A U.S. and Greek national who worked on Meta’s security and trust team while based in Greece was placed under a yearlong wiretap by the Greek national intelligence service and hacked with a powerful cyberespionage tool, according to documents obtained by The New York Times and officials with knowledge of the case.
The disclosure is the first known case of an American citizen being targeted in a European Union country by the advanced snooping technology, the use of which has been the subject of a widening scandal in Greece. It demonstrates that the illicit use of spyware is spreading beyond use by authoritarian governments against opposition figures and journalists, and has begun to creep into European democracies, even ensnaring a foreign national working for a major global corporation.
The simultaneous tapping of the target’s phone by the national intelligence service and the way she was hacked indicate that the spy service and whoever implanted the spyware, known as Predator, were working hand in hand.
The latest case comes as elections approach in Greece, which has been rocked by a mounting wiretapping and illegal spyware scandal since last year, raising accusations that the government has abused the powers of its spy agency for illicit purposes.
The Predator spyware that infected the device is marketed by an Athens-based company and has been exported from Greece with the government’s blessing, in possible breach of European Union laws that consider such products potential weapons, The New York Times found in December.
The Greek government has denied using Predator and has legislated against the use of spyware, which it has called “illegal.”
“The Greek authorities and security services have at no time acquired or used the Predator surveillance software. To suggest otherwise is wrong,” Giannis Oikonomou, the government spokesman, said in an email. “The alleged use of this software by nongovernmental parties is under ongoing judicial investigation.”
“Greece was among the first countries in Europe that passed legislation banning the sale, use and possession of malware in December 2022, which has the most severe legal consequences and strict penalties for individuals and legal entities involved in such an offense,” Mr. Oikonoumou continued. “The same legislation includes provisions on restructuring of the National Intelligence Service, additional safeguards for legal surveillance and modernizing procedures on confidentiality of communications.”
European Union lawmakers have launched their own investigation.
Prime Minister Kyriakos Mitsotakis of Greece has come under pressure to explain how and why Predator was sold from Greece and used in Greece, supposedly without the government’s knowledge, against members of his own government, opposition politicians and journalists.
He has insisted that the Greek government had nothing to do with the cyber-surveillance tool, but that opaque actors may have used it behind the authorities’ backs.
The latest case centers on Artemis Seaford, a Harvard Law and Stanford graduate, who worked from 2020 to the end of 2022 as a Trust and Security manager at Meta, the parent company of Facebook, while living in Greece.
In her role at Meta, Ms. Seaford worked on policy questions relating to cybersecurity and she also maintained working relations with Greek as well as other European officials.
After she saw her name on a leaked list of spyware targets in the Greek news media last November, she took her phone to The Citizen Lab at the University of Toronto, the world’s foremost forensics experts on spyware.
The lab report, which was reviewed by The New York Times, found that Ms. Seaford’s mobile phone had been hacked with the Predator spyware in September 2021 for at least two months.
“This does not preclude the possibility of other infections, or of an infection period extending beyond 2021-11-16,” the forensic report by Citizen Lab said.
Ms. Seaford on Friday filed a lawsuit in Athens against anyone found responsible for the hack. The suit compels prosecutors to open an investigation.
Ms. Seaford also filed a request with the Greek Authority for the Protection of the Privacy of Telecommunications, an independent constitutional watchdog, asking them to determine whether the Greek national intelligence service, known as the EYP, had wiretapped her phone.
Two people with direct knowledge of the case said that Ms. Seaford had in fact been wiretapped by the Greek spy service from August 2021, the month before the spyware hack, and for several months into 2022.
They spoke on condition of anonymity because it is illegal for them to publicly comment on EYP operations.
It could take a minimum of three years for Ms. Seaford to be informed of the spy agency wiretap under Greek laws that the government has twice changed since a flurry of wiretapping cases have come to light.
Ms. Seaford is now is the fourth known person to file suit in Greece involving the spyware, after an investigative reporter and two opposition politicians.
In the first case, an investigative reporter, Thanasis Koukakis, in 2020 similarly asked the constitutional watchdog authority to inform him whether he had also been placed under a wiretap.
Before Mr. Koukakis could get a formal answer, the government quickly passed a law in 2021 that drastically curbs citizens’ rights to be informed if they had been under surveillance by the national intelligence service. Mr. Koukakis has taken the Greek government to the European Court of Human Rights over the change in the law.
The Greek government has since come under pressure to restore some recourse for citizens to learn about being wiretapped and seek redress if their surveillance had been abusive.
Under a law passed last year, a citizen who has been targeted by the spy agency can now be informed — but only if they ask, and subject to the approval of a committee, and no earlier than three years after the end of the wiretap.
It is under those new conditions that Ms. Seaford’s surveillance by the Greek national intelligence service may one day be officially confirmed.
“Targets of abusive surveillance should have the right to know what happened to them and have means of redress just like every other crime,” Ms. Seaford said in an interview.
She maintains that there is no reasonable explanation for her being targeted. Wiretapping in Greece is permitted only for national security reasons or serious criminal investigations.
More than a year after her surveillance by the Greek intelligence service and the illegal spyware infection of her mobile device, no charges have been brought against her, and she has not been asked to cooperate with the authorities on any investigation.
“In my case, I do not know why I was targeted, but I cannot see any reasonable national security concerns behind it,” Ms. Seaford said. Meta and the U.S. embassy in Athens declined to comment.
Ms. Seaford’s targeting by the Greek spy agency and some elements of her case were earlier reported by the Greek newspaper Documento.
In Ms. Seaford’s case, it appears that information gleaned from the wiretap may have assisted the ruse used to implant the spyware, according to the timeline established by the forensic analysis and submitted to the Greek prosecutor.
In September 2021, Ms. Seaford booked an appointment for a booster shot of the Covid-19 vaccine through the official Greek government vaccination platform.
She got an automated SMS with her appointment details on Sept. 17, just after midnight. Five hours later, at 05:31 a.m., documents show, she received another SMS asking her to confirm the appointment by clicking on a link.
This was the infected link that put Predator in her phone. The details for the vaccination appointment in the infected text message were correct, indicating that someone had reviewed the authentic earlier confirmation and drafted the infected message accordingly.
The sender also appeared to be the state vaccine agency, while the infected URL mimicked that of the vaccination platform.
Ms. Seaford, who has been reluctant to get dragged into Greek party politics, where the surveillance scandal has become a point of bitter debate, said the question of spyware and surveillance abuse should be a nonpartisan issue.
“My hope is that my case and others like mine will not just be instrumentalized, shut down to avoid political cost for some, or, conversely, elevated for the political gain of others,” she said.
The post Meta Manager Was Hacked With Spyware and Wiretapped in Greece appeared first on New York Times.