--------------------------------------------------------------------------------
date: 2023-10-07T08:25 tags: [date/2023/10/07, gemnews]
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
created: 2023-10-07T10:23:45 (UTC +02:00) tags: [] source:
author:
--------------------------------------------------------------------------------
Predator Files: Technical deep-dive into Intellexa Alliance's surveillance products - Amnesty International Security Lab
## Excerpt
An expose the Intellexa Alliance's surveillance capabilities including advanced spyware, mass surveillance platforms, and tactical systems for targeting and intercepting nearby devices.
--------------------------------------------------------------------------------
On 5 October 2023, a major global investigation – the “
” – was published exposing the proliferation of surveillance technologies around the world and the failure of governments and the European Union (EU) to properly regulate the industry. The Security Lab at Amnesty International is a technical partner in the “Predator Files”, a project coordinated by the European Investigative Collaborations (EIC) media network into the Intellexa alliance, the makers and marketers of the Predator spyware. As part of this collaboration, the Security Lab has reviewed technical documentation, marketing material and other records obtained by Der Spiegel and Mediapart – who are part of EIC – which shed light on the ecosystem of surveillance products offered by the Intellexa alliance.
The Intellexa alliance is an evolving group of companies and brands that have been involved in developing and marketing a wide range of surveillance products including advanced spyware, mass surveillance platforms, and tactical systems for targeting and intercepting nearby devices. The corporate entities of the alliance span various jurisdictions, both within and outside the EU. The exact nature of links between these companies is shrouded in secrecy as corporate entities, and the structures between them, are constantly morphing, renaming, rebranding, and evolving.
In the same vein, the products marketed by Intellexa have been rebranded and renamed numerous times, as various Intellexa alliance entities have worked together to combine product development and marketing activities. This report provides an overview of the distinct products and “attack vectors” offered by this surveillance alliance, including a product glossary to help clarify the analysis where multiple product names were used to describe the same product line over time. This report does not endeavour to describe every product in exhaustive detail, but rather to provide an overview of known or significant products. The goal of this research is also to provide an understanding of the potential impact of the described attack techniques, without making a judgement on the effectiveness of individual products, since marketing material can often overstate the effectiveness of commercial products.
Technical specifications and marketing material from surveillance vendors is often kept secret. The resulting information asymmetry prevents defenders in the cybersecurity industry and at-risk civil society groups from understanding the full scope of threats that they face. The aim of this research is to provide concrete information about surveillance capabilities available from this one vendor in the commercial surveillance market. We hope that this report can be a resource for the cybersecurity community and major mobile device and technology vendors. Our recommendations section outlines possible mitigations and detections which can help protect potential civil society targets and the wider internet ecosystem from some of the attack vectors described here.
Surveillance Industry Glossary
Spyware – Zero-clicks and 1-clicks
There is an ongoing high-stakes race between the vendors of smartphones and other devices we rely on and actors who are invested in subverting these systems for surveillance purposes. Mercenary spyware companies continuously develop and refine their tactics to adapt to expanding security mitigations introduced by vendors, to evade detection and to diversify their offering for customers with different operational and legal requirements.
For many years, researchers and security practitioners publicly observed so called ‘1-click’ attack vectors. Although the specifics vary between different types of attacks and exploits, the common characteristic of 1-click attacks, as demonstrated by their name, is the requirement for the target to unwittingly perform an interaction which triggers the exploitation process. To ensure the target initiates the process, attackers typically need to employ some form of ‘social engineering’. For example, a common ‘1-click’ attack vector involves delivering a malicious link via email, SMS or instant messenger apps with a tailored message to trick the victim into clicking on the malicious link. Just one click can be enough to deliver an exploit for their mobile browser.
As well as requiring interaction from the target, 1-click attacks also often leave behind visible traces which are useful for researchers and security practitioners to discover the
, and possibly even reconstruct which particular mercenary spyware system was involved in the attack.
The past five years saw the advent of so-called “zero-click” attacks. Such attacks – by definition – do not require any action on behalf of the target. The absence of tell-tell links also makes it much more difficult for a target to learn of the attack attempt without an in-depth forensic analysis of their device. Fewer traces and forensic evidence also make it exceedingly difficult for any independent authorities to investigate cases of abuse of these products. This lack of independent oversight capability for advanced attacks including ‘zero-clicks’ also makes it more difficult, if not impossible, to reconcile the use of these tools with human rights requirements.
For these reasons ‘zero-click’ has become the tactic of choice for mercenary spyware companies and their customers. Higher reliability, lower risk of discovery, and situational adaptability have made zero-click attacks an in-demand cyber passe-partout, and an ongoing challenge for digital defenders and technology vendors alike.
These attacks can come in different forms and target different network and software attack surfaces. In the last few years, several zero-click exploit chains have been
leveraging vulnerabilities in messaging platforms such as
, which can be used as the entry point to fully compromise the device. For example, a vulnerability in image parsing code, reachable in Apple’s iMessage image preview feature, can be used to silently deliver a first-stage attack to an unsuspecting target. Without any link to click, the target is unlikely to notice that anything untoward has happened.
