Hack of Egyptian presidential candidate's iPhone tied to tech firm Sandvine
In the attempted hacks, Eltantawy was lured into clicking links contained in fake security alerts that purported to be from the messaging service WhatsApp.
Attempts to hack the iPhone of a presidential candidate in Egypt have been linked to the computer networking company Sandvine Inc., whose equipment has previously been used by Belarus and other countries to censor the internet.
Ahmed Eltantawy, a prominent opposition politician, was repeatedly targeted with spyware between May and September after he announced his plans to run in Egypt’s 2024 presidential elections, according to an analysis from the University of Toronto’s Citizen Lab. After conducting a forensic examination of the device, the researchers concluded with “high confidence” that the Egyptian government was behind the attempted hacks.
His phone blocked the hacking attempts because it was in a “lockdown mode,” but it turned out he had been successfully infected two years earlier with a spyware known as Predator, manufactured by North Macedonian surveillance technology firm Cytrox, the researchers found. That hack was carried out via a text message containing a link to a Predator website, according to the researchers.
In the attempted hacks, Eltantawy was lured into clicking links contained in fake security alerts that purported to be from the messaging service WhatsApp. His phone was silently redirected to a malicious website, and spyware was supposed to be “injected” onto his phone with the help of technology sold by Sandvine, according to Citizen Lab’s report.
“The use of mercenary spyware to target a senior member of a country’s democratic opposition after they had announced their intention to run for president is a clear interference in free and fair elections,” Citizen Lab wrote in its report.
Sandvine “does not make, sell or collaborate with spyware or malware vendors,” according to an emailed statement provided to Bloomberg, which also said its products were not “capable of injecting malware or spyware.” The statement referred instead to a technique called “packet redirection,” which it said was a capability “sold by all major vendors in the space and used millions of times a day.”
“Sandvine makes products for telecom companies that enable the internet to function and to ensure that citizens have high quality access to information worldwide,” according to the statement.
Representatives from Cytrox and the Egyptian government didn’t respond to requests for comment.
Sandvine, originally founded in Canada, was acquired by San Francisco-based private equity firm Francisco Partners and combined with Procera Networks in 2017, in a deal worth $444 million. The company makes equipment, known as “deep packet inspection” technology, that can be used to manage massive flows of internet traffic passing between networks. The technology can be customized to block out spam and viruses. But conversely, it can also be deployed to blacklist millions of websites and messaging apps so that they cannot be accessed, according to the company’s documents.
Two former Sandvine employees said the company’s systems could also be configured by customers to target particular users with advertising, or to redirect them to malicious websites that deploy spyware such as Predator.
Bill Marczak, senior researcher at Citizen Lab, said the onus was now on Sandvine to “turn off” the capability that its Egyptian customers allegedly used to try to deploy spyware. “The company needs to make it clear to its employees that they should not enable this,” he said
Sandvine has made dozens of sales in Egypt in recent years, according to internal documents reviewed by Bloomberg News. The documents state that since 2019 the company has sold technology totaling more than $30 million to state-owned Telecom Egypt, Vodafone Egypt, and to government agencies including Egypt’s Ministry of Defense and the National Telecom Regulation Authority. One of Sandvine’s largest ever single sales was a deal in 2020 totaling more than $10 million to Telecom Egypt, according to the documents.
Telecom Egypt, the Ministry of Defense and the National Telecom Regulation Authority didn’t immediately respond to requests for comment.
Several attempted spyware infections of Eltantawy’s iPhone occurred while he was connected to Vodafone Egypt’s network, according to Citizen Lab’s report. In addition to providing Vodafone Egypt with deep-packet inspection equipment, between 2020 and 2021 Sandvine also provided the telecom firm with on-site training in Egypt, which educated local telecom employees on how to use the technology, internal Sandvine documents show. A representative for the Vodafone Group didn’t respond to requests for comment.
Bloomberg News previously reported that Egypt was one of at least a dozen countries where Sandvine’s equipment had been used by governments to censor content on the internet. Researchers from the Qurium Media Foundation, a digital rights organization, found in September 2020 that Sandvine’s technology had been used to help the Egyptian government block more than 600 websites, including 100 news and media websites. Sandvine didn’t address the sales or the alleged censorship in its emailed statement.
In Belarus, Sandvine previously sold its equipment to a state-controlled internet agency, which used the technology in August 2020 to block social media platforms, messaging apps and news websites amid nationwide protests over a disputed presidential election, Bloomberg News reported. After public protests and inquiries from US senators, Sandvine announced that it would no longer work with Belarus, saying that it abhorred “the use of technology to suppress the free flow of information resulting in human rights violations.”