Hacked: The story behind the Israeli spyware targeting Moroccan journalists

Under fire for a critical tweet, Moroccan journalist Omar Radi was reportedly under surveillance for one year, his phone infected by a highly-sophisticated spyware developed by an Israeli security firm, according to an Amnesty International report published June 22, 2020. Forbidden Stories obtained access to the report and spoke with Radi about the investigations that made him a state target.

Disponible en

By Phineas Rueckert and Cécile Schilis-Gallego

22 June 2020

The scene — fit for a spy movie — took place in Casablanca at the end of summer 2019. Journalist Omar Radi met his friend Maati Monjib, a historian and human rights activist, for lunch. The two friends hadn’t seen each other for several months, the former being embroiled in a seemingly endless legal case and the latter in a game of cat and mouse with the Moroccan authorities. They had a lot to catch up on.

Monjib was wary that the conversation might be monitored. A tip-off from human rights organization Amnesty International had alerted him to spyware installed regularly on his phone since 2018. Developed by Israeli security firm NSO Group, the spyware called Pegasus allowed data to be extracted from the phone, but also — in true Orwellian fashion — for the camera and microphone to be remotely activated.

That day Monjib was confident his phone was now secure. What he didn’t know, as he sat down to lunch with his friend on that sweltering day in 2019, was that it wasn’t him who should be concerned. The target had changed.

Around 1:00 p.m., Radi took out his phone to verify something on the internet. That was all it took to set off what is believed to be a highly-sophisticated and nearly invisible cyber attack.

NSO’s spyware can scrape a phone’s entire data (Source : Hacking Team Leak)

By surfing the web, the journalist had without knowing it probably given the Moroccan authorities — believed to be an NSO Group client since 2018 — complete control over his device.

It was an especially ironic turn of events, given NSO Group had released, just three days earlier, a new human rights policy in the wake of a number of reported abuses of its technology.

“The state controls your past, your present, your photos, your texts,” Radi said.

The cyber attack against Radi was one of five similar attacks against him outlined in an Amnesty International report that 16 international media organizations were given exclusive access to, coordinated by Forbidden Stories. Amnesty’s report, relying on a technical analysis of Radi’s phone, revealed that the journalist was a victim of so-called “network injection” attacks between January 2019 and January 2020.

It’s no surprise that Radi was likely targeted. It was almost certainly because he had been a thorn in the government’s side for a decade, publishing investigations that revealed hidden links between political and business leaders and shedding light on human rights violations by the state.

Omar Radi’s scoops

 

  • In October 2017, his work on the protest movement of the Rif known as the “Hirak” lead to 48-hour police custody. That year, Omar Radi directed – with ATTAC Morocco – a documentary film on the subject, “Death Over Humilitation”, which tells the story the uprising of the inhabitants of the Al Hoceima region in the north of the country. The story begins with the death of Mohsen Fikri, a fish seller who was crushed in a garbage dumpster while trying to oppose the seizure of his merchandise. In Morocco, the event triggered a protest movement that became increasingly political as the months went by. In March 2020, Omar Radi was sentenced to a 4-month suspended prison term for castigating the sentencing of Hirak members.

 

  • In 2013, Omar Radi was awarded the IMS-AMJI Investigative Journalism Award for his investigation into the exploitation of sand quarries. He denounced the opacity of the system of approvals that allows the exploitation of these quarries and in particular the involvement of companies in tax havens that he identified by combing through trade registers.

 

  • In 2016, the affair known as “servants of the State” is a scandal in Morocco. Omar Radi does not sign the investigation but he is at the origin of the data leak that caused the scandal. The documents he manages to obtain show that very expensive land was offered free of charge to personalities close to the Moroccan authorities.

 

  • Omar Radi is now investigating the issue of land dispossession during the era of King Mohammed VI. The aim of his work is to provide an exhaustive list of these expropriations and to compare the compensation received and the resale prices of the land.

Network injection

In their report, Amnesty concluded with near certainty that NSO Group was behind the attacks against Radi, citing “strong evidence” of the company’s involvement. An analysis of the domain names visited by the journalist showed a troubling similarity to those found in the network injection attacks against Monjib detailed in a report released months earlier, Amnesty wrote.