Due to increased scrutiny from security researchers and technology vendors like Apple and Google, the development of full zero-click exploit chains which enable full system compromise are becoming ever more costly to develop and more fragile to maintain. Public pricing lists from a major exploit broker offer up to $2.5 million USD for a full chain, although information available to the Security Lab from industry sources suggests the true cost to a government wishing to buy such a full-chain capability off-the-shelf is more than double this price, if such a full chain is available.
Recent explosive reporting
has revealed how cyber-surveillance companies are racing to subvert and exploit the already invasive digital advertising ecosystem to target and infect mobile devices globally using ad-network powered “zero-clicks”. Spyware companies are borrowing hyper-targeting techniques from the already rights abusing ad-tech industry to enable their customers to infect targets as they are simply browsing a legitimate website. These new developments add urgency to the human rights case for banning the surveillance-based advertising model, which already undermines a number of human rights, even before being paired with highly invasive mercenary spyware.
As long as government demand for such invasive spyware tools and resulting profits from the mercenary surveillance industry remain high, we will continue to see a drive towards exploiting the essential shared internet infrastructure that the public relies on.
However, these “remote zero-click” attacks are not the only tactic that researchers and security practitioners have observed recently. Attackers with privileged access to a target’s mobile or Wi-Fi network can leverage this vantage point to automatically redirect the target to an infection page. This tactic is commonly referred to as a “network injection”.
Companies like
and
pioneered the commercialisation of network injections over a decade ago. While early systems often involved
, current generations of these tools have evolved to use increasingly advanced exploits and vectors in response to generational change in mobile security and other network protocols.
Surveillance companies have productised a range of tactical equipment to mimic cell towers and to infiltrate Wi-Fi networks and even covert network equipment to physically install upstream in mobile networks and Internet service providers. Ultimately, they all aim to intercept the traffic generated by the target device, typically HTTP, hijack it, and then silently redirect the targets’ web browser to an exploitation site. In this way, attackers can leverage more common 1-click exploits in browsers such as Chrome and Safari, but still silently infect a target without needing user interaction.
For example, while reading through their social media feed, a user might decide to read an article from a legitimate local news website, and inadvertently get their phone infected as a result. Just opening one HTTP link to the news website could give the attacker the split-second opportunity needed to redirect to a spyware infection page. The network injection attack and the subsequent exploitation
and there is nothing, other than perhaps navigating over a VPN, that the target could have done to prevent it.
Because of this, network injection-based products have become lucrative options in mercenary spyware companies’ offerings, appealing especially to customers who have legal or coercive power over a country’s telecommunications infrastructure. While such systems may be operationally complex to install initially, once deployed, a surveillance operator can easily integrate with new infection solutions which create an ongoing threat.
Intellexa’s spyware and attack vectors
The Intellexa alliance has built and commercialised a comprehensive suite of tactical and zero-click network injection products – marketed under the Intellexa brand – which accompany the sale of their flagship spyware, Predator. In the following section we detail the technical capabilities of Predator itself, and the wide range of supporting Intellexa products designed to deliver the Predator spyware to targeted mobile devices through the interception and subversion of mobile networks, Wi-Fi and the internet.
Our aim in this analysis is to provide concrete information to policy makers, product vendors, security researchers and civil society to help understand and develop defences against these dangerous attack vectors.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image1.jpg){kind=link}
Figure 1: Exhibit of Intellexa’s range of interception and OSINT products from an industry trade fair.
Predator – A highly invasive spyware ecosystem
The Security Lab’s analysis of brochures and technical documents provided by EIC provides new insight into how this spyware functions on a technical level and the methods by which it infects targets’ devices. Much of this information is published today for the first time as part of the “Predator Files”.
The Intellexa alliance’s mobile spyware, mostly commonly known as “Predator”, is a form of highly invasive spyware that by default gains total access to all data stored or transmitted from the target’s device, and that is designed to leave no traces on the target device, which would render any independent audit of potential abuses impossible.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image2-1024x466.png){kind=link}
Figure 2: Intellexa Predator spyware interface (source: EIC documents)
Predator spyware infections are managed via a web-based system which Intellexa terms the “Cyber Operation Platform”. Spyware operators can also use this interface to initiate attack attempts against a target phone, and if successful, to retrieve and access sensitive information including photos, location data, chat messages and microphone recordings from the infected device. The full Predator system includes a number of distinct software and infrastructure components. These include the spyware agent itself, which is installed on the target’s device, and the software exploits and attack vectors necessary to install the spyware covertly on the target’s phone.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image3-1024x376.png){kind=link}
Figure 3: CyOP – Cyber Operations Platform (source: EIC documents)
The alliance has used several marketing names since 2018 to describe its mobile spyware products including ‘Green Arrow’ for their Android spyware agent and ‘Red Arrow’ for their iOS spyware agent. More recently, Intellexa has marketed its spyware system as ‘Predator’ and ‘Helios’, among others. In this report, we refer to this overall mobile spyware product as Predator as we believe all of these product names refer to the same set of broadly related spyware technology originally developed by the North Macedonian company Cytrox, which later became part of the Intellexa alliance.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image4.png){kind=link}
Figure 4: Predator interface shown in 2019 “spy van” interview (
)
The Predator user interface documented publicly for the first time in the “Predator Files” is structurally and visually similar to an earlier Predator interface briefly shown in Intellexa’s infamous “spy van” during a
between Thomas Brewster and Intellexa founder Tal Dilian.
