Cytrox Explained

Founded: 2017
Key people: Ivo Malinkovski (CEO)
Founder: Rotem Farkash
Owner: Tal Dilian
Subsidiaries:
  - Cytrox Holdings Zrt (Hungary)
  - Cytrox AD (North Macedonia)
  - Balinese Ltd. (Israel)
  - Peterbald Ltd. (Israel)

Cytrox is a company established in 2017 that makes malware used for cyberattacks and covert surveillance. Its Predator spyware was used to target Egyptian politician Ayman Nour in 2021 and to spy on 92 phones belonging to businessmen, journalists, politicians, government ministers and their associates in Greece. In 2023, the U.S. Department of Commerce added the Cytrox companies Cytrox AD (North Macedonia) and Cytrox Holdings Crt (Hungary) to its Entity List, and on March 5, 2024, the U.S. Department of the Treasury imposed sanctions on Cytrox AD and on the Intellexa Consortium, the parent of Cytrox AD, "for trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide."[1] [2] [3]

History

Cytrox was established in 2017, reportedly as a startup in North Macedonia, and received initial funding from Israel Aerospace Industries.[4] Its Crunchbase entry describes it as providing an "operational cyber solution" to governments, including gathering information from devices and cloud services.[5] Cytrox's CEO is Ivo Malinkovski.[6] A review of corporate registry documents by the University of Toronto's Citizen Lab indicated that Cytrox also has a presence in Israel and Hungary.

In 2019, Forbes reported that Cytrox had been rescued by Tal Dilian, a former commander in the Israel Defense Forces (IDF), who acquired the company for under $5 million.[7] Dilian had served in the IDF for 25 years before leaving, following accusations that he had unlawfully enriched himself.[8] Dilian demonstrated the company's surveillance kit to Forbes by hacking into a Huawei device and obtaining its WhatsApp messages without any clicks from the victim.[7]

The Citizen Lab said in 2021 that Cytrox was part of an alliance known as Intellexa, which it called "a marketing label for a range of mercenary surveillance vendors that emerged in 2019."[9] Dilian founded the Intellexa Group in 2018; the Intellexa Alliance combines the Intellexa Group and Nexa, a group of surveillance companies that operates mainly in France.[10]

In December 2021, Meta Platforms announced that Cytrox and six other surveillance-for-hire groups had been banned from using its platforms to target other users, in response to the Citizen Lab's findings about Cytrox's Predator spyware being used to target two Egyptian dissidents in June. Meta also announced it had removed over 1,500 Facebook and Instagram accounts associated with the seven companies, which it said were used to conduct social engineering, reconnaissance and sending malicious links to victims in over 100 countries.[11]

In July 2023, the U.S. Department of Commerce added the Cytrox companies Cytrox AD (North Macedonia) and Cytrox Holdings Crt (Hungary) to its Entity List, after determining that they posed a threat to U.S. national security and foreign policy interests.[12] [13] [14] [15]

Predator

Predator is spyware developed by Cytrox that targets the Android and iOS operating systems. In May 2022, researchers at Google's Threat Analysis Group (TAG) reported that the Predator package bundled five zero-day exploits and had been sold to several government-backed actors, who used it in three separate campaigns. According to the researchers, Predator works closely with a component named Alien, which "lives inside multiple privileged processes and receives commands from Predator."[16]

An analysis of the spyware conducted by Cisco Talos in May 2023 revealed that the spyware's Alien component actively implements the low-level functionality required by Predator to surveil its targets, instead of merely acting as a loader for Predator as was previously understood. In Talos's sample, Alien exploited five vulnerabilities, four of which affected Google Chrome and the last of which affected Linux and Android, to infect the targeted devices.[17] After infecting a device, Predator has full access to its microphone, camera and user data such as contacts and text messages.[18] Additionally, Predator has access to a device's location services and messaging apps such as WhatsApp, Telegram and Signal. It also allows hackers to intercept and falsify messages.

