Sanctioned and exposed, Predator spyware maker group has gone awfully quiet
The group behind the Predator spyware has become far less visible in its operations in recent months, a development that researchers say likely indicates that sanctions and exposure have dented the firm’s operations.
The Predator spyware is operated by a corporate entity known as the Intellexa alliance, and the Predator tool has been linked repeatedly to the surveillance of journalists, members of civil society and opposition politicians. The company’s operations have been extensively documented by investigative journalists and researchers, and the Biden administration has sanctioned the firm.
Now, researchers tracking the firm say that they have observed a decline in activity from the Intellexa alliance, including a sharp decrease in the registration of new domains, dating back to last fall and continuing into the spring.
At the same time, researchers caution that it is difficult to determine whether the spyware outfit has become less active or just figured out a way to retool and avoid scrutiny.
Clément Lecigne, a researcher with Google’s Threat Analysis Group, said his firm has good visibility on Intellexa, and while they continue to see some activity from the spyware maker, it has decreased following the imposition of sanctions and a series of embarrassing exposures. “They are probably struggling to get back into shape where they used to be,” he said, while cautioning that “they are not completely gone.”
“The sanctions definitely caused a bit of harm on their side, both on the customer side — like they might have lost a few customers because of that — but also on the partnership with other companies that they used to work with, like, for example, for acquiring exploits,” Lecigne said.
The rapid proliferation of spyware and their increasing use of coveted and highly damaging “zero-day” vulnerabilities has made cracking down on the industry a priority for tech companies and the U.S. government, which has marshaled the support of a growing number of states to counter spyware proliferation. Intellexa’s fading operations may indicate that these efforts are having an impact on a key player in the spyware ecosystem.
A senior Biden administration official speaking on condition of anonymity told CyberScoop that “the constellation of actions that have been undertaken by both the U.S. government, as well as outside groups, has had an impact on the commercial spyware industry in going after misuse and unethical activity, as well as on Intellexa itself.”
That wave of scrutiny kicked off last summer when the administration placed Intellexa on its trade blacklist. It continued in September when Google and the University of Toronto’s Citizen Lab said that Predator spyware had targeted a prominent challenger to Egyptian President Abdel Fattah el-Sisi, prompting Apple to launch a security update in response to a previously unknown, or zero-day, vulnerability.
Weeks later, in October, a media consortium published “The Predator Files,” which revealed Intellexa alliance surveillance products in use around the globe, including attempts by the Vietnamese government to eavesdrop on members of the U.S. Congress.
Then in March, shortly after reports that exposed Intellexa rebuilding its infrastructure in the aftermath of “The Predator Files,” researchers saw evidence that it had taken down that infrastructure. Finally, in that same month, the Biden administration expanded its sanctions against Intellexa to include additional people and entities associated with the alliance.
Since that March stretch, “we can see that there’s still some activity, but far, far less than before,” said Julian-Ferdinand Vögele, a threat analyst with Recorded Future’s Insikt Group, which had worked to expose Intellexa’s infrastructure during that time. The firm has subsequently seen Predator delivery servers drop from a peak of around 80 to near-zero.
Amnesty International began to see a decline in Intellexa activity around October when “The Predator Files” were published and Predator’s use in Egypt was revealed, said Donncha Ó Cearbhaill, head of the security lab at Amnesty Tech.
Past exposure of spyware operations have seen companies take down and then reconstitute their operations. Following a report on NSO Group in 2018, for instance, the firm shut down exposed servers within hours, and it took two months for them to start bringing back up new infrastructure at scale, Ó Cearbhaill said. “This is a pattern we have seen with quite a few other mercenary spyware companies as they try to rebuild after exposure,” he said.
Some have questioned the extent of the potential impact from sanctions. “We don’t know how the sanctions are affecting their business operations,” Ó Cearbhaill said. It’s unclear, for example, how much the U.S. sanctions will affect the firm’s ability to pay salaries in European countries where they are based.
Commercial spyware groups are now the most prolific users of zero-day vulnerabilities, and that may impede the ability of researchers to understand the impact of sanctions and exposure. “We believe that Intellexa are still active, but we don’t know whether they have zero-day exploits for the latest Android and iOS versions,” Ó Cearbhaill said.
The reputational harm of exposure and high-profile sanctions may be contributing to the decline in observed Intellexa activity. Customers may shy away from being associated with a company getting negative attention, and exposures raise questions about the stealthiness of its products. Potential customers will be asking questions like,“How is it possible that you help us with spying on people, but you’re not even able to evade detections?’” Vögele said.
Sanctions can also pose a recruiting challenge for spyware outfits, if potential hires are worried about being put on a list and barred from sending their kids to the United States for education, Vögele said.
The senior administration official said that the intent of placing Intellexa on the trade blacklist, also known as the “entity list,” was to cut them off from U.S. goods and services. The follow-up sanctions also barred them from the U.S. financial system, the official said. Additional action against the commercial spyware industry in general — such as enlisting other nations in a pledge to fight spyware misuse, and visa restrictions against 13 unnamed individuals — has further hampered spyware vendors, particularly in Europe, the base of Intellexa’s operations, according to the official.
“When you take that all together, it has had, in our view, considerable impact,” the official said.
The senior administration official acknowledged the opaque nature of spyware vendors. “It is also true that this is an industry where there are actors who are acting unethically that have sought to obscure their corporate practices, and try to essentially prevent transparency about their client base and their activities,” the official said.
Tal Dilian, the Israeli businessman behind Intellexa, and his ex-wife and business partner who is also said to be linked to Intellexa, did not respond to requests for comment.
AJ Vicens contributed reporting to this story.
