the stakes are high, and there could be fatal consequences.

At the moment, Israel has obvious superiority over Iran in this cyberwar. However, as has happened in earlier stages of their confrontations, the Iranians are learning, improving their capabilities, and ready to respond to Israeli attacks.

The views expressed in this article belong to the author and do not necessarily reflect the editorial policy of Middle East Monitor or Informed Comment.

Unless otherwise stated in the article above, this work by Middle East Monitor is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

——–

Bonus Video added by Informed Comment:

TRT World: “Alleged cyberattack interrupted petrol distribution in Iran”
