Togo: Prominent activist targeted by Indian-made spyware linked to notorious hacker group
- Togolese activist targeted with spyware by the Donot Team hacker group.
- Amnesty International reveals links between the Donot Team attacks and Innefu Labs, an India-based cybersecurity company.
- First time Donot Team has been publicly linked to cyber attacks targeting activists outside of South Asia.
- Spyware-laden emails and bogus Android apps could access the device’s camera and microphone, steal photos and files, and read WhatsApp messages.
Togolese activists risk being targeted by shadowy cyber-mercenaries who use covert digital attacks to attempt to steal victims’ private information in order to sell it to private clients, a new Amnesty International investigation has revealed.
In a new report released today, Amnesty International reveals how fake Android apps and spyware-laden emails linked to the notorious hacker group Donot Team were used to target a prominent Togolese human rights defender with the aim of putting him under illegal surveillance. This discovery is the first time that Donot Team spyware has been found in attacks outside of South Asia. The investigation also uncovered links between the spyware and the infrastructure used in these attacks, and Innefu Labs, an India-based cybersecurity company.
“Around the world, cyber-mercenaries unscrupulously profit from illegal surveillance of human rights defenders.”
Danna Ingleton, Deputy Director of Amnesty Tech
The Togolese activist, who wishes to remain anonymous for security reasons, has a history of collaborating with civil society organizations and is a vital voice for human rights in the country. Their devices were targeted between December 2019 and January 2020, in a tense political climate ahead of the 2020 Togolese presidential election.
“Cyber-mercenaries around the world are ruthlessly profiting from the illegal surveillance of human rights defenders,” said Danna Ingleton, deputy director of Amnesty Tech.
“Anyone can be a target – attackers living hundreds of miles away can hack your phone or computer, watch where you go and who you talk to, and sell your private information to repressive governments and criminals.”
The persistent attacks over WhatsApp and email attempted to trick the victim into installing a malicious app masquerading as a secure chat app. The app was actually custom Android spyware designed to extract some of the most sensitive and personal information stored on the activist’s phone.
The spyware allegedly allowed attackers to access the camera and microphone, collect photos and files stored on the device, and even read encrypted WhatsApp messages as they were sent and received. The covert nature of such attacks makes it extremely difficult for activists to detect whether their devices have been compromised.
“Realizing that this was a digital espionage attempt, I felt in danger. I can’t believe my job could be so disturbing to some people that they would try to spy on me. I am not the only one working for human rights in Togo. Why me?” the Togo-based human rights defender told Amnesty International.
Amnesty International’s investigation uncovered a slew of technical evidence left behind by the attackers that identified links between the infrastructure of the attack and India-based Innefu Labs. The company promotes digital security, data analytics, and predictive policing to law enforcement and armed forces, and claims to work with the Indian government. Innefu Labs does not have a human rights policy and does not appear to exercise human rights due diligence – despite the enormous risks their products pose to civil society. Amnesty International has observed additional evidence of Donot Team attacks against organizations and individuals across Asia, mainly concentrated in northern India, Pakistan and Kashmir.
The space for human rights work in Togo has shrunk – in 2019, the year before the presidential election, Amnesty International documented the passage of laws restricting the rights to freedom of expression and peaceful assembly and cases of human rights violations committed by the authorities, in particular against pro-democracy activists.
Several religious figures and opposition politicians in Togo have reportedly been targeted by digital surveillance tools. In August 2020, The Guardian and Citizen Lab revealed that two Catholic clergymen, Bishop Benoît Alowonou and Father Pierre Chanel Affognon, had been targeted using a WhatsApp vulnerability linked to the NSO Group.
The Pegasus Project, coordinated by Forbidden Stories with technical support from Amnesty International’s Security Lab, revealed earlier this year that hundreds of Togolese numbers were listed as potential targets for NSO Group’s Pegasus spyware. Those on the list included independent journalists and members of opposition political groups.
The threat of targeted surveillance, whether real or not, can take a psychological toll on activists and have a devastating effect on their human rights work. Little is known about the Wild West cyber-surveillance industry, despite repeated calls from Amnesty International and other civil society organizations for more transparency, and even less is known about the thriving hacker industry.
“The surveillance industry is out of control with companies and cyber mercenaries operating entirely in the shadows.”
“Surveillance companies need to stop pushing profit away from people and ensure that repressive regimes don’t use their technology to stifle civil society,” said Danna Ingleton.
Amnesty International makes the following calls:
- Innefu Labs must publish in full the findings of an external audit commissioned by the company on the links between its spyware tools and the infrastructure used in the attack on the Togolese activist. The company must also implement a human rights policy.
- The Indian government must investigate cyber attacks linked to Innefu Labs and take urgent action to ensure that India-based surveillance companies are not involved in targeting activists – which is clearly illegal under international human rights law.
- The Togolese government must ensure that everyone, including activists, is protected against human rights violations, and investigate and remedy any harm caused by cyber attacks carried out by private sector actors.
In a written response to Amnesty International, Innefu Labs denied “the existence of any link between Innefu Labs and spyware associated with the ‘Donot Team’” and the attack on the human rights activist in Togo. Innefu Labs also said they were not aware of any use of their IP address for the alleged activities.
There is no evidence to suggest that Innefu Labs had any direct involvement or knowledge of targeting the human rights defender in Togo using the Donot Team spyware tools. The activity related to the Donot Team may involve several different actors or organizations having access to the same set of custom spyware tools and the same shared infrastructure.