Predator network architecture
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image5.jpg){kind=link}
Figure 5: Predator high-level server architecture (source: EIC documents)
The “Predator Files” disclosures reveal how exploit code and spyware payloads are delivered to the target device from what Intellexa terms its “installation server”. Once a phone is infected with the Predator agent, it connects to the command and control (CNC) network where the operators can issue commands to the Predator spyware agent, such as to retrieve certain files or to activate the microphone.
As shown in the Predator architecture diagram (Figure 5), exfiltrated data is also transferred back from the infected device via the CNC anonymisation network with the aim of obscuring the location and identity of the spyware operator, making it more difficult for researchers to identify the source and nature of the attacks.
Pricing of mercenary spyware
Multiple leaked commercial proposals for the Predator spyware system provide insights on the economics of the end-to-end mercenary spyware industry. The New York Times
a 2021 commercial offer for Predator in December 2022. A more recent commercial offer for ‘NOVA’, an Intellexa alliance combined spyware and data analysis system, was leaked on the XSS.is cybercrime forum in 2022 and later
.
While commercial demand is one factor in spyware pricing, these leaked proposals also provide a proxy metric to evaluate the difficulty of attacking modern smartphones and building a maintainable commercial product capable of conducting such attacks.
The commercial offerings license a base system with the Predator Android and iOS surveillance agents along with optional add-ons. These commercial add-ons include the ability to target devices outside the customer’s country, to maintain an infection of a device between reboots (termed “persistency”) and to increase the “magazine” limiting the total number of successful infections allowed in the system.
This 2022 commercial proposal only advertises 1-click attacks, with 10 concurrent live agents (simultaneously infected devices) and 100 successful infections. The offer is restricted to domestic targeting only. A series of trainings for future operators of the spyware system is also included in the proposal.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image6-724x1024.jpeg){kind=link}
Figure 6: Leaked 2022 commercial offer with geographic, concurrency and magazine limits (XSS.is cybercrime forum).
Persistency is offered through an additional license for €3 million euro with support for both iOS and Android, although the 2022 proposal cautions that the persistent infection would not survive a factory reset and would not prevent version updates on the device. Additionally, if international targeting is required, the “Nova international” add-on is available for an additional 1.2 million euro which would give access to 5 additional countries to be mutually agreed upon, with no geographic limitation of target location.
The 2022 proposal also includes a condition that “Delivery is subject to export and/or import control certification by the relevant European authorities, as applicable”.
In the earlier 2021 proposal published by the New York Times, a separate add-on for an additional “magazine” with 100 successful infections was priced at €900,000. From this commercial licencing we can infer a lower bound cost per infection of at least €9000 euro per successful infection for this particular spyware system. This cost per infections is likely to increase each year as the challenge of developing and maintaining reliable exploit chains for modern mobile devices becomes increasingly difficult. While the cost of these attacks tools and individual attacks is significant, we are not yet at the point where these tools are economically unfeasible for States to deploy against civil society and human rights defenders.
Attack vectors
Both previously published commercial proposals and additional material available in the “Predator Files” investigation focus on 1-click attacks using malicious links. Indeed, the 2022 Predator commercial proposal explicitly describes the product as a “remote 1-click browser-based capability to inject Android and iOS payload to mobile devices through link delivery”.
However, in the following section we will demonstrate how such 1-click attack capabilities can be integrated with other surveillance systems to enable more covert and dangerous infection options. One Intellexa alliance document outlines its various approaches for delivering these attacks to the target. These include:
- Strategic ISP infection – described as “0-click through HTTP browsing”.
- Tactical infection (WiFi and GSM) – described as 0-click through HTTP browsing.
- Avatars platform – anonymous accounts or “bots” on social media or instant messaging apps can be used to send 1-click links to targets.