The method used was particularly nefarious, taking place over a matter of milliseconds and, to a distracted eye, without leaving a trace. All Radi had to do was click through to a non-encrypted (HTTP instead of HTTPS) website. As he did so, his mobile 4G/LTE internet traffic was redirected to another website that installed the spyware before rerouting him back to the original site he had attempted to access.

How a “network injection” attack works (Source: Amnesty International)

“It is very scary that just visiting a benign website that you visit everyday would be a vector to infect your phone,” said Bill Marczak, a senior research fellow at Citizen Lab, an organization that investigates cyber-attacks against members of civil society.

Not so long ago the most common method of attack was sending targets text messages carrying malicious links, which they had to click through in order for their phone to be infected, he explained. But with network injection, the process is much more subtle and harder to avoid.

“Maybe you see a weird website flash in a URL bar, but what do you do? Do you try to exit as quickly as possible? Maybe it’s too late at that point,” Marczak said.

Screenshot from Omar Radi’s phone taken on January 27, 2020

Radi remembers two or three instances of this type of attack. “In most cases, I see the URL change, but I’m then redirected back to the site I had originally been looking for,” he said.

Mostly unphased by these momentaneous redirects, he nonetheless took a screenshot on January 27, 2020 and later sent it to Security Lab, the technical investigations team at Amnesty.

Amnesty had suspected Radi might be surveilled following his arrest in December 2019 for publishing a tweet in which he criticized a court decision against human rights activists. From a distance, the Amnesty tech team was able to walk him through the steps for inspecting his phone for infection — notably by looking at the system errors logged in his phone. Most smartphones produce error reports like this, and their disappearance typically indicates the phone has been tampered with.

The data were analyzed by Amnesty’s Security Lab in Berlin. Days later, they called Radi to tell him his phone had indeed been infected. “You start to ask yourself: what could I have said that would be sensitive information? Did I put my sources at risk?” Radi wondered.

Attributing the network injection attack to NSO Group was a matter of “connecting the dots,” according to Security Lab director Claudio Guarnieri, who spoke with the Forbidden Stories consortium.

“It might be the fact that [NSO Group] reused the same server and so there’s a connection that was established there, or they used the same email address to register the different domain names,” he said. “It creates a historical chain that allows us to tie things back together.”

In the crosshairs of the state

NSO’s suspected relationship with the Moroccan state offers another clue to the series of attacks against Radi.

Citizen Lab identified Morocco as a probable client of the secretive Israeli company, which has long insisted on only selling to government clients. In addition, so-called network injection attacks — despite being remotely performed — must pass through a cell tower near the target, or over the mobile network being used, suggesting that the attackers would have had a physical presence in the country where the target was based. Moroccan authorities did not respond to Forbidden Stories’ request for comment.

Radi has been in the authorities’ radar for several years. On March 17, 2020, the journalist was given a suspended four-month prison sentence and a fine of 500 dirhams (about $50 USD) for an April 2019 tweet in which he called a judge an “executioner” for his sentencing of several members of an opposition group called Hirak el-Rif. He is currently appealing the charges.

It wasn’t until nine months after the tweet that Radi was arrested and detained for several days in a Casablanca jail before being released pending trial.

“I was being punished for my work,” Radi said. “They pile things up and eventually they look for a pretext to arrest the person.”

Media experts have confirmed that this approach was in line with the Moroccan state’s treatment of journalists and human rights defenders. “Before, a journalist would have been arrested for what he wrote,” said Bouziane Zaid, a professor of communications at University of Sharjah in the United Arab Emirates and an expert on Moroccan media. “Now they arrest journalists for other motives that have nothing to do with journalism.”

Amnesty has counted at least 10 activists and journalists who have been illegally detained and tried since November 2019 — all of whom, like Radi, were held in contempt of government functionaries, public institutions or the monarchy.

Adbessadak El Bouchattaoui, a lawyer representing activists from the Rif opposition movement, was sentenced to 20 months in prison on a number of charges, including “insulting public officials,” “threatening and insulting public bodies,” and “contributing to the organization of an unauthorized and prohibited demonstration.”

He was also targeted by NSO Group spyware in 2017, Amnesty said. At the time NSO Group said that they would look into the allegations.

“Mourir plutôt que vivre humilié”, le documentaire co-réalisé par Omar Radi en 2018.