An October 2023 investigation conducted by news organisations led by the European Investigative Collaborations network, known as the Predator Files, found that Predator has been sold to at least 25 countries, including Austria, Germany, Switzerland, the Democratic Republic of the Congo, Jordan, Kenya, Oman, Pakistan, Qatar, Singapore, the United Arab Emirates and Vietnam.[19] Reportedly it was also sold to the Rapid Support Forces in the Sudan.[20] [21]

High-profile targets

Egypt

In December 2021, the Citizen Lab reported that Predator had been used in June of that year to hack the devices of two individuals, Egyptian opposition politician Ayman Nour and an unnamed exiled journalist. As a result, Apple was forced to release a software update for iOS to close the zero-day exploits used in the attack.[22]

In September 2023, researchers at the Citizen Lab and the TAG reported that Egyptian opposition politician Ahmed Tantawi was targeted using Predator after announcing his presidential bid. The Citizen Lab said the effort likely failed due to Tantawi having his phone in "lockdown mode", which is recommended by Apple for iPhone users at high risk.[23] [24] [25] It also said it had "high confidence" that the attack was conducted by the Egyptian government. Apple subsequently issued security updates to patch the vulnerabilities exploited by Predator.

Greece

During the 2022 Greek wiretapping scandal, it was revealed that Predator was being used to surveil several politicians (including opposition politician Nikos Androulakis) and journalists, with the Greek government reportedly being implicated in buying and utilising Predator.[26] [27] The Greek government admitted to spying on journalist Thanasis Koukakis, but denied using Predator or maintaining any association with Intellexa.[28] In October 2022, Koukakis sued Intellexa and its executive for breach of privacy.[29]

In March 2023, The New York Times reported that Artemis Seaford, a dual U.S.-Greek national and former security policy manager at Meta, had her phone infected with Predator while in Greece.[30] [31]

In July 2023, the investigation team of the Hellenic Data Protection Authority announced that it had found 220 text messages containing a link used to deliver Predator, sent to 92 telephone numbers in order to turn the phones into spying devices. The news website Inside Story published the content of many of these messages,[32] most of which had been sent in 2021. Their recipients included many politicians, ministers and their associates, including associates of the Prime Minister (e.g. Dimitris Avramopoulos, Giorgos Patoulis, Giorgos Gerapetritis, Kostis Hatzidakis, Thanos Plevris, Michalis Chrysochoidis, Adonis Georgiadis, Nikos Dendias, Christos Spirtzis), businessmen (e.g.), journalists, EYP cadres, at least one bishop and the editor of the newspaper Kathimerini, Alexis Papachelas. These names had been included in a list of persons alleged to have been spied upon by EYP and Predator, which the Documento newspaper had published in November 2022.[33]

United States

In October 2023, various American lawmakers were targeted by Vietnam using Predator, including Representative Michael McCaul (R-TX) and Senators John Hoeven (R-ND), Chris Murphy (D-CT) and Gary Peters (D-MI).[34] Experts on Asia at various think tanks and several journalists, including CNN's lead national security reporter Jim Sciutto, were also targeted.[35]

Sanctions

On March 5, 2024, the United States Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed sanctions on five entities and two individuals it described as key enablers of the Intellexa Consortium and its Predator spyware, placing them on OFAC's Specially Designated Nationals (SDN) List:

