Three months after the revelation of the surveillance of a Greek journalist came the complaint of a party president that he had been targeted with the same spyware. In the meantime, the National Transparency Authority issued its conclusion on the first case without any incriminating evidence for the government. What did the EAD fail to consider? The invoices and the private contract that connect the supplier of the Police with the company behind the spyware.
On April 11, 2022 the inside story revealed that for at least ten weeks the mobile phone of journalist Thanasis Koukakis was trapped with a powerful (and very expensive) spying software called Predator. Three months later the National Transparency Authority tasked with checking the case assured that everything had been done well by the security services without examining the bank accounts of the companies Koukakis had filed and which appear to be connected to the security services, it did not examine still activity of Cypriot companies connected to the software producer or dealing with the public. If it did the image of government activity in the issue of the use of illegal software would look less innocent.
The use of spyware to track targets is absolutely illegal in Greece, let alone when used against a business and financial reporter with several revelations scandals on his resume. The infection of Koukaki's mobile phone was certified by the Citizen Lab of the University of Toronto, whose main research objective is to identify digital threats against members of civil society, as well as to monitor the spread of spyware. Before the breach of Koukaki's mobile phone, he had detected the breaches – with the same or with other software – of dozens of mobile journalists, activists and politicians, including the prince of Saudi Arabia bin Salman (who is visiting our country these days) or the Hungarian government, which eventually admitted to using the phone-hacking software, as did the German government.
What the Predator can do
Predator is a surveillance tool that gives its operator full and permanent access to the target's mobile [phone] device. Predator allows the operator to extract passwords, files, photos, web browsing history, contacts as well as identity data (such as mobile device information). It can take screenshots [screen captures], record the user's entries [on his mobile], and can also activate the device's microphone and camera. This enables attackers to monitor any action taking place on or near a device, such as conversations taking place within a room. It also allows its operator to record text messages sent or received (including those sent through "encrypted apps", or apps that allow messages to disappear, such as WhatsApp or Telegram) as well as simple and VoIP phone calls (including telephone conversations through "encrypted" applications)". Source: Citizen Lab mobile report Thanasis Koukakis |
Bill Marzak, a senior researcher at Citizen Lab, a scientist with great technical proficiency in spyware detection, had told the inside story at the time that there was a serious possibility that the Greek government was behind the targeting of Thanasis Koukakis. "From a technical point of view, we cannot say exactly whether it is the Greek government or a private company. However, we have not seen a case where a powerful spyware like Cytrox's Predator has been sold to a private company for its own use." Predator customers in Greece (with state support) had "seen" him December 2021 not only Citizen Lab in their previous research but also Meta (facebook) in their own report.
A few hours after the publication of the inside story report, at noon on April 11, government spokesman Giannis Economou had proceed – without presenting evidence – to the hasty conclusion that the journalist was monitored by a private individual. Four days later, on April 15, the Reporters United revealed that a year before the illegal infection of his mobile phone with the Predator, Thanasis Koukakis had been the target of (legal) surveillance by the EYP (under the Prime Minister) for reasons of "national security" and had been ordered to declassify his communications, the which was abruptly interrupted when the journalist turned to the Communications Privacy Authority as he had reasonable suspicions that he was the target of illegal surveillance.
Because the matter began to take shape, although its re-publication by most media was limited to non-existent, the National Transparency Authority, established by the current government with the first bill it brought to the floor as soon as it assumed power (Staff State) and, tasked with preventing and raising awareness against corruption, launched an ex officio investigation into the Koukaki case. The object of the EAD audit was not to clarify who is using the Predator and against whom in Greece, although there was enough evidence which had highlighted the inside story and argued that the journalist was not the only target, but to establish whether or not the Ministry of Civil Protection and the National Intelligence Service had procured the Predator surveillance software (or other similar software) or contracted with any of the companies we had mentioned in our reports.
A hundred or so days later and while a third investigation has taken place, this time from Google which also talks about clients and targets of Predator in Greece, the journalist got his hands on the EAD report on his case. Its conclusion, implicitly but clearly, is one: the government has nothing to do with the monitoring of Thanasis Koukakis, since neither ELAS nor EYP emerged from the EAD control to have purchased or used this or similar spyware.
