More US Sanctions Against Predator Spyware Maker Intellexa
Intellexa Poised for a Comeback, Warn Researchers
The U.S. Department of the Treasury ramped up pressure on makers and sellers of Predator commercial spyware through sanctions on five individuals and a Caribbean company accused of enabling tens of millions of dollars of surveillance malware transactions.
Included in the sanctions is Felix Bitzois, whom Treasury identifies as owner of the Intellexa Consortium, "a complex international web of decentralized companies" that develops and sells nation-state-caliber surveillance tools. The sanctioned company is British Virgin Islands-based Aliada Group, a firm federal officials say is directed by consortium founder Tal Jonathan Dilian.
The sanctions come months after the federal government sanctioned Dilian as well as five linked companies including Greece-based Intellexa and North Macedonia-based Cytrox, which Treasury says employs the coders responsible for building Predator. Both companies and other components of the Intellexa Consortium have faced restriction on buying U.S.-made technology since their July 2023 inclusion on a Department of Commerce blacklist (see: US Announces First-Ever Sanctions Against Commercial Spyware).
Treasury sanctions outlaw U.S. persons from doing business with designated individuals and companies and freeze any financial holdings kept in U.S.-linked financial institutions. Anti-commercial spyware researchers at The Citizen Lab traced Intellexa's emergence to 2019. Intellexa has been linked to surveillance against Greek politicians, journalists and business executives, in a scandal nicknamed "Greek Watergate."
Predator malware can infect smartphones through attacks that require only a single click from the user. More advanced versions require no user interaction at all, a so-called "no-click" attack. Cisco Talos in 2023 described Predator as "especially versatile and dangerous" thanks to its ability to accept new Python-based modules without having to reinfect devices.
A September report by the Atlantic Council's DFRLab says companies in the Intellexa Consortium include a firm specializing in long-range Wi-Fi signal interception and password extraction, as well as an open-source intelligence firm analyzing data from phones infected with Predator.
European Union and U.S. authorities sought to diminish the market for commercial spyware amid ongoing evidence that authoritarian governments have turned those tools against dissidents and activists. Commercial spyware's few public defenders have emphasized their role in capturing dangerous criminals and tracking terrorist groups. In the United States, President Joe Biden in March 2023 signed an executive order that prohibits agencies from buying licenses for spyware used by foreign governments to spy on dissidents (see: US Limits Government Use of Advanced Smartphone Spyware). The Department of State in February announced visa restrictions against individuals involved "in the misuse of commercial spyware."
Whether today's sanctions will deter future Predator infections has yet to be determined. Researchers at Recorded Future earlier this month uncovered new activities from Intellexa despite earlier rounds of U.S. blacklisting and sanctions.
Government actions and exposure resulted in a "noticeable reduction" of observable Predator activity, researchers said. But operators responded by fortifying their infrastructure and adding new layers of complexity to evade detection, paving the way for a resurgence.
Recorded Future uncovered clusters of activities tied to Predator from Angola and Congo, as well as suspected activities in the United Arab Emirates and Madagascar between June and August.
Predator's African customers used a multitiered infrastructure network. Downstream delivery servers likely played a role in device exploitation and initial access. Those servers frequently communicated with upstream servers, likely deployed as hop points for anonymization, "minimizing the chances of linking the delivery servers to specific Predator customers."
Predator infects smartphones by chaining multiple exploits, such as initial remote code execution, sandbox escape or a local privilege escalation, said Julian-Ferdinand Vögele, a senior threat researcher at Insikt Group. He said the spyware is "highly sophisticated" and has "extensive invasive capabilities."
"Predator's ongoing activity despite the U.S. sanctions reveals more about the mercenary spyware ecosystem itself, which is characterized by companies repeatedly changing their identities and corporate structures, shifting operations across jurisdictions and leveraging substantial cross-border funding," Vögele told Information Security Media Group.
Some spyware critics say spyware's apparent intractability isn't a technical problem. "What the EU lacks currently is a political will; it is very obvious that the national governments in the EU and the commission have zero appetite to fix the issue of spyware," said Sophie in 't Veld, a former Dutch member of the European Parliament who acted as rapporteur of an investigation into trading bloc members' use of commercial spyware.
The investigators' report called for the European Commission to introduce tighter spyware export controls and permit commercial spyware's use only in exceptional cases of "genuine threat" to national security. A coalition of civil society groups earlier this month urged the European Commission to enact a complete ban on the development and sale of commercial spyware by private companies. "EU Institutions have failed to provide effective solutions," the groups, led by the Washington, D.C.-based Center for Democracy & Technology, said.
Greek prosecutors reportedly concluded that the Greek government did not deploy Predator or other surveillance software. Poland's Constitutional Tribunal ruled as unconstitutional the country's parliamentary commission investigating the use of Pegasus.
With reporting by Information Security Media Group's David Perera in Washington, D.C.