The powerful commercial surveillance tool Predator may have taken a beating in March when U.S. officials announced sweeping sanctions against the spyware purveyor’s parent company and leadership, but in just the latest example of the industry’s astonishing resilience, there is now evidence that Predator is back and even securing new customers.
Newly discovered infrastructure suggests use of the spyware has increased in recent months, despite the hit the brand took immediately after the March announcement. That infrastructure has likely been used to facilitate the “spyware staging and exploitation process,” according to a report published Thursday by Recorded Future.
The infrastructure is probably tied to Predator customers based in a variety of countries, including the Democratic Republic of Congo (DRC) and Angola, the researchers said.
While reports have previously highlighted the use of Predator in Angola, the DRC appears to be a new client of Intellexa — Predator’s manufacturer — the report said. Other “clusters” of Predator usage found by researchers are possibly tied to the United Arab Emirates and Madagascar, the report said. It tied a likely inactive cluster to Saudi Arabia.
There is evidence that several servers believed to be linked to Predator operations are used in additional countries, but the researchers were unable to confirm which.
The Record is an editorially independent unit of Recorded Future.
Despite an apparent brief downturn in Predator usage following the Biden administration’s March announcement of sanctions against two people and five entities tied to Intellexa, its operators have continued their work with “minimal changes,” the report said.
It is difficult for researchers to conclusively say to what degree Predator has rebounded because there is always the possibility that some activity is not detectable, according to Recorded Future researcher Julian-Ferdinand Vögele.
However, Vögele said in an interview, Predator activity is clearly resurgent.
Predator operators have most recently added an additional layer to what the researchers called their “multi-tiered delivery system” as a means of giving customers more anonymity, the report said. They also have recently improved operational security in “delivery server configurations and associated domains,” the report said.
As a result, Predator spyware operators have altered “significant aspects of their infrastructure setup, including changes that make country-specific attribution more challenging, [but] they have largely retained their mode of operation,” the report said.
Vögele underscored the persistence of the threat posed by powerful commercial spyware given how easy it is for manufacturers to hide their operations.
“It’s very hard to regulate this ecosystem… because it’s very easy to set up shell companies in areas where you might not have jurisdiction,” Vögele said. “It is very easy for these companies to set up new companies that are then untraceable.”
Predator operators have likely been frustrated by sanctions and public reporting, which have increased scrutiny of their practices, but they have consistently adapted their tactics, according to the research.
“While public reporting and sanctions have likely made it more challenging for Predator operators, the threat has proven to be persistent,” Vögele said. “As seen in this latest iteration, we expect them to gradually adapt and modify their operational tactics.”
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.