In December 2021, Eliza Triantafillou, a journalist with the independent Greek media outlet The Inside Story, was looking for the subject of her next article when she saw a report on the “surveillance for hire” industry, published earlier that month by Meta, Facebook’s parent company.
She then wrote an article in response [to the report]. This article is part of a series of reports by Greek journalists, revealing the details of a months-long eavesdropping and surveillance scandal dubbed “Watergate on Steroids.” The findings highlight gaps in government regulations and technical capabilities in the face of the rapidly evolving private surveillance industry, an industry that in turn enables those same governments to surveil their citizens.
So far in Greece there have been four confirmed attempts to infect journalists, politicians and even intelligence agents with spyware called Predator, which is capable of performing advanced surveillance of phones, including conversation recording and access to encrypted conversations.
The relationship with Greece
Last December, Eliza Triantafillou noticed on the one hand the Meta report and on the other hand a report published the same day by the research laboratory Citizen Lab, based in Toronto. Both related to Greece and concluded that Predator, a sophisticated surveillance spyware, had been purchased for use in Greece and other countries. Cytrox, the North Macedonian company behind Predator, belongs to a group of mercenary surveillance service providers marketed under the Intellexa label, and present in Greece since 2020.
When Eliza Triantafillou published her article in January 2022, she focused on how Meta took down approximately 300 Facebook and Instagram accounts linked to Cytrox, and how Cytrox “hijacks” genuine URLs, including those of credible news media. At first glance, these links look genuine, but they have a slightly different syntax than the actual URL (like a missing letter or an extra symbol). They can thus be used to trick targets into clicking on them, activating the Predator infection of the phone.
“We saw that there was an uneven proportion of Greek domains in this list, because out of 310 spoofed domains reported by Meta, 43 of them were of Greek interest,” said Eliza Triantafillou, during a Zoom interview. “We are a very small country. Our share of global Internet traffic is much lower than that of other countries which, based on these two reports, are among the customers.”
The devil is in the details: “legal” versus “illegal” surveillance
When Thanasis Koukakis, another Greek journalist, read Eliza Triantafillou’s article, he realized that many of the spoofed domains on the list mimicked news sites he had worked for or still collaborated with. Thanasis Koukakis had recently discovered cases of fraud in the country. He already suspected that his conversations were being listened to, and in August 2020 he filed a complaint with the Communications Privacy Guarantee Authority (ADAE), asking it to carry out the necessary checks. Today we know that he was wiretapped by the Ethniki Ypiresia Pliroforion (EYP), the Greek intelligence service. In July 2021, he received a response from the ADAE telling him that there had been no violation of the law, which, in fact, did not mean that he was not being spied on.
The tapping carried out by the EYP is technically “legal.” On the other hand, the use of spyware such as Predator is considered illegal in Greece. Section 19 of the Constitution protects the right to confidentiality of communications. However, exceptions are made for national security reasons and to investigate serious crimes. The EYP’s surveillance of Thanasis Koukakis was justified by the intelligence agency using the national security argument, although it is unclear how the work of an investigative journalist could have harmed national security. In March 2021, the government passed an amendment revoking citizens’ right to know if they have been spied on after their surveillance ended, which explains why Thanasis Koukakis was not informed of his bugging.
The government has also used this dichotomy between legal and illegal to defend itself. The Prime Minister has publicly stated that while surveillance of a politician is “politically unacceptable”, it is legal, and the narrative of this case must not undermine the “important work” of the intelligence agency. When Kyriakos Mitsotakis took power as prime minister, he took the EYP under his own command. Today, he claims to have no knowledge of the tapping. However, the head of the EYP, along with the nephew of Kyriakos Mitsotakis and the secretary general of the office of the Prime Minister, Grigoris Dimitriadis, have all resigned from their posts.
