Sanctioned spyware maker Intellexa had direct access to victims of government espionage, researchers say | TechCrunch


Spyware maker Intellexa remotely accessed the surveillance systems of some government customers, allowing company staff to see the personal data of people whose phones were hacked with its Predator spyware, according to new evidence published by Amnesty International.

On Thursday, Amnesty and a coalition of media partners, including the Israeli newspaper Haaretz, Greek news site Inside Story, and Swiss outlet Within IT, published a series of reports based on leaked material from Intellexa, including internal company documents, sales and marketing materials, and training videos.

Perhaps the most striking revelation is that people working at Intellexa could reportedly remotely access the surveillance systems of at least some of its customers through TeamViewer, an off-the-shelf tool that allows users to connect to other computers over the Internet.

The remote access is shown in a leaked training video that reveals privileged parts of the Predator spyware system, including the dashboard, as well as the “storage system containing photos, messages and all other surveillance data collected from victims of the Predator spyware,” Amnesty wrote in its report. (Amnesty published screenshots of the video, but not the full video.)

The nonprofit researchers wrote that the leaked video shows apparent “live” Predator infection attempts “against real targets,” based on detailed information “from at least one infection attempt against a target in Kazakhstan.” The video contained the infection URL, the target’s IP address, and the software versions of the target’s phone.

A screenshot of an Intellexa customer monitoring system dashboard, showing the types of sensitive personal data from compromised targets that customers and Intellexa support personnel may have access to. (Image: Amnesty International)

Companies that sell spyware to government agencies, such as NSO Group and the now-defunct Hacking Team, have long claimed that they never have access to the data of their customers’ targets, nor to their customers’ systems. There are several reasons why.

Spyware makers do not want the potential legal liability if their customers use the spyware unlawfully, and they would rather say that once they sell their spyware, customers are entirely responsible for its use. Government customers, for their part, do not want to reveal the details of their sensitive investigations, such as the names, locations and personal information of targets, to a private company that may be located abroad.

In other words, this kind of remote access is definitely not “normal,” as Paolo Lezzi, the CEO of spyware maker Memento Labs, told TechCrunch when we reached out to ask for a spyware maker’s perspective for this story. “No [government] Agency would accept it,” he said.

Lezzi was therefore skeptical that the leaked training video showed access to a real customer’s live surveillance system. Perhaps, he suggested, this was training material that showed a demo environment. The CEO also said that some customers have asked Memento Labs to access their systems, but the company only accepts the offer if it is necessary to resolve technical issues. In any case, he said, “they ensure that we have access to TeamViewer for the necessary time and under their supervision we carry out the intervention and leave.”

Contact us

Do you have more information about Intellexa? Or other spyware makers? From a non-work device, you can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

However, Amnesty believes the leaked video does show access to live Predator surveillance systems.

“One of the training call staff asked if it was a demo environment, and the instructor confirmed it was a live customer system,” said Donncha Ó Cearbhaill, head of Amnesty’s security laboratory, which conducted the technical analysis of the leaked material and has investigated several cases of Predator infections.

The claim that Intellexa employees had insight into who their customers were spying on raised security and privacy concerns for Amnesty.

“These findings may only heighten the concerns of potential surveillance victims. Not only is their most sensitive data exposed to a government or other spyware customer, but their data is also at risk of being exposed to a foreign surveillance company, which has demonstrated problems in securely storing their confidential data,” the nonprofit wrote in the report.

Intellexa could not be reached for comment. A lawyer speaking on behalf of Tal Dilian, the founder of Intellexa, told Haaretz that Dilian “has not committed any crime and has not operated any cyber system in Greece or anywhere else.”

Dilian is one of the most controversial people in the government spyware world. A spyware industry veteran previously told TechCrunch that Dilian “moves like an elephant in a crystal shop,” implying he made little effort to conceal his activities.

“In that particular field of spyware salesmen you have to be extremely balanced and observant… but he didn’t care,” the person said.

In 2024, the US government announced sanctions against Tal Dilian and one of his business partners, Sara Aleksandra Fayssal Hamou. In that case, the U.S. Treasury Department imposed sanctions based on allegations that Intellexa’s spyware was being used against Americans, including U.S. government officials, journalists and policy experts. The sanctions make it illegal for U.S. companies and nationals to have any commercial relationship with Dilian and Hamou.

That was the first time the US government, which has taken action against the spyware maker NSO Group, targeted a specific person involved in the industry.

In his response to Haaretz, Dilian accused journalists of being “useful idiots” in an “orchestrated campaign” to hurt him and his company, which was “implemented in the Biden administration.”
