The Greek spyware scandal: When technology outpaces governance

 

In December 2021, Eliza Triantafillou, a journalist at the Greek independent media outlet The Inside Story, was searching for the subject of her next article when she saw that Facebook’s parent company Meta had released a report ^[3] earlier in the month about the “surveillance for hire” industry.

The article ^[4] she produced in response is part of a series of reports by Greek journalists that unraveled the details of a months-long wiretapping and surveillance scandal labeled “Watergate on Steroids ^[5].” These findings highlight the shortcomings of governmental regulations and technical capacities in keeping up with the rapidly evolving private surveillance industry, which then enables these very governments to surveil their citizens.

So far, there have been four confirmed ^[6] attempts to infect Greek journalists, politicians and even intelligence officers ^[7] with a spyware called Predator, which is capable of advanced surveillance of phones, including recording conversations and accessing encrypted chats.

The Greek connection

Back in December, Triantifillou noticed that both Meta’s report and another ^[8] released on the same day by Toronto-based research laboratory, Citizen Lab, were connected to Greece. Both reports concluded that Predator, a sophisticated surveillance spyware, had been purchased for use in Greece, among other countries. Cytrox, the North Macedonian company that had developed Predator, belongs to a group of mercenary surveillance providers marketed under the Intellexa, which has had a corporate presence in Greece since 2020.

When Triantafillou published her article in January 2022, she focused on how Meta had removed around 300 Facebook and Instagram accounts that were linked to Cytrox, and how Cytrox had “spoofed ^[9]” real URLs, including those of credible news outlets. At quick glance, these links looked genuine, but they had slightly different syntax from the actual URL (like a missing letter or an extra symbol). They could be used to trick targets into clicking on them, thus activating the phone’s infection with Predator.

“We saw that there was an uneven proportion of Greek domains in this list, because Meta reported 310 spoofed domains, and 43 of them were of Greek interest,” Triantafillou said, over a Zoom interview. “We are a very small country. Our share in the global internet traffic is much smaller than the other countries that, based on those two reports, are among the customers.”

The devil is in the details: “legal” versus “illegal” surveillance

When Thanasis Koukakis, another Greek reporter, read Triantafillou’s article, he realised that many of the spoofed domains on the list mimicked news outlets that he used to work for or was still collaborating with. Koukakis had recently uncovered cases ^[10] of fraud in the country. He already suspected that his conversations were being listened to, and, in August 2020, had filed a complaint to the Communications Privacy Assurance Authority (ADAE), asking it to conduct the necessary checks. Today, we know that he was being wiretapped by the National Intelligence Service (EYP). He received a response from ADAE in July 2021 telling him that there had been no violation of the law, which, as it turns out, did not mean that he wasn’t being spied on.

The wiretapping by EYP is technically “legal,” whereas the use of spyware such as Predator is considered illegal in Greece. Article 19 of the Greek Constitution protects the right to privacy in communication. However, exceptions are made for reasons of national security and to investigate serious crimes. Koukakis’s surveillance by EYP was justified by the intelligence agency using the national security argument, even though it is not clear how the work of an investigative journalist could have harmed national security. In March 2021, the government passed an amendment revoking the right of citizens to know if they had been surveilled after their surveillance had ended, which is why Koukakis was not informed about his wiretapping.

The government, too, has used this dichotomy between legal and illegal to defend itself. The prime minister has publicly said ^[11] that, even though the surveillance of a politician was “politically unacceptable,” it was legal, and that the narrative around the issue should not undermine the intelligence agency’s “important work.” When Kyriakos Mitsotakis assumed power as prime minister, he took the EYP under his own command ^[12]. Today, while he claims no knowledge of the wiretapping, the head of the EYP, along with Mitsotakis’s own nephew and general secretary of the Prime Minister's Office, Grigoris Dimitriadis, have resigned from their positions.