Mars – Infection through network injection
Description:
The Intellexa “Mars” product is a network injection system installed at mobile operator ISPs which allows a Predator customer to silently redirect targeted users to a Predator infection server after browsing any HTTP web page. This enables a 1-click browser exploit to be used as a “zero-click”.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image7-1024x135.png){kind=link}
Figure 7: Mars “zero-click” infection – operational flow (source: EIC documents)
Technical Analysis:
Network injection systems rely on the targeted user eventually opening a link to any legitimate unencrypted HTTP URL. The network injection system can respond to the original HTTP request with a HTTP redirect containing a to a 1-click browser exploit link which infects the device without further user action. Network injection systems in effect allow 1-click exploits to be used as no-interaction pseudo zero-clicks.
Such a system is not truly remote as it requires the target’s internet traffic to be transferred over a network that the spyware operator can monitor. As more websites deploy HTTPS encryption, potential targets will tend to make fewer unencrypted HTTP requests, resulting in network injection systems taking longer to successfully inject and redirect a target.
The Mars solution consists of two distinct components: a physical Mars server deployed at each Mars-enabled mobile internet service provider (ISP), and a Mars administration system used by the surveillance operator to define targets and launch attacks across the Mars enabled ISPs.
In the Mars product specifications, Intellexa acknowledges that the product “requires full cooperation from the ISP for the integration and operation”, as such these types of network injection systems can only be used to target devices domestically in a country or devices which are roaming with traffic being forwarded through the Mars-enabled ISP.
The reviewed Mars product documentation describes targeting of devices based on a static IP address assigned to the target subscriber rather than based on a phone number (or MSISDN). Targeting based on a phone number would require closer integration between the Mars system and the mobile operator’s identity and user account systems which may make Mars deployment more complex.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image8-1024x110.png){kind=link}
Figure 8: Administrator interface to target IP addresses.
Each mobile ISP must assign a static internal IP to the potential targets identified by the operator. The MARS operator can then enable targeted redirection and infection of devices connected through the system.
The cooperating ISP must also set up forwarding rules on the ISP gateway router to forward traffic from the predefined target IP addresses to the Mars system for traffic collection and manipulation. In the described scenario, the Mars system would act as a man-in-the-middle (MITM) inline system rather than a man-on-the-side (MOTS) system.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image9.png){kind=link}
Figure 9: Network architecture for MARS system
Previous investigations have shown that the ISP-level (strategic) network injection infrastructure has been used to infect targeted mobile users with advanced spyware tools. In 2019, Amnesty International documented network injection attacks being used in Morocco to infect
and
with NSO Group’s Pegasus spyware.
The
a functionally similar system being used to target a political opposition figure in Egypt with Intellexa’s Predator spyware in September 2023. The Citizen Lab investigation determined with “high confidence” that the network injection system used to deliver Predator infection links in Egypt was a Sandvine PacketLogic device. Earlier network measurements and research showed that Sandvine systems capable of network injection have been deployed in Egyptian networks since at
.
From initial research, the Mars system offered by the Intellexa alliance appears to be a different product to the Sandvine system identified in Egypt. However, more research is needed to characterise this system, its original manufacturer and to identify Mars systems deployed in the wild.
Jupiter – Mars add-on enabling injection on encrypted traffic
Description:
The Intellexa alliance “Jupiter” product is an add-on for the Mars network injection system. The product documentation available as part of the “Predator Files” claims the system allows surveillance operators to also perform network injection into targets’ encrypted HTTPS traffic. The product is only able to inject “pre-enabled” domestic websites.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image10-1024x187.png){kind=link}
Figure 10: Operational flow of Jupiter system (source: EIC documents)
Technical Analysis:
The Jupiter documentation states that “SSL encryption has left intelligence agencies with no solution for interception and infection during SSL traffic”. The Jupiter system aims to subvert the HTTPS ecosystem to also enable network injection attacks on some encrypted traffic.
The product material explains that interception is limited to “local websites” hosted at an ISP in the customer country. The Jupiter hardware needs to be installed on a hosting providers network gateway or an ISP upstream from the domestic hosting provider where the local target website is running. Once Jupiter is installed, the operators need to perform a “one-time procedure”, called a “Jupiter Operation”, which involves redirecting traffic for the target website from “specific international IPs” allowing the target website to be enrolled into the system. A diagram of the combined Mars and Jupiter systems is shown in Figure 11.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image11-1024x589.png){kind=link}
Figure 11: Network diagram of Mars and Jupiter systems for network injection (source: EIC documents)
Each local website that the “Jupiter Operation” is performed on will be added to the “Jupiter List” and becomes “approved for infection for a certain duration”. A “median server” is responsible for communications between the Jupiter and Mars servers and maintains the “Jupiter List”.
This technical documentation suggests that the Jupiter system relies on using a man-in-the-middle network position to obtain a valid TLS certificate for the targeted local website. Certificate authorities allow a number of challenge types to validate that an entity requesting a TLS certificate indeed controls the domain in question. These challenges include a “HTTP challenge” which verifies that a specific validation file is available on a website at a particular URL path, and a TLS challenge which checks that a website returns a specifically formatted TLS certificate.
