Spyware and surveillance-for-hire industry ‘growing globally’: report

The spyware and surveillance-for-hire industry is “indiscriminately” targeting journalists, activists and political opposition, and growing on a global scale, the social media company Meta warned.

In a new report published Thursday, the company said it has “continued to investigate and take actions against spyware vendors around the world, including in China, Russia, Israel, the United States and India, who targeted people in about 200 countries and territories.” Meta was one of the first to publicly challenge the spyware industry back in 2019, when it began legal proceedings against Israeli firm NSO Group for hacking into approximately 1,400 WhatsApp users’ mobile devices.

The report details the tactics being used by spyware and hacking companies, in particular an Indian business called CyberRoot previously exposed by a Reuters investigation into Indian mercenary hackers.

“Our investigation found CyberRoot target people around the world, working in a wide range of industries including cosmetic surgery and law firms in Australia, real-estate and investment companies in Russia, private equity firms and pharmaceutical companies in the US, environmental and anti-corruption activists in Angola, gambling entities in the UK, and mining companies in New Zealand. They were focused on business executives, lawyers, doctors, activists, journalists and members of the clergy in countries like Kazakhstan, Djibouti, Saudi Arabia, South Africa and Iceland. Our investigation corroborates the assessment by investigative journalists at Reuters that this group often targeted people involved in litigation, likely on behalf of law firms.”

Meta blocked the group’s domain infrastructure and shared its tactics, techniques and procedures (TTPs) and other threat indicators with “industry peers and security researchers… to help inform further research and detection of this malicious activity across the internet.” But the company warned that takedowns and litigation were not going to “solve this threat.”

Government and industry response

In a rare moment of unity for the technology industry, Meta’s lawsuit against NSO received the support of competitors including Google and Microsoft, alongside other tech companies such as Cisco and Dell. Apple has since independently brought its own legal action against NSO.

The Israeli company has denied every allegation that its tools — particularly its Pegasus spyware — have been misused. “NSO does not operate Pegasus, has no visibility into its usage, and does not collect information about customers or who they monitor,” the company has said in past statements. “NSO licenses Pegasus solely to law enforcement and intelligence agencies of sovereign states and government agencies following approval by the Israeli government. When we determine wrongdoing, we terminate contracts.”

The company has never explained how it can determine wrongdoing if it has no visibility into how customers use Pegasus, and the Israeli government has repeatedly declined to comment about its approval process for exporting the software.

Meta argues that tackling the challenges posed by spyware requires a coordinated policy approach by democratic governments. In a policy paper accompanying its report, the company recommends that these governments increase the regulations they apply to spyware and surveillance-for-hire companies, including introducing export restrictions, know-your-customer rules, and providing mechanisms for redress when the tools are abused.

There have been some actions towards this end in several jurisdictions. NSO Group was sanctioned last year by the U.S. Department of Commerce, alongside another Israeli company called Candiru, the Russian security firm Positive Technologies, and Singapore-based Computer Security Initiative Consultancy, for developing and selling hacking tools.

The Department of Commerce explained: “These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent.”

A month after the sanctions were made, Reuters reported that NSO Group’s tools had previously been used by an unknown attacker to target U.S. Diplomats in Uganda.

It is not known what impact the incident had on relations between the State Department and Israel's Ministry of Defence, which authorizes each export of NSO Group's technology to foreign powers.

‘Democratizing’ the threat landscape

In its new report, Meta said it had removed a network of around 130 accounts on Facebook and Instagram which were being used to test malicious capabilities, and which it linked to Candiru, which it said was “co-founded by a former employee of NSO Group.”

Another batch of 250 accounts on the platforms — linked to the “spyware vendor Quadream” also “founded by former NSO employees