From Koukakis to Androulakis and in the middle the EAD
Four days after the EAD's conclusion, on Tuesday July 26, the president of the Movement for Change, Nikos Androulakis, complained in his lawsuit report to the Supreme Court of an attempt to infect his mobile phone with the same software that unknown people used to monitor Thanasis Koukakis. The new case of Predator use, targeting the leader of an opposition party, fully confirms previous inside story reports that presented solid evidence of the existence of other targets besides the journalist. This is supported by Google itself, which stated in the inside story that the company's risk analysis team estimates that with the data it has collected so far in Greece there is a single-digit number of targets with Android phones.
The president of PASOK-KINAL, Nikos Androulakis, filed a subpoena with the Prosecutor's Office of the Supreme Court, for an attempt to trap and monitor his mobile phone via Predator, Tuesday, July 26, 2022. [EUROKINISSI]
Koukakis and Androulakis have iPhones. But this is not the only coincidence: Both "targets" had received on their mobile phones a personal decoy message with a malicious url from the same falsified – for this purpose – domain (blogspot.edolio5[.]com instead of the correct edolio5. blogspot[.]com). Both received the message last year, the journalist on July 12, 2021 and the MEP on September 21, 2021, after he had announced his candidacy for the leadership of the party.
The only difference is that Mr. Androulakis did not click on the link and thus it appears that his device was not infected. However, the fact that someone targeted a journalist and a (then) political leader candidate a few months apart shows that the Koukakis case was not a misdemeanor case "between two private individuals", as initially attempted to be presented by the government. As Mr. Androulakis states in his petition, his targeting with the Predator is unprecedented for our democracy and constitutes a "direct insult to the democratic state", an act which, according to the provisions of the penal code he cites, constitutes a felony.
And spoofing Greek mobile phones
Something else that is also interesting is that in the case of Mr. Androulakis, the unknown to him Greek mobile phone that was used belongs to a woman who, in a telephone conversation we had, assured us that she has absolutely nothing to do with it, emphasized that she learned about the incident from the news and described the herself as "a simple woman with four grandchildren." All this suggests that whoever is behind the Predator spyware attacks use (also) existing phone numbers without the knowledge of their owners (spoofing). |
In the meantime, the journalist Thanasis Koukakis will appeal today to the European Court of Human Rights against the Greek authorities for the case of his illegal surveillance with spyware, while Nikos Androulakis emphasizes that "the complete clarification of the case, finding the physical and moral perpetrators of the above acts it must take place immediately." Something that possibly should have been the subject of the EAD's control from the beginning, in its own almost three-month investigation.
But let's examine what the National Transparency Authority saw and what it omitted in its audit in the Koukaki case.
The methodology of EAD
The report of the National Transparency Authority (NDA) on the complaint of the contamination of the software of journalist Thanasis Koukakis with the spyware Predator was delivered to him on the morning of last Friday, July 22. The truth is that the Authority had completed its report as of July 10, 2022, but had, according to one of its sources, sent it to EYP for "approval". The document finally handed over to the complaining journalist does not include the entire audit carried out by the FSA, but only "excerpts of the audit", for privacy reasons, we were told. Among the missing items are the names of natural persons (of the auditors of the SAO, the prosecutor supervising the SAO, to which the SAO audit requests were sent, and the lawyers and accountants of the audited corporate entities) and the corporate entities, which are "blackened".
Controlled by the EAD were the Hellenic Police and the EYP and the private companies Intellexa and Krikel – the first because it produces and markets the illegal software and the second because the journalist named it in his testimony as being connected to Intellexa. The legal framework of the audit regarding the protection of the privacy of telecommunications also includes the rules that govern the operation of the EYP, among which there is a special regulation of 2008 on the procurement and provision of the services of the EYP that are exempted from the provisions of Law 2286/1995.