With the Jupiter system installed at the hosting provider, the Jupiter customer can man-in-the-middle verification requests sent from the international IP ranges used by the TLS certificate authorities to verify the domain verification challenge. As the attacker chosen certificate authority receives a valid challenge response, it will allow the certificate request and in turn issue a valid TLS certificate to the Jupiter operator which is a valid and trusted for the target website.
The TLS certificate issued during the “Jupiter Operation” can then be loaded in the “Median server” and in the “Mars systems” installed at each mobile operator ISP. Once the certificate has been issued, the Mars operator can actively man-in-the-middle encrypted HTTPS requests sent from a target to the local website without further interaction with the hosting provider network. This man-in-the-middle position can then be used to network inject browser exploit code inside the connection to the legitimate website.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image12-1024x303.png){kind=link}
Figure 12: “Jupiter Operation” process involving temporary redirection of some external IPs (source: EIC documents)
Triton – Samsung baseband zero-click
Description:
Triton is a zero-click tactical infection product which can be used to compromise Samsung devices in a range of hundreds of meters through their cellular baseband.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image13.png){kind=link}
Figure 13: Triton – Baseband target acquisition (source: EIC documents)
Technical Analysis:
The Triton system is a tactical infection vector which the Intellexa alliance’s marketing material claims can infect many recent models of Samsung devices including “the latest models with the latest operating system versions”. The system appears to target vulnerabilities in baseband software used in Samsung devices which allows infection with the Predator spyware with “no interaction with the target” or the need for the target to use a browser or any other app.
The attack involves a number of distinct steps. First, an IMSI catcher is used to downgrade target Samsung devices from 5G, 4G or 3G to the legacy 2G protocol. The documentation explains that the downgrade attack can be performed with an Intellexa alliance IMSI catcher product or with a third-party IMSI catcher which supports such downgrade attacks.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image14-1024x527.png){kind=link}
Figure 14: Diagram from Intellexa Triton marketing material
Once the target phone is downgraded to 2G, a separate 2G base station transceiver (BTS) – likely a software defined radio integrated with the Triton product – is used to deliver the attack payload over a ‘specific 2G radio channel’. The sales brochure claims the full spyware agent installation can take up to 3 minutes and be performed over distances ranging up to hundreds of meters.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image15-1024x607.png){kind=link}
Figure 15: Diagram from Intellexa Triton marketing material
In March 2023, Google Project Zero
documenting numerous fully remote zero-click vulnerabilities uncovered during their analysis of the Samsung Exynos baseband chipset and firmware used in many recent Samsung devices.
The Intellexa brochure claims that the Triton attack is effective against many recent models of Samsung devices. Based on the description of the affected device models and version, it is likely that Triton also targets vulnerabilities in the Exynos baseband software and in particular its 2G networking code. Unfortunately, the documentation available during this investigation does not include enough technical details to pinpoint the exact vulnerability or attack surface exploited by this product. It is unclear if Triton exploits a memory corruption vulnerability or if the baseband is manipulated to trigger a browser and pivot to a 1-click browser attack.
SpearHead – Wi-Fi interception and infection
Description:
SpearHead is a range of Wi-Fi interception systems originally developed by WiSpear is a member of the Intellexa alliance. SpearHead products allow target identification and geo-location, traffic interception, and network injection to deliver spyware payloads.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image16.png){kind=link}
Figure 16: Older public graphic containing WiSpear products (Source: public WiSpear image)
Technical Analysis:
EIC documents and
outline a range of SpearHead products which can be carried in a briefcase, mounted on a drone or installed in a
, the SpearHead 360. Intellexa alliance brochures claim the system is built around a Wi-Fi radio unit with a “digital adaptive beam-forming antenna” which allows for Wi-Fi signals to be “accurately geo-located based on direction of arrival (DoA) calculations”.
The vehicle-based SpearHead 360 system can also be paired with the backpack or drone mounted SpearHead to create “ad-hoc tactical networks” which, according to the marketing material, can be used to triangulate and accurately geo-locate the exact location of emitted Wi-Fi signals over large distances.
In addition to Wi-Fi geolocation, the system also advertises methods for “advanced manipulation of WiFi communications and protocols” and multiple strategies to perform man-in-the-middle attacks which they term “active WiFi interception”. The SpearHead systems promises integration with “back office systems” such as password cracking clusters which can allow for the brute-force calculation of Wi-Fi passwords where the network password is unknown. The system also includes a feature which uses “WiFi protocols to extract the device’s IMSI”. This feature may involve exploiting a publicly known information leakage flaw in
.
The Intellexa material claims that their Wi-Fi interception systems is fully integrated with multiple “infection and data extraction systems” such as Intellexa’s Predator. The SpearHead Wi-Fi interception devices can be used to perform network injection attacks on connected Wi-Fi devices and redirect to 1-click spyware infection links.