A larger frame
In November 2021, Greek journalist Stavros Malichudis was browsing the news when he came across revelations in the newspaper Efimerida ton Syntakton. They concerned the EYP’s tapping of a number of citizens, including journalists. The article described the case of a journalist working on migration issues. Carefully reading the details, Stavros Malichudis realized that the journalist in question was himself. In response to letters sent by the AFP news agency – with which Stavros Malichudis worked at the time – the Greek authorities twice denied having spied on him. “… No surveillance of journalists takes place in Greece… For the avoidance of doubt, the Greek government does the same,” reads a response, signed by the Minister of State.
From wiretapping to spyware
In January 2022, still unsure if his phone conversations were being tapped, Thanasis Koukakis, after reading the Inside Story report, sent the files extracted from his phone to Citizen Lab. Citizen Lab confirmed to him that he had been targeted by Predator. A message from an unknown number had shared a link to what appeared to be a believable blog post. In reality, it was a hijacked URL. After he clicked on it, Thanasis Koukakis’ phone was infected with the spyware. Shortly after, thanks to a Reporters United article, he discovered that he had also been bugged by the intelligence services.
While the Greek government denied buying or using Predator, other targets were identified. In July this year, Nikos Androulakis, president of Greece’s third largest political party, PASOK-KINAL, discovered that he had received an SMS in September 2021 containing the same link as that received by Thanasis Koukakis. He did not click on it, and therefore was not infected. In September, another politician — a former Syriza party minister, Christos Spirtzis — said he had also been the target of an attempted installation of Predator.
This leads to credible suspicions about the government’s role in this surveillance, supported by a Google report. Moreover, the timing of Thanasis Koukakis’ so-called “legal” wiretap and the timing of Predator’s infection of his phone seem too close to be a coincidence. The EYP ended his surveillance after he filed a complaint, and soon after his phone was infected with Predator. Testifying before the European Parliament in early September, Thanasis Koukakis said he believed the spyware came from the government. “Because on the one hand, the cost of Intellexa’s services, according to what Citizen Lab told us and given the price lists found on the Dark Web, cannot be borne by a private person,” he said. “Is it that [the government could have used] a private person as an intermediary? The answer is yes.”
Eliza Triantafillou agrees with this idea. “Our assumption — which isn’t just an assumption — is that you don’t have to buy it to use it,” she says of Predator. “There is no need to use it directly either.” The complex structure of Cytrox and Intellexa, the company marketing the software, spans multiple countries and involves numerous registered entities. Intellexa founder Tal Dilian, a former Israeli Defense Force (IDF) intelligence officer, moved to Greece after facing legal issues with Cypriot authorities for a 2019 Forbes interview. In 2020, Intellexa was incorporated in Greece.
With four known attempts to target Greek citizens with Predator, the question is whether there are other targets. Eliza Triantafillou is convinced that there are. “When you have such a powerful and expensive tool, worth millions, and you’ve created at least 50 domains and only used one [link] to target Androulakis, Koukakis and now Spirtzis, it’s almost stupid to spend that amount of money to only target three people,” she says.
Staying the course with technology
The ongoing scandal in Greece gets to the root of a problem that all countries face: the regulatory mechanisms and organizations meant to protect civilians’ digital rights have not evolved with the times.
Today’s “legal surveillance” only covers a portion of the communications we carry out on our phones. Much of it — chatting on encrypted apps like WhatsApp and Signal, or talking on Zoom — doesn’t fall under bugging. Intercepting these communications requires much more advanced surveillance techniques, provided by mercenary surveillance companies like Cytrox.
Rammos Christos, head of the ADAE, underlined this before the European Parliament, declaring that his organization has “the competence to control only telecommunications service providers, and not general agencies or private companies.”
Stavros Malichudis, the journalist bugged by the government, had his phone checked for spyware after the recent revelations (all clear). Along with journalists Eliza Triantafillou and Thanasis Koukakis, he testified before the European Parliament in early September, drawing on his personal experience to show that eavesdropping and spyware are part of an insidious attempt to undermine the fundamental right to privacy. A parliamentary commission of inquiry is also underway in Greece.