Sudan: “Men with no Mercy” now Armed with EU-linked Spyware

The Rapid Support Forces (RSF)—a paramilitary group in Sudan accused of committing crimes against humanity— imported the “Predator” spyware developed by cyber intelligence firm Cytrox. 

On November 30, 2022, the Israeli newspaper Haaretz and The LightHouse Report published an investigation revealing undeclared export of Israeli surveillance technology connected to a Cessna jet flying from the EU to Sudan between April and August 2022. The flight was illegally delivering high-end surveillance technology to the junta in Sudan.

Last year, Citizen Lab, a technology Laboratory based in Canada, reported that the company has a corporate presence in Israel, Hungary, and Greece. Former Israeli military intelligence official of 24 years, Tal Dilian, acquired Cytrox in 2018 under the “star alliance of spywareIntellexa, a cluster of cybersurveillance startups competing against Pegasus. 

This is not the first time that Predator has appeared in the region. The software was used in December 2021 to hack the phones of two Egyptians in exile: activist Ayman Nour and a TV host who wished to remain anonymous. Other Predator clients in the region include Oman and Saudi Arabia, according to the report by Citizen Lab. In 2022, Intellexa participated in two security and intelligence exhibitions in the UAE: Intelligence Support System (ISS), and International Exhibition for National Security and Resilience (ISNR).

Predator: Technical features

Predator can gain complete control over the mobile devices it infects, according to ExpressVPN and other reports. This includes accessing personal messages and files, recording calls, and monitoring the environment through the camera and microphone. Predator matches almost all features offered by the infamous Pegasus, a spyware developed by the Israeli NSO cyber group.

Additionally, some Pegasus editions can infect the targeted devices using the “Zero-Click” method, which compromises the device without any action from the victim. In the case of Predator spyware, an infection can take place if the target opens an infected web address sent via SMS or any messaging application, without necessarily clicking on it.

Acquiring Predator is also very costly. A leaked business proposal from Intellexa, offered “one-click infection via multiple attack vectors,” licensed for 10 targets at once, with a “magazine of 100 successful infections.” The price tag, including “remote data extraction,” project management, and 12 months warranty, was eight million Euros.

History of privacy violations in Sudan

In 2014, the head of the communications committee in the National Assembly (Sudanese Parliament) claimed that internet censorship and spying on phone calls would stop. The Rapid Support Forces (RSF), however, continued to invest in censorship technologies in Sudan. 

In 2013, Citizen Lab, published a report showing that the former regime in Sudan implanted BlueCoat Proxy SG, a device that can be used to secure and maintain networks, but it can also be used to implement politically-motivated restrictions on access to information and monitor and record private communications.

Also, the National Intelligence and Security Service (NISS) – currently known as General Intelligence Service – planted spyware in many activists’ devices while participating in a workshop abroad. 

In 2013, Citizen Lab published another report proving that the Sudanese authorities have used spyware called Remote Control System (RCS). RCS was developed by Hacking Team, a company based in Italy, and has many features that can be the same as Predator. It can control the victim’s device, access its storage, microphone, and camera, read its SMS, record calls, and follow a user’s activities without a wiretap, even if the victim is outside Sudan.

According to the report on the State of Internet Freedom in Africa 2022, Sudan’s capital Khartoum has 4,000 governmental CCTV cameras spread across the city. Sudanese authorities also use offline methods to violate people’s privacy, such as inspecting their devices’ contents.

Legalizing surveillance

Privacy in Sudan, whether online or offline, has always been subject to violations by the Sudanese government and the subsequent military reiterations of the state. The Sudanese laws do not legalize online surveillance or censorship, but the laws contain numerous broad and vague terms that may be exploited by authorities to practice surveillance lawfully.

Article 25 of the National Security law, Amendment of 2020, stipulates: “The security service has the right to request information, data, documents or things from anyone to check it or take it.”

Also, Sudan’s Cybercrime law gives the so-called “competent authority” the right to violate citizens’ privacy. The 2020 Anti-Cybercrime Law prescribes a punishment of up to four years in jail, a fine or both against anyone who violates the privacy of people. But, the same article considers these same actions lawful  when carried out under the permission of the public prosecutor or a judicial or competent authority. The term “competent authority’’ is not defined, subjecting the law to potential abuses.

“Legally, security forces have the right to monitor people, as this power is within their jurisdiction for the purposes of investigations,” said Mutaz Aljaaly, a Sudanese lawyer. “According to Article 25 of the National Security Law, if surveillance takes place in the midst of investigations, monitoring someone is not considered a crime and does not constitute a violation of privacy.” As such, digital censorship and surveillance falls within the powers of the General Intelligence Service.

“Our problem is mainly with the abuse of power by authorities, especially in relation to monitoring. Security forces are entrusted with investigations and control procedures, and there is no strangeness in granting them these authorities, as they are necessary for their work. What is abnormal, incorrect and illegal, however, is that these authorities are not controlled,” warned Aljaaly.”

Security forces in Sudan can violate privacy without restrictions, and unfortunately, the judiciary accepts the evidence obtained without verifying its accuracy or the method in which it was obtained. In this sense, it is important to set and abide by legal conditions that allow for invading someone’s privacy when conducting investigations. 

Threats to Sudanese citizens

RSF has a bad reputation for committing crimes against humanity. In its famous report “Men with no Mercy,”  Human Rights Watch accused the militia of violating human rights and committing war crimes in 2015 in the Darfur region, Western Sudan. RSF is accused of being responsible for the massacre of Khartoum in 2019 when more than a hundred youths were killed close to the military HQ.

According to reports, RSF killed the Sudanese activist Bahaa Nouri, when they arrested him after they tracked his phone. Therefore, owning this software by the RSF represents a grave threat to people in Sudan, especially activists and human rights defenders. “Predator” is only one spyware whose name made it to mainstream media, but what about other cybersurveillance technology that is still lurking in the shadows, and who knows who might be using it right now?

This page is available in a different language العربية (Arabic) هذه الصفحة متوفرة بلغة مختلفة

Avatar photo

DR Lab

Digital Rights Lab is an NGO working to promote digital rights in Sudan. Follow them on twitter: @DRLab_Sudan