Amnesty International are of a strong opinion, that the Vietnamese government is likely behind the surge of attempted cyber-attacks using Predator spyware, targeting entities including U.S. Congress members and European officials.
In a comprehensive cybersecurity analysis report released on October 9, 2023, titled “The Predator Files: Caught in the Net”, a newly discovered cyberattack campaign was found to be specifically targeting high-profile individuals. These include officials from the United Nations, the President of Taiwan, the President of the European Parliament, a Berlin-based Vietnamese-language independent news portal, and a global human rights advocacy organization. The primary vehicle for this malicious software distribution operation was a well-known social media platform known as Network X (previously Twitter).
The threat actors, who operated under the now-deleted Twitter handle @Joseph_Gordon16, devised an intricate strategy aimed at luring its targets into clicking on hyperlinks that were engineered to deliver the Predator malware. Predator is classified as one of many commercially available spyware programs capable of transforming mobile devices into clandestine surveillance tools. This is achieved by secretly activating the device’s microphone, stealing passwords, and extracting chat messages.
The Amnesty report reveals a dynamic coalition of vendors and resellers, led by Intellexa, engaged in the trade of commercial spyware and cyber intrusion techniques for the distribution of malicious software. This includes the utilization of internet service providers under the influence of authoritarian governments. Drawing on corporate records obtained by the European Investigative Collaborations, Amnesty International reported that the Ministry of Public Security in Vietnam entered into a 5.6 million euro agreement in early 2020 with the creators of the Predator spyware through a sales subsidiary named Advanced Middle East Systems, located in the United Arab Emirates.
In March, President the United States Joe Biden of signed an executive order that prohibits government agencies from procuring licenses for spyware deployed by foreign governments for surveillance of dissident activities. During this period, the White House disclosed that a minimum of 50 U.S. personnel stationed abroad had become targets of advanced spyware in ten countries spanning multiple continents.
Amnesty acknowledged that it was unable to authenticate any actual infections resulting from the links shared by X (former Twitter) user @Joseph_Gordon16. Independent security researchers from the University of Toronto’s Citizen Lab conducted their analysis, further uncovering a connection to Vietnam in the malevolent links disseminated by the account.
Between February and June, the Twitter account under the handle X focused its efforts on at least 50 social media accounts associated with “27 individuals and 23 institutions,” including U.S. Representative Michael McCaul and U.S. Senator John Hoeven. President Biden’s visit to Hanoi in September was part of a broader initiative to enhance diplomatic relations between Washington and Hanoi.
Starting in April, Amnesty began to observe the same @Joseph_Gordon16 user also targeting academics and officials specializing in maritime matters, particularly those involved in EU and UN policies addressing illegal or undocumented fishing. Notably, Vietnam received a “yellow card warning” from the European Commission in 2017 for engaging in illegal, unreported, and unregulated fishing activities.
Social media behemoth Meta has previously linked the use of Predator spyware to a threat actor operating out of Vietnam.
Amnesty disclosed in a separate report dated October 6 that Predator customers manage infections through a web-based platform known as the “Cyber Operation Platform,” a term coined by Intellexa. Additionally, Intellexa offers “Mars,” a network injection system deployed within mobile operator ISPs, redirecting unencrypted HTTP requests from smartphones to a Predator infection server. The alliance also provides an add-on product known as “Jupiter,” enabling injection into encrypted HTTPS traffic, but it is only compatible with domestic websites hosted by local ISPs.
The products of the Intellexa alliance have extended their reach to at least 25 countries across Europe, Asia, the Middle East, and Africa. Intellexa promotes itself as an “EU-based and regulated company,” a marketing claim that Amnesty asserts points to a lax enforcement of export controls for dual-use technologies by member states. In June, the European Parliament called upon member countries within the trading bloc to revoke commercial spyware export licenses after an investigatory committee accused them of violating European Union law and human rights commitments by employing or selling commercial spyware.
The Amnesty International’s Secretary General (Agnès Callamard) disclosed that:
“Highly invasive surveillance products are being traded on a near industrial scale and are free to operate in the shadows without oversight or any genuine accountability.”
Please do let us know in the comment section what are your thoughts about this.