Hack-for-Hire Campaign Targets Journalists in MENA Region

A sophisticated hack-for-hire operation, with suspected links to the Indian government, has targeted journalists, activists, and government officials across the Middle East and North Africa. The campaign was uncovered by the digital rights groups Access Now and SMEX, alongside cybersecurity firm Lookout.

The malicious activity focused on delivering spyware through seemingly legitimate Android applications. These apps were designed to mimic news outlets and other trusted sources to trick targets into installing them.

Targets and Tactics

Among the identified targets were prominent Egyptian journalists and government critics, including Mostafa Aaser, a journalist with Mada Masr, and Ahmad al-Sanhouri. The attackers relied on social engineering, creating fake personas and websites to build credibility before sending malicious links.

The primary tool was a piece of spyware identified as “Bitter,” a known surveillance tool associated with a threat actor tracked under the same name. Once installed on a victim’s Android device, the spyware could steal sensitive information, including contacts, call logs, text messages, and real-time location data.

Attribution and Infrastructure

Researchers attributed the campaign with high confidence to the Bitter advanced persistent threat (APT) group. Technical evidence, including server infrastructure and code similarities, links this operation to previously documented activities of the group, which is suspected of having ties to Indian state interests.

The campaign’s infrastructure was complex, utilizing multiple domains and servers that were frequently rotated to avoid detection. Fake social media profiles and fabricated news websites were central to the operation’s success in deceiving targets.

Broader Implications

This incident highlights the ongoing threat of commercial spyware and hack-for-hire services being used to target civil society. The digital rights organizations involved have condemned the attacks as a severe violation of human rights and press freedom.

Access Now and SMEX have called for greater accountability from governments that may be contracting or tolerating such private surveillance operations. They emphasize the need for stronger regulations on the spyware industry and better protection for at-risk communities.

Recommendations and Response

Cybersecurity experts recommend that individuals, especially journalists and activists, exercise extreme caution with links and app downloads, even from seemingly known contacts. Using comprehensive mobile security software and keeping devices updated are critical defensive measures.

The investigating organizations are sharing their technical findings with relevant platforms and law enforcement agencies to facilitate the takedown of malicious infrastructure. They also continue to notify other potential victims who may have been compromised.

Further technical analysis and victim identification efforts are expected to continue in the coming weeks. The full scope of the campaign and the complete list of affected individuals may not yet be known, suggesting more revelations could follow as the investigation progresses.

Source: Access Now, Lookout, SMEX
