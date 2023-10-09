This year, Vietnam attempted to infect European and American politicians, UN officials, journalists and academics with Predator. This is infamous spy software with which a telephone can be completely taken over, controlled remotely and tapped without being noticed. Predator, developed in Europe, can also read encrypted traffic.

The Vietnamese campaign is determined by Amnesty International’s Security Lab and is confirmed by both the University of Toronto’s leading CitizenLab and Google’s Threat Analysis Group.

From documents in the possession of the journalistic research collective EIC, where NRC is part of, it appears that Predator was sold from Europe to the communist one-party state of Vietnam in 2020 and 2021. The Blue Arrow spy system, an advanced version of Predator, was purchased for 5.6 million euros.

When researching the infrastructure behind Predator Last spring, Amnesty researchers came across an account on X (formerly Twitter) that sent links leading to servers running Predator software. Fake messages attempted to entice users to click on those links. If they had done that, their phone would have been taken over and tapped without being noticed. The messages were addressed, among others, to senior officials at the European Union and the United Nations who are concerned with fisheries policy. Fishing is very important to the Vietnamese economy.

European parliament

One of the 59 targets identified by Amnesty was the X account of Roberta Metsola, President of the European Parliament. Others included the most senior official of the European Commission’s Directorate-General for Fisheries and the Commission’s general account. The malicious links appeared to point to articles from Asian media, but were imitations of them, leading to a website that infects visitors with Predator.

The X account also sent infected links to the accounts of the President of Taiwan and the Taiwanese Ministry of Foreign Affairs in April. They communicated with the accounts of American senators and an American congressman, which could have caused them to become infected as well. As far as we know, that did not happen. The targets found so far have not clicked on the links.

French company

The X account @Joseph_Gordon16 had a ‘selfie’ in the mirror of a young Asian man as its profile photo. The background image was the skyline of Singapore, which was also indicated as the location. In reality, according to Amnesty and EIC, who are collaborating on this investigation, the account was held by the Vietnamese Ministry of Public Security. That’s by journalists Der Spiegel asked for a response, but none was forthcoming.

Amnesty concludes that there is a large overlap between the interests of the Vietnamese state to influence fisheries policy and the X account. It leaves no doubt as to the exact sender. Google’s Threat Analyzes Group has also done a technical analysis of the infection attempts and states that they come from a part of the Vietnamese government.

Predator was supplied to Vietnam through the French company Nexa, part of the Intellexa conglomerate, which made and sold Predator. Nexa has had close contacts with Vietnamese army officers for some time, according to research by a journalistic research platform Media part in France. The company does not respond to questions about the supply to Vietnam and the use of Predator against European and American politicians and institutions. The company informs the consortium of investigative journalists EIC through a lawyer that it has complied with the rules for the export of spy software.

Life-threatening

Another target of the Vietnamese campaign was the Vietnamese journalist Khoa Lê Trung, who arrived from Berlin in the evenings the Vietnamese medium Thoi Bao leads. There is no freedom of expression in Vietnam and journalists are regularly arrested. With dozens of employees worldwide, Lê produces critical videos and articles about Vietnam. They are distributed via YouTube, various social media and a website that has been blocked in Vietnam for years. Nevertheless, with Thoi Bao he reaches a large audience every month, mainly from Vietnam. Since revealing that the Vietnamese secret service kidnapped a man in Berlin in 2017, he has been receiving constant threats. The message he received on February 9, 2023 promised revelations about the Vietnamese Ministry of the Interior. Lê didn’t click and heard about Amnesty’s findings months later. “If the Vietnamese state can read the messages on my phone, it would be life-threatening for my employees,” Lê said.

CitizenLab researcher John Scott-Railton is amazed at the “recklessness” of the Vietnamese efforts. It is unusual for government actors to use a public account to send spy links. “A Predator customer is clearly still in the learning process here, sending via Twitter is a very bad idea. The fact that that is happening shows that Predator is still going to reckless customers,” says Scott-Railton.

Human rights

Published last week NRC investigation into the European surveillance conglomerate Intellexa, which sells Predator worldwide. It showed that, in addition to Vietnam, the spy software was very recently used in Sudan, Madagascar, Kazakhstan, Egypt, Indonesia and Angola, among others.

Intellexa operates from several European countries and also has an export office in Dubai, which has been used to circumvent European export restrictions. The route via Dubai was also chosen for sales to Vietnam. On the Vietnamese side, the company Delsons in Hong Kong acted as an intermediary, according to export papers.

Amnesty International calls spy software “fundamentally incompatible with human rights.” Governments claim they need the software to track down criminals and terrorists. But according to Amnesty, the ‘spyware’ is mainly used to spy on dissidents and human rights violations are not an exception, but a “hallmark” of the surveillance industry.

Predator Files is an international journalistic investigation into the creators, financiers and sellers of Predator. The stories are based, among other things, on hundreds of documents from French judicial investigations. The information came into the hands of the French research platform Mediapart and the German weekly Der Spiegel and was shared with NRC and other media from the European Investigative Collaborations (EIC) network. The product brochures and technical information have been shared with Amnesty International’s Security Lab. It analyzed this and also conducted research into the use of Predator.

