Thursday, December 11, 2025

Stalked in real time: Intellexa, the Israeli Predator in your pocket

Leaked training videos and new evidence expose Intellexa as more than just a rogue surveillance company. The Israeli firm stands as a pillar of Tel Aviv's global cyberwarfare infrastructure, infiltrating phones worldwide through 'zero-click' methods, ad-based infections, and covert partnerships with authoritarian governments.  

New research published by Amnesty International exposes key operations of Intellexa, an Israeli-linked spyware consortium responsible for mass surveillance and human rights violations across multiple continents. This includes ‘Predator,’ a highly invasive tool that hijacks smartphones to exfiltrate everything from camera feeds to encrypted chats, GPS locations, and emails. It is just the latest example of an Israeli-linked spyware specialist acting with no consideration for the law. However, Amnesty’s report did not focus on this dimension and limited itself to the technical details, leaving the full extent of the legal violation largely obscured. Intellexa is among the world’s most notorious “mercenary spyware” purveyors. In 2023, the company was fined by Greece’s Data Protection Authority for failing to comply with its investigations into the company. 

An ongoing court case in Athens implicates Intellexa apparatchiks and local intelligence services in hacking the phones of government ministers, senior military officers, judges, and journalists. While Amnesty International exposes Intellexa’s spyware activities, it does not provide background on the company, which was founded by Tal Dilian, a senior former Israeli military intelligence operative, and is staffed by fellow Israeli spying veterans.

In March 2024, following years of damaging disclosures about Intellexa’s criminal activities, the US Treasury imposed sweeping sanctions on Dilian, his closest company confederates, and five separate commercial entities associated with Intellexa. 

Predator: Watching, listening, extracting

Yet, these harsh measures were no deterrent to Intellexa’s operations. The company’s service offering has only evolved over time, becoming ever more difficult to detect and increasingly effective at infecting target devices. Typically, civil society, human rights activists, and journalists are in the firing line.

On 3 December, Google announced Intellexa’s targets numbered at least “several hundred,” with individuals based in Angola, Egypt, Kazakhstan, Pakistan, Saudi Arabia, Tajikistan, Uzbekistan, and elsewhere potentially affected. 

As Intellexa's flagship tool, Predator infects target devices through “one-click” and “zero-click” methods, even embedding itself via online ads. Once installed, it silently plunders photos, passwords, messages, and chats on Signal, Telegram, and WhatsApp, in addition to microphone recordings. 

This stolen data is then routed through a maze of anonymizing servers to its clients. These customers are overwhelmingly authoritarian governments, often targeting activists and journalists.

Predator also boasts a number of unique features designed to obscure its installation on a device from targets. For example, the spy tool assesses a device’s battery level and whether it is connected to the internet via SIM card data or WiFi. This allows for a bespoke extraction process, ensuring devices are not obviously drained of network or power, to avoid stoking user suspicion.

Aladdin’s Cave

If Predator senses it has been detected, the spyware will even “self-destruct” to leave no trace of its presence on an impacted device. The methods by which Intellexa installs its malign tech on target devices are just as ingenious and insidious. 

On top of “one-click” attacks, Intellexa is a pioneer in the field of “zero-click” infiltration. Its resource ‘Aladdin’ exploits internet advertising ecosystems, so users need only view an ad – without interacting with it – for spyware to infect a device.

Such ads can appear on trusted websites or apps, resembling any other advert a user would normally see. This approach requires Intellexa to pin down a “unique identifier,” such as a user’s email address, geographical location, or IP address, to accurately serve them a malicious advert. 

Intellexa’s government customers can often readily access this information, simplifying accurate targeting. Research published by Recorded Future, a US cybersecurity company, indicates Intellexa has covertly established dedicated mobile ad companies to create “bait advertisements,” including job listings, to lure in targets.

Aladdin has been under development since at least 2022 and has only grown more sophisticated over time. Troublingly, Intellexa is not the only firm active in this innovative spying field. Amnesty International suggests “advertisement-based infection methodologies are being actively developed and used by multiple mercenary spyware companies, and by specific governments who have built similar ADINT infection systems.” 

That the digital advertising ecosystem has been subverted to hack the phones of unsuspecting citizens demands urgent industry action, which is as yet unforthcoming.