Alpha-Max – GSM interception and infection
Description:
Alpha-Max is a 3G/4G interception system originally developed by the Nexa group and marketed by the Intellexa alliance. Advertised features include the ability to identify handset identifiers (such as the target IMSI), listen to calls, block and modify text messages and intercept the data connection of any potential target in its vicinity.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image17.png){kind=link}
Figure 17: Tactical GSM interception systems in the ALPHA product line (source:
)
Technical Analysis:
The marketing material, which – based on described software versions – appears to have been written in 2019 and explains that the Alpha-MAX surveillance system works on the principle of mobile roaming. It consists of two integrated components, a 4G IMSI catcher and a 3G mobile base station (referred to as an eNodeB). Due to what was described as a “lack of 4G roaming agreements” at the time, target devices must first be downgraded from 4G to 3G using a built-in IMSI catcher.
The Alpha-Max system must be connected to the international SS7 network through a dedicated system called the “Alpha-Max provider system” that allows routing of calls, data and text messages. The documentation also says that, at the time, the provider system is “delivered with existing connectivity”, done through several Mobile Network Operators (MNO).
When the target is connected to the Alpha-Max 3G base station it authenticates to the virtual mobile network provider of the Alpha-Max. This allows the device to continue to communicate normally while allowing the operator to intercept the traffic.
In the 3G protocol the handset authenticates the cell tower, and it is no longer possible for an attacker to spoof an arbitrary mobile operator. The Alpha-Max system uses the legitimate network roaming feature and collaboration with mobile network operators to trick the device into roaming to another network. The backend signalling (SS7, and likely Diameter) connection allows the attacker-linked mobile network operator to send roaming requests to the targets’ home mobile operator and to
to authenticate the handset.
In a disclaimer, the product material explains that the “Alpha-Max is working based on roaming, all target mobile phones must be capable of roaming (i.e. roaming enabled). If not roaming enabled, this specific SIM card cannot be a target intercepted by the Alpha-Max”.
As with previous products, the Alpha-Max system is also advertised with spyware injection integration. The brochure describes how EPSILON, a “man-on-the-side” (MOTS) system can be used to manipulate target IP packets, perform a network injection into the targets traffic, and ultimately “place malware on the target’s phone”.
Mass surveillance: wiretapping to encrypted metadata analysis
While encryption of networked communications has become ubiquitous in many regions over the last decade, before that, large portions of Internet traffic was transmitted unencrypted and without protection. Until 2010 major email providers like Gmail and Yahoo did not employ any in-transit encryption at all for user content and served their websites over plain HTTP. In this environment, passive bulk interception technologies where highly effective, and for years were a cornerstone of the early digital surveillance industry’s product offering.
Numerous surveillance companies built and sold mass telephone and internet systems which were deployed to intercept traffic on a whole-country level. These allowed governmental operators to select and monitor at will telephone communications, web traffic, email or messaging alike.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image18-1024x650.png){kind=link}
Figure 18: Interface of the Amesys EAGLE dee packet inspection surveillance system
The Amesys EAGLE deep-packet inspection technology was first documented in 2006 and marketing material describes its ability to parse and analyse a range of network protocols including web browsing and email traffic. The EAGLE DPI system integrated with GLINT, which was a product that Amesys describes as a “global strategic system” for collecting and analysing telephone and network traffic in bulk for entire countries. Amesys, whose products were later integrated into the Intellexa alliance, also marketed a set of portable and tactical products including SMINT. SMINT was a transportable computer which could be connected to a target IP network to monitor and collect traffic. Marketing
show that Amesys also offered the SMINT system with additional EAGLE probe modules to integrate ADSL, WiFi and satellite sensors.
Nexa Technologies was founded in 2012 and took over the surveillance business of Amesys and their existing product lines. The new business entity also renamed the core mass surveillance product EAGLE to the new CEREBRO brand. The new CEREBRO mass surveillance product was integrated with a range of sensor “probes” including the ALPHA series of over-the-air GSM interception products, GAMMA for telephone monitoring, IOTA for internet traffic collection, SIGMA for satellite interception and the OMEGA open-source intelligence system.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image19-1024x531.png){kind=link}
Figure 19: CEREBRO monitoring system and supported probes (published by DISCLOSE)
The golden age of internet mass surveillance technologies such as EAGLE and CEREBRO later faced critical challenges. In 2013,
exposed the unchecked global interception of Internet traffic by the National Security Agency of the United States and its allies. In response, technology vendors and major platforms demonstrated new commitment to rolling-out strong encryption in their products and services. Within a short number of years, the usage of HTTPS by major websites skyrocketed. Today, for example, large parts of web traffic are encrypted by default.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image20.png){kind=link}
Figure 20: HTTPS usage by top 1 million websites – June 2022 (
)
As a result, traditional bulk and mass surveillance products have become less effective as the content of communications suddenly became unavailable. The increased adoption of encryption is one likely driver for the increased demand for endpoint monitoring solutions, such as spyware. While network encryption protects from wiretapping of data in transit, attackers who can successfully compromise target device can still access content, including end-to-end encrypted communications in cleartext.
