
Predator spyware resurfaces with signs of activity, Recorded Future says

Sanctions and public exposure might have driven Intellexa into silence for months, but that doesn’t mean its Predator spyware is gone for good.
Congolese soldiers sit in their military vehicle at the base of the United Nations Organization Mission for the Stabilization of the Congo (MONUSCO) in Kamanyola, eastern Democratic Republic of Congo, on Feb. 28. (Photo by Glody MURHABAZI / AFP)

It was probably only a matter of time, after a quiet spell, before the Predator spyware showed new signs of life.

Recorded Future’s Insikt Group, in research published Thursday and shared exclusively with CyberScoop, said it has observed new infrastructure and domains connected to the infamous spyware, which has targeted members of the U.S. Congress, United Nations officials and more. It also identified a likely new customer in the Democratic Republic of the Congo among the four clusters of activity.

Predator is the handiwork of European-based Intellexa. U.S. sanctions, along with exposure in the media and by threat researchers, may have dented its operations for many months, leading to lower visibility. But it was unclear to observers how long it might take for the spyware to resurface.

“Our findings show that while Predator operators did modify certain aspects of their infrastructure in response to public reporting, including elements of their higher-tier infrastructure and tactics for detection evasion, they maintain their operations with minimal changes and often reuse previously identified infrastructure, in line with previous observations,” according to Recorded Future.


The report states that one change to the infrastructure has made country-specific attribution more difficult. But the firm was able to trace three of the four clusters to “likely” customers in Angola, Saudi Arabia and Congo. The fourth has potential connections to Madagascar and the United Arab Emirates.

The signs of Predator activity don’t necessarily invalidate the notion that the sanctions and public reporting made life harder for Intellexa, said Julian-Ferdinand Vögele, a threat researcher with the Insikt Group. Intellexa has been forced to adjust to the exposure — including dismantling some of the exposed infrastructure, according to the report — and could still be suffering reputational damage with potential customers, he told CyberScoop.

In the case of Congo, Recorded Future’s assumption is that the customer is tied to the government, but it’s a “gray area” that could include contractors, Vögele said.

The Predator Files project last year found evidence of Predator products being sold in a number of countries, including Congo. Vögele said the purpose of the customer in Congo would be speculation, but the report mentioned conflicts between Congolese authorities and armed groups, and said that one of the domains “associated with the cluster linked to the DRC has a clear connection to the eastern provinces,” nyirangongvrai[.]com. “Mount Nyiragongo, a volcano located within Virunga National Park, is situated in a region heavily affected by armed conflict.”

The Congo embassy in Washington, D.C., directed inquiries for this story to an email account. That account did not respond to a request for comment.
