Vietnamese spies tried to hack members of Congress and US journalists by posting links on Twitter, with a probe claiming that the attempts were unsuccessful.
The targeted attacks came as the US and Vietnam were negotiating an agreement that President Biden signed in Hanoi last month.
Foreign Affairs Committee Chairman Michael McCaul and Senator Chris Murphy were both targeted in the brazen scheme.
CNN’s Jim Sciutto, the chief national security analyst, and two Asia-based reporters were also sent the links designed to plant the spyware.
Asia experts at Washington think tanks were also put in the crosshairs, according to the Washington Post.
The report claims that the targeting came as both Vietnamese and American diplomats were negotiating the deal signed by Biden in September.
Both Republican and Democrat politicians were targeted, including Senators John Hoeven and Gary Peters.
Phones set up in the US sometimes have an extra layer of protection, with some spyware creators saying their tools do not work against phones with US numbers.
Foreign agents would have been particularly interested in Washington’s views on China as well as issues in Asia at the time.
The spies are accused of using X, the platform formerly known as Twitter, to try to get politicians and other targets to visit a website under the guise of a news report.
Once they clicked on the link, the website was designed to install the hacking software known as Predator.
Predator is a powerful surveillance program that is hard to detect and is capable of turning on microphones and cameras of iPhones and devices that run Google’s Android software.
The hackers would have been able to retrieve all of the files on the device on which the target clicked the link, and to read private messages – even those with end-to-end encryption.
What is Predator spyware?
Predator is software that is believed to have been developed by Cytrox, a company based in Skopje, North Macedonia.
It has similar features to Pegasus spyware, and once the tech has access to a device, it can look at every message, call, photo and password.
The technology can hide tracking apps that it does not want the owner to find, and can also add a certificate authority to your phone – meaning the device can be tricked into trusting malicious apps and websites.
Both the camera and microphone can be switched on remotely, without the owner of the device knowing, and record movements and conversations.
Sold as a commercial surveillance-for-hire tool, Cytrox’s spyware is reported to have been sold to governments worldwide.
Those who are targeted by the spyware can give it access to their devices by clicking on a link sent via email or text.
It will then direct the target to a domain that downloads malware before directing to a legitimate page.
Source: Express VPN
Screenshots of posts on the social media site show a response to Senator Hoeven hours after he met Taiwanese President Tsai Ing-wen.
Spyware vendors and buyers usually work anonymously, with anyone who clicked on the link – posing as a news article – being screened out if they were not the intended target.
Many of those targeted had been contacted by an account on X called Joseph Gordon, with many of the posts being deleted within a day or two.
Gordon posted a link which appeared to be from the South China Morning Post on April 14 in direct response to Hoeven meeting Ing-wen.
The link was titled ‘US defence contractors visiting Taiwan in May to boost security tie-up,’ with Amnesty saying that the impostor website could have installed Predator.
Over the weekend of September 30, more than half of Cytrox’s active servers for distributing the spyware were taken offline.
According to the Post, the account was deleted in the last month, after questions were raised about the origins of the links being posted.
Intellexa and Cytrox both distribute Predator as part of their evolving network, with the US Commerce Department adding the companies to its Entity List.
It means that US businesses must seek a licence before doing any business with them, with officials acting under an executive order in March to set out policy to encourage: ‘the use of commercial spyware … consistent with respect for the rule of law, human rights, and democratic norms and values.’
Amnesty International uncovered the ‘Predator Files’, and a spokesman claimed that through their probe they believe that Predator was ‘sold from Intellexa through several intermediaries to the Vietnamese Ministry of Public Security.’
Vietnam has previously been implicated in other hacking campaigns, and used commercial spyware programs in the past.
The University of Toronto claimed to have detected a Vietnamese installation of a hacking program in 2020 from Circles.
Circles was sold to Francisco Partners, which combined it with NSO Group, the owner of Pegasus. It was ultimately sold in 2019.
Cytrox and Intellexa did not immediately respond to a request for comment regarding the allegations that they facilitated the spyware.
Sources within the Biden administration told the Post that the targeting of members of Congress was ‘very concerning’.
They added that there are 50 US officials serving abroad who had been previously targeted with commercial spyware, and the latest allegations ‘vindicates’ the decision to add Cytrox and Intellexa to the entity list.
Victims who responded to requests for comment said that they never saw the links which would have installed the hacking program, or they did not click on them.
Offices for McCaul and Murphy said that no one would have clicked on the link, with Murphy adding that Google notified his office of the targeting attempt.
Peters’ office said in a statement that it was aware of the link but did not believe it had been targeted or compromised.
Kami Capener, a spokeswoman for Hoeven, told the Washington Post: ‘We have not been made aware of an attempted spyware attack on our office.’
They told the Washington Post that there has been no evidence that the attempts succeeded, with several being targeted publicly on X – which insiders felt was an unusual part of the hacking plot.
Companies selling Predator also offer the capability to infect devices through WiFi wireless networks and through websites or telecom networks under national control.
Both Cytrox and NSO Group say that they only sell their software to governments and forbid misuse, but their clients have been accused of using the spyware against nonviolent activists, journalists and political figures.
Bills are being considered in Congress and across the world in an attempt to have more control over the spyware industry.
Google reportedly spotted the campaign in May, with University of Toronto’s Citizen Lab finding at least six replies on X which could have led to infections.
Researcher John Scott-Railton claims that the links were to sites that previously had Predator installed.
Amnesty said it found 59 replies and tweets tagging targets around the world that contained the link, including more than a dozen aimed at people in the United States.
Apple’s optional Lockdown Mode, which limits some iPhone functions, has so far blocked multiple methods used to deliver Predator to targets, according to Citizen Lab.
A Google insider told the Post that the hackers may have chosen to send the public links to members of Congress and other targets because the approach could seem ‘less suspicious’ than a text or email.
Amnesty concluded that the Joseph Gordon account ‘was acting on behalf of Vietnamese authorities or interest groups.’
Google said the technical infrastructure that Amnesty was tracking ‘is associated with a government actor in Vietnam.’
It comes after the Greek Prime Minister was accused of using Predator to ‘spy on dozens of people including potential political rivals, journalists and businessmen’.
Kyriakos Mitsotakis reportedly targeted Antonis Samaras, current members of the cabinet and shipping magnate Vangelis Marinakis, owner of Olympiakos and Nottingham Forest football clubs.
The Greek government has flatly denied using illegal surveillance software. It has admitted that state intelligence monitored Mr Androulakis, without disclosing the reason.