Spyware brokers and Lebanon’s surveillance state

Spyware brokers highlight the dark side of Lebanon’s surveillance state

21 November, 2023
In 2015, leaked emails revealed Lebanon's likely purchase of spyware that could be used in illicit surveillance. The New Arab raises questions about ongoing risks to citizens' privacy rights given the lack of institutional oversight and accountability.


[This piece is part of a yet-to-be-launched investigative section called “For the Record”. The New Arab believes that public interest comes first and that publishing research findings, even if not conclusive, can inform future investigative efforts.]

In a region where governments legislate dystopian cybercrime laws and spy on their citizens’ online activities, an outsider might think of Lebanon’s cyberspace as an oasis of privacy and free speech. Nothing could be further from the truth.

Government ministries have been accused of committing routine breaches of or neglecting personal data protection, such as in the 2022 case of a Covid-19-related online platform for travellers.

More insidiously, government officials have been accused of unlawfully intercepting telecommunications and fabricating online evidence for political ends or to carry out alleged personal vendettas.

The Lebanese General Security Directorate, meanwhile, has failed to clarify its alleged ties to the hacking campaign ‘Dark Caracal’, which remains an active threat. In 2018, researchers tracked exploits against WhatsApp to a building owned by the Directorate.

Add to all of this Lebanon’s notorious network of politically connected contractors, untransparent public tendering, and the conflicting allegiances and agendas of its security agencies, and a picture emerges of an online Wild West.

Despite repeated protests over its unconstitutionality, Lebanon’s Cybercrime Bureau continues to target journalists and activists. Those activities reached a dramatic peak during the 2019-2020 mass protest movement. Other Lebanese security agencies have also engaged in repressive practices against individuals’ freedom of speech on political grounds.

It is not clear what kind of tools the Lebanese agencies are currently employing for surveillance purposes. Lebanon’s financial collapse has also impacted the state’s capability to purchase software from abroad since 2019. 

The New Arab (TNA) Investigative Unit has conducted in-depth research into a case from the past decade, to expose how the Lebanese security apparatus operates when it intends to acquire spyware through private brokers. This case remains relevant today because the opaque business dealings of the same local intermediaries, and the lack of privacy law enforcement mechanisms, continue to endanger activists and journalists, not just from Lebanon, but in the entire region.

The beginning

It all started with a simple email in late 2011, sent to an employee at HackingTeam.

Introductory email to HackingTeam from Karl Feghali (redaction by TNA) [Wikileaks]

The very short email notes that two governmental agencies had shown interest in HackingTeam’s product, after their presentation at Milipol, a security conference in Paris. According to the author of the email, the two potential clients would like to schedule a live demo and presentation in Beirut, Lebanon. The email, however, fails to mention that the product in question is spyware. 

This email, and a million others, were part of WikiLeaks’ HackingTeam Archive, a collection of internal emails from the manufacturer of the surveillance software “Remote Control System” (RCS), released online in 2015. The Italian company had managed to build a “spyware empire”, selling its software to law enforcement agencies all over the world. Using its software, these clients would be able to take screenshots, record audio from phone calls and even monitor a phone’s GPS location undetected.

Infobox: The rise and fall of Hacking Team

While Hacking Team insisted that its software was intended for use in investigations, multiple reports showed that RCS was used by repressive governments to conduct surveillance of political dissidents, journalists and human rights activists. In 2014, a United Nations panel questioned the company’s sale of its software to Sudan’s National Intelligence and Security Service, in contravention of the U.N.’s weapons’ export ban to the country. In April 2015, UK-based charity Privacy International would write in its report to Italian authorities that “evidence suggests that Hacking Team's RCS is one of the most popular intrusion technologies on the market, and is used widely by countries with poor human rights records.”

Former Hacking Team (HT) Spokesperson Eric Rabe told The New Arab (TNA) that “they [HT] recognized that the software they had was powerful and could be abused. [...] But ultimately, you assign products to people who are [...] using it without your supervision. I think the opportunity for someone to abuse it was always there, irrespective of how diligent the company might have been in trying to prevent that.”

But then, HackingTeam itself got hacked, releasing some 400GB of its documents online. The perpetrator, whose identity is still unknown, wrote in their manifesto that they specifically targeted HackingTeam because it “was a company that helped governments hack and spy on journalists, activists, political opposition”. HackingTeam never recovered from the damage its reputation incurred after the hack: after the Italian authorities revoked its export licence in March 2016, its development team would be dissolved and the company acquired in 2019.

