Police buys Israeli phone hacking tool

There are reports that the government is stepping up surveillance of dissidents. PHOTO | ISAAC KASAMANI

What you need to know:

  • The government of Uganda has vociferously denied hacking claims that have swelled in the recent past. The latest claim has seen Mr Yusuf Sewanyana, the director of the Police’s ICT Directorate, tell the Uganda Radio Network that while the technology in question was procured, it’s not currently in use.

The Opposition, human rights organisations’ employees, diplomats and journalists in the crosshairs of the government continue to face the threat of relentless hacking targeting their cellphones and laptops.

Earlier this month, Israeli cyber company, Cellebrite, sold technology for hacking into cell phones to the Uganda Police Force, which has been accused of violations and egregious human rights abuses.

Cellebrite, which specialises in developing tools for digital forensic investigations, has not denied the sale but claims it is scrupulous about legal and ethical use of its products, according to Haaretz, an Israeli newspaper which first reported the story.

Cellebrite’s flagship product is a technology called UFED. The technology enables enforcement authorities to hack into password-protected cell phones and download the information stored on them.

In a letter sent by Mr Eitay Mack, an Israeli human rights lawyer, to Israel’s Defence ministry and Cellebrite, a number of human rights activists are calling for cessation of sales of the technology and support services to the Ugandan government.

Cellebrite, which is headed by its chief executive, Yossi Carmil, claims its tools are sold only to police and security organisations for the purpose of fighting serious crime and terrorism. As has been reported in Haaretz, however, its customers have included repressive, sanctioned regimes, among them Belarus, China, Venezuela, Indonesia, Russia, the Philippines and Bangladesh.

According to open-source information on the Internet and investigative reports by Mr Mack, the tools have made their way into the hands of organisations repressing human rights activists, minorities and the LGBTQ community. Mr Mack also lists murders, abductions and torture of the same groups by the police in his letter.

Not new

In one investigation, the newspaper reported that the Uganda Police Force has used the system for hacking into mobile phones since 2017.

Although the use of Cellebrite in Uganda had been secret until now, “a local company in Uganda made public that it supplies to the Uganda police the UFED system capable of hacking through protection of mobile devices, gathering information from them and restoring information that has been deleted,” Mr Mack wrote in his letter to the ministry.

On the website of Preg-Tech Communications Ltd, a representative and supplier of Cellebrite and other companies in East Africa, under the heading “June 2017 Provision and Installation of Digital Forensics Systems and Software Updates”, the company detailed the deal to install the Cellebrite hacking tools, software packages and servers for the Uganda Police Force.

The items indicate that possibly the use had begun earlier, as there is also a list of upgrades of old tools. The document is no longer available on the company’s website, but can be viewed using the Internet Archive.

The website of Cellebrite’s regional supplier reveals the sale of UFED systems to the Ugandan police.

The local supplier also revealed that the Uganda Police Force uses UFED-Cloud Analyzer, enabling extraction of a detainee’s data from online storage services such as Dropbox, Google Drive, OneDrive and Apple’s iCloud.

Though Cellebrite publications explain that remote access is possible only if the suspect provides the password, in actuality the user of the system is able to extract the data from all the cloud services installed on the hacked phone.

Close ties

In April 2021, Cellebrite also held a digital forensic investigation workshop for the Uganda Wildlife Authority, a government agency. The workshop included a Cellebrite Certified Operator Course for extracting data from cell phones “in a forensically sound manner using UFED.”

These recent purchases underline the warm ties between Israelis and Kampala. Before this procurement, Israel Military Industries (IMI) sold Uganda Tavor and Galil ACE rifles, a preserve of the Special Forces Command (SFC), the most elite unit of the army that guards the President’s family and other VIPs, and all vital security installations in the country.

