predator – Techdirt

Stories filed under: "predator"

Greek Government Used Predator Spyware To Spend A Year Surveilling A US Citizen

from the if-it-can-be-abused,-it-will-be-abused dept

While NSO Group made most of the headlines in the cell phone malware market, it had plenty of competition back at home. Israel is also home to its competitors. Candiru — another malware company with more talent than ethics — managed to make headlines of its own while being blacklisted by the US Commerce Department following weeks of negative press involving Israeli spyware companies.

A company that managed to escape blacklisting — one with Israeli intelligence service ties of its own — is now taking some of the heat off NSO Group and Candiru. Cytrox, which manufactures a phone malware strain of its own — Predator — is at the center of a massive scandal in Greece, following revelations of its abuse by the Greek government.

Last August, the head of Greece’s intelligence agency resigned after it was discovered that a journalist and an opposition party member apparently had their phones compromised by Predator malware purchased by the Greek government. Shortly thereafter, the company’s office in Greece was raided by Greek law enforcement.

Now, there’s even more to add to that scandal, coming to us courtesy of Gizmodo’s Lucas Ropek.

A former executive on Meta’s security policy team was hacked by the Greek government using sophisticated spyware known as “Predator,” which tracked her for a whole year.

Artemis Seaford, who formerly worked as a trust and safety manager on Meta’s security policy team, had her phone digitally infected by malware in September of 2021, the New York Times reported Monday. Seaford was secretly under surveillance at the behest of the Greek national intelligence service, which deployed tracking software widely. “Predator” was developed by a secretive cyber company known as “Cytrox,” which is said to be based in North Macedonia and sells commercial spyware and other surveillance tools.

The former Meta safety manager has dual citizenship: Greek and US. So, not only does this involve a foreign company spying on a US citizen, it also involves a form of domestic spying, as the Greek government apparently targeted one of its own.

The documents obtained by the New York Times show Seaford was hacked and tracked for a year by the Greek government while she worked at Meta’s Greek office. According to the Times, this appears to be the first time someone has been targeted by an EU nation while residing in an EU nation.

This is the upshot, according to the Times:

The simultaneous tapping of the target’s phone by the national intelligence service and the way she was hacked indicate that the spy service and whoever implanted the spyware, known as Predator, were working hand in hand.

The Greek government, however, claims it was not behind this hacking and tracking.

“The Greek authorities and security services have at no time acquired or used the Predator surveillance software. To suggest otherwise is wrong,” Giannis Oikonomou, the government spokesman, said in an email. “The alleged use of this software by nongovernmental parties is under ongoing judicial investigation.”

Well, great, except that this denial is hardly plausible. The government has yet to publicly admit purchasing the spyware, but there’s a growing amount of evidence pointing towards the Greek government’s involvement in the deployment of Cytrox’s Predator malware.

There’s more circumstantial evidence in this latest report.

Two people with direct knowledge of the case said that Ms. Seaford had in fact been wiretapped by the Greek spy service from August 2021, the month before the spyware hack, and for several months into 2022.

I guess it all depends on who’s lying or what definition of “acquired” or “used” the Greek government is using. It may be that Seaford was targeted by another government, but it seems like an insanely huge coincidence that another government compromised the Meta exec’s phone while she happened to be under direct surveillance by the Greek government itself.

With competing narratives, it all comes down to time. Researchers may be able to find other evidence linking the phone infection with its source. And, thanks to a change in Greek law following the spying scandal, spy agencies must provide information to citizens targeted by their surveillance programs. But this disclosure isn’t required until three years after the expiration of a wiretap, which means the best way to avoid disclosure is to keep renewing wiretap orders indefinitely. Also, there’s no reason to believe this disclosure won’t be heavily redacted, which may make official confirmation impossible.

But whatever happened here is the direct result of malware makers not caring who they sell to or what their customers do with the products they make. Every government abuses the powers it has. Add-ons like Predator just make the inevitable easier.

