RAB procures Telegram interceptor

Bangladesh Police’s elite unit Rapid Action Battalion (RAB) has reportedly procured an advanced communications interception system to snoop into private communications over Telegram, a popular messaging platform. Intelligence Online, a Paris-based independent publication dedicated to covering global intelligence communities, reported on September 22nd that the procurement of the interceptor, called “Tucan”, was made possible by a local distributor, Ezzy Communications.

Tucan’s original manufacturer remained unidentified in the report.

“The system allows its operators to deanonymize Telegram clients, set up keyword alerts in messaging content, and obtain users’ metadata, such as telephone numbers, addresses, and email details,” the report explained.

Netra News has not been able to corroborate the claims independently.

“When private chat lines are intercepted, users’ public and private messages can be captured and subjected to emotional analysis. Tucan can also correlate information obtained from Telegram with that from other social networks and messaging services via the user's telephone number and name,” the Intelligence Online story added.

Telegram does not disclose the number of its users in Bangladesh, but its messaging platform remains popular among activists and professionals wary of the government’s widespread surveillance operations, though Signal and Whats App remain the most popular. The application is widely known to be encrypted and secured, although cyber security experts questioned several of its security features.

It is still unclear how “Tucan”, if at all, could be employed to intercept private encrypted communications.

Queries sent to Telegram’s press team went unanswered.

A local merchant of surveillance technology

Several affiliates of Ezzy Group, including Ezzy Communications and Ezzy Enterprise, have supplied interceptors, surveillance, and hacking tools to Bangladesh’s intelligence and security agencies, including the National Telecommunication Monitoring Centre (NTMC) and the Directorate General of Forces Intelligence (DGFI).

Netra News has identified at least two former Ezzy Group employees who worked as contractors at the DGFI Headquarters to help operate intercepting devices, underscoring the corporate group’s unusually deep relationship with Bangladesh’s notorious security apparatus.

Citing its own sources, Intelligence Online reported that Ezzy has long worked with major cyber intelligence companies such as Cellebrite, Gamma Group, Utimaco, and 3I-Mind (now Digital Clues).

According to reports by Haaretz and Al Jazeera, one of Ezzy’s suppliers, Cellebrite, an Israel-based digital forensics behemoth, previously provided RAB with sophisticated surveillance technology. Following an outcry in Israel from civil liberties groups, Cellebrite decided to halt its sale of advanced surveillance tools to Bangladesh.

Intelligence Online further claimed that Ezzy supplies to intelligence agencies sophisticated “zero-day” hacking tools, which exploit unknown and unreported software flaws or vulnerabilities.

In his recent book, Brazil-based cyber security researcher Eduardo Izycki found DGFI to use surveillance software FinFisher by British-German firm Gamma International and hacking tools developed by German company Trovicor. In both instances, Ezzy Enterprise was identified as the distributor.

In 2015, the famed Canadian research laboratory Citizen Lab published a lengthy research paper on the presence of FinFisher in the server of DGFI. In a report published in July 2016, Privacy International, a global privacy advocacy group, identified Ezzy Enterprise as an example of a distributor in the global surveillance industry.

According to a website that tracks the changes of websites globally, Ezzy Communications removed the names of its partners, including Gamma International and Trovicor, from its website on 15 April 2020. An archived version of the website shows these companies as Ezzy’s partners and the Bangladesh Army and NTMC as its clients.

In 2019, an affiliate of the Ezzy Group installed surveillance cameras powered by Huawei, the Chinese technology giant, in different parts of Sylhet, a northeastern city. A subsequent journal paper by a Bangladeshi academic described how those surveillance cameras could capture number plates of moving vehicles. The intrusive technology was hailed as security-strengthening measures as part of the government’s signature “Digital Bangladesh” policy.

Bangladesh’s state minister for information technology, Zunaid Ahmed Palak, said at the time that as part of its “Vision 2041”, the government would replicate a similar surveillance network across the country.

Ezzy Group has business interests in gas and oil exploration, cyber security and surveillance equipment supply, manpower export, and tourism industries.

Kamal Uddin Ahmed serves as the conglomerate’s chairman, while his son Zulfiqar Ali is its managing editor. Zulfiqar Ali is also the honorary consul general of Guatemala in Bangladesh.

One of the group’s directors is Shahnul Hasan Khan, a close business partner of controversial businessman Chowdhury Nafeez Sarafat. The duo, who were colleagues in a bank a few years ago, are now serving as directors at Padma Bank, Canadian University of Bangladesh, and Unique Meghnaghat Power Limited, among others.

Shahnul Hasan Khan also publishes the online news portal NewsBangla 24, of which Chowdhury Nafeez Sharafat is the chairman of the editorial board.

Ezzy Group, which appeared to be a tight-knit family-run company, added Shahnul Hasan Khan as its director in the 2020-21 period, according to the group’s archived websites

Netra News reached out to both Zulfiqar Ali and Shahnul Hasan Khan for their comments on this report, but neither responded.

Enhancing surveillance capabilities

Bangladeshi intelligence and security agencies are strengthening their capabilities of monitoring and intercepting online communications as the general election approaches.

In a separate story on August 21st, Intelligence Online reported that NTMC has recently purchased geolocation tracking devices from the French firm Intersec for USD 13 million (Taka 130 crore). The British firm Creativity Software was the closest bidder.

Creativity Software, which the U.S.-based SS8 has recently bought, found its US ties a significant disadvantage “because of the United States’ complicated relations” with Bangladesh.The US Treasury Department has sanctioned RAB and seven of its former and serving officials for their alleged role in extrajudicial executions and enforced disappearances.●