While the March 2020 charge was the first against Radi, his reporting had already drawn the ire of the Moroccan authorities on several occasions. In 2017, he was detained for 48 hours while reporting on the Rif movement — a highly-sensitive topic for the Moroccan state. Fearing he would be arrested again if he went back to the area, he had to rely on footage filmed by movement organizers to make a documentary on the topic along with the militant organization Attac Maroc.

He believes his collaboration with a number of well-known media organizations — including TelQuel, Le Desk and Le Monde in France —  may have finally landed him in the crosshairs of Moroccan state. For example, it took nearly 12 years for him to have his press card approved, a delay well-known to other journalists working in the country.

Nonetheless, a number of his reporting projects directly challenged political and economic elites in the country.

In 2013, he published an investigation into sand quarry exploitation, a highly-regulated sector requiring approvals. “We mapped the sand quarries in Morocco and discovered that they are doled out by palace authorities to local bigwigs — politicians or party heads,” he said.

Radi highlighted the opacity of the system, notably implicating a number of domestic companies using tax havens that he identified by searching through corporate registries. His work earned him the IMS-AMJI investigative journalism prize.

In 2016, he obtained access to Morocco’s land registry — normally reserved for certain professions. He quickly downloaded sales contracts, tax exemptions, and land registers during a small window in which the system was accessible. “I started extracting information at 4:00 p.m. and by 6:00 p.m., the system was shut down,” he said. “They understood that I was in the process of extracting information.”

The documents he obtained showed that very expensive land had been offered as gifts to high-level individuals close to the state. The information was published in a number of newspapers, and the revelations are still known in Morocco as the “public servants affair.”

Most recently, in a grant-funded project for the Bertha Foundation, he looked into land expropriations under King Mohammed VI. “I made an exhaustive list of land expropriations, including the people whose lands were taken: their names, their families, the size but also the topography of the lands,” he said.

He is currently working on an article to be published by the independent outlet Le Desk in which he zeroes in on several expropriations in particular, finding that landowners were compensated at a rate of 25 dirhams (roughly $3 USD) per square meter for land that was later resold at as much as 600 times the price.

In the south of Rabat, in 2019, Omar Radi attended a protest against land grabbing (Photo: Omar Radi)

In pursuing his investigations, Radi always suspected the authorities may have been following closely behind. He said that after reporting the land dispossession story earlier this year, he received a number of calls from people he had interviewed. All of them asked him not to publish the article because they had received threats from the police.

A long history of surveillance

Morocco has a long history of surveillance that has been the subject of a number of reports in the media and the NGO world. A 2015 report by Privacy International, for example, found that the state had made a “heavy investment in spying on its citizens activities and squashing dissent.

In 2011, the country acquired cybersurveillance infrastructure called Eagle that allowed it to censor internet content and monitor web traffic. Morocco also appears among a list of countries that bought cybersurveillance materials from Swiss companies in 2013 and 2014.

In 2015, a document leak of the Italian company Hacking Team, whose sophisticated spyware allowed hackers to gain full control over an infected computer, showed Morocco among the 21 countries it had as a client.

More recently, a number of Moroccan journalists described strange glitches in their electronic devices that they considered to be signs of attempted infections, according to a 2019 article by the Committee to Protect Journalists, a media freedom watchdog.

In 2018, Citizen Lab, at the University of Toronto, documented the presence of NSO in 45 countries including Morocco (Source: Citizen Lab)

That same year — 2019 — Citizen Lab revealed that NSO Group had successfully taken advantage of a flaw in the encrypted messaging system WhatsApp to infect targets simply through missed calls in the app. Among the known targets: Aboubakr Jamaï, a Moroccan reporter who had received CPJ’s International Press Freedom Award in 2003.

Jamaï now lives in France, and is a close acquaintance of Radi, with whom he launched a French version of the site Lakome. The independent media was targeted on a number of occasions and eventually the Arabic version was shut down when the director was arrested in 2013.

According to Jamaï, the Moroccan state will go to lengths to track those they view as opponents. Alongside a number of other journalists and activists reportedly targeted by NSO Group’s spyware, he wrote a letter to the Moroccan state organization in charge of data privacy, which responded that it was not knowledgeable enough to comment.