Screenshot of HackingTeam’s now defunct homepage, showing the company’s motto: “Rely on us.” [HackingTeam/fair use]

Selling to the Lebanese Army

The trove of emails revealed that the Directorate of Military Intelligence within the Lebanese Army had likely been a client of the software maker, after an agreement was reached in June 2015. 

While the terms of the deal and whether it was finalised were never confirmed, documents from the WikiLeaks’ archive show that the total value of the contract was set at €1,438,530 ($1,445,525 at the time). The first instalment of the order, worth 80% of the deal, was to be paid on delivery.

Internal email, detailing terms of the deal between HackingTeam and the Lebanese Army in June 2015 (original text in Italian translated by TNA). [Wikileaks]

When asked whether the order of the Italian spyware was ever delivered, the Lebanese Army did not provide an answer in time for publication, despite repeated attempts to contact them.

Little attention was paid at the time to the broker at the centre of these deals. 

As part of their agreement with HackingTeam, this intermediary would receive a 30% commission of any deal (in this case 431,559 Euro, around $479,319 at the time) that they would help negotiate, to be paid to a company named “Phoenix International Trade ltd”, registered in the British Virgin Islands (BVI). Its managing director, according to this same agreement, is a Lebanese national: Karl Feghali.

Email from Karl Feghali to HackingTeam, negotiating his commission as intermediary. [Wikileaks]

Through the 2010 Official Gazette of the British Virgin Islands, which contains a list of all companies registered in the overseas territory, The New Arab (TNA) is able to confirm that a company under the same name and number was registered in BVI. The name of its managing director could not be confirmed.

Email from Karl Feghali to HackingTeam, with information about his company in the British Virgin Islands. [Wikileaks]

TNA attempted to speak with Karl Feghali to confirm his role in HackingTeam’s dealings in Lebanon, the commission he earned in that role, his representation agreements with foreign weapons suppliers, the public contracts his companies received, and his current role at Rohde & Schwarz, a German firm that produces radiomonitoring and radiolocation devices. Feghali refused to comment.

When asked about his work as an intermediary between HackingTeam and the Lebanese Army, the Lebanese businessman simply replied: “I do not do that work anymore.”

Speaking to TNA, a supplier to security agencies in Lebanon was less sure: “Karl Feghali is probably still active. But in Lebanon there is no more market [because of the financial crisis]. He would be active outside of Lebanon.”

Missed opportunities: HackingTeam and the Lebanese security agencies

While Feghali initiated correspondence with the spyware maker as early as November 2011, the two parties did not reach a working agreement until January 2014. Introductions to Lebanese security agencies quickly followed.

TNA can establish that Karl Feghali was involved in discussions of HackingTeam’s product with three separate entities within the Lebanese law enforcement agencies, based on the leaked correspondence.

Besides the Directorate of Military Intelligence of the Lebanese Army, he acted as intermediary to the Lawful Interception department within the Internal Security Forces (ISF), as well as the Telecommunication department at the General Directorate of General Security (GS). When dealing with these potential clients, Feghali insisted on being presented as a mere “consultant” by the spyware manufacturer.

According to HackingTeam’s emails, a first meeting between HackingTeam’s sales team and GS occurred on 10 March 2014. GS did not have the budget for the tool, but it intended to “allocate about half a million euros by Q3” for its purchase.

Internal email from an employee at HackingTeam, explaining interest from GS in HackingTeam’s technology. [Wikileaks]

A second presentation, this time with the ISF Lawful Interception department, was also in the works for 2015, but was never confirmed. Around the same time, the €1.44 million deal with the Lebanese Army was finalised.

Email from Karl Feghali to HackingTeam, introducing the Internal Security Forces’ Lawful Interception department as a potential client. [Wikileaks]

Telecommunication monitoring in Lebanon

Civil society organisations have long spoken against the ambiguous legal framework surrounding lawful telecommunication monitoring.

Legal Agenda, a Lebanese legal advocacy organisation, wrote back in 2014 that the ISF’s Cybercrime Bureau’s “extensive powers to fighting crimes – that involve high information technologies - practically allows it to jeopardise basic freedoms associated with online activity, such as the freedom of expression and the right to privacy”.

While many laws regulating surveillance do exist, such as Law 140/1999 on wiretapping, “there is a gap between the law and its enforcement”, as noted by British charity Privacy International in a Lebanon-focused report published in 2019.

