Threat Intelligence, Malware

‘Predator Files’ report prompts call for worldwide ban on spyware


Amnesty International on Monday reported that a series of unsettling Predator spyware attacks have been attempted on civil society, journalists, politicians and academics in the European Union (EU), the United States, and Asia.

The human rights group said these attacks are so serious that it called for a worldwide ban on spyware.

“Intellexa alliance, the European-based developers of Predator and other surveillance products have done nothing to limit who is able to use this spyware and for what purpose,” said Agnes Callamard, secretary general at Amnesty International. “Instead, they are lining their pockets and ignoring the serious human rights implications at stake. In the wake of this latest scandal, surely the only effective response is for states to impose an immediate worldwide ban on highly-invasive spyware.” 

The report published Oct. 9 by Amnesty International’s Security Lab, those targeted — though not necessarily infected — include members of the U.S. Congress Rep. Michael McCaul, R-Texas, and Sen. John Hoeven, R-N.D. Others mentioned in the report include President of the European Parliament Roberta Metsola, Taiwan President Tsai Ing-Wen, German Ambassador to the U.S. Emily Haber, and French Member of the European Parliament Pierre Karlesksind.

The Amnesty International investigation is part of the ‘Predator Files’ project, in partnership with the European Investigative Collaborations (EIC) and backed by additional in-depth reporting by Mediapart and Der Spiegel.

As Amnesty International explained, Predator is a type of highly invasive spyware that has unfettered access to a device's microphone and camera and all its data, such as contacts, messages, photos and videos, while users are entirely unaware once it has infiltrated the device.

Between February and June 2023, Amnesty International said social media platforms X (formerly Twitter) and Facebook were used to publicly target at least 50 accounts belonging to 27 individuals and 23 institutions. The cyber-surveillance weapon used for targeting was Predator, which was developed and sold by the Intellexa alliance. This alliance, which has advertised itself as “EU based and regulated,” functions as a complex and often-changing group of companies that develops and sells surveillance products, including Predator spyware.

The Citizen Lab confirms Amnesty’s findings

In its own research, The Citizen Lab independently received and collected a set of since-deleted posts by the threat actor using Predator to target all the high-profile officials, which it calls "REPLYSPY."

Citizen Lab said its findings align with Amnesty International’s Security Lab conclusions concerning Predator, and they assessed with “high confidence” that REPLYSPY included Cytrox Predator infection links in replies to numerous U.S. and international officials and others. Cytrox is a subsidiary of Intellexa.

Here’s how Citizen Lab said the spyware works: Once a user clicks on one of the links, and a validation procedure is satisfied, the user’s device gets infected with the Predator spyware, likely using a chain of zero-day exploits.

Citizen Lab also noted a wider range of suspects targeted by the REPLYSPY actor. For example, “Joseph Gordon,” a phony Twitter handle used by the threat actor, repeatedly replied to tweets mentioning multiple additional elected U.S. officials. Notably the targeting occurred on themes related to Taiwan with links to URLs on the domain name caavn[.]org.

The targeting of high-ranking officials and journalists demonstrates the strategic deployment of this spyware, with a clear motive to gain invaluable insights into policy-making or to quell dissent, said Callie Guenther, senior manager, cyber threat research at Critical Start. Guenther said what heightens the concern is the utilization of ubiquitous platforms like X and Facebook, which are deeply integrated into daily communications, amplifying the potential reach and impact of these cyber threats.

“For businesses, the ramifications of such sophisticated spyware tools are manifold,” said Guenther. “The surreptitious nature of these tools could lead to intellectual property theft, compromising sensitive company data ranging from financial records to strategic blueprints. Moreover, the potential breach of confidential communications poses risks of reputational damage, particularly if discussions about internal strategies, mergers, or acquisitions are inadvertently disclosed.”

Guenther also pointed out that firms operating in sectors with stringent regulatory protocols, such as finance and healthcare, also face elevated legal and compliance risks. An intrusion could result in breaches, leading to significant legal consequences. Furthermore, Guenther said high-value employees, including executives and R&D leads, might find themselves targeted not just for the data they possess but also for their influential capacities.

“Another lurking danger is economic espionage, where the spyware is used to gain economic or trade advantages over competitors,” said Guenther. “Even if a firm boasts robust security measures, its supply chain might present vulnerabilities. Malicious entities could exploit weaker entities within the chain to indirectly gain access to larger corporations.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.