NGO phishing expedition

Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society

February 2, 2017

Media coverage: Associated Press, Vice, The Intercept, The Hill

source: University of Toronto team



In 2011, the Egyptian Government embarked on a wide-ranging legal case charging that many civil society organizations receive foreign funding, and may be engaged in prohibited or illegal activities.

As part of Case 173, international organizations have been subjected to a wide range of legal sanctions, including arrests, travel bans, asset freezes and harsh sentencing. In 2013, 43 defendants working for international NGOs were sentenced to prison for their work, many in absentia as they had already left the country.

Initially primarily focused on international NGOs like the National Democratic Institute and the Konrad Adenauer Foundation, the case has grown increasingly focused on domestic Egyptian organizations. The 37 organizations known to be accused in the case include respected civil liberties groups, pro-bono law firms, and organizations working on gender issues.


With only a handful of exceptions, Nile Phish targets are implicated in Case 173, a legal case brought against NGOs by the Egyptian government over issues of foreign funding. The phishing campaign also coincides with renewed pressure on these organizations and their staff by the Egyptian government, in the context of Case 173, including asset freezes, travel bans, forced closures, and arrests.

Our collaborative investigation has documented at least 92 messages sent by Nile Phish, many highly personalized, and sent as recently as January 31st, 2017. The phishing campaign has included at least two phases, each with distinct phishing tactics and domains. Efforts seem to have been made to compartmentalize the infrastructure for each phase, but a technical error allowed us to link the servers and conclude that the two phases were part of a single campaign.

Nile Phish’s sponsor clearly has a strong interest in the activities of Egyptian NGOs, specifically those charged by the Egyptian government in Case 173. The Nile Phish operator shows intimate familiarity with the targeted NGOs activities, the concerns of their staff, and an ability to quickly phish on the heels of action by the Egyptian government.  For example, we observed phishing against the colleagues of prominent Egyptian lawyer Azza Soliman, within hours of her arrest in December 2016. The phishing claimed to be a copy of her arrest warrant.

The Nile Phish Campaign

In late 2016, Citizen Lab was contacted by the Egyptian Initiative for Personal Rights (EIPR), whose technical team had observed a growing number of suspicious emails sent to EIPR accounts. The messages had caught the attention of the technical team because multiple messages arrived at the same time, concerned current events, and seemed to play on emotional themes related to Case 173. EIPR’s team helped broaden the investigation to a total of seven targeted Egyptian NGOs.

All of the seven Egyptian organizations are also implicated by Case 173. The targets include reputable and respected organizations working on political and rights issues such as freedom of expression, gender rights, and victims of torture and forced disappearances. Six of the organizations have agreed to be named in this report and one requested to be referenced anonymously

read full report here

The Egyptian Initiative for Personal Rights is an independent Egyptian human rights organization, established in 2002, a Cairo-based think tank.
EIPR webpage Who we are says nothing about who they are, only about what they do. There is no information on EIPR’s webpage about its funding, sponsors, it does not identify partners, management or staff members. Why?

Hossam Bahgat is the founder and director of EIPR. Bahgat is also a board member of the International Network for Economic, Social and Cultural Rights (ESCR-Net) and a member of the Board of Directors of the Fund for Global Human Rights. Bahgat is the recipient of 2010 Alison Des Forges Award for Extraordinary Activism from Human Rights Watch.

Gasser Abdel Razek, the executive director of EIPR

Heba Morayef is EIPR’s associate director.

Ramy Raoof, the senior research technologist at EIPR

Gamal Eid, founder of the Arab Network for Human Rights Information.

Prominent Human Rights Activists in Egypt Targeted by Sophisticated Hacking Attacks

Intercept published February 2 2017
The nature and complexity of the attacks, which occurred over the past few months, suggest the campaign is being directly coordinated by an Egyptian intelligence agency, EIPR researchers say.
How EIPR ‘researchers’ get to that conclusion is beyond me.
“I have no doubt that this is either a state agency or a state agency-sanctioned campaign,” said Gasser Abdel Razek, the executive director of EIPR. “Who else would be interested and willing to invest the time and effort into this kind of coordinated social engineering except the state?”
“state agency-sanctioned campaign” or individuals within a state agency recognized as gone rogue and forced to operate outside of its jurisdiction.

Google eventually sent several NGO staff members a warning that they “may have detected government-backed attackers trying to steal your password.”

Wait a minute, that is a loaded sentence. Google’s warnings are generic, they are not in the business of analyzing who is sponsoring a hack. Which government does Sharif Abdel Kouddous mean here and why does he want you to make these giant leaps?

The phishing campaign gels with an ongoing effort by the Egyptian government to boost its electronic surveillance capabilities. State intelligence agencies have purchased powerful surveillance technologies from European companies in recent years, including Remote Control System software built by the Italian spyware manufacturer Hacking Team. Egyptian authorities are also continually trying to block access to the encrypted messaging app Signal while Open Whisper Systems, the company behind the app, develops ways to circumvent the censorship.

This next paragraph seals my impression of what the writer’s intended message was.

The phishing attacks come as Egyptian president Abdel Fattah al-Sisi appears to be building close ties to President Donald Trump, who has called for heavier surveillance of mosques in the United States.

Egyptian Human Rights Activists Are Being Targeted in ‘Dangerous’ Hacking Campaign


link to Azza Soliman

link to Aya Hijazi

shrt lnk:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.