Notes and References

  1. "Commerce Adds Four Entities to Entity List for Trafficking in Cyber Exploits", Bureau of Industry and Security, U.S. Department of Commerce, July 18, 2023. Archived March 7, 2024: https://web.archive.org/web/20240307185027/https://www.bis.doc.gov/index.php/documents/about-bis/newsroom/press-releases/3297-2023-07-18-bis-press-package-spyware-document/file
  2. Omer Benjakob, "U.S. Blacklists Israeli-owned Cyber Arms Firms", Haaretz. Archived 2 August 2023: https://web.archive.org/web/20230802172827/https://www.haaretz.com./israel-news/security-aviation/2023-07-18/ty-article/.premium/intellexa-cytrox-tal-dilian-u-s-blacklists-israeli-owned-cyber-arms-firms/00000189-6927-dc94-a78d-f9ef48d10000
  3. "Treasury Sanctions Members of the Intellexa Commercial Spyware Consortium", U.S. Department of the Treasury, March 5, 2024. Archived March 7, 2024: https://web.archive.org/web/20240307184749/https://home.treasury.gov/news/press-releases/jy2155
  4. Omer Benjakob, "How Israel Invested in Spyware at Heart of Greek Scandal, EU Inquiry", Haaretz. Archived 19 July 2023: https://web.archive.org/web/20230719042040/https://www.haaretz.com/israel-news/security-aviation/2023-06-28/ty-article/israel-invested-in-spyware-that-brought-down-greek-spymaster/00000188-dd36-d5fc-ab9d-df7edbf20000
  5. Bill Marczak, John Scott-Railton, Bahr Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan and Ron Deibert, "Pegasus vs. Predator: Dissident's Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware", Citizen Lab Research Report No. 147, University of Toronto, 16 December 2021. Archived 25 September 2023: https://web.archive.org/web/20230925131038/https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/
  6. Zack Whittaker, "A new spyware-for-hire, Predator, caught hacking phones of politicians and journalists", TechCrunch, 16 December 2021. Archived 25 September 2023: https://web.archive.org/web/20230925170213/https://techcrunch.com/2021/12/16/cytrox-predator-phone-hacking-meta/
  7. Thomas Brewster, "A Multimillionaire Surveillance Dealer Steps Out Of The Shadows... And His $9 Million WhatsApp Hacking Van", Forbes, August 5, 2019. Archived 25 September 2023: https://web.archive.org/web/20230925145431/https://www.forbes.com/sites/thomasbrewster/2019/08/05/a-multimillionaire-surveillance-dealer-steps-out-of-the-shadows-and-his-9-million-whatsapp-hacking-van/
  8. Sven Becker, Rafael Buschmann, Max Hoppenstedt, Nicola Naber and Marcel Rosenbach, "The Predator Files: European Spyware Consortium Supplied Despots and Dictators", Der Spiegel, 5 October 2023, ISSN 2195-1349. Archived 11 October 2023: https://web.archive.org/web/20231011215036/https://www.spiegel.de/international/business/the-predator-files-european-spyware-consortium-supplied-despots-and-dictators-a-2fd8043f-c5c1-4b05-b5a6-e8f8b9949978
  9. Dan Goodin, "Inner workings revealed for "Predator," the Android malware that exploited 5 0-days", Ars Technica, 26 May 2023. Archived 25 September 2023: https://web.archive.org/web/20230925170215/https://arstechnica.com/information-technology/2023/05/inner-workings-revealed-for-predator-the-android-malware-that-exploited-5-0-days/
  10. Tim Starks, "Analysis: Meet the 'Predator Files,' the latest investigative project looking into spyware", Washington Post, 6 October 2023, ISSN 0190-8286.
  11. David Agranovich and Mike Dvilyanski, "Taking Action Against the Surveillance-For-Hire Industry", Meta, 16 December 2021. Archived 24 September 2023: https://web.archive.org/web/20230924195101/https://about.fb.com/news/2021/12/taking-action-against-surveillance-for-hire/