Thanasis Koukakis was called by the EAD to an unsigned – informal, as it is characterized – examination on May 4, 2022, 25 days after his monitoring was made public. Then the former commander of the EAD, Angelos Binis, sent letters to the president of the Telecommunications Privacy Protection Authority, the prosecutor who supervises the EYP, the head of ELAS and the commander of the Independent Public Revenue Authority to help him. Of the above, only the Telecommunications Privacy Authority did not respond, as it has not even started the audit. Similar letters were sent on May 18 and 31 to Intellexa and Krikel. A month and a half had already passed. The companies replied in writing and then the EAD's auditor team visited them on 9 June (Intellexa) and 14 June (Krikel) at their offices. But while Intellexa sends its written responses to the DPA before the on-site investigation of the echelon, Krikel does so after it. We will return to this point.
In these visits, the group did not meet the legal representatives of the companies, but accountants and lawyers. Of course, it is not clear exactly what supervision of the company's activities was exercised by its Greek branch in Elliniko, as Intellexa's accounts and correspondence ended up in Cyprus, and not at the company's headquarters in Elliniko which was visited by EAD, as two independent sources confirmed to the inside story among them sources employed in the last two years by the company. In fact, according to inside story information, before the audit one of Intellexa's lawyers had been replaced, when he asked the company's legal representatives to see the contracts the company had signed with all its clients.
According to the conclusion of the EAD, Intellexa has not concluded a supply contract, either alone or in partnership with other domestic companies registered in GEMI, with agencies of the Ministry of Citizen Protection and the EYP. Here, of course, there is a gap in the investigation, because Koukakis was under surveillance for at least three months and this cannot be disputed. Which non-domestic and non-GEMI companies could Intellexa have dealt with? On this the auditors do not seem to have looked for evidence.
Intellexa: double refutability
At the end of June, Israeli colleague Haaretz technology reporter Omer Ben Yaacob visited inside story's offices. Ben Jacob, with whom we went to the Intellexa offices in Elliniko, where business personnel housed in the same building told us that "they have 4-5 weeks to show up" (the FSA conducted an inspection in early June), explained to us that a Israeli company that develops and sells spyware is subject to double control by the Israeli state: whenever it presents a product to "customers" and when it sells it. In both of these phases it needs state approval, unless it creates an intermediate company in a third country, in which case it avoids these two scopes. Many times also the buyer for his own reasons (e.g. because it is prohibited by law in his country) wants to avoid the "scope" of admitting that he uses such software, especially when it is not limited to the needs of collecting information outside the country of the buyer. This need for double deniability leads to the need to create between buyer and seller often two and three companies in the transaction, or even to choose a company from another jurisdiction (e.g. Cypriot or Irish) to complete the transaction (the deniability, i.e. the ability to deny something you've done, is central to the culture of any agency that practices covert action).
The authors of the findings of the National Transparency Authority avoided dealing with intermediate or other jurisdiction companies. Such a company, which seems to have played a role in the establishment of the Israeli company in Greece, is the Cypriot SANTINOMO LIMITED, which was founded by Felix Biggio on September 2, 2019, two months after the Greek elections of the same year, and is also active in covert action technology applications. This information was given to the inside story by a person who worked for Intellexa.
Felix Bitzios is the person appointed to Intellexa Greece, as well as Apollo Technologies and Hermes Technologies, belonging to the Intellexa group, as an alternate advisor and administrator from March 31, 2020 to June 23, 2021. He was also the legal representative of the branch of Feroveno, which also belongs to the Intellexa group, until November 15, 2021 (Thanasis Koukakis' mobile phone was already infected with Predator). The presence of the specific person in these companies – as he had reveal in January 2022 the inside story – is the element that alarmed the journalist Thanasis Koukakis and turned to Citizen Lab for the control of his cell phone, since from 2017 to 2021 the journalist had extensively researched and written about his role Mr. Biggiou in various cases under legal investigation.
Intellexa employed 13 people in Athens (paid well above market averages), but its turnover was found to be under €1 million, which could be an indication that all the "products" and "services" were not billed by the Greek company - especially since the mail never reached Hellinikon, but went to Cyprus. The EAD does not seem to have dealt with this contradiction either.
Out of control three related companies for the critical year 2021
The DPA for the companies Intellexa, Hermes Technologies, Apollo Technologies and Feroveno Limited, examined tax data of customers and suppliers only for the management year 2020 (year of establishment of all four companies in Greece). The reason cited for this is that during the time the audit was carried out, the deadline for posting the corresponding data by the companies on the myAADE platform for the 2021 management year had not expired.
