cytox – Techdirt
Greek Government Used Predator Spyware To Spend A Year Surveilling A US Citizen
from the if-it-can-be-abused,-it-will-be-abused dept
While NSO Group made most of the headlines in the cell phone malware market, it had plenty of competition back at home in Israel. Candiru — another malware company with more talent than ethics — managed to make headlines of its own while being blacklisted by the US Commerce Department following weeks of negative press involving Israeli spyware companies.
A company that managed to escape blacklisting — one with Israeli intelligence service ties of its own — is now taking some of the heat off NSO Group and Candiru. Cytrox, which manufactures a phone malware strain of its own — Predator — is at the center of a massive scandal in Greece, following revelations of its abuse by the Greek government.
Last August, the head of Greece’s intelligence agency resigned after it was discovered that a journalist and an opposition party member apparently had their phones compromised by Predator malware purchased by the Greek government. Shortly thereafter, the company’s office in Greece was raided by Greek law enforcement.
Now, there’s even more to add to that scandal, coming to us courtesy of Gizmodo’s Lucas Ropek.
A former executive on Meta’s security policy team was hacked by the Greek government using sophisticated spyware known as “Predator,” which tracked her for a whole year.
Artemis Seaford, who formerly worked as a trust and safety manager on Meta’s security policy team, had her phone digitally infected by malware in September of 2021, the New York Times reported Monday. Seaford was secretly under surveillance at the behest of the Greek national intelligence service, which deployed tracking software widely. “Predator” was developed by a secretive cyber company known as “Cytrox,” which is said to be based in North Macedonia and sells commercial spyware and other surveillance tools.
The former Meta safety manager has dual citizenship: Greek and US. So, not only does this involve a foreign company spying on a US citizen, it also involves a form of domestic spying, as the Greek government apparently targeted one of its own.
The documents obtained by the New York Times show Seaford was hacked and tracked for a year by the Greek government while she worked at Meta’s Greek office. According to the Times, this appears to be the first time someone has been targeted by an EU nation while residing in an EU nation.
This is the upshot, according to the Times:
The simultaneous tapping of the target’s phone by the national intelligence service and the way she was hacked indicate that the spy service and whoever implanted the spyware, known as Predator, were working hand in hand.
The Greek government, however, claims it was not behind this hacking and tracking.
“The Greek authorities and security services have at no time acquired or used the Predator surveillance software. To suggest otherwise is wrong,” Giannis Oikonomou, the government spokesman, said in an email. “The alleged use of this software by nongovernmental parties is under ongoing judicial investigation.”
Well, great, except that this denial is hardly plausible. The government has yet to publicly admit purchasing the spyware, but there’s a growing amount of evidence pointing towards the Greek government’s involvement in the deployment of Cytrox’s Predator malware.
There’s more circumstantial evidence in this latest report.
Two people with direct knowledge of the case said that Ms. Seaford had in fact been wiretapped by the Greek spy service from August 2021, the month before the spyware hack, and for several months into 2022.
I guess it all depends on who’s lying or what definition of “acquired” or “used” the Greek government is using. It may be that Seaford was targeted by another government, but it seems like an insanely huge coincidence that another government compromised the Meta exec’s phone while she happened to be under direct surveillance by the Greek government itself.
With competing narratives, it all comes down to time. Researchers may be able to find other evidence linking the phone infection with its source. And, thanks to a change in Greek law following the spying scandal, spy agencies must provide information to citizens targeted by their surveillance programs. But this disclosure isn’t required until three years after the expiration of a wiretap, which means the best way to avoid disclosure is to keep renewing wiretap orders indefinitely. Also, there’s no reason to believe this disclosure won’t be heavily redacted, which may make official confirmation impossible.
But whatever happened here is the direct result of malware makers not caring who they sell to or what their customers do with the products they make. Every government abuses the powers it has. Add-ons like Predator just make the inevitable easier.
Filed Under: artemis seaford, greece, predator, spyware, surveillance
Companies: cytox, meta
Phone Malware Company Linked To Greek Domestic Surveillance Scandal Raided By Law Enforcement
from the bad-times-for-bad-actors dept
NSO Group isn’t the only phone malware firm to draw international attention. Sure, NSO’s decision to sell to human rights abusers and aid/abet surveillance of journalists, lawyers, government critics, and political leaders drew the most attention, but there were others. And all of these malware purveyors seem to have sprung from the same source: spies whose last employer was the Israeli government.
NSO Group and its lesser known competitor, Candiru, managed to secure themselves sanctions from the US Commerce Department. In addition, NSO found itself targeted by the very government that allowed it to flourish before the bad press started rolling in.
Meanwhile, another exploit developer flew under the radar, only surfacing occasionally until it finally found itself at the center of a surveillance scandal. Cytrox, owned by Intellexa, sells its Predator malware to government agencies around the world. One of those customers was the Greek government, which apparently used it to target leaders of opposition parties — the sort of thing people generally don’t want allegedly democratic governments to be doing.