  12. David DiMolfetta and Aaron Gregg, "U.S. blacklists spyware companies, citing security threats", Washington Post, 18 July 2023, ISSN 0190-8286. Archived 21 July 2023: https://web.archive.org/web/20230721144038/https://www.washingtonpost.com/national-security/2023/07/18/entity-list-spyware-intellexa-cytrox/
  13. Pierluigi Paganini, "US Gov adds surveillance firms Cytrox and Intellexa to Entity List for trafficking in cyber exploits", Security Affairs, 19 July 2023. Archived 30 September 2023: https://web.archive.org/web/20230930235753/https://securityaffairs.com/148603/laws-and-regulations/us-gov-cytrox-intellexa-entity-list.html
  14. "The United States Adds Foreign Companies to Entity List for Malicious Cyber Activities", U.S. Department of State. Archived 23 September 2023: https://web.archive.org/web/20230923022802/https://www.state.gov/the-united-states-adds-foreign-companies-to-entity-list-for-malicious-cyber-activities-2/
  15. Bureau of Industry and Security press package on the addition of four entities (Intellexa S.A. in Greece, Cytrox Holdings Crt in Hungary, Intellexa Limited in Ireland and Cytrox AD in North Macedonia) to the Entity List for trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide. Archived 6 April 2024: https://web.archive.org/web/20240406052350if_/https://www.bis.doc.gov/index.php/documents/about-bis/newsroom/press-releases/3297-2023-07-18-bis-press-package-spyware-document/file?_gl=1%2A9v3n0%2A_gcl_au%2AMTMzODUzMzk5Ni4xNzExOTYyMjE3
  16. Clement Lecigne and Christian Resell, "Protecting Android users from 0-Day attacks", Google Threat Analysis Group, 19 May 2022. Archived 26 September 2023: https://web.archive.org/web/20230926023010/https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/
  17. "Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware", Cisco Talos, 25 May 2023. Archived 26 September 2023: https://web.archive.org/web/20230926023008/https://blog.talosintelligence.com/mercenary-intellexa-predator/
  18. Anna Jikhareva, Jan Jirát, Judith Kormann, Lorenz Naegeli and Kaspar Surber, "Permanente Überwachung: Der Spion in der Hosentasche" ("Permanent Surveillance: The Spy in your Pocket"), WOZ, 4 October 2023 (in German). Archived 3 January 2024: https://web.archive.org/web/20240103152643/https://www.woz.ch/2340/permanente-ueberwachung/der-spion-in-der-hosentasche/!RW1FFG7SFY37
  19. "Global: 'Predator Files' spyware scandal reveals brazen targeting of civil society, politicians and officials", Amnesty International, 9 October 2023. Archived 12 October 2023: https://web.archive.org/web/20231012001604/https://www.amnesty.org/en/latest/news/2023/10/global-predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials/
  20. Julien Schat, "Europäische Überwachungsexporte: Intellexa beliefert sudanesische Paramilitärs" ("European surveillance exports: Intellexa supplies Sudanese paramilitaries"), netzpolitik.org, 1 December 2022 (in German). Retrieved 15 June 2024.
  21. "Flight of the Predator", Lighthouse Reports. Retrieved 15 June 2024.
  22. "iOS Exploits Traced to Israeli 'Predator' Spyware Used on Egyptian Politician", PCMag UK, 22 September 2023. Archived 23 September 2023: https://web.archive.org/web/20230923050209/https://uk.pcmag.com/security/148775/ios-exploits-traced-to-israeli-predator-spyware-used-on-egyptian-politician
  23. Lina Attalah, "Aspiring presidential candidate Ahmed Tantawi targeted by Predator spyware", Mada Masr, 14 September 2023. Archived 4 October 2023: https://web.archive.org/web/20231004012840/https://www.madamasr.com/en/2023/09/14/news/u/aspiring-presidential-candidate-ahmed-tantawi-targeted-by-predator-spyware/