Only for the year 2020 were the income-expenditure tax data of the four companies granted by AADE. The audit of the EAD specifically on Intellexa was extended to 2021 and was based on the data provided by the company's accountant and more specifically the Temporary Balance of General-Analytical Ledgers (January-December 2021) and internal invoices. Based on these, it emerged that "there are no transactions [of Intellexa] with any Public Sector body".
For the other three companies with which Intellexa shares, among other things, the same offices (Hermes Technologies, Apollo Technologies and Feroveno Limited), the EAD with the data it saw from the AADE for 2020 considered that "no data emerged for further evaluation and investigation". Although, we repeat, the monitoring of Koukakis (and now, as we know, the attempted monitoring of N. Androulakis) took place in the second half of 2021. In reference to these three companies, Intellexa notes in its document to the EAD echelon that “[…] none of the companies […] has participated in transactions, provision of services or operational activities of any kind with government agencies, security services or public sector entities in Greece” and that “[…] the companies have never participated in the provision of collection or processing services personal data to any entity whether private or public". From the excerpt of the EAD's opinion in our possession, no other evidence appears to have been adduced beyond this claim by Intellexa.
Graphics: Phoebus Simeonidis
It is also worth noting that from the first publication of the inside story about the use of Predator against a journalist to the visit of the EAD to the offices of the company that has this spyware on the market, a long time passed. The publication was on April 11, 2022, and the scheduled meeting of the EAD level with Intellexa's lawyers and accountants took place almost two months later on June 9, 2022, and after company personnel (technicians, developers, salesmen, etc.) who possibly knowing useful information had begun to work remotely and the offices were essentially empty. By appointing an appointment two months later in the vacant offices, the EAD lost the possibility of "surprise" provided by the law and lost some of the actions it could have taken.
What can the EAD do?
The EAD levels can, among other things, check the electronic commercial correspondence of entrepreneurs, managers, directors, administrators and staff of a company and make seizures of books, documents and other items, as well as electronic means of data storage and transfer, which constitute professional information, up to and including receiving, at their discretion, sworn or non-judicial depositions and requesting explanations from any representative or staff member of the controlled entities. |
The line that connects ELAS' supplier company with Intellexa
Felix Bitzios, representative of Intellexa until June 2021, remained representative of Feroveno, connected to the company, almost until the end of the same time (we recall here that Thanasis Koukakis was illegally monitored from July to September 2021). Bitzios, however, also had relations with the company Krikel, one of the official suppliers of the Ministry of Citizen Protection, before 2019 until today.
Thanasis Koukakis, in the report he submitted to the EAD at the beginning of May, had mentioned to the independent authority the bank accounts held by Intellexa (and related Apollo Technologies and Hermes Technologies and Feroveno) as well as Krikel. Based on the excerpt of the opinion that we read, the EAD did not deal with the bank movements of the accounts. If he had done so he would have identified the company's direct relationship with the man who later played an active role in Intellexa.
The inside story today reveals a contract signed by Krikel in 2018 with another Cypriot company of Felix Biggiou, Viniato Holdings Limited (formerly Macorta Holdings LimitedThe "hairpins of Libra" | First subject), for the provision of consulting services between January and August 2018, for a fee of €550,000 (we also have the relevant invoices at our disposal).
According to what is written in this contract – which was in force when Krikel signed with ELAS for the TETRA encrypted chat system in June 2018 – Felix Biggiou's Viniato (who later played a central role in the relocation and management of Intellexa in Greece ) worked in the nine months of 2018 as a consultant for Krikel, in order for it to develop its strategy regarding projects (support and development of special software) within the Greek territory. Thus, Krikel, which traded among others rice and had zero turnover in 2017, and in the loss-making 2018 gave €550,000 in consultancy fees out of only €840,000 of its turnover, is gradually becoming the main supplier of technology products to the Ministry of Citizen Protection, participating indirectly or directly in all the major projects from 2018. Moreover, according to the answer of the Minister of State Giorgos Gerapetritis (given before the 2018 contract for TETRA came into our hands) to a related question of the SYRIZA member of parliament Yiannis Ragousis, KRIKEL has supplied services for the TETRA system to the Ministry of Citizen Protection.
