
Bill Marczak

Appearances

Darknet Diaries

137: Predator

1388.272

So I'm Bill Marczak. I am a senior researcher at the Citizen Lab at the University of Toronto. And I do a lot of the technical work at Citizen Lab in tracking what we call the mercenary spyware industry. So companies like NSO or Cytrox, which makes Predator.

Darknet Diaries

137: Predator

1420.168

That's right, yeah. We first discovered samples of Predator back in November, December 2021. It's funny, we were actually checking people's phones for Pegasus, but we found one phone and something else caught our eye, which was there was a suspicious process running on the phone right when the forensic data was gathered called Payload 2, which struck us as quite suspicious.

Darknet Diaries

137: Predator

1461.224

Right. We could see precisely what input or arguments were passed into this process when it was started up. And those arguments included a URL, which was very long, looked quite dodgy. And when we went out and fetched this URL, we were actually able to obtain a binary file for an iPhone. In other words, an application file.

Darknet Diaries

137: Predator

1490.529

And analysis of this application quite clearly established that it was spyware. It had the capability to, for instance, exfiltrate files from the phone, take passwords, turn on the microphone and listen in to what was going on. So we were actually able to analyze the final payload of the spyware and understand what it was doing.

Darknet Diaries

137: Predator

1515.648

And through analysis of the payload, as well as analysis of that URL and the website and the URL, we were able to make an attribution back to Predator.

Darknet Diaries

137: Predator

1569.966

Yeah, I mean, one of the interesting things that struck us about this company, or this sort of cluster of companies like Intellexa and Cytrox that are behind Predator, is there was this very tangled corporate web spanning multiple different countries, and it was tough to figure out exactly what was going on. Like, where were the people actually writing the spyware code physically located?

Darknet Diaries

137: Predator

1593.977

I mean, we did see some references in the spyware's code, like they were trying to avoid targeting phone numbers in Israel, even though the company is ostensibly or was ostensibly Cytrox based in northern Macedonia. So there's all these weird links, which are kind of hard, a little bit hard to make sense of.

Darknet Diaries

137: Predator

1853.78

Right. Yeah, we started getting some outreach from Greece. And spoiler alert, we found spyware. So the first confirmation we were able to produce centered around this financial journalist, Thanasis Koukakis, based in Greece, who had contacted us. And he was already a little bit suspicious for a number of reasons about potential surveillance. He noticed his phone acting a little bit weird.

Darknet Diaries

137: Predator

1880.899

He had flagged some text messages that he thought were a little bit odd. So we instructed him on how to forward some forensic information from his phone. We reviewed it, and lo and behold, we were able to determine that his phone had been hacked successfully with Predator in, I believe it was July 2021.

Darknet Diaries

137: Predator

1963.024

Yeah, I mean, one of the really nice things to see in Greece was that there was such tenacity on behalf of the investigative journalist community there. They were so invested, so interested in this story. And we don't really see that in a lot of other countries where we uncover spyware abuses, perhaps because they're more repressive or there's not as much of a tradition or...

Darknet Diaries

137: Predator

1992.859

It's not really ingrained. Like in Greece, you have this, you know, oh, the birthplace of democracy ingrained in the public consciousness. So there's a lot of people, I think, who feel some responsibility to take action to live up to that legacy.

Darknet Diaries

137: Predator

2008.649

So just incredible, incredible work by the investigative journalists in Greece taking the story forward, constantly pushing the government and ministers for information and driving this case forward.

Darknet Diaries

137: Predator

2073.036

Some of the common themes are really anything that creates or engenders a sense of urgency to interact with the message to ensure that the target clicks on these in a timely fashion. So, for instance, things about a large unpaid phone bill or something like, oh, you owe the phone company $8,000. It's due in two days. Click here to pay or something.

Darknet Diaries

137: Predator

2099.829

Or things that are interesting to the target given the upcoming events in the target's life. Like, oh, you have a package delivery is one we see a lot. Click here to customize the delivery of the package. We couldn't reach you.

Darknet Diaries

137: Predator

2115.92

click here to reschedule delivery, or things like the upcoming vaccine appointment, or here's your boarding pass for your upcoming flight, or here's your registration for this conference. So they can use cues from the target's life to make these seem very plausible for the target to click on.