“This is how they spied on European politicians and journalists”

European journalists, parliamentarians and academics were spied on by software known as ‘Predator’ in an unprecedented attack by authorities in Vietnam. The accusation was made by Amnesty International, which, in collaboration with the European Investigative Collaborations (EIC), created a large dossier as part of its “Predatory Dossiers” project. Additional information was carried out by a consortium of 15 media organisations, including the French Mediapart and the German weekly newspaper Der Spiegel.

The attacks also targeted senior political and civil society figures in the United States and Taiwan. Brussels has already said it wants a statement from Hanoi. France has said any illegal surveillance “cannot be tolerated”, while the US has signaled it intends to look into the matter further. Beyond the specific case, the scandal highlights the power of tech companies operating in a poorly regulated industry, which can make democracies and human rights around the world particularly vulnerable.

watchful alliance

The X (formerly Twitter) and Facebook platforms would act as a “Trojan horse” to gain access to at least 50 accounts belonging to 27 individuals and 23 institutions. The cyber surveillance tool used between February and June 2023 is the ‘Predator’ spyware developed and offered for sale by the Intellexa alliance. According to Amnesty International, this alliance, “based and regulated in the European Union,” is a sophisticated group of companies that develop and sell dangerous surveillance products that are used to violate the privacy of influential people and infiltrate institutions. “Once again, we are faced with evidence of the use of powerful surveillance tools in shameless attacks. This time the targets are exiled journalists, public figures and intergovernmental officials. But let us be under no illusion: the victims are all of us, our societies, our communities, good governance and the human rights of all,” said the International Agnès Callamard, Secretary General of Amnesty.

How does spyware work?

According to Amnesty International’s report, Predator is a highly invasive type of spyware. Once it infiltrates a device, it has unrestricted access to all data such as contacts, messages, photos and videos, as well as the microphone and camera. The developer of these and other surveillance products is Intellexa, an intelligence and cyberweapons company “created by former Israelis” that frequently changes its headquarters and name, Israeli newspaper Haaretz writes. The alliance has companies in various countries, including France (called Nexa), Germany, Greece, Ireland, Czech Republic, Cyprus, Hungary, Switzerland, Israel, North Macedonia and the United Arab Emirates. According to the newspaper Media sectionFormer Israeli Prime Minister Ehud Olmert worked as a consultant for the company and may have helped the company sell its products to Germany. Olmert confirmed that he worked for Intellexa but said their relationship ended several months ago. Experts say Predator can also be used in “zero-click attacks,” meaning it can infiltrate a device before the user clicks on a link, such as infecting nearby devices, so-called “tactical attacks.”

Transmission mechanism

Amnesty International specifically investigated an account on platform X (formerly Twitter) that was renamed ‘@Joseph_Gordon16’. In recent months, this account has shared numerous links intended to infect targets with Predator spyware. Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, said the links posted appeared to come from seemingly harmless news sources “in an attempt to trick the reader into clicking on them”. One of the first targets was journalist Khoa Lê Trung, who is originally from Vietnam and now lives in Berlin. Khoa, who has received death threats since 2018, is the editor-in-chief of the news portal thoibao.de, which is blocked in his country. Those targeted, although not necessarily infected, include President of the European Parliament Roberta Metsola, Taiwanese President Tsai Ing-Wen, US Congressman Michael McCaul, US Senator and German Ambassador to the US John Hoeven, according to the report. Emily Haber as French MP Pierre Karleskind.

Vietnam’s role

The investigation found that the account from which the attacks originated had close ties to Vietnam and may have acted on behalf of Vietnamese officials or interest groups in the Asian country. “Vietnam presents a repressive media environment where journalists, bloggers and human rights defenders are often intimidated into silence,” Amnesty International wrote in the report. ‘@Joseph_Gordon16’, along with the journalist, targeted various academics and officials working on maritime issues, particularly researchers and officials responsible for European Union and UN policies on illegal or undocumented fishing. In 2017, Vietnam received a “yellow card” from Brussels; this was a warning pointing to extensive illegal, unreported and unregulated fishing activities; therefore these activities did not comply with EU criteria for fish imports from countries outside the bloc’s continent. In 2019, the European Union nevertheless signed a trade agreement with the Southeast Asian country.

If Vietnam receives a “red card”, the EU will have to stop imports from the Asian country, which will have serious repercussions on the Vietnamese economy. “We express our concerns arising from the report to the Vietnamese government,” a European Commission spokesman told the Nikkei Asia newspaper. “Any attempt to illegally access citizens’ data, including journalists and political dissidents, is unacceptable.” Nikkei Asia contacted the Vietnamese government for comment but did not receive a response as of October 16. Senior European officials are in Vietnam this week to discuss whether sanctions on seafood should be lifted.

lack of regulation

“We cannot say with absolute certainty that the person responsible was directly within the Vietnamese government, but the interests of the account and those of the Vietnamese authorities closely aligned,” emphasized expert Donncha Ó Cearbhaill. Der Spiegel has gathered evidence that a company that is part of the Intellexa alliance signed a multimillion-dollar deal with Vietnam’s Ministry of Public Security in early 2020 for “infection solutions” called “Lantern Fish.” Documents and export records also confirmed that “Predator” was sold to the Vietnamese Ministry of Public Security through intermediaries. Although there is no definitive information that the spyware has actually infected the devices, Amnesty International has warned European institutions not to regulate the sale of these devices. Khoa Lê Trung told Amnesty International: “You can’t just sell these to countries like Vietnam. This also undermines press freedom in Germany and the public’s freedom of expression.”

Sold in violation of human rights

Vietnam will not be the only country to purchase products from the Intellexa alliance, which are sold in at least 25 countries, including Switzerland, Austria, Germany, Congo, Jordan, Kenya, Oman, Pakistan, Qatar, Singapore and the United Arab Emirates. In many cases it was alleged that they were exploited “in order to violate human rights, freedom of the press, and social movements around the world.” Amnesty International has called on all states to immediately revoke marketing and export licenses granted to the Intellexa alliance, and on Brussels to halt the production and sale of “Predator” and other highly invasive spyware. Finally, he called for adequate compensation or other effective remedies to be provided to victims of illegal surveillance. Following the publication of the report, European Investigative Collaborations received a response from the main shareholders and former executives of the French group Nexa that the Intellexa alliance “no longer exists”. On Vietnam, they said Nexa Group had only fulfilled part of the contract regarding cybersecurity.

Stop the trade deal

The European Parliament’s investigative committee on spyware, through Justice Commissioner Didier Reynders, asked the European executive to propose a legal framework that would strictly regulate the use and sale of these IT products. “The EU cannot be a playground for companies selling this malware, especially for authoritarian regimes,” Belgian MEP Saskia Bricmont, the Green group’s rapporteur on the trade file with Vietnam, told EuropaToday. “European governments cannot be complicit in such espionage. Investigations must be launched without delay and, if in doubt, the trade agreement with Vietnam should be suspended”, the member of the European Parliament concluded.