The contract was signed on June 29, 2018 by the then general secretary of the Ministry of Citizen Protection, Dimitris Anagnostakis, and the representative of Krikel, Stanislav Simon Peltsar. The TETRA system, the maintenance of which was undertaken by Krikel in 2018, was previously donated to the Greek public by the company Ioniki Monoprosopi EPE and Lamas Pinto Consulting. Ioniki Monoprosopi belonged among others to Yiannis Lavranos, who was tax audited for fake and fictitious invoices following an article by Thanasis Koukakis.
Pelchar, who signs the €8.8 million (plus VAT 24%) 2018 contract for TETRA, has previously been on a company board with Felix Biggio who during his time at Intellexa co-existed and continues to to be on the board of a company together with Nikos Liolios, who in turn co-existed with Yiannis Lavranos in the company that had initially undertaken the maintenance of the TETRA system. None of these coincidences, however, seem to have concerned EAD.
The EYP and the new autonomous directorate with its own VAT number
The inside story had reports that Krikel is also connected to the contract for the new EYP statutory hearing system. Krikel initially reproduced the publication in successive tweets, but when Mr. Gerapetritis appeared in the Parliament and denied it, she also denied it, responding to new report from Reporters United, and now the EYP also denies it by correspondence with the National Transparency Authority. Krikel, however, according to its inflows and outflows, seen by the inside story, presents a balance of intra-community purchases and intra-community sales of about 13 million – an amount that is greater than the total contract for TETRA services by at least 4 million. In the EAD report, it is underlined that the figures for 2021 are not included, which the company is not yet obliged to publish.
According to what the public prosecutor who supervises EYP replied to the EAD, after a check carried out by her department in the records of the contracts, EYP does not appear anywhere as a counterparty to Krikel. In a previous inside story report, we reported that according to three sources with knowledge of the EYP's call for interest for the legal hearing system, which the Service eventually procured in 2021, the Service's interlocutor was Krikel (the company did not then respond to any from the questions we had asked via email). Based on the conclusion of the EAD, the final counterparty to the system supply contract was the Italian RCS ETM SICUREZZA SPA and not Krikel. However, Krikel and EYP must have some contractual relationship, otherwise it is not explained why for at least two months after the procurement of the Italian legal hearing system (December 2021, January 2022), according to reliable information available to inside story, personal of Krikel as an "educator" was visiting the EYP training site in Agia Paraskevi.
Based on what the public prosecutor who supervises the EYP writes, "we conducted an extraordinary audit in the 7th Department of Public Contracts of the Directorate of Financial Management of the Infrastructures of the EYP, which is exclusively responsible for handling all procedures related to the conclusion of all contracts that have as a contracting party part of the EYP [...]". What is not at all clear in the EAD's conclusion is whether the control was also extended to the independent service called the Center for Technological Support, Development and Innovation (KETYAK), which reports directly to the Commander of the EYP. KETYAK was founded with law 4704 of July 14, 2020 with a somewhat unclear purpose. "[…] It is responsible for conducting applied research, collaborating with Greek and foreign research bodies, coordinating, as well as monitoring and participating in research, technological development and innovation activities, in order to create the appropriate technological and methodological tools and to provide them to EYP and other public bodies", the law reads. People who are familiar with the operation of the National Intelligence Service, speaking in the inside story, characterize this newly established service as "the EYP within the EYP". In fact, with the same law, a special account ("Special Account for Technological Development and Innovation", ELTAK) was established for the financing of programs and projects carried out by the newly established agency. This account - according to the law - is assigned a tax registration number (TIN) different from that of the EYP and has a seal, the form and type of which are determined by decision of the EYP Governor. The Center for Technological Support, Development and Innovation of the EYP has the possibility to conduct tenders as a contracting authority and to enter into project contracts with natural persons, researchers and specialized scientific personnel - with the money of the special account, which may have even come from private resources or international organizations. An employee of another ministry with no previous experience in this type of activity was appointed head of KETYAK.
In closing, let's say that the EAD does not comment on its findings, but unofficially the position of its sources was that "this was what the authority could do, within the framework of the mandate it had received".
Eliza Triantafillou & Tasos Telloglou
Source: insidestory.gr