European Commercial Spyware Company Hit With US Sanctions

A Europe-based company that has previously been blacklisted for its commercial spyware is now under US sanctions. Intellexa Consortium has been under scrutiny for several years for its “Predator” spyware, which is capable of surreptitiously operating the camera and microphone of devices that it is installed on. The US State Department blacklisted the software for trade in mid-2023 for activities “contrary to the national security or foreign policy interests” of the country.

The situation bears a great deal of resemblance to the arc of NSO Group and its Pegasus commercial spyware. Both companies were founded by former Israeli intelligence agents and claim that they only supply their product to law enforcement agencies for legitimate purposes, but document leaks have since revealed that both products are finding their way to authoritarian governments for questionable uses. An October 2023 investigation by Amnesty International found that Predator had been used to target the devices of members of the US Congress, UN officials and the president of Taiwan, among others.

Another highly invasive piece of commercial spyware found in places it shouldn’t be

Like Pegasus, Predator essentially allows unfettered access to a device once it is compromised. In addition to surreptitious recording, it can quietly exfiltrate files and spy on text message exchanges. It remains unclear exactly who has been abusing the commercial spyware, but the Amnesty International report found substantial connections to state-sponsored hackers from Vietnam in compromises that took place in Europe and elsewhere.

It is difficult to say exactly where Intellexa Consortium is headquartered, as it maintains multiple registered addresses throughout Europe. But it is known to have been founded in Cyprus in 2019 and to have established business entities in Ireland early in its life. In 2023 the US blacklisted it for “trafficking in cyber exploits,” restricting US organizations from doing business with it. Greek authorities have also raided the company’s offices in Athens over similar concerns.

Though it is based in Europe, the company appears to sell the vast majority of its commercial spyware in the Middle East. Sales figures published in 2021 show that it made €29.5 million of a total €34.3 million of annual revenue in the region, selling only about €2 million of its product in Europe. It is confirmed to have sold Predator to clients in Jordan, Oman, Pakistan, Qatar and the UAE among others.

The US sanctions were placed by the Treasury’s Office of Foreign Assets Control (OFAC) on two specific individuals working for Intellexa Consortium, along with five of the group’s business entities. The action was announced at the annual Summit for Democracy, and builds on an executive order from the previous year’s meeting that more generally restricted commercial spyware originating from foreign countries.

Tal Jonathan Dilian, the company founder, is one of the two parties named in the US sanctions. Dilian reportedly fully or partially owns and operates all components of Intellexa Consortium with the assistance of the other named party, offshoring specialist Sara Aleksandra Fayssal Hamou. In addition to Ireland-based Intellexa Ltd., which was added to the US “entity list” last year, the US sanctions name Cytrox AD, Cytrox Holdings ZRT and Thalestris Limited as involved businesses.

Misuse of spyware draws US sanctions

Like NSO Group’s Pegasus spyware, Predator has been observed using “zero click” attacks that merely require a target to receive a message; no clicking on attachments or links, or even opening the message, is required. However, it does not appear to use the same methods that Pegasus used. As documented by a Citizen Lab report from September 2023, the commercial spyware instead used a novel “man in the middle” attack that was able to redirect mobile data connections to an attack site that served the malware. This was done in specific countries, using an “injection middlebox” to target specific ISPs. Predator also made use of an exploit chain capable of compromising Android devices via a set of Chrome vulnerabilities (that have since been patched), with malicious links often simply passed via SMS or WhatsApp.

Intellexa Consortium reportedly chose Cyprus as a headquarters due to perceived lax regulation, but the company was eventually pushed to diversify its business operations because EU regulations and oversight could potentially interfere. In addition to the US sanctions, the company has since had regional scandals flare up, for example a 2023 incident in Greece in which the head of the intelligence service was accused of using Predator to spy on opposition party figures and stepped down from their post.

The US sanctions appear to be a warning shot to other commercial spyware vendors. Google’s Threat Analysis Group recently estimated there are about 40 such companies, and that they have become a central nexus for zero-day exploits. Organizations such as Human Rights Watch have also found that the spyware tends to end up being used to target journalists, political dissidents and NGOs. EU member states are additionally required to regulate the sale and transfer of products intended for surveillance.