Hack-for-hire group caught targeting Android devices and iCloud backups
Security researchers from Access Now, Lookout, and SMEX have identified a hack-for-hire group targeting journalists, activists, and government officials across the Middle East and North Africa. The hackers used phishing attacks to steal iCloud credentials, deployed Android spyware called ProSpy disguised as popular messaging apps, and attempted to hijack Signal accounts. Lookout links the campaign to BITTER APT, a hacking group with suspected ties to the Indian government and possible connections to the hack-for-hire company RebSec.
Key Points
1. A hack-for-hire group has been targeting journalists, activists, and government officials across the Middle East, North Africa, and potentially the U.S. and UK.
2. The attackers used phishing to steal Apple ID credentials and access iCloud backups, giving them full access to iPhone contents.
3. For Android users, the group deployed spyware called ProSpy disguised as popular apps like Signal, WhatsApp, Zoom, and regional messaging apps.
4. Lookout linked the campaign to BITTER APT, a group with suspected ties to the Indian government, and identified RebSec as a possible operator.
5. The hackers also attempted to hijack victims' Signal accounts by tricking them into adding attacker-controlled devices.
6. RebSec has since deleted its social media accounts and website, and the Indian embassy did not respond to requests for comment.
Relevance
- This campaign highlights the growing trend of governments outsourcing hacking operations to private companies, creating a cheaper alternative to commercial spyware like Pegasus.
- The targeting of journalists and activists underscores persistent threats to press freedom and civil society in authoritarian regions.
- The use of relatively simple techniques like phishing and fake apps demonstrates that effective surveillance does not require sophisticated zero-day exploits.
The exposure of this hack-for-hire operation reveals a thriving shadow industry where private companies offer governments plausible deniability for digital espionage against civil society.