A larger pattern

In November 2021, Greek journalist Stavros Malichudis was scanning the news when he saw an exposé ^[13] by the newspaper Efimerida ton Syntakton. It was about EYP’s wiretapping of a number of citizens, including journalists. The article described one case of a journalist working on migration issues. Reading the details closely, Malichudis realized that he was that journalist. In response to letters sent by the wire agency AFP ^[14] — who Malichudis was working with at the time — the Greek authorities twice denied spying on him. “…no surveillance of journalists occurs in Greece…For the avoidance of doubt, so would the Greek Government,” read one response, signed by the Minister of State.

From wiretapping to spyware

In January 2022, still in the dark about whether his phone conversations had been tapped, Koukakis, after reading the Inside Story report, sends off files extracted from his phone to Citizen Lab, which then confirmed that he had been targeted by Predator. A text message from an unknown number had shared a link to what looked like a credible blog post. In reality, it was a spoofed URL. After Koukakis clicked on it, his phone was infected with the spyware. Soon after, thanks to an article by Reporters United ^[16], he found out that he had also been wiretapped ^[16] by the intelligence service.

While the Greek government has denied ever buying or using Predator, more targets have been identified. In July this year, Nikos Androulakis, the president of Greece’s third-largest political party, PASOK-KINAL, discovered that he had received a text message in September 2021 that contained the same link ^[17] that had infected Koukakis’s phone. He had not clicked on the link and therefore wasn’t affected. In September, one more politician — a former minister from the Syriza party, Christos Spirtzis — said he had also been the target of an attempt to install Predator.

This leads to credible suspicion about the government’s role in this surveillance, which is supported by a report from Google ^[18]. Also, the timing of the so-called “legal” wiretapping of Koukakis and his phone’s infection with Predator seem too closely aligned to be coincidental. EYP called off his surveillance after Koukakis filed a complaint, and, soon after, his phone was infected with Predator. Testifying at the European Parliament ^[19] in early September, Koukasis said that he believes that the spyware was used by the government. “Because on the one hand, the cost of these services from Intellexa, according to what Citizen Lab has told us, as well as the price lists that have been found on the Dark Web, cannot be borne by a private person,” he said. “Could [the government have used] a private person as a go-between? The answer is yes.”

Triantafillou is inclined to agree. “Our hypothesis — which is not just a hypothesis — is that it’s not necessary to buy it in order to use it,” she said about Predator. “Nor is it necessary to use it directly.”The complex corporate structure ^[20] of Cytrox and Intellexa, the company that markets it, spans a number of countries and involves many registered entities. The founder of Intellexa, Tal Dillian, a former intelligence officer in the Israeli Defence Forces, relocated to Greece after facing legal trouble with Cypriot authorities ^[21] for a 2019 Forbes interview. ^[22] In 2020, Intellexa was incorporated in Greece.

With four known attempts to target Greek citizens with Predator, the question is, are there more targets? Triantafillou believes so. “When you have a very powerful and very expensive tool, which is worth millions and you have created at least 50 domains and you have only used [link] one to target Androulakis, Koukakis and now Spirtzis, it's practically stupid to spend that amount of money just to target three people,” she says.

Keeping up with technology

This ongoing scandal in Greece touches at the root of an issue that all countries are grappling with: the regulatory mechanisms and organizations meant to safeguard civilians’ digital rights have not kept up with the times.

So-called “legal surveillance” in this day and age only covers a portion of the communication we undertake on our phones. Much of it — messaging on encrypted applications like WhatsApp and Signal, speaking on Zoom — are outside the ambit of wiretapping. They require much more advanced surveillance techniques furnished by mercenary surveillance companies like Cytrox.

Rammos Christos, head of ADAE, speaking at the European Parliament, pointed this out and said that his organization has the “competence to control only providers of telecommunication services, not general agencies or private corporations.”

Stavros Malichudis, the journalist who was wiretapped by the government, got his phone checked for spyware after the recent revelations (all clear). And along with journalists Triantafillou and Koukakis, he testified at the European Parliament in early September, drawing from personal experiences to show that both wiretapping and spyware surveillance are part of an insidious attempt to undermine the fundamental right to privacy. A  Parliamentary Enquiry committee is also underway in Greece, and developments continue to unfold.