Following the resignation of the head of the Greek government’s intelligence service, the government finally decided to start policing itself. But, instead of erecting rules preventing this sort of abuse, it amended its surveillance laws to make it easier for the government to plausibly deny engaging in abuse of its surveillance powers. The stated goal was more transparency. The end result was something else entirely, even if it did finally provide potentially surveilled Greek citizens with an avenue to obtain information about domestic surveillance efforts.
Perhaps this is just a minimal effort meant to make the Greek government look a little less authoritarian, but it’s still surprising. According to this report from Haaretz, Cytrox is now facing the sort of scrutiny that involves armed officers breaking down doors and seizing anything they can find.
Greek police raided the Athens offices of the Israeli company behind the Predator spyware on Tuesday, local media reported, the latest turn of events in a months-long wiretapping affair that has rocked Greece over the past several months.
The offices of Intellexa, the Israeli-owned spyware company, and five other firms were raided by police in the Greek capital, Kathimerini reported on Tuesday. The raids also targeted the company executives’ homes.
The raid of the offices is unexpected. That this was extended to the homes of executives shows the Greek government is possibly aware the offices may have been cleansed of anything incriminating shortly after news broke of the illegal domestic surveillance.
It may also be an indication the government realized the surveillance scandal wasn’t simply going to evaporate into the news cycle ether. More bad news arrived shortly before this raid.
On Sunday, Greek newspaper Documento released a dossier revealing that dozens of acting ministers, military leaders, businessmen and media figures were also under surveillance.
Pretty much NSO Group, in other words. Give governments powerful surveillance tools capable of compromising phones and you should expect, at minimum, periodic abuse. The tools are too powerful and too tempting to be used only for the objectives stated when acquiring the malware. You know, things like criminal investigations of violent crimes or protecting the nation against terrorist attacks. Once acquired, governments — even those not considered to be habitual rights abusers — tend to target anyone deemed a threat to leaders’ job security, which is not nearly the same thing as national security.
Haaretz also reports Cytrox/Intellexa is being sued by Thanasis Koukakis, an investigative journalist apparently targeted by the malware. It’s not a civil suit. It’s a set of criminal accusations, filed with prosecutors in Athens.
That being said, there will be no day of reckoning for these governments or the tech companies who sell them the exploits they abuse. There will be case-by-case wins, but rest assured, the nasty business of malware development will continue. There are far too many well-paying customers out there, many of which appear to desire better ways to keep an eye on people governments don’t like, all while trying to maintain the pretense these acquisitions are necessary to securing nations and ensuring public safety.
Filed Under: greece, malware, predator, spyware, surveillance
Companies: candiru, cytox, intellexa, nso group
Greek Government Responds To Domestic Surveillance Controversy By Making Things Worse
from the those-who-can't,-govern dept
Malware and exploit developers are generating a seemingly endless number of headlines, thanks to misuse of their products by government entities. Israel’s NSO Group has made the most headlines, but other Israel-located malware purveyors have made the news as well. Candiru, another Israeli exploit developer, was hit with the same sanctions the US Commerce Department leveled against NSO Group.
Another surveillance tech firm with ties to Israeli intelligence services, Cytrox, was at the center of another scandal, this one involving the government of Greece. According to Citizen Lab researchers, Cytrox has become the go-to malware purveyor for those who have been denied by the recently recalcitrant NSO Group. In addition to Cytrox phone infections suspected to be originating from Saudi Arabia, Greek citizens were finding themselves targeted by this company’s exploits.
Thomas Koukakis, an investigative reporter covering financial issues, found out his phone had been infected for at least 10 weeks by Cytrox’s “Predator.” The infection was traced back to a Greek phone number, which sent a malicious link to the journalist.
A few months later, opposition leader Nikos Androulakis was notified that his phone had been infected with Cytrox malware shortly before he declared himself a candidate for the country’s third-largest political party.
Following these reports, the head of Greece’s intelligence service resigned, as did the general secretary of the prime minister’s office. These are not admissions of guilt, but they do appear to be high-ranking government officials pressing the eject button before anyone else (the rest of the government/citizens of Greece) did it for them.
So, the Greek government is facing a domestic surveillance scandal — one that involves journalists and political leaders. And it has made an attempt to address this issue through legislation. The problem is that it’s terrible legislation. The proposal appears to do little more than allow the government to say it’s taking things seriously while simultaneously codifying some very helpful opacity.
Here’s what Human Rights Watch has to say about the proposed legislation:
The draft law fails to take into account objections from two constitutionally entrenched independent public bodies: the Hellenic Authority for Communication Security and Privacy (ADAE), which oversees surveillance powers, and the Data Protection Authority, which oversees the use of personal data. ADAE is tasked with monitoring compliance with the terms and the procedures of legally permitted interception of communications, but lacks the power of review that competent judicial authorities have.
Both of these bodies have been bypassed. It appears the government would rather sweep its surveillance of journalists (there’s another target listed in HRW’s report) and opposition leaders under an extremely dark rug while pretending to expand options for those who suspect they’ve been illegally surveilled.
What the law is supposed to fix has instead created a parallel route for indefinite opacity. While it does introduce time limits on disclosure, it severely restricts what surveilled citizens can learn about government spying.
