Predator spyware endures even after widespread exposure, analysis shows
When researchers and journalists published a sweeping investigation last year detailing the technical infrastructure and sale and distribution of the spyware known as “Predator,” the number of servers used to deliver the tool quickly plummeted.
The investigation seemed to indicate that naming and shaming firms engaged in the operation of digital tools used to violate human rights could disrupt such technology. But within weeks, the operators behind Predator reconstituted and resumed work around the world, according to a new report.
New infrastructure associated with Predator is currently active in at least 11 countries, including Botswana and the Philippines, two countries where use of the tool has not been previously documented, according to an analysis from Recorded Future’s Insikt Group published Friday and shared exclusively with CyberScoop.
“What this shows is that tackling mercenary spyware as a problem requires a holistic, multi-pronged approach,” said John Scott-Railton, a senior researcher with Citizen Lab who reviewed the report. “Naming and shaming? Not enough. Regulations alone? Not enough. Technical solutions? Not necessarily enough.”
In October, a consortium of more than a dozen European media outlets, alongside Amnesty International, published “The Predator Files,” the culmination of a year-long investigation into the sale and distribution by European companies of Predator, powerful spyware that has been abused by various governments to target dissidents and other critics. The project launched a week after Sekoia, a European cybersecurity software provider, detailed technical infrastructure associated with some of the Predator activity.
Following the flurry of international attention, particularly Sekoia’s report, the number of active Predator delivery servers — which refers to the systems used to control the spyware — sharply dropped. At the start of October, researchers could see slightly more than 150 active delivery Predator delivery servers. A month later, at the start of November, that number had dropped by two-thirds to around 50.
The number of active delivery servers continued to drop, but at the same time, the operators of Predator — a nebulous corporate coalition known as the “Intellexa alliance” — began rebuilding a new set of infrastructure to control the software. By the first week of December, a fresh set of approximately 50 delivery servers were up and running. By mid-January, when the analysis cuts off, Recorded Future could observe 81 delivery servers.
The Predator operators “seem to persist with minimal alterations to their modes of operation,” the report, authored by the researcher Julian-Ferdinand Vögele, concludes. The operation’s new infrastructure uses similar themes in spoofed domains and continues to impersonate similar organizations, such as news outlets. Spoofed domains are used to deliver Predator malware. If a target is enticed to click a link based on a spoofed news, sports or weather-related domain, for instance, the exploit chain delivering the malware is triggered, according to the report.
“While these patterns are relatively easy for threat researchers to identify, these TTPs are presumably producing satisfactory results, eliminating the need for changes,” the report notes, referring to tactics, techniques and procedures.
Scott-Railton said the report highlights that while spyware vendors, including those like Predator, are at least partially trying to cover their tracks, infrastructure modifications show that “they still don’t feel compelled to really obfuscate their operations.”
Exposure is valuable, Scott-Railton said, but it seems that “Cytrox is still not terrified of discovery, and from that you can read something pretty dramatic about their fear of consequences, to themselves and their operations, or lack thereof.”
Predator dates to at least 2019 and was created by Cytrox, a company that was later folded into the Intellexa alliance. Cytrox and Intellexa have been blacklisted by the U.S. government.
On Wednesday, Sekoia posted its own update regarding the Predator infrastructure it has observed, including in Botswana.
Friday’s report highlights that the continuing proliferation of spyware continues to widen the circle of potential victims. While the firms behind this type of technology argue it is an essential tool in combating crime and terrorism, Predator has been used to brazenly target members of civil society, journalists, politicians and academics in the European Union, the United States and Asia, according to Amnesty International’s summary of the investigation published in October.
Predator represents just one spyware platform in an ecosystem with dozens of vendors, and given the industry’s profitability, the sophistication of firms marketing spyware tools seems to only be growing. Last month, Google’s Threat Analysis Group noted that 20 of the 25 in-the-wild zero-days the group discovered in 2023 were exploited by spyware vendors.
Policymakers are trying to curb the proliferation of spyware, and last month the U.S. State Department said it would on a case-by-case basis deny visas for individuals looking to travel to the U.S. and who have been implicated in the misuse of commercial spyware. A day later, a coalition of civil society groups, companies and governments announced an effort to study the problem as part of the Pall Mall Process.
Last year, President Joe Biden signed an executive order barring U.S. government agencies from using commercial spyware that presents a national security risk to the United States.
Meta is currently suing the NSO Group, whose spyware known as Pegasus has been implicated in attacks on WhatsApp users. On Thursday, a federal court ordered handed Meta a major victory in that lawsuit by ordering NSO to turn over the source code for Pegasus.
