Social Media Account Used to Spread Links to Commercial Spyware Malware
Amnesty International says the Vietnamese government is likely behind a wave of attempted Predator spyware infections against targets including members of the U.S. Congress and European officials.
The newly identified campaign targeted United Nations officials, the president of Taiwan, the president of the European Parliament and a Berlin-based Vietnamese-language independent news site, the global human rights organization Amnesty International said in a Monday report.
Central to the attempted spread of infections was an account on social media network X (formerly Twitter). The users behind a now-deleted
@Joseph_Gordon16 handle attempted to lure targets into clicking links that would install Predator malware. Predator is one of dozens of known commercial spyware apps that turn smartphones into surveillance devices by surreptitiously turning on the microphone, stealing passwords and copying chat messages.
The Biden administration in July put two spyware vendors associated with Predator – Intellexa and Cytrox – on a trading blacklist informally known as the “death penalty” and formally called the Entity List (see: Biden Administration Blacklists 2 Commercial Spyware Firms).
The Amnesty report describes a shifting alliance of vendors and resellers headed by Intellexa that sells commercial spyware and hacking techniques to deliver the malware, including through internet service providers controlled by authoritarian governments (see: Apple Fixes Bugs That Infected Egyptian Politician’s iPhone).
Based on business records acquired by the European Investigative Collaborations, Amnesty said that Vietnam’s Ministry of Public Security in early 2020 struck a 5.6 million euro deal with the makers of Predator spyware through a UAE-based sales subsidiary called Advanced Middle East Systems.
President Joe Biden signed in March an executive order prohibiting agencies from buying licenses for spyware used by foreign governments to spy on dissidents. At the time, the White House said at least 50 U.S. personnel overseas had been targeted by advanced spyware in 10 countries on multiple continents.
Amnesty said it could not confirm any actual infections caused by links sent by @Joseph_Gordon16. Security researchers from the University of Toronto’s Citizen Lab conducted independent analysis also finding a Vietnamese connection in the malicious links posted by the account.
Between February and June, the X account targeted at least 50 social media accounts “belonging to 27 individuals and 23 institutions” including U.S. Rep. Michael McCaul and U.S. Sen. John Hoeven. Biden traveled to Hanoi in September as part of an effort upgrading diplomatic relations between Washington and Vietnam.
Amnesty began to observe in April the same @Joseph_Gordon16 user also targeting academics and officials working on maritime issues, specifically researchers and officials responsible for EU and UN policies on illegal or undocumented fishing. Vietnam was given a “yellow card warning ” by the European Commission in 2017 for illegal, unreported and unregulated fishing.
Social media giant Meta has also previously tied the use of Predator spyware to a threat actor based out of Vietnam.
Amnesty said in a separate report dated Oct. 6 that Predator customers manage infections through a web-based system that Intellexa terms the “Cyber Operation Platform.” Intellexa also offers “Mars,” a network injection system installed at mobile operator ISPs that redirects any unencrypted HTTP request from a smartphone to a Predator infection server. It has an add-on product dubbed “Jupiter” that enables injection into encrypted HTTPS traffic, but the add-on only works with domestic websites hosted by a local ISP.
The Intellexa alliance’s products have reached at least 25 countries across Europe, Asia, the Middle East and Africa. Intellexa touts itself as an “EU based and regulated company,” marketing that Amnesty said points to loose implementation of export controls for dual-use technologies by member nations. The European Parliament in June called on trading bloc countries to revoke commercial spyware export licenses after an investigatory committee accused members of flouting European Union law and human rights commitments by using or selling commercial spyware.
“Highly invasive surveillance products are being traded on a near industrial scale and are free to operate in the shadows without oversight or any genuine accountability,” said Agnès Callamard, Amnesty International’s secretary general.