In 2019, the head of the SIBAT foreign defence assistance and defence export directorate at the Defence ministry at the time, Brig Gen Michel Ben-Baruch, visited Uganda and met with Mr Adolf Mwesige, the Defence minister at the time. A year later, former Israeli Prime Minister Benjamin Netanyahu visited the country, met with President Museveni and declared that the relations between the two countries testify to “a true friendship.” Netanyahu spoke about the extensive cooperation in “agriculture, education and innovation”, only mentioning cyber in the area of security.

Pegasus hack

Last year, diplomatic staff at the US embassy in Kampala had their iPhones hacked using spyware sold by the Israeli cyber-weapons company, NSO Group.

A report by the New York Times put the number of officials at 11, saying embassy staff had received a warning from Apple that “state-sponsored attackers are trying to remotely compromise the iPhone associated with your Apple ID”.

Pegasus is a military-grade surveillance suite that can infect an iPhone without the user’s knowledge and allow its wielder to snoop on everything from voice calls through location data to encrypted chat messages.

A spokesperson for NSO said it would conduct an independent investigation and cooperate with any government probe, as well as “immediately terminating” some customers’ access. There is no suggestion NSO conducted or knew about the hack.

“The heart of the problem is that we have a military junta pretending to be a government and becoming more and more unrestrained,” Mr Andrew Karamagi, a lawyer and human rights activist in Uganda told Haaretz newspaper recently.

September riots

In January 2021, Mr Museveni was re-elected for his sixth consecutive term in office. The election campaign period was convulsed by a phase of violence unprecedented since independence.

On November 18, 2020, riots broke out in Kampala, which resulted in the death of scores after Opposition candidate, Robert Kyagulanyi, alias Bobi Wine, was arrested in Luuka District. Opponents were hauled before military courts and others detained incommunicado have never been seen again.

“There is no humane way to control people against their will, especially when you have been doing this for close to four decades,” Mr Karamagi said, adding, “The alarming situation of civil rights in Uganda is a function of the interests of the ruling family and its followers.”

The lawyer also proceeded to say that the international community—the United States, China and Russia among other countries—also bears responsibility for the situation in the country.

“It appears that the waterline was crossed in the 2016 election, when in the wake of their counterfeiting and the extensive repression Museveni exerted, the international community’s tolerance towards him began to fade—which encouraged the opposition in Uganda to increase its activity to depose him,” Mr Mack wrote in his letter. “On Election Day, the government blocked access to the social networks ... In areas of clear support for the opposition, the government did not provide any ballot slips; about 150,000 security personnel were deployed near the polling places ... They intimidated voters and created the impression that they would take vengeance on voters for the opposition ... On Election Day, President Museveni arrested one of the prominent opposition leaders.”

Arbitrary arrests

A Human Rights Watch (HRW) report from March mentioned more than 400 cases of “snatching,” arbitrary arrests, disappearances and torture at the hands of the Uganda Police Force, the army, military intelligence and the internal security organisation. Most of the detainees who were interviewed by the NGO noted that their cellphones were confiscated when they were arrested.

On December 22, 2020, armed police abducted four lawyers and an Opposition activist who had met to share information about incidents in which demonstrators had been killed a month earlier. When asked by police to reveal the passcodes to their phones, they refused, despite reportedly being beaten. Cellebrite’s technology enabled authorities to hack the locked phones.

“The meaning of the hacking of cellular phones in Uganda could be abduction, extortion, torture, execution without trial, disappearing and denial of liberty without a fair legal proceeding, for citizens who have cellphones, and also for their friends and relatives,” Mack wrote.

Cellebrite has responded that the company “is committed to its mission of creating a safer world through providing solutions to law enforcement organisations while ensuring legal and ethical use of its products ... we have developed strict means of oversight that will ensure proper use of our technology in the context of investigations carried out under the law.”

The Defence ministry maintained its usual position, responding that “as a rule [it] does not give information about security export policy.”

Walk to work protests

In April 2011, barely two months after the general election, activists and Opposition politicians organised loosely as Activists for Change (A4C) launched a series of protests across the country to draw attention to police brutality and the rising cost of living. They encouraged Ugandans to peacefully walk to work in protest.

