Use of Predator spyware rebounds after a dip from Biden sanctions, researchers say


The powerful commercial surveillance tool Predator may have taken a beating in March when U.S. officials announced sweeping sanctions against the spyware purveyor’s parent company and leadership, but in just the latest example of the industry’s astonishing resilience, there is now evidence that Predator is back and even securing new customers.

Newly discovered infrastructure suggests use of the spyware has seen an uptick in recent months despite the hit the spyware brand took in the immediate aftermath of the March announcement. The recently detected infrastructure has likely been used to facilitate the “spyware staging and exploitation process,” according to a report published Thursday by Recorded Future.

The infrastructure is probably tied to Predator customers based in a variety of countries, including the Democratic Republic of Congo (DRC) and Angola, the researchers said.

While reports have previously highlighted the use of Predator in Angola, the DRC appears to be a new client of Intellexa — Predator’s manufacturer — the report said. Other “clusters” of Predator usage found by researchers are possibly tied to the United Arab Emirates and Madagascar, the report said. It tied a likely inactive cluster to Saudi Arabia.

There is evidence that several servers believed to be linked to Predator operations are used in additional countries, but the researchers were unable to confirm which countries those are.

The Record is an editorially independent unit of Recorded Future.

Despite an apparent brief downturn in Predator usage following the Biden administration’s March announcement of sanctions against two people and five entities tied to Intellexa, its operators have continued their work with “minimal changes,” the report said.

It is difficult for researchers to conclusively say to what degree Predator has rebounded because there is always the possibility that some activity is not detectable, according to Recorded Future researcher Julian-Ferdinand Vögele.

However, Vögele said in an interview, Predator activity is clearly resurgent.

Predator operators have recently added another layer to what the researchers call their “multi-tiered delivery system,” a change intended to give customers more anonymity, the report said. They have also tightened operational security in “delivery server configurations and associated domains,” the report said.

Taken together, Predator spyware operators have altered “significant aspects of their infrastructure setup, including changes that make country-specific attribution more challenging, [but] they have largely retained their mode of operation,” the report said.

Vögele underscored the persistence of the threat posed by powerful commercial spyware given how easy it is for manufacturers to hide their operations.

“It’s very hard to regulate this ecosystem… because it’s very easy to set up shell companies in areas where you might not have jurisdiction,” Vögele said. “It is very easy for these companies to set up new companies that are then untraceable.”

Predator operators have likely been frustrated by sanctions and public reporting, which have increased scrutiny of their practices, but they have consistently adapted their tactics, according to the research.

“While public reporting and sanctions have likely made it more challenging for Predator operators, the threat has proven to be persistent,” Vögele said. “As seen in this latest iteration, we expect them to gradually adapt and modify their operational tactics.”


Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.