Filed Under: artemis seaford, greece, predator, spyware, surveillance
Companies: cytrox, meta

Phone Malware Company Linked To Greek Domestic Surveillance Scandal Raided By Law Enforcement

from the bad-times-for-bad-actors dept

NSO Group isn’t the only phone malware firm to draw international attention. Sure, NSO’s decision to sell to human rights abusers and aid/abet surveillance of journalists, lawyers, government critics, and political leaders drew the most attention, but there were others. And all of these malware purveyors seem to have sprung from the same source: spies whose last employer was the Israeli government.

NSO Group and its lesser known competitor, Candiru, managed to secure themselves sanctions from the US Commerce Department. In addition, NSO found itself targeted by the very government that allowed it to flourish before the bad press started rolling in.

Meanwhile, another exploit developer flew under the radar, only surfacing occasionally until it finally found itself at the center of a surveillance scandal. Cytrox, owned by Intellexa, sells its Predator malware to government agencies around the world. One of those customers was the Greek government, which apparently used it to target leaders of opposition parties — the sort of thing people generally don’t want allegedly democratic governments to be doing.

Following the resignation of the head of the Greek government’s intelligence service, the government finally decided to start policing itself. But, instead of erecting rules preventing this sort of abuse, it amended its surveillance laws to make it easier for the government to plausibly deny engaging in abuse of its surveillance powers. The stated goal was more transparency. The end result was something else entirely, even if it did finally provide potentially surveilled Greek citizens with an avenue to obtain information about domestic surveillance efforts.

Perhaps this is just a minimal effort meant to make the Greek government look a little less authoritarian, but it’s still surprising. According to this report from Haaretz, Cytrox is now facing the sort of scrutiny that involves armed officers breaking down doors and seizing anything they can find.

Greek police raided the Athens offices of the Israeli company behind the Predator spyware on Tuesday, local media reported, the latest turn of events in a months-long wiretapping affair that has rocked Greece over the past several months.

The offices of Intellexa, the Israeli-owned spyware company, and five other firms were raided by police in the Greek capital, Kathimerini reported on Tuesday. The raids also targeted the company executives’ homes.

The raid of the offices is unexpected. That this was extended to the homes of executives shows the Greek government is possibly aware the offices may have been cleansed of anything incriminating shortly after news broke of the illegal domestic surveillance.

It may also be an indication the government realized the surveillance scandal wasn’t simply going to evaporate into the news cycle ether. More bad news arrived shortly before this raid.

On Sunday, Greek newspaper Documento released a dossier revealing that dozens of acting ministers, military leaders, businessmen and media figures were also under surveillance.

Pretty much NSO Group, in other words. Give governments powerful surveillance tools capable of compromising phones and you should expect, at minimum, periodic abuse. The tools are too powerful and too tempting to be used only for the objectives stated when acquiring the malware. You know, things like criminal investigations of violent crimes or protecting the nation against terrorist attacks. Once acquired, governments — even those not considered to be habitual rights abusers — tend to target anyone deemed a threat to leaders’ job security, which is not nearly the same thing as national security.

Haaretz also reports Cytrox/Intellexa is being sued by Thanasis Koukakis, an investigative journalist apparently targeted by the malware. It’s not a civil suit. It’s a set of criminal accusations, filed with prosecutors in Athens.

That being said, there will be no day of reckoning for these governments or the tech companies who sell them the exploits they abuse. There will be case-by-case wins, but rest assured, the nasty business of malware development will continue. There are far too many well-paying customers out there, many of which appear to desire better ways to keep an eye on people governments don’t like, all while trying to maintain the pretense these acquisitions are necessary to securing nations and ensuring public safety.

Filed Under: greece, malware, predator, spyware, surveillance
Companies: candiru, cytrox, intellexa, nso group

Greek Intelligence Service Boss Resigns After Journalist, Opposition Party Member Targeted With Phone Malware

from the better-than-being-fired,-I-suppose dept

There’s another player in the phone malware game. NSO is far from the only malware merchant out there. Its products are the most well-known and the most dangerous, thanks to zero-click deployment options.