The government reacted violently to the ‘Walk to Work’ protests and urban unrest. In the first month, security personnel killed at least nine unarmed people. More than 100 were injured. Dr Kizza Besigye, the Opposition doyen and then leader of the Forum for Democratic Change (FDC) party was dragged from his vehicle and pepper sprayed in the face, sustaining serious injuries.

More than 600 people were arrested and detained without charge. Some bore marks consistent with allegations of whipping and beatings. Lawmakers were arrested, manhandled and placed under 24-hour surveillance and preventative detention.

A4C launched a second round of protests in late 2011, which continued into 2012 before eventually subsiding in late 2012.

Fungua Macho

Behind the scenes, officials of the Chieftaincy of Military Intelligence (CMI) and Uganda Police Force (UPF), acting on presidential orders, used intrusion malware to infect the communications devices of key Opposition leaders, media and establishment insiders.

The secret operation was codenamed Fungua Macho (‘open your eyes’ in Swahili), according to documents acquired by Privacy International, a registered charity based in London that works at the intersection of modern technologies and rights.

It authored a report titled: For God and My President: State Surveillance in Uganda. The tool chosen as the ‘backbone’ of the operation, FinFisher, is intrusion malware that was at the time manufactured by the Gamma Group of companies, headquartered in the UK.

Once infected, a person’s computer or phone can be remotely monitored in real time. Activities on the device become visible. Passwords, files, microphones and cameras can be viewed and manipulated without the target’s knowledge.

The Chieftaincy of Military Intelligence (CMI) and Police used state funds to purchase the full ‘Fintrusion suite’. FinFisher operations and sales have since been spun off to “FinFisher GmbH”, the new name (as of September 2013) for Gamma International GmbH, a German branch of Gamma Group.

From 2011 to 2013, at least 73 people were involved in the operation targeting key opposition leaders, media and establishment insiders. Operatives bribed people close to their targets to get access to personal phones and computers on which they installed the malware, according to a confidential intelligence brief prepared for President Museveni.

CMI officials also requested more funds to expand the operation and bribe further insiders. Obtaining personal information to use as blackmail was an explicit goal of the operation, according to secret government documents.

Targeting foes

FinFisher ‘access points’ in the form of fake Local Area Networks (LANs) were installed within Parliament and key government institutions. Actual and perceived government opponents were targeted in their homes. Fake LANs and wireless hotspots were set up in apartment estates and neighbourhoods where many wealthy Ugandans and expatriates live. Twenty-one hotels in Kampala, Entebbe and Masaka were also prepared to allow for infection of Operation Fungua Macho’s targets.

The management of some of the hotels collaborated with the operation to install fake Wi-Fi portals and install FinFisher on desktop computers in the hotels’ business centres, according to the Ugandan military briefing document.

All major conference hotels in Kampala, where high-level events such as heads of state meetings and political party conferences occur and business transactions are negotiated, were included in the target list contained in a government document.

Gamma International GmbH, a German branch of Gamma Group, sold FinFisher to the Ugandan government. By training Ugandan officials on the use of FinFisher, Gamma International GmbH provided indirect support to Operation Fungua Macho. Gamma trained four Ugandan officials to use FinFisher in Germany in December 2011.

From January 19 to 20, 2012, two Gamma officials met with senior intelligence officials in Kampala and briefed them on FinFisher’s capabilities, according to a company document obtained by Privacy International from a separate source.

Ugandan police and military officials travelled to Germany and the Czech Republic as visitors of Gamma to attend ISS (Intelligence Support Systems) World, the key international surveillance trade show, in June 2012, according to company documents.

The Ugandan officials attended demonstrations of surveillance products from Gamma partner companies from around the world. These companies sell technologies, including centralised communications monitoring centres. Oelkers reportedly returned to Kampala at least three times in 2013, according to the Wikileaks Counter Intelligence Unit.