U.S. Government Blacklists Cytrox and Intellexa Spyware Vendors for Cyber Espionage
The U.S. government on Tuesday added two foreign commercial spyware vendors, Cytrox and Intellexa, to an economic blocklist for weaponizing cyber exploits to gain unauthorized access to devices and “threatening the privacy and security of individuals and organizations worldwide.”
This includes the companies’ corporate holdings in Hungary (Cytrox Holdings Crt), North Macedonia (Cytrox AD), Greece (Intellexa S.A.), and Ireland (Intellexa Limited). By adding to the economic denylist, it prohibits U.S. companies from transacting with these businesses.
“Recognizing the increasingly key role that surveillance technology plays in enabling campaigns of repression and other human rights abuses, the Commerce Department’s action today targets these entities’ ability to access commodities, software, and technology that could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights,” the Bureau of Industry and Security (BIS) said.
Cytrox is the maker of a mobile mercenary spyware called Predator that’s analogous to NSO Group’s Pegasus. It’s part of what’s called the Intellexa Alliance, a marketing label for a consortium of mercenary surveillance vendors that emerged in 2019, according to the University of Toronto’s Citizen Lab.
This alliance purportedly consists of Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, with the exact connections between Cytrox and Intellexa remaining nebulous to date.
Tal Dilian, Intellexa’s founder, describes himself as an intelligence expert with over 25 years of experience in the Israel Defense Forces (IDF). Intellexa, on its website, says it’s a regulated company with six sites and R&D labs throughout Europe. Its main offering is Nebula, which is billed as the “ultimate insights platform” to help law enforcement “stay ahead of criminal activities.”
Per the New York Times, Dilian was forced to retire from IDF in 2003 after an internal investigation raised suspicions that he had been involved in funds mismanagement, citing three former senior officers in the Israeli military. His website, on the other hand, claims he “retired from the military with honors” in 2002.
Earlier this May, Cisco Talos detailed the inner workings of Predator, noting the surveillance tool’s use of a component called Alien to harvest sensitive data from compromised devices. Predator also has an iOS counterpart that was previously observed to be delivered using single-click links sent via WhatsApp.
Shield Against Insider Threats: Master SaaS Security Posture Management
Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.
“Alien is crucial to Predator’s successful functioning, including the additional components loaded by Predator on demand,” Asheer Malhotra, threat researcher for Cisco Talos, told The Hacker News at the time. “The relationship between Alien and Predator is extremely symbiotic, requiring them to continuously work in tandem to spy on victims.”
The move builds on U.S. actions in November 2021, when the U.S. government added Israeli companies NSO Group and Candiru to the Entity List for developing software to target government officials, journalists, businesspeople, activists, academics, and embassy workers.
The development also comes as the Biden administration signed an executive order that restricts the use of commercial spyware by federal government agencies.
While purveyors of such digital surveillance tools have ostensibly marketed them to law enforcement and intelligence agencies around the world to combat severe crimes and national security threats, they have also been repeatedly abused by various governments to surreptitiously infiltrate targeted smartphones belonging to members of civil society.