NSO Group and Candiru — both Israeli companies created and staffed by former state intelligence operatives — were recently hit with sanctions by the US Department of Commerce. Now, there’s another Israeli exploit developer making headlines around the world. And those headlines may eventually see it added to the Commerce Department’s blacklist.

For now, though, it’s just another exploit developer with ties to Israeli intelligence services. Cytrox — developer of a phone exploit called “Predator” — is following the NSO Group game plan, selling its tech to governments willing to utilize the exploits to target journalists and political opponents.

Late last year, Citizen Lab uncovered the hacking of an Egyptian dissident’s phone. The affected device was host to two forms of malware, one created by NSO Group and the other by Cytrox. According to the Citizen Lab investigation, these infections were traced back to two different government clients.

Not much is known about Cytrox’s government customers. Citizen Lab’s findings suggest the Saudi government may have switched to Cytrox after being cut off by NSO Group. But, thanks to recent developments, there’s plenty of information now pointing to Greece being one of Cytrox’s customers. This report surfaced earlier this year.

On April 11 it was revealed via media reports that [Thanasis] Koukakis, an experienced investigative journalist covering financial and banking issues in Greece, had his mobile phone infected for at least ten weeks in 2021 by Predator, an advanced spyware tool developed by a North Macedonian company called Cytrox.

According to a forensic analysis by experts at Citizen Lab, the device was compromised using Predator between July 12 and September 24, 2021. The investigation identified the source of the hacking to be a Greek phone number, which sent Koukakis a text message containing an infected link to a fake website.

A few months later, a member of a Greek opposition party reported his phone had been targeted by the same malware.

The politician, Nikos Androulakis, who became leader of Greece’s third-largest political party, the center-left PASOK-KINAL, at the end of last year, submitted his personal mobile device to the new spyware-detecting tech lab at the European Parliament in Brussels.

Late last month the experts notified Mr. Androulakis that, in September 2021, weeks after declaring he would be a candidate to lead the opposition party back home, he had received a text message with a link that would have installed the spyware Predator, a clunkier version of the famous spyware Pegasus, on his phone, had he clicked on it.

Not only is the software less sophisticated than NSO’s product, but the delivery leaves a lot to be desired. It’s best not to look like an attempted hacking when attempting to compromise a phone.

“Let’s look at this seriously friend, there’s something to gain,” the text said in Greek, followed by the link.

The only response at that point from the Greek government was to deny involvement in the hacking of the journalist’s phone. It said nothing at all about the attempted hacking of the opposition party leader.

Even though it has maintained this specific denial, this certainly looks like an admission of involvement in at least one of these hackings.

The head of Greece’s intelligence service and the general secretary of the prime minister’s office have resigned, amid allegations of the use of surveillance software against a journalist and the head of an opposition party.

National Intelligence Service director Panagiotis Kontoleon and Grigoris Dimitriadis, general secretary of the prime minister’s office, submitted their resignations Friday, the prime minister’s office said. Both were accepted.

Kontoleon resigned “following incorrect actions found in the procedure of legal surveillance,” the prime minister’s office said, without elaborating on which procedures were incorrectly followed or who the targets of legal surveillance might have been. Under Greek law, a prosecutor is required to sign off on any surveillance.

The general secretary’s resignation supposedly has nothing to do with the reported phone hackings. But all we have at this point is an unofficial statement made by an anonymous government official. And that statement, again, claims the Greek government had nothing to do with the targeting of a local journalist. But this one folds in the attempted hacking of the opposition party leader, which had previously been unaddressed by any official statements.

A government official said [the general secretary’s resignation] was “related to the toxic climate that has developed around him. In no case does it have anything to do with Predator (spyware), to which neither he nor the government are in any way connected, as has been categorically stated.” The official spoke on condition of anonymity as the reasons for the resignation had not been announced.

But it has not been “categorically stated.” And it still hasn’t, because this isn’t an official government statement. The Greek government is facing legal action brought by the opposition leader who hopes this will expose what entity attempted to compromise his phone with Predator malware. The sudden resignation of the head of Greece’s intelligence agency strongly suggests abuses of surveillance powers and tech. The timing of the resignation even more strongly suggests the unspecified abuses are related to recent news reports about these hacking attempts.