Deanonymizing WhatsApp and Signal
As internet traffic was increasingly encrypted, companies such as Nexa group started to offer new product lines such as JASMINE, which focused on analysing the metadata of encrypted traffic apps with a particular focus on messaging applications.
In its targeted interception mode – which starts from a single target – JASMINE has claimed it is able to identify communicating parties in encrypted but peer-to-peer applications such as Skype, which create direct network connections between participants. Additionally the JASMINE documentation explicitly claims support for identifying the IP addresses of participants in encrypted apps such as WhatsApp and Signal during voice and video calls where peer-to-peer connections are also used for calling by default.
The JASMINE documentation also explains that by analysing encrypted traffic “events” for a whole country – in mass interception mode – JASMINE has the ability to correlate and identify the participants in encrypted group chats on messaging apps, with specific support analysing WhatsApp chat conversations.
Such a metadata analysis system can record the distinctive network traffic pattern each time a phone receives a new encrypted message or notification from a chat application such as WhatsApp or Telegram. Over time, with dozens or hundreds of messages received, the correlation between these notification events for multiple individuals will get stronger.
Eventually these systems can, with a high degree of confidence, determine which phones in the country are consistently receiving a notification at the same time, therefore indicating the phones and individuals which are likely members of the same encrypted messenger chat group. Recent
revealed how states, for example Russia, are developing and deploying similar internet traffic analysis systems to track the users of encrypted messaging applications in the country.
This is not an abstract risk; other commercial surveillance vendors such as Sandvine have
similar surveillance capabilities to government customers such as Algeria and Belarus.
![[IMG]](https://securitylab.amnesty.org/wp-content/uploads/2023/10/image21.png){kind=link}
Figure 21: Sandvine offering similar encrypted traffic analysis systems (source:
)
Figure 21: Sandvine offering similar encrypted traffic analysis systems (source: Bloomberg)
The possibility of revealing the protester who uploaded an incriminating Instagram video
Such encrypted traffic analysis systems can also be used to identify anonymous users who upload content on social media in a country. We can imagine a scenario where a protester uses Instagram to post videos of police violence or other rights violations on a pseudoanonymous Instagram channel. The upload will be encrypted with HTTPS, however, the file size of the uploaded video file and upload time is still visible to an observer recording network traffic metadata via surveillance systems deployed at their mobile operator.
The authorities could use a traffic correlation tool, similar to JASMINE, to search network logs for all mobile users who uploaded a large file to Instagram’s servers shortly before the video appeared on the Instagram channel. While this search may be noisy, and provide a large pool of possible targets, each new uploaded video would provide more data points, which let the operator narrow down the list of suspects.
Unfortunately, technical attacks such as the traffic correlation approaches described here tend to become more effective as this technology develops. This is an area where advances in machine learning and AI could make such statistical correlation attacks more reliable and practical for governments to deploy indiscriminately, in order to monitor mass internet traffic and ultimately infer information about human social networks and connections at a nation-wide scale.
Recommendations
The aspiration is that the information shared in this report is actionable by civil society technologists and device vendors to make informed decisions about threat models and to prioritise possible security defences and mitigations. Unfortunately, technical fixes cannot solve this problem alone. Our private devices and digital public spaces will remain threatened until we have a global regulatory system in place with robust regulation of the cyber-surveillance industry, and which provides justice and accountability to those harmed by these products.
To Technology Vendors:
Major technology vendors and device manufacturers should urgently continue efforts to harden their products and services against the advanced exploits and attacks described in this report. This includes making 1-click browser attacks more difficult to develop and more brittle to maintain. It is valuable for technology vendors to continue to detect and fix such 1-click exploits being used in the wild. Remote zero-click attack surfaces, basebands, and other radio interfaces which can be exploited in close-access tactical attacks, should also be considered as an actively exploited attack surface. The following recommendations are possible mitigations:
- Provide an enhanced protection options for individuals who are at high risk from sophisticated attacks such as those described, in particular human rights defenders. While the number of people targeted from these tools may be a small percentage of the overall user pool, the harms resulting from these threats can be severe.
- To defend against network injection attacks, browser vendors should offer a HTTPS-only mode, as a user configurable option, or built in to enhanced protection mode like Apple’s Lockdown Mode. The user impact of such a feature may be higher in some regions with lower HTTPS penetration.
- Vendors should consider disabling legacy network protocols such as 2G, or providing some mechanisms to make downgrade attacks more difficult or visible.
- To defend against roaming-based attacks on 3G or 4G, vendors should consider providing a user visible prompt or approval process before the device connects to a new or previously unknown roaming network. Such a feature may be easier to deploy as an optional feature in an enhanced protection mode. It may also be possible to perform some on-device validation of the new roaming network location, notifying the user if the new moibile country code (MCC) is too geographically distant from the current network location to be implausible for a legitimate roaming handover.
