Greek Intelligence Service Boss Resigns After Journalist, Opposition Party Member Targeted With Phone Malware

from the better-than-being-fired,-I-suppose dept

There’s another player in the phone malware game. NSO is far from the only malware merchant out there. Its products are the most well-known and the most dangerous, thanks to zero-click deployment options.

NSO Group and Candiru — both Israeli companies created and staffed by former state intelligence operatives — were recently hit with sanctions by the US Department of Commerce. Now, there’s another Israeli exploit developer making headlines around the world. And those headlines may eventually see it added to the Commerce Department’s blacklist.

For now, though, it’s just another exploit developer with ties to Israeli intelligence services. Cytrox — developer of a phone exploit called “Predator” — is following the NSO Group game plan, selling its tech to governments willing to utilize the exploits to target journalists and political opponents.

Late last year, Citizen Lab uncovered the hacking of an Egyptian dissident’s phone. The affected device was host to two forms of malware, one created by NSO Group and the other by Cytrox. According to the Citizen Lab investigation, these infections were traced back to two different government clients.

Not much is known about Cytrox’s government customers. Citizen Lab’s findings suggest the Saudi government may have switched to Cytrox after being cut off by NSO Group. But, thanks to recent developments, there’s plenty of information now pointing to Greece being one of Cytrox’s customers. This report surfaced earlier this year.

On April 11 it was revealed via media reports that [Thanasis] Koukakis, an experienced investigative journalist covering financial and banking issues in Greece, had his mobile phone infected for at least ten weeks in 2021 by Predator, an advanced spyware tool developed by a North Macedonian company called Cytrox.

According to a forensic analysis by experts at Citizen Lab, the device was compromised using Predator between July 12 and September 24, 2021. The investigation identified the source of the hacking to be a Greek phone number, which sent Koukakis a text message containing an infected link to a fake website.

A few months later, a member of an Greek opposition party reported his phone had been targeted by the same malware.

The politician, Nikos Androulakis, who became leader of Greece’s third-largest political party, the center-left PASOK-KINAL, at the end of last year, submitted his personal mobile device to the new spyware-detecting tech lab at the European Parliament in Brussels.

Late last month the experts notified Mr. Androulakis that, in September 2021, weeks after declaring he would be a candidate to lead the opposition party back home, he had received a text message with a link that would have installed the spyware Predator, a clunkier version of the famous spyware Pegasus, on his phone, had he clicked on it.

Not only is the software less sophisticated than NSO’s product, but the delivery leaves a lot to be desired. It’s best not to look like an attempted hacking when attempting to compromise a phone.

“Let’s look at this seriously friend, there’s something to gain,” the text said in Greek, followed by the link.

The only response at that point from the Greek government was to deny involvement in the hacking of the journalist’s phone. It said nothing at all about the attempted hacking of the opposition party leader.

Even though it has maintained this specific denial, this certainly looks like an admission of involvement in at least one of these hackings.

The head of Greece’s intelligence service and the general secretary of the prime minister’s office have resigned, amid allegations of the use of surveillance software against a journalist and the head of an opposition party.

National Intelligence Service director Panagiotis Kontoleon and Grigoris Dimitriadis, general secretary of the prime minister’s office, submitted their resignations Friday, the prime minister’s office said. Both were accepted.

Kontoleon resigned “following incorrect actions found in the procedure of legal surveillance,” the prime minister’s office said, without elaborating on which procedures were incorrectly followed or who the targets of legal surveillance might have been. Under Greek law, a prosecutor is required to sign off on any surveillance.

The general secretary’s resignation supposedly has nothing to do with the reported phone hackings. But all we have at this point is an unofficial statement was made by an anonymous government official. And that statement, again, claims the Greek government had nothing to do with the targeting of a local journalist. But this one folds in the attempted hacking of the opposition party leader, which had previously been unaddressed by any official statements.

A government official said [the general secretary’s resignation] was “related to the toxic climate that has developed around him. In no case does it have anything to do with Predator (spyware), to which neither he nor the government are in any way connected, as has been categorically stated.” The official spoke on condition of anonymity as the reasons for the resignation had not been announced.

But it has not been “categorically stated.” And it still hasn’t, because this isn’t an official government statement. The Greek government is facing legal action brought by the opposition leader who hopes this will expose what entity attempted to compromise his phone with Predator malware. The sudden resignation of the head of Greece’s intelligence agency strongly suggests abuses of surveillance powers and tech. The timing of the resignation even more strongly suggests the unspecified abuses are related to recent news reports about these hacking attempts.

At some point more details will be made public. But for now, it appears there’s another malware company with ties to Israeli intelligence selling exploits to governments that can’t be trusted to use them responsibly.

Filed Under: , , ,
Companies: cytrox

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...