At some point more details will be made public. But for now, it appears there’s another malware company with ties to Israeli intelligence selling exploits to governments that can’t be trusted to use them responsibly.

Filed Under: greece, predator, spyware, surveillance
Companies: cytrox

Investigation Shows Egyptian Government Hacked A Dissident's Phone Twice, Using Two Different Companies' Malware

from the doublecheck-your-work-I-guess dept

Citizen Lab has uncovered more state-level spying targeting political opponents and journalists. There’s a twist to this one, though. One of those targeted had his phone infected by two forms of malware produced by two different companies. And yet another twist: both companies have their roots in Israel, which is home to at least 19 entities that develop phone exploits. Here’s the summary from Citizen Lab:

Two Egyptians—exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)—were hacked with Predator spyware, built and sold by the previously little-known mercenary spyware developer Cytrox.

The phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.

Both targets were hacked with Predator in June 2021, and the spyware was able to infect the then-latest version (14.6) of Apple’s iOS operating system using single-click links sent via WhatsApp.

Ayman Nour, the lucky recipient of two different strains of malware, is the head of an opposition group who ran against former Egyptian President Hosni Mubarak. Shortly after Nour’s election loss, he was jailed for allegedly forging signatures on petitions — a move generally recognized as retaliation from his victorious opponent.

The other target is a journalist now in exile who has been openly critical of Egypt’s new president.

Unsurprisingly, these attacks have been traced back to the Egyptian government. What’s more surprising is that attribution can be made since attackers using these powerful hacking tools usually do a little better covering their tracks.

We attribute the attacks on the two targets to the Egyptian Government with medium-high confidence. We conducted scanning that identified the Egyptian Government as a Cytrox Predator customer, websites used in the hacks of the two targets bore Egyptian themes, and the messages that initiated the hack were sent from Egyptian WhatsApp numbers.

Once again, powerful hacking tools deployed against government critics have been traced back to companies with an Israeli presence. NSO Group has always been located in Israel. Cytrox, however, has moved around, changing both its home base and its name several times to distance itself from its irresponsible malware sales. But the Times of Israel has the receipts.

Cytrox was part of a shadowy alliance of surveillance tech companies known as Intellexa that was formed to compete with NSO Group. Founded in 2019 by a former Israeli military officer and entrepreneur named Tal Dilian, Intellexa includes companies that have run afoul of authorities in various countries for alleged abuses.

Four executives of one such firm, Nexa Technologies, were charged in France this year for “complicity of torture” in Libya while criminal charges were filed against three company executives for “complicity of torture and enforced disappearance” in Egypt. The company allegedly sold spy tech to Libya in 2007 and to Egypt in 2014.

It appears there’s a healthy market for powerful phone exploits. But the market consists of unhealthy governments more interested in tracking and surveilling critics than engaging in counterterrorism or investigating serious criminal activity. NSO claims it only sells malware for those more acceptable reasons. Cytrox/Intellexa has never offered any such assurances, possibly because it has an international rap sheet that would immediately undercut its assertions.

It’s an ugly world out there. Plenty of companies operating out of free countries are willing to sell exploits to governments they know will abuse them to commit human rights violations. If NSO Group shuts down its malware arm, it won’t make things safer for dissidents, government critics, and journalists. There are plenty of companies willing to fill this void. And they’re very good about obscuring who they are and what they do.

But one thing is undeniable: malware merchants are enabling abusive governments and it’s going to take more than a few sanctions and fines to prevent this from happening in the future. So far, the countries these companies call home have done little about these residents who are making the world a worse place to live. That has to change. And it appears it’s going to be investigative journalists and security researchers applying the pressure through investigations and exposés. Governments need to stop abdicating their responsibilities and allowing private citizens with finite resources and zero power to do their work for them.

Filed Under: ayman nour, dissident, egypt, hacking, malware, pegasus, predator, spyware, surveillance
Companies: cytrox, nso group