- To defend against traffic correlation attacks, messaging apps and push notification services should consider traffic correlation attacks as practical real-world attacks which are deployed against their users and include this in their threat models. Some simple mitigations such as small timing delays in notifications, adding cover traffic or sending fixed size messages may help to significantly weaken the accuracy of these types of attacks. More open research is needed to analyse possible mitigations against these correlation attacks.
To At-Risk Individuals
The sophisticated spyware and digital attacks outlined in this report are used to target individuals who are of particular interest to government spyware operators because of their professional background, civil society work or information they possess. If you believe that you are at heightened risk of such attacks, there are practical steps you can take to make these kinds of advanced digital attacks more difficult:
- Always update your web browser and mobile operating system software as soon as any security updates are made available for your devices.
- Enable the enhanced security “Lockdown Mode” if you use an Apple device. This can make a successful compromise of your device significantly more challenging for an attacker.
- Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks – especially those targeting messaging apps – more difficult to perform and less effective.
- Features such as Signal’s optional ‘Relay Call’ mode can help hide revealing metadata, such as the IP address and location of the person you are calling from your ISP or government. In some situations, making or receiving calls from certain countries can expose the individual to heighten risks. A reputable VPN can also help mitigate these risks.
- Those with particular concerns about their devices being compromised can take actions to mitigate the extent of exposure including using “disappearing messages” where available and restarting their devices regularly which can remove non-persistent spyware infections.
- If you receive a state-sponsored attacker warning you should seek expert help to understand any ongoing risks for your accounts or devices.
If you are a human rights defender, journalist, or member of civil society and believe you have been targeted by this campaign or have received similar attack links through social media, please get in touch with the Security Lab at
.
Intellexa Product Glossary
This glossary is a non-exhaustive list of products and marketing names which have been used by Intellexa or Intellexa alliance entities. This has been compiled based on previously published research, as cited above, plus analysis of Intellexa alliance brochures as part of the Predator Files. We are not able to confirm if the actual performance of the products matches the descriptions in promotional materials.
The Intellexa alliance
The Intellexa alliance, its subsidiaries and partnerships have evolved over time since its inception into a complex worldwide company structure. For readability purposes, both EIC and Amnesty International use the following breakdown:
Nexa group –
, Nexa Technologies CZ s.r.o (Czech Republic), Advanced Middle East Systems (United Arab Emirates),
.
Intellexa group –
,
, Cytrox Holdings Zrt (Hungary),
,
,
.
Intellexa alliance – is a technological and commercial alliance concluded in 2019 between the Intellexa group and the Nexa group. The two groups of companies maintained a separate shareholding. In the
, the member companies were Nexa Technologies, Advanced Middle East Systems, Cytrox, WiSpear and Senpai Technologies.9 It is unclear whether the alliance between the Nexa group and the Intellexa group is still active today.
The Intellexa group of companies was founded in 2018 by the former Israeli army officer Tal Dilian and several of his associates, which sells the Predator spyware. Since 2020, it has been controlled by the holding company Thalestris, which is based in Ireland. The Intellexa group’s main companies are Cytrox (North Macedonia), which develops the Predator spyware system, WiSpear (Cyprus), specialist in Wi-Fi interception, and Senpai Technologies (Israel), a specialist in open-source intelligence and the creation of virtual avatars.
The Nexa group of companies, which mainly operated from France, specialized in traffic interception and mass surveillance systems (IP, voice, satellite, IMSI catchers, big data analysis). The group was created in 2012 to take over the surveillance business of the French company Amesys. It included from the start, Nexa Technologies (France) and Advanced Middle East Systems (Dubai), a sister company used by Nexa as a sales office. Between 2019 and 2022, the companies of the Nexa group were
. In 2019, Boss Industries purchased the company Trovicor (Dubai), which specializes in “lawful interception” (telephone monitoring systems). In 2020, the
as a brand and began to operate under the commercial name Trovicor Intelligence. In 2022 Nexa Technologies
, and in 2023 changed its name to RB 42 and announced that it had
. Boss Industries is still the owner of Trovicor, according to public documents.
Cytrox, is a North Macedonian company
which was the original creator of the Predator spyware and was
in 2018.
Amesys, based in France, was a telecom and defence company, which created a mass-monitoring system called Eagle, capable of performing mass surveillance of internet (IP) traffic at the scale of a whole country. Amesys ceased its activities in the cybersurveillance business in 2012, after the transfer of its assets to Nexa Technologies, which renamed Eagle as Cerebro.
Predator Files: Technical deep-dive into Intellexa Alliance's surveillance products - Amnesty International Security Lab was published on 2023-10-07
Response: 20 (Success), text/gemini
| Original URL | gemini://gemini.autonomy.earth/posts/archive/articles-dat... |
|---|---|
| Status Code | 20 (Success) |
| Content-Type | text/gemini; charset=utf-8 |