Journalists – INDIA NEWS (https://www.indiavpn.org)

U.S. Cracks Down on Predatory Spyware Firm for Targeting Officials and Journalists
https://www.indiavpn.org/2024/03/06/u-s-cracks-down-on-predatory-spyware-firm-for-targeting-officials-and-journalists/

Mar 06, 2024 | Newsroom | Privacy / Spyware

The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two individuals and five entities associated with the Intellexa Alliance for their role in “developing, operating, and distributing” commercial spyware designed to target government officials, journalists, and policy experts in the country.

“The proliferation of commercial spyware poses distinct and growing security risks to the United States and has been misused by foreign actors to enable human rights abuses and the targeting of dissidents around the world for repression and reprisal,” the agency said.

“The Intellexa Consortium, which has a global customer base, has enabled the proliferation of commercial spyware and surveillance technologies around the world, including to authoritarian regimes.”

The Intellexa Alliance is a consortium of several companies, including Cytrox, linked to a mercenary spyware solution called Predator. In July 2023, the U.S. government added Cytrox and Intellexa, as well as their corporate holdings in Hungary, Greece, and Ireland, to the Entity List.

Predator, much like NSO Group’s Pegasus, can infiltrate Android and iOS devices using zero-click attacks that require no user interaction. Once installed, the spyware makes it possible for the operators to harvest sensitive data and surveil targets of interest.

OFAC said unspecified foreign actors had deployed Predator against U.S. government officials, journalists, and policy experts.

“In the event of a successful Predator infection, the spyware’s operators can access and retrieve sensitive information including contacts, call logs, and messaging information, microphone recordings, and media from the device,” the Treasury Department said.

The sanctions designations apply to the following individuals and entities –

  • Tal Jonathan Dilian (Dilian), the founder of the Intellexa Consortium
  • Sara Aleksandra Fayssal Hamou (Hamou), a corporate off-shoring specialist who has provided managerial services to the Intellexa Consortium
  • Intellexa S.A., a Greece-based software development company
  • Intellexa Limited, an Ireland-based company
  • Cytrox AD, a North Macedonia-based company that’s responsible for the development of Predator
  • Cytrox Holdings Zartkoruen Mukodo Reszvenytarsasag (Cytrox Holdings ZRT), a Hungary-based entity
  • Thalestris Limited, an Ireland-based entity that holds distribution rights to the Predator spyware

It’s worth noting that Intellexa S.A., Intellexa Limited, Cytrox AD, and Cytrox Holdings ZRT were added to the aforementioned economic blocklist last year.

The development comes as new revelations about Predator’s multi-tiered delivery infrastructure from Recorded Future and Sekoia prompted the operators to shut down their servers.

The sanctions targeting the makers of Predator also arrived after the U.S. government unveiled a new policy last month that will allow it to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware.

Citizen Lab security researcher John Scott-Railton described the OFAC designations as a huge deal, stating they mark the “First time they’re used against a mercenary spyware company.”

“The United States remains focused on establishing clear guardrails for the responsible development and use of these technologies while also ensuring the protection of human rights and civil liberties of individuals around the world,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



Pegasus Spyware Targeted iPhones of Journalists and Activists in Jordan
https://www.indiavpn.org/2024/02/05/pegasus-spyware-targeted-iphones-of-journalists-and-activists-in-jordan/

Feb 05, 2024 | Newsroom | Spyware / Surveillance

The iPhones belonging to nearly three dozen journalists, activists, human rights lawyers, and civil society members in Jordan have been targeted with NSO Group’s Pegasus spyware, according to joint findings from Access Now and the Citizen Lab.

Nine of the 35 individuals have been publicly confirmed as targeted, out of whom had their devices compromised with the mercenary surveillanceware tool. The infections are estimated to have taken place from at least 2019 until September 2023.

“In some cases, perpetrators posed as journalists, seeking an interview or a quote from victims, while embedding malicious links to Pegasus spyware amid and in between their messages,” Access Now said.

“A number of victims were reinfected with Pegasus spyware multiple times — demonstrating the relentless nature of this targeted surveillance campaign.”

The Israeli company has been under scrutiny for failing to implement rigorous human rights safeguards prior to selling its cyber intelligence technology to government clients and law enforcement agencies for “preventing and investigating terrorism and serious crimes.”

NSO Group, in its 2023 Transparency and Responsibility Report, touted a “significant decrease” in reports of product misuse during 2022 and 2023, attributing the downturn to its due diligence and review process.

“Cyber intelligence technology enables government intelligence and law enforcement agencies to carry out their basic duties to prevent violence and safeguard the public,” the company noted.