“It’s ridiculous because our data were stolen and our cell phones were hacked,” the former journalist said.

Asked specifically about the WhatsApp vulnerability, NSO Group repeated that it would look into reported abuses of its technology.

Preventing future attacks?

Radi believes that he has been under the watch of the state since at least February 20, 2011 when he participated in the “Arab Spring.”

“I worked a lot with the 20th of February movement, notably in organizing, doing some underground things,” he said.

In 2015, he discovered that his computer had been infected by Hacking Team spyware.

Companies and governments targeting the same person on multiple occasions is common, according to Marczak, at Citizen Lab. “You often have these targets who just get targeted over and over and over again, over the years, with all kinds of different technologies,” he said.

The mobile phone of Omar Radi, targetted by spyware (Photo: Omar Radi)

Radi has taken a number of precautions with his electronic devices but worries that the intrusions still might put his sources at risk.

“I never click on links, I never open attached files, I avoid using USB sticks that come from outside sources,” he said, adding that he even gives lessons to other journalists and activists about protecting their devices against online attacks.

The authorities have found other ways to hamstring his reporting.

He distinctly remembers feeling followed while reporting for Le Monde on the construction of a palace by a Qatari emir in 2016, in the province of Ifrane. “All of the people he spoke with were interrogated by the Moroccan police right after he left them,” said Serge Michel, the former director of Le Monde Afrique. “That helped the Moroccan police reconstruct what he was working on.”

As Radi continued to work on the subject, the site le360 — close to the Moroccan state — attacked him for doing reporting that was, in their words, not “serious.” Frightened by their tactics, Radi decided not to publish the article.

In addition to these methods of so-called “preventative publication,” Radi was also on the receiving end of a number of defamation campaigns. The site Chouf.tv published a number of articles criticizing the journalist in June 2019, one of which revealed the identity of a female roommate that he was accused of living with “out of wedlock.”

“In Morocco, there is a kind of online press that leads smear campaigns against human rights defenders, or for journalists who dare to investigate certain topics,” said Danna Ingleton, the associate director of Amnesty Tech. “And we know that Omar was targeted by one of those smear campaigns.”

The exhibition booth of NSO at Milipol in Paris in november 2019.

Human rights in the balance

NSO Group, the Israeli firm that reportedly sold the spyware to the Moroccan government, told the Forbidden Stories consortium through a spokesperson that they could neither confirm nor deny the allegation that Morocco had used their products to spy on journalists and human rights defenders.

“NSO is deeply troubled by the allegations in the Amnesty International letter,” the statement read. “We are reviewing the information therein and will initiate an investigation if warranted.”

The company, in its human rights policy, says it will “promptly take immediate action” if there are “sufficient grounds to believe that our products are misused.” However, NSO Group remains highly opaque and provided no information regarding either its clients or the measures it took following previous reports of abuse.

“There’s no oversight mechanism, no transparency,” said David Kaye, UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression.

For now, it’s unclear whether the company has taken additional measures to prevent abuse of its spyware in Morocco in the wake of Amnesty’s earlier report published in October 2019. NSO Group did not respond to the consortium’s specific questions about this point.

Marczak went a step further, saying NSO Group has seemed to do very little in addressing human rights violations. “There hasn’t been a whole lot of public evidence that the NSO’s human rights policy has really helped human rights at all,” he said. “We’re still waiting for that evidence.”

Radi, for his part, doesn’t believe in what he sees as the company’s false promises. Convinced that the spying will continue, he will continue to take as many precautions as he can, multiplying his phone’s security functions and using it as little as possible, he said.

“The most damaging effect is that this might dissuade sources from speaking with me, knowing I am being listened to,” he admitted.

In his personal life, he knows that there could also be consequences. “Everything goes, since they can also attack your loved ones,” he said. “I accept that I might be targeted, but people close to me didn’t ask for all of that.”

That said, he doesn’t want to spend his life looking over his shoulders.

“I’m not going to spend my life always checking for this virus. They’ll always have a way to look into my phone, my computer. It’s David against Goliath.”

À lire aussi

US-VOTE-POLITICS-TRUMP
688965d838b19db580eb8805b28e2da488e2a5038fbd8284004c27a907f9706e
41