On December 16, Meta and The CitizenLab published a joint investigation, in which Armenia appeared for the first time as a state among countries using spyware. Armenia is believed to have used the software Cytrox’s Predator, which targets people to collect data, manipulate it, and disable their devices and Internet accounts.

Media researcher Samvel Martirosyan wrote that Armenia used spyware to infect and spy on people’s phones inside the country. Information security specialist Ruben Martirosyan said that he received messages from two people targeted by Cytrox.

 

Cyber mercenaries

Spyware operates mainly in the interests of governments, claiming that only criminals and terrorists are targeted. A similar program is Predator used in Armenia, which is a product of the Cytrox company.

Founded in 2017, Cytrox started its activities as a northern Macedonian startup. According to the documents of the United Registry, Cytrox also has its representative offices in Israel and Hungary.

 

 

The company description section of Crunchbase states that they offer governments “operational cyber solutions” and collect information from devices and cloud systems. Pitchbook describes the technology as “cyber intelligence systems designed to offer security to the government.”

 

The Targets

A months-long investigation by Meta and The CitizenLab has revealed that despite claims by the spyware company that their services are being used to track down potential criminals, the target is much wider. Journalists, members of religious minorities, critics of authoritarian regimes, members of the opposition family and human rights activists have been victims of spyware.

Similar cases have been reported in Egypt when the accounts of deported politician Ayman Nuri and the host of a popular news show (who prefers to remain anonymous) were hacked by Predator. By the way, Ayman Nuri’s phone was spied on by both Cytrox Predator and NSO Group’s Pegasus spy program, which were monitored by government customers in different countries.

The attacks of the two targets took place in June 2021. The program was able to infect the latest version 14.6 of Apple’s iOS system with a one-click link sent via WhatsApp.

The team of investigators scanned the web servers of the Predator spy program and found its possible client countries. Among them, besides Armenia and Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia.

A global spyware industry exists.

Meta notes in its publication that the attention to the NSO company created by the Pegasus spy system has recently increased. And although they sued the NSO in 2019 for illegal activities in their networks, it is, unfortunately, only one part of the global spyware industry.

Meta has stopped 7 similar companies in about 100 countries, each of which carries out one or more stages of espionage.

The 3 stages of espionage are:

• Reconnaissance: The program logs into the target device or account and captures the open information generated in its online domain for a certain period of time.
• Engagement: A spy communicates with a target or affiliate to gain trust and get them to click a fateful click.
• Exploitation: phishing links that take data from the target mail, social networks, bank accounts or that deactivate their devices

Cytrox used in Armenia is working in the third stage of operation.

 

List of phishing links created by Cytrox that mimic other sites

 

Meta shared the findings of the investigation with security researchers, various platforms and politicians, sent warnings to the spy services about its activities and not to repeat them, and warned the alleged targets about what happened in order to strengthen the security of their accounts.

“We will continue to investigate and use force against all those who will try to distort our applications. However, the work of these cyber mercenaries recognizes neither platforms nor state borders. Their opportunities are used by the governments of the countries, private enterprises and all those who are ready to pay. It is almost impossible for the targets to find out whether they are being followed or not,” Meta wrote in its report.

Recently, the first news on the topic of spyware updates came on November 24, when many Armenians received warning notifications from Apple. Among the targets of Pegasus were the former director of the National Security Service and now the leader of the “I have honor” opposition force Arthur Vanetsyan and the former head of the RA State Control Service David Sanasaryan.

 

Christian Ginosyan