The recent surge in Predator spyware is the result of a widespread and entrenched grey-area commercial operation that trades surveillance operations “at industrial scale.”
That’s according to an analysis by Amnesty International’s Security Labs of data gathered by the European Investigative Collaboration (EIC) media network, which has unearthed new information on how the actors behind the shadowy Predator mobile surveillance tool deliver it to target Android and iOS devices.
The analysis is contained in a recent report entitled the Predator Files, and is focused largely on Intellexa — an alliance of intelligence systems providers that the US Commerce Dept. and many others have identified as the main purveyor of Predator. It describes how Intellexa has been using a wide range of supporting products from alliance partners to intercept and subvert mobile networks and Wi-Fi technologies — sometimes in collaboration with Internet service providers (ISPs).
Predator Spyware: A Pervasive & Dangerous Threat
“Intellexa alliance’s products have been found in at least 25 countries across Europe, Asia, the Middle East and Africa, and have been used to undermine human rights, press freedom, and social movements across the globe,” Amnesty International said. “The ‘Predator Files’ investigation shows what we have long feared: that highly invasive surveillance products are being traded on a near industrial scale and are free to operate in the shadows without oversight or any genuine accountability.”
Just this week, Sekoia reported on a campaign in which Madagascar’s government dropped Predator, a tool that can extract practically everything from a target device and listen to everything on it, onto the mobile devices of targeted individuals in the country. Google’s Threat Analysis Group in September released a report describing how Intellexa had developed an exploit chain for three iOS zero-day vulnerabilities that was later used in an attack on a target in Egypt.
Slew of Cyber-Tools for Intercepting & Subverting Mobile Networks
The Amnesty International report highlights five technologies — and lists several others — that Intellexa has used over the years to help its government and law enforcement clients silently install Predator on mobile devices belonging to persons of interest.
On top of the list is Mars, a network injection system installed at mobile ISP locations. The technology allows Intellexa customers to quietly redirect target users to a Predator infection server when they browse any cleartext HTTP Web page. For the technology to work, mobile ISPs need to install Mars on their network, assign a static IP to the target subscriber, and set up rules for forwarding traffic from the target IP address to the Mars system. “The network injection system can respond to the original HTTP request with an HTTP redirect containing a 1-click browser exploit link which infects the device without further user action,” the report noted.
Intellexa offers an add-on product to Mars called Jupiter that its customers can use to perform similar network injection into encrypted HTTPS traffic. In this case, however, the injection only works against websites hosted in the target user’s country. As with the Mars product, customers have to convince mobile ISPs to install Jupiter hardware on their networks. The technology essentially enables Intellexa customers to insert themselves in the middle of HTTPS requests sent from the target user to a local HTTPS website and inject Predator.
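The Mars behaviour described above, an on-path box answering a cleartext HTTP request with a redirect to an attacker-controlled host, leaves a visible trace in proxy or passive-capture logs. The following is an added triage check written for this article; it is not code from Amnesty, Intellexa, or any product named here, and the sample exchanges are constructed. It flags any plain-HTTP request that was answered with a 3xx redirect to an unrelated registrable domain, which is the shape of the injection the report describes.

```python
from urllib.parse import urlparse

# Constructed sample exchanges (not real traffic): one request/response
# pair each, as a forward proxy or a passive HTTP tap would log them.
SAMPLE_EXCHANGES = [
    {"url": "http://news.example/article/1", "status": 200, "location": None},
    # Same-site redirect on cleartext HTTP: ordinary, should not be flagged.
    {"url": "http://news.example/old", "status": 301, "location": "https://news.example/new"},
    # Cleartext request answered with a redirect to an unrelated host: the
    # pattern of an injected "1-click" exploit link.
    {"url": "http://weather.example/today", "status": 302, "location": "http://c1ick-here.example/x?id=9f2"},
    # HTTPS request: an on-path injector of the Mars type cannot rewrite it,
    # so this check skips it even though the redirect crosses hostnames.
    {"url": "https://bank.example/", "status": 302, "location": "https://login.bank.example/"},
]


def registrable_root(host):
    """Crude registrable-domain approximation: last two DNS labels.

    Adequate for the constructed sample; a real deployment should use a
    Public Suffix List lookup so that e.g. example.co.uk is handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_suspicious_redirect(exchange):
    """True when a cleartext HTTP request got a redirect to an unrelated domain."""
    req = urlparse(exchange["url"])
    if req.scheme != "http":
        return False  # only cleartext can be rewritten by an on-path injector
    if not (300 <= exchange["status"] < 400) or not exchange["location"]:
        return False  # not a redirect at all
    dst = urlparse(exchange["location"])
    if not dst.hostname:
        return False  # relative Location: stays on the requested origin
    return registrable_root(dst.hostname) != registrable_root(req.hostname)


def flag_injected_redirects(exchanges):
    """Return the request URLs whose responses match the injection pattern."""
    return [e["url"] for e in exchanges if is_suspicious_redirect(e)]


if __name__ == "__main__":
    for url in flag_injected_redirects(SAMPLE_EXCHANGES):
        print("suspicious cleartext redirect:", url)
```

Treat a hit as a lead, not proof: ad networks and URL shorteners produce legitimate cross-domain redirects on plain HTTP, so the output needs review against known-good destinations. The check also says nothing about Jupiter-style injection into HTTPS, which would surface as certificate or TLS anomalies rather than as a redirect. The structural mitigation is the one the report implies: the fewer cleartext HTTP requests a device makes (HTTPS-only mode, HSTS), the less there is for a Mars-type system to answer.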
Another tool that Amnesty highlighted in its report is Triton, a product that Intellexa has positioned as something customers can use to infect Samsung devices, including the latest models running the most recent versions of Android. “The system appears to target vulnerabilities in baseband software used in Samsung devices which allows infection with the Predator spyware with ‘no interaction with the target’ or the need for the target to use a browser or any other app.” The Triton attack chain first uses a so-called IMSI catcher to force Samsung devices down from 5G, 4G, and 3G to the legacy 2G protocol. Once the device is on 2G, Triton uses what appears to be an integrated software-defined base station to deliver the payload, the Amnesty report noted.
The other Intellexa tools that the Amnesty report highlights include SpearHead, a range of Wi-Fi interception and infection products that operators can carry, James Bond style, in a briefcase, in a surveillance van, or on a drone. The technology from Intellexa alliance partner WiSpear allows for target identification, geolocation monitoring, traffic interception, and payload delivery. Other tools include Alpha-Max, a 3G/4G GSM interception and infection product from the Nexa group, and Jasmine, a product for deanonymizing encrypted WhatsApp and Signal traffic using metadata analysis.
End-to-End Surveillance Offering
Intellexa has often bundled these technologies to offer an end-to-end surveillance capability for governments and law-enforcement agencies. An Intellexa price proposal that EIC investigators obtained showed the company offering a full range of remote data extraction services for Android and iOS devices for €8 million. The price includes one-click exploits for delivering Predator to Android and iOS devices, the ability to monitor up to 10 targets concurrently, analysis of all data extracted from target systems, and a 12-month warranty.
Concerns over Intellexa’s operations prompted the US Commerce Department to put Intellexa, Cytrox AD (the maker of Predator), and two other alliance members on its Entity List of organizations that present a risk to US national security. The department described the companies as “trafficking in cyber exploits used to gain access to information systems thereby threatening the privacy and security of individuals and organizations worldwide.”
Microsoft, which released a 128-page digital defense report this week, devotes one section to the emerging threat to organizations posed by cyber mercenary groups, of which Intellexa would be one. The company describes them as private sector offensive actors.
“Cyber mercenaries, as they’re called sometimes in the policy world, dot the landscape,” says Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. “I think it’s something that we’re going to have to continue watching because these are the entities that supply nation states with their technical capabilities to carry out destructive actions.”
DeGrippo perceives the sector as a bit of a gray area that is only going to continue to evolve and grow, because of the potential for significant financial gain. “We have to commit to making sure that we are thinking about this threat, tracking this as a threat, making sure that we protect our customers and individuals from these kinds of threats and being, in some ways, threat landscape agnostic.”