Covert Spyware Campaign Targets U.S. Politicians and Taiwan’s President on Social Media

An enigmatic user recently came under scrutiny for attempting to disseminate spyware to U.S. politicians and Taiwan’s President via Twitter and other platforms. These revelations were brought to light by the human rights organization Amnesty International, which identified a Twitter account with the handle @Joseph_Gordon16 as the source of the spyware distribution. The method employed involved the account replying to various targets through Twitter’s reply function.

@Joseph_Gordon16’s replies contained links cleverly disguised as news articles, but in reality, they led to domains associated with Predator, a well-known spyware program often sold to foreign governments for the purpose of infiltrating smartphones.

This malicious campaign began in February, with the @Joseph_Gordon16 account initially targeting journalists covering Vietnam. However, it later expanded its reach to academics and eventually reached European and U.S. government officials, including two U.S. senators and Taiwan’s President Tsai Ing-wen. Notably, @Joseph_Gordon16 replied to President Tsai’s tweets with links disguised as news articles, similar to its approach with the U.S. senators.

In addition to Twitter, a separate Facebook account operating under the name “Anh Tran” was also identified as sharing similar spyware-laden links. According to Amnesty International, a total of 50 accounts belonging to 27 individuals and 23 institutions were targeted. It remains uncertain whether any of these infection attempts were successful.

Citizen Lab, a watchdog group specializing in spyware investigations, corroborated Amnesty International’s findings. This incident is notable for its audacious attempt to distribute commercial spyware openly on a social media platform.

Citizen Lab observed that such public posting of spyware links carries a substantial risk of exposure and discovery, along with the possibility of unintended targets clicking the links. This suggests a lack of professionalism or a disregard for the risk of being caught.

It is important to note that the Predator spyware is meticulously designed to activate only on the intended target’s smartphone, making it challenging for security researchers to detect. The program undergoes multiple checks before initiating an infection attempt.

Amnesty International also suspects a connection between the @Joseph_Gordon16 account and Vietnamese authorities due to the choice of targets aligned with the Vietnamese government’s interests. Furthermore, a report from the German publication Der Spiegel revealed that Vietnam recently acquired a two-year contract for access to the Predator spyware program.

Although the @Joseph_Gordon16 account has been deactivated, the surveillance company responsible for the Predator spyware, Cytrox, appears to remain active. Recently, Apple patched three iOS vulnerabilities linked to a Predator infection on an Egyptian politician’s iPhone.