Until March 2021, a person under government surveillance for national security reasons had the right to file a request with ADAE for information about themselves. But ADAE would only provide that information once those measures were no longer in effect and, notably, only if disclosure would not compromise the purpose of the investigation. An amendment adopted at the end of March 2021 made it impossible for someone under government surveillance for national security reasons to ever get information about it or to seek a remedy.
The draft law reintroduces access to such information, but only three years after the end of the monitoring. The affected person can be informed of the fact of the surveillance and of its duration but not of the content, significantly hampering a potential victim from collecting evidence about their surveillance and challenging it in court on the basis that it is illegal, abusive, or disproportionate.
On the plus side, the government would be required to turn over information three years after the period of monitoring. On the negative side, the information allowed to be released would be mostly useless, only allowing domestic surveillance targets to be apprised, years after the fact, that they were surveilled. It won’t tell them why they were targeted. It won’t tell them what was targeted. Instead, they’ll only be informed that it happened. And they’ll only know to ask if they can show (without access to evidence) that they were targeted.
What should be done instead is a wholesale reform of surveillance powers, starting with a moratorium on the use of powerful phone exploits to target citizens of Greece. No doubt the government has an interest in securing the nation and fighting crime, but when it’s compromising the phones of journalists and political opponents, it cannot be considered trustworthy enough to wield these powers. This legislation doesn’t make the government more accountable. All it does is codify its refusal to be honest with surveillance targets about its actions.
Filed Under: greece, surveillance
Companies: cytox
Investigation Shows Egyptian Government Hacked A Dissident's Phone Twice, Using Two Different Companies' Malware
from the doublecheck-your-work-I-guess dept
Citizen Lab has uncovered more state-level spying targeting political opponents and journalists. There’s a twist to this one, though. One of those targeted had his phone infected by two forms of malware produced by two different companies. And yet another twist: both companies have their roots in Israel, which is home to at least 19 entities that develop phone exploits. Here’s the summary from Citizen Lab:
Two Egyptians—exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)—were hacked with Predator spyware, built and sold by the previously little-known mercenary spyware developer Cytrox.
The phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.
Both targets were hacked with Predator in June 2021, and the spyware was able to infect the then-latest version (14.6) of Apple’s iOS operating system using single-click links sent via WhatsApp.
Ayman Nour, the lucky recipient of two different strains of malware, is the head of an opposition group who ran against former Egyptian President Hosni Mubarak. Shortly after Nour’s election loss, he was jailed for allegedly forging signatures on petitions — a move generally recognized as retaliation from his victorious opponent.
The other target is a journalist now in exile who has been openly critical of Egypt’s new president.
Unsurprisingly, these attacks have been traced back to the Egyptian government. What’s more surprising is that attribution can be made since attackers using these powerful hacking tools usually do a little better covering their tracks.
We attribute the attacks on the two targets to the Egyptian Government with medium-high confidence. We conducted scanning that identified the Egyptian Government as a Cytrox Predator customer, websites used in the hacks of the two targets bore Egyptian themes, and the messages that initiated the hack were sent from Egyptian WhatsApp numbers.
Once again, powerful hacking tools deployed against government critics have been traced back to companies with an Israeli presence. NSO Group has always been located in Israel. Cytrox, however, has moved around, changing both its home base and its name several times to distance itself from its irresponsible malware sales. But the Times of Israel has the receipts.
Cytrox was part of a shadowy alliance of surveillance tech companies known as Intellexa that was formed to compete with NSO Group. Founded in 2019 by a former Israeli military officer and entrepreneur named Tal Dilian, Intellexa includes companies that have run afoul of authorities in various countries for alleged abuses.
Four executives of one such firm, Nexa Technologies, were charged in France this year for “complicity of torture” in Libya while criminal charges were filed against three company executives for “complicity of torture and enforced disappearance” in Egypt. The company allegedly sold spy tech to Libya in 2007 and to Egypt in 2014.
It appears there’s a healthy market for powerful phone exploits. But the market consists of unhealthy governments more interested in tracking and surveilling critics than engaging in counterterrorism or investigating serious criminal activity. NSO claims it only sells malware for those more acceptable reasons. Cytrox/Intellexa has never offered any such assurances, possibly because it has an international rap sheet that would immediately undercut its assertions.
It’s an ugly world out there. Plenty of companies operating out of free countries are willing to sell exploits to governments they know will abuse them to commit human rights violations. If NSO Group shuts down its malware arm, it won’t make things safer for dissidents, government critics, and journalists. There are plenty of companies willing to fill this void. And they’re very good about obscuring who they are and what they do.
But one thing is undeniable: malware merchants are enabling abusive governments and it’s going to take more than a few sanctions and fines to prevent this from happening in the future. So far, the countries these companies call home have done little about these residents who are making the world a worse place to live. That has to change. And it appears it’s going to be investigative journalists and security researchers applying the pressure through investigations and exposés. Governments need to stop abdicating their responsibilities and allowing private citizens with finite resources and zero power to do their work for them.
Filed Under: ayman nour, dissident, egypt, hacking, malware, pegasus, predator, spyware, surveillance
Companies: cytox, nso group