  24. Frank Bajak, "Leading Egyptian opposition politician targeted with spyware, researchers find", Associated Press, 23 September 2023. Archived 26 September 2023: https://web.archive.org/web/20230926023007/https://apnews.com/article/spyware-predator-cytox-egypt-apple-iphone-6e5ab454bff94e1712c94b20b0756f7f
  25. "Leading Egyptian opposition presidential candidate targeted by spyware", Al Jazeera, 24 September 2023. Archived 5 October 2023: https://web.archive.org/web/20231005122655/https://www.aljazeera.com/news/2023/9/24/leading-egyptian-opposition-presidential-candidate-targeted-by-spyware
  26. Nektaria Stamouli, "Greece's spyware scandal expands further", Politico Europe, 5 November 2022. Archived 27 September 2023: https://web.archive.org/web/20230927005259/https://www.politico.eu/article/greece-spyware-scandal-cybersecurity/
  27. Moira Lavelle, "Reporters dig up more links between Greek government and spyware", Al Jazeera, 17 November 2022. Archived 27 September 2023: https://web.archive.org/web/20230927005308/https://www.aljazeera.com/news/2022/11/17/reporters-dig-up-more-links-between-greek-government-and-spyware
  28. Lucas Ropek, "Journalist Sues Spyware Company for Allegedly Helping Gov. Surveil Him", Gizmodo, 6 October 2022. Archived 27 April 2023: https://web.archive.org/web/20230427220015/https://gizmodo.com/thanasis-koukakis-sues-intellexa-over-predator-spyware-1849625793
  29. Omer Benjakob, "Criminal Allegations Against Israeli-linked Spyware, Ex-intel Commander in Greek Hacking Scandal", Haaretz, 6 October 2022. Archived 2 August 2023: https://web.archive.org/web/20230802183920/https://www.haaretz.com./israel-news/security-aviation/2022-10-07/ty-article/.premium/criminal-allegations-against-israeli-linked-spyware-ex-intel-commander-in-hacking-scandal/00000183-ad14-d3f8-a9ef-bf5752e60000
  30. Matina Stevis-Gridneff, "Meta Manager Was Hacked With Spyware and Wiretapped in Greece", The New York Times, 20 March 2023, ISSN 0362-4331. Archived 22 September 2023: https://web.archive.org/web/20230922230908/https://www.nytimes.com/2023/03/20/world/europe/greece-spyware-hacking-meta.html
  31. Emma Roth, "Meta security manager was reportedly hacked by Greek intelligence agency", The Verge, 21 March 2023. Archived 6 June 2023: https://web.archive.org/web/20230606041308/https://www.theverge.com/2023/3/21/23649862/meta-security-executive-spyware-predator-cytrox-greece
  32. Giannis Souliotis (Γιάννης Σουλιώτης), "Surveillance: The 92 people who were targeted by Predator" ("Παρακολουθήσεις: Τα 92 πρόσωπα που δέχθηκαν επίθεση Predator"), Kathimerini, 28 July 2023 (in Greek). Archived 17 August 2023: https://web.archive.org/web/20230817195924/https://www.kathimerini.gr/politics/562542166/parakoloythiseis-ta-92-prosopa-poy-dechthikan-epithesi-predator/
  33. Eliza Triantafyllou and Tasos Telloglou (Ελίζα Τριανταφύλλου, Τάσος Τέλλογλου), "Predatorgate: What the trap SMS messages received by businessmen, ministers and journalists said" ("Predatorgate: Τι έγραφαν τα SMS-παγίδα που έλαβαν επιχειρηματίες, υπουργοί και δημοσιογράφοι"), Inside Story, 27 July 2023 (in Greek). Archived 17 August 2023: https://web.archive.org/web/20230817195940/https://insidestory.gr/article/predatorgate-ti-egrafan-ta-sms-pagida-poy-elavan-epiheirimaties-ypoyrgoi-kai-dimosiografoi
  34. Julia Shapero, "Vietnam agents tried to plant spyware on phones of US lawmakers and journalists: probe", The Hill, 9 October 2023. Archived 10 October 2023: https://web.archive.org/web/20231010001006/https://thehill.com/policy/technology/4245853-vietnam-agents-spyware-lawmakers-journalists/
  35. Andy Greenberg, "The US Congress Was Targeted With Predator Spyware", Wired, October 14, 2023, ISSN 1059-1028. Archived 15 October 2023: https://web.archive.org/web/20231015120055/https://www.wired.com/story/us-congress-spyware/