Although the Lebanese constitution protects individual liberty and freedom of expression, security agencies regularly used the threat of summoning and investigation to silence activists in the years leading up to the 2019 October uprising. The practice continues to be in place. 

In April 2023, Jean Kassir, managing editor of Megaphone, a Lebanese media platform, was pulled over while driving to respond to a summons by the ISF regarding a defamation complaint.

In the same month, Lara Bitar, editor-in-chief of The Public Source, another Lebanese outlet, was also summoned by the Cybercrime Bureau after publishing an article on toxic waste in Lebanon.

During the October uprising, security agencies resorted to less sophisticated approaches for accessing the devices of arrested individuals. 

Nour Haidar, a lawyer at Privacy International who worked at Legal Agenda at the time of the protests, told TNA that “the Cybercrime Unit were collecting phones, and using old hacking techniques” to get access to them.

Foreign funding to the rescue

To maintain access to cybersecurity tools, however, Lebanese security forces have to rely increasingly on foreign funding.

Dr. Jihad Fahs, assistant professor at the American University of Beirut’s Faculty of Engineering and an expert on cybersecurity, told TNA that “licence renewals are needed every three to five years or software will become obsolete.” 

According to him, “over the last few years [2020-22] grants from European countries in addition to EU grants kept coming through,” adding that “some of this money was used for licence renewal, equipment upgrade and training.” 

However, Dr. Fahs specifies that this software is for “detection, protection and response - response in the sense of stopping a cyber attack. So defensive only”. 

Maintaining access to offensive tools, like the one negotiated with HackingTeam, would be harder to justify financially. In the aftermath of the financial crisis, the Lebanese Army needs regular cash injections simply to cover the wages of its soldiers.

Already in July 2021, a Lebanese General said that the armed forces needed an immediate $100 million to cover soldiers’ basic needs, $47 million of which were provided by the United States in September that year. Qatar would later donate the first part of a $60 million pledge in August 2022. Most recently, in January 2023, the US announced that a further $72 million cash stipend would be used to pay the salaries of members of the ISF as well.

Dr. Fahs told TNA that “cybersecurity is now less of a priority because of the difficulties faced in delivering basic services. [...] The operational side of things comes first.” 

Speaking to TNA about Lebanon's market for cyber tools, the supplier to the country's security agencies asked sarcastically: “Which market? There's no more companies. There is no more country. There's no more government. [...] There is nothing. It’s a nice mountain, and that’s all.”

And what about Karl Feghali?

Despite his emails being leaked on the internet, very little information on Karl Feghali can be found online. 

His first forays as a businessman are less murky, though.

In 1991, he registered a sole trading company under the name ‘KAF ETS FEGHALI POUR L'ENTREPRISE ET LE COMMERCE’ to engage in the import and export of a multitude of products, from air conditioners and surveillance cameras, to lightning rods and security equipment, according to the Lebanese company registrar.

The now defunct website of ‘KAF ETS’ goes into more detail about the company’s clients, which include the ISF, the Ministry of Justice, and LibanPost.

Public documents also show that Feghali’s company received multiple contracts from the Lebanese Council of Development & Reconstruction (CDR), totalling $741,370, between 2000 and 2003.

Total value of CDR contracts awarded to Feghali’s company from 2000 to 2003. [CDR]

The most lucrative of these contracts saw his firm receive $275,973 for the operation and maintenance of the UNESCO palace in Beirut between 2000 and 2001.

Contract for the operation and maintenance of the UNESCO palace in Beirut, granted to Feghali’s company in 2000. [CDR]

Originally established in January 1977, the CDR was tasked with rebuilding Lebanon’s infrastructure to its pre-Civil War level.

The shift towards the security sector 

From a supplier engaged in the reconstruction effort, in 2004 Karl Feghali began to specialise in the import of security and protection equipment into the country, launching a new firm called “Phoenix Services & Engineering Company SARL” (PSEC). 

This new company was frequently tasked with the procurement of surveillance and protection equipment to different parts of the government. As a supplier, PSEC regularly engaged with international suppliers, and obtained exclusive rights to the commercial representation of their products in Lebanon. 

Based on the registry of exclusive rights of the Ministry of Economy and Trade in Lebanon, PSEC signed multiple exclusivity contracts with arms suppliers. 

In 2012, it was granted a licence from Fiocchi Munizioni S.p.A, one of Italy’s largest ammunition manufacturers, to act as its “sole representative to deal with the government, army, navy, air force and security forces inside Lebanon”. In 2014, PSEC signed a two-year representation contract with the Swiss Astra S.A. to import rifles, guns and their parts.

Armed with these business connections, PSEC has been acting as a licensed importer of weapons for the Lebanese armed forces since 2012. TNA can confirm that the arms import licence was renewed as late as 2021, based on the publicly available text of a Ministerial decree.

Feghali’s most recent post on LinkedIn in late 2022 showed two awards his company had received for “Best Sales Partner in the Middle East for Security”. The awards came from Rohde & Schwarz, a German Electronics & Telecommunications specialist, who had opened its Dubai branch for the MENA region back in 1994. Commenting on the LinkedIn post, an account claiming to be associated with the ‘Regional Senior Sales Manager MEA at Rohde & Schwarz’ added: “Proud to have you as an Agent/Partner for us Karl Feghali”.

Awards received by PSEC as sales partner for Rohde & Schwarz in MENA. Karl Feghali uploaded this picture on LinkedIn in late 2022. [LinkedIn]

The German company’s security portfolio focuses on “radiomonitoring and radiolocation” devices, such as “counter drone systems” and “aerial monitoring systems”. 

On LinkedIn, a former employee at PSEC claims to have “assisted Rohde and Schwarz agent in Lebanon during which I participated in 5 projects that were successfully obtained and won. This work consisted [sic] to unite product and service providers with governmental institutions in a competitive environment.”

The New Arab was not able to confirm if Lebanese law enforcement agencies have acquired or are in the process of acquiring security equipment from Rohde & Schwarz. The Rohde & Schwarz Dubai branch did not respond to our request for comment in time for publication.

Former employee at PSEC explains his company’s role in negotiating between Rohde & Schwarz and Lebanese governmental institutions. [LinkedIn]

Political connections

Unlike some of his business activities, Feghali’s political ties are less secretive. A January 2023 visit to the Lebanese Minister of Culture, along with MPs Akram Chehayeb and Wael Abou Faour, suggests that he is close to members of the Druze-supported Progressive Socialist Party (PSP).

He was also seen at a gathering in March 2018 with Paul Youssef Matar, the former Archeparch of Beirut, and Taymur Jumblatt, who was recently selected as leader of the PSP.

Feghali (first from the left) in a 2018 meeting with former Archeparch Matar and Taymur Jumblatt, current leader of the Lebanese Progressive Socialist Party (PSP). [Al-Anbaa/fair use]

Despite hailing from a Maronite Christian family, Feghali’s political connections apparently span across the Druze political spectrum. 

According to a 2001 article by Lebanese newspaper The Daily Star, Karl Feghali was one of the original 15 members who were invited to found the Lebanese Democratic Party (LDP) in the same year. The LDP is a pro-Syrian party established by Prince Talal Arslan and Marwan Abu Fadel, and the historical rival of the PSP in Lebanese Druze politics. 

The New Arab contacted the LDP to confirm if Feghali was a co-founder of the party, but it received no response by the time of publication.

In the meantime, Karl Feghali is able to continue his work with no oversight, in an environment where government accountability was already absent before the economic crisis. Due to the Lebanese government’s inability to fulfil its basic functions, public sources of information for tracking business deals, like the ones negotiated by Feghali, are absent.

The Lebanese companies register within the Ministry of Justice, for example, has been inaccessible since 2020. 

The Lebanese Court of Auditors found in a report that 92% of grants (both national and international) from 1997 to 2022 were spent without government supervision, according to an article published in February 2023 on the website of Lebanese daily Al-Akhbar. This echoes a report published in March of the same year by the Gherbal Initiative, a Lebanese pro-transparency non-profit civil company, showing that only 28 out of 204 public administrations provided complete information about the loans and grants they had received from 2001 to 2021.

The import of security tools into the country can therefore continue - paid for using foreign grants and loans - with even less control or supervision.

Sami Hadaya and Ed Carron contributed to this article.

Correction: The initial version of this article stated that data breach accusations were related to a Covid-19 vaccine website. The article was amended to reflect that the case was instead about a Covid-19-related online platform for travellers.

For comments and complaints please email Andrea Glioti (head of TNA investigative unit) andrea.glioti@newarab.com or Anas Ambri (TNA investigative researcher) anas.ambri@newarab.com.

Sensitive info and tips are to be sent via encrypted email to thenewarab@tutanota.com.