Just as disquietingly, a leaked Intellexa training video depicts how the spyware firm can “remotely access and monitor active customer Predator systems.” In effect, it is able to keep an eye on who its clients are spying on and the precise private data they are extracting – in real time. 

Recorded in mid-2023, the video begins with an instructor connecting directly to a deployed Predator system via TeamViewer, a popular commercial remote access software. Its contents suggest Intellexa can view at least 10 different customer systems simultaneously.

This capability is amply highlighted in the leaked video, when a staff member asks their trainer if they are connecting to a testing environment. In response, they state a live “customer environment” is being accessed instead. 

The instructor then initiates a remote connection, showing Intellexa staffers can access highly sensitive information collected by customers, including photos, messages, IP addresses, smartphone operating systems and software versions, and other surveillance data gathered from Predator victims.

The video also appears to show “live” Predator infection attempts against real-life targets of Intellexa’s clients. Detailed information is provided on at least one infection attempt targeting an individual based in Kazakhstan, including the malicious link they unwittingly clicked that enabled the infiltration of their device. 

Elsewhere, domain names imitating legitimate Kazakhstani news websites, designed to trick users, are displayed. The Central Asian country, set to symbolically join the Abraham Accords, is a confirmed Intellexa client, and local youth activists have previously been targeted by the notorious, similarly Israeli-incubated Pegasus spyware.

Behind the screens: Legal murk and foreign access

The leaked video raises a number of grave concerns about Intellexa’s operations. For one, the shadowy, high-tech digital spying entity employed TeamViewer, about which major security concerns have long abounded, to access information on customer targets. 

This raises obvious questions about who else might be able to pry into this trove without the company’s knowledge. Moreover, there is no indication that Intellexa’s clients approved this access for the training process, or that the tutorial was conducted with even basic safeguards in place.

As such, the targets of Intellexa’s suite of spying resources not only face having their most sensitive secrets exposed to a hostile government without their knowledge or consent, but also to a foreign surveillance company in the process. 

The extent to which Intellexa is cognisant of how its technology is used by its clients is a core point of contention in the ongoing Greek legal case. Historically, mercenary spyware companies have firmly insisted they are not privy to data nefariously seized by their customers. Amnesty International states:

“The finding that Intellexa had potential visibility into active surveillance operations of their customers, including seeing technical information about the targets, raises new legal questions about Intellexa’s role in relation to the spyware and the company’s potential legal or criminal responsibility for unlawful surveillance operations carried out using their products.”

The latest disclosures about Intellexa have all the makings of a historic, international scandal, in the precise manner that the use of Pegasus by state and corporate entities the world over has elicited international outcry, criminal investigations, and litigation lasting many years. 

However, the proliferation of ominous private spying tools – and their industrial-scale abuse by paying customers – is no aberrant bug, but an intended upshot of Israel’s relentless crusade for cyberwarfare supremacy. In 2018, Israeli Prime Minister Benjamin Netanyahu boasted:

“Cybersecurity grows through cooperation, and cybersecurity as a business is tremendous ... We spent an enormous amount on our military intelligence and Mossad and Shin Bet. An enormous amount. An enormous part of that is being diverted to cybersecurity ... We think there is a tremendous business opportunity in the never-ending quest for security.”

This investment manifests in almost every area of Israeli society. Numerous universities in Tel Aviv, with state support, hone new technologies and train future generations of cyber spies and digital warriors, who then join the ranks of the occupation's armed forces. 

Once their military service is complete, alumni frequently found companies at home and abroad offering the same monstrous services road-tested against Palestinians to private sector bodies and governments, without any oversight or guarantee that these resources will not be used for malevolent purposes.

The intelligence failures that enabled the success of Operation Al-Aqsa Flood on 7 October 2023 dealt a severe blow to Israel’s credibility as a cybersecurity leader while devastating its “Startup Nation” brand, with foreign investment in the entity’s tech industry collapsing precipitously.

The real scandal is not just the existence of companies like Intellexa. It is the international impunity they enjoy, the western partnerships they maintain, and the complicity of governments that turn a blind eye to Israeli cyberwarfare exported worldwide.