“Importantly, it allows them to counter the widespread deployment of end-to-end encryption applications by terrorists and criminals without engaging in mass surveillance or obtaining backdoor access to the devices of all users.”

It further sought to “dispel falsehoods” about Pegasus, stating it is not a mass surveillance tool, that it’s licensed to legitimate, vetted intelligence and law enforcement agencies, and that it cannot take control of a device or penetrate computer networks, desktop or laptop operating systems.

“It is technologically impossible for Pegasus to add, alter, delete, or otherwise manipulate data on targeted mobile devices, or perform any other activities beyond viewing and/or extracting certain data,” NSO Group said.

Despite these assurances, the invasive spyware attacks targeting Jordanian civil society members underscore a continued pattern of abuse that runs counter to the company’s claims.

Access Now said the victims’ devices were infiltrated with both zero-click and one-click attacks using Apple iOS exploits like FORCEDENTRY, FINDMYPWN, PWNYOURHOME, and BLASTPASS to breach security guardrails and deliver Pegasus via social engineering attacks.

The attacks were characterized by the propagation of malicious links to victims via WhatsApp and SMS, with the attackers posing as journalists to increase the likelihood of success of the campaign.

The non-profit further said that enabling Lockdown Mode on the iPhones likely prevented some of the devices from being re-infected with the spyware. It also called on world governments, including Jordan’s, to halt the use of such tools and enforce a moratorium on their sale until adequate countermeasures are adopted.

“Surveillance technologies and cyberweapons such as NSO Group’s Pegasus spyware are used to target human rights defenders and journalists, to intimidate and dissuade them from their work, to infiltrate their networks, and to gather information for use against other targets,” Access Now said.

“The targeted surveillance of individuals violates their right to privacy, freedom of expression, association, and peaceful assembly. It also creates a chilling effect, forcing individuals to self-censor and cease their activism or journalistic work, for fear of reprisal.”

Iranian Hackers Masquerade as Journalists to Spy on Israel-Hamas War Experts
https://www.indiavpn.org/2024/01/18/iranian-hackers-masquerade-as-journalists-to-spy-on-israel-hamas-war-experts/

Jan 18, 2024 | Newsroom | Cyber Espionage / Threat Intelligence

High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. have been targeted by an Iranian cyber espionage group called Mint Sandstorm since November 2023.

The threat actor “used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files,” the Microsoft Threat Intelligence team said in a Wednesday analysis, describing it as a “technically and operationally mature subgroup of Mint Sandstorm.”

The attacks, in select cases, involve the use of a previously undocumented backdoor dubbed MediaPl, indicating ongoing endeavors by Iranian threat actors to refine their post-intrusion tradecraft.

Mint Sandstorm, also known as APT35, Charming Kitten, TA453, and Yellow Garuda, is known for its adept social engineering campaigns, even resorting to legitimate but compromised accounts to send bespoke phishing emails to prospective targets. It’s assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).

The sub-cluster, per Redmond, engages in resource-intensive social engineering to single out journalists, researchers, professors, and other individuals with insights on security and policy issues of interest to Tehran.

The latest intrusion set is characterized by the use of lures pertaining to the Israel-Hamas war, sending innocuous emails under the guise of journalists and other high-profile individuals to build rapport with targets and establish a level of trust before attempting to deliver malware to them.

Microsoft said it’s likely the campaign is an effort undertaken by the nation-state threat actor to collect perspectives on events related to the war.

The use of breached accounts belonging to the people they sought to impersonate in order to send the email messages is a new Mint Sandstorm tactic not seen before, as is its use of the curl command to connect to the command-and-control (C2) infrastructure.

Should the targets engage with the threat actor, they are sent a follow-up email containing a malicious link that points to a RAR archive file, which, when opened, leads to the retrieval of Visual Basic scripts from the C2 server to persist within the targets’ environments.

The attack chains further pave the way for custom implants like MischiefTut or MediaPl, the former of which was first disclosed by Microsoft in October 2023.

Implemented in PowerShell, MischiefTut is a basic backdoor that can run reconnaissance commands, write outputs to a text file, and download additional tools on a compromised system. The first recorded use of the malware dates back to late 2022.

MediaPl, on the other hand, masquerades as Windows Media Player and is designed to transmit encrypted communications to its C2 server and launch command(s) it has received from the server.

“Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection,” Microsoft said.

“The ability to obtain and maintain remote access to a target’s system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system.”

The disclosure comes as Dutch newspaper De Volkskrant revealed earlier this month that Erik van Sabben, a Dutch engineer recruited by Israel and U.S. intelligence services, may have used a water pump to deploy an early variant of the now-infamous Stuxnet malware in an Iranian nuclear facility sometime in 2007.
