The first case of a European national being targeted with the Predator spyware created by the Israeli firm Cytrox has been confirmed in Greece.
Thanasis Koukakis, an investigative journalist for CNN Greece who also contributed to the Financial Times and CNBC and is covering one of the country’s biggest corruption scandals, was hacked with the spyware, a forensic analysis of his phone that was shared with Haaretz revealed.
Koukakis was infected with the spyware – which provides its operators with full access to the cellphone, its encrypted data, and even its camera and microphone – between July and September 2021, an analysis conducted by Citizen Lab found.
Citizen Lab’s findings, which have been seen by Haaretz, are based on an analysis of Koukakis’ cellphone conducted last month. The analysis led the University of Toronto-based researchers to a suspicious message received by the journalist that included a link to a purported tip. The link led to a fake website that installed a “certificate” on the phone and thus provided the spyware’s operators with access to his device.
“This certificate exactly matches a certificate we identified attached to a sample of Cytrox Predator spyware” found in the past, Citizen Lab said.
Certificates in this instance are a form of digital identifier that phones and computers use for security purposes. They play a pivotal role in cybersecurity, serving both to identify trusted apps or websites, and to regulate their access to devices.
The one found by Citizen Lab on Koukakis’ phone was the same as the one found over the summer on the phones of two Egyptians who were also targeted by the Predator spyware. By installing the Israeli firm’s certificate on the phone, the spyware could thus enjoy access to the device it was not actually authorized to be on.
Citizen Lab added that it could not “preclude the possibility of other infections.”
The first publicly known case of Predator infections, on the cellphones of two Egyptian nationals, were also found to be infected with the better-known Israeli-made spyware Pegasus, which is created and sold by the NSO Group.
Predator is almost identical to Pegasus in terms of its capabilities, but differs in the way it infects a device: It requires the victim to click on a link, while some versions of Pegasus do not.
Previous reports have suggested that the Greek government may be a client of Cytrox or the firm may have clients in the country.
The government has denied playing any role in the Predator hack, and said any hacking of Koukakis was done by an “individual.”
Last Friday, Greek government spokesperson Yiannis Economou said that “the Greek authorities do not use the specific software described in these complaints, and therefore the Greek state does not deal with any of the companies that manufacture or market such software.” The same spokesperson repeated the claims on Monday.
The logo of Predator creator Cytrox.
However, a review of Koukakis’ reporting, the timeline of his phone’s infection, past findings about Cytrox and documents revealed by other Greek investigative journalists seem to lend credence to the allegation that the Greek government, or someone acting on its behalf, was involved.
Indeed, recent reporting in Greece seems to suggest a connection between the alliance of Israeli-linked cyberoffense firms active in Greece and Cyprus, and a scandal Koukakis was covering.
A mysterious connection
The Israeli-run Cytrox has offices in Europe, including in Hungary. It is part of the so-called “Intellexa Alliance” – a network of Israeli cyberoffense firms connected to the businessman Tal Dilian. He is a former senior Military Intelligence officer whose business was previously based in Cyprus. He founded the Israeli cyberfirms Circles and WiSpear (the latter hacks into Wi-Fi systems), and is the CEO of Intellexa, which reportedly purchased Cytrox in 2018.
According to public information and past reports by Citizen Lab, Cytrox was founded in 2017 and its technology is defined as “cyber intelligence systems designed to offer security” to governments and help “designing, managing and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”
It is unclear if Cytrox is under Israeli defense oversight and whether the firm and others linked to Intellexa sell only to states – as NSO does – or also provide their services to private entities. The body in charge of overseeing defense exports did not respond to Haaretz’s questions regarding Cytrox for this report.
Last December, Facebook revealed that Cytrox was operating hundreds of fake domains in an attempt to entrap “politicians and journalists around the world.” According to Meta, Facebook’s parent company that worked with Citizen Lab on the matter, “these domains were used as part of their phishing and compromise campaigns.
“Cytrox and its customers took steps to tailor their attacks for particular targets by only infecting people with malware when they passed certain technical checks, including IP address and device type. If the checks failed, people could be redirected to legitimate news or other websites,” the Meta report stated.
These findings are in line with the message found on Koukakis’ cellphone, as he received a message referring him to such a website.
“Our investigation identified customers in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Cote d’Ivoire, Vietnam, the Philippines and Germany. Targets of Cytrox and its customers included politicians and journalists around the world, including in Egypt and Armenia,” Meta’s researchers found.
The report and claims that Greece was a potential client prompted local investigative journalists to start probing the domains. The investigation led Eliza Triantafyllou, who writes for Greek investigative journalism group Inside Story – which first reported the infection – to the Greek business registry.
She discovered that a man called Felix Bitzios had been appointed to a senior administrative role in three firms in Greece: Intellexa, Apollo Technologies and Hermes Technologies. The firms are the local representatives of Dillian’s formerly Cypriot firms.
Bitzios is a known figure in Greece. His name has previously been linked to the so-called Piraeus Bank scandal, in which a powerful Greek family of well-known shipowners and their Libra Fund allegedly bailed out the bank – which is one of Greece’s largest – in 2014.
A branch of the Piraeus Bank, in Athens.REUTERS
After reading the reports alleging a connection between Dilian and Bitzios, Koukakis – who knew about the latter’s role in the scandal he had been reporting on – decided to have his cellphone checked. This led to last month’s confirmation of his infection by Citizen Lab.
Koukakis had good reason to suspect he had been hacked: Reporters United, another Greek independent investigative journalism outlet, discovered Greek state documents proving that one year prior to the Predator infection, during the summer of 2020, the country’s National Intelligence Service, or EYP – which answers directly to the prime minister – was monitoring Koukakis’ phone for “national security” reasons.
The documents also show that on the day Koukakis asked the security service in August 2020 if he was being monitored – because his cellphone was acting strangely – the intel agency stopped his surveillance. The government then pushed a new law that would make it impossible for those being targeted to be informed.
The issue of disclosure, Koukakis and others say, is at the heart of the matter, warning that without a clear legal framework governing surveillance, no public oversight is possible.
The Foreign Press Association of Greece said Monday that it “noted with great alarm the reports revealing that another journalist [Koukakis] was under surveillance by Greece’s National Intelligence Service.” It added that it “unequivocally condemns any unjustified surveillance of journalists by state authorities.”
Triantafyllou, meanwhile, said she does not believe Koukakis is the only individual in Greece to be targeted by the Predator spyware. “There are 42 links [related to Cytrox] registered in Greece, per the Meta report. I don’t think anyone would deploy such a web just for one journalist,” she said.
Bitzios, Dilian and the Israeli Embassy in Greece did not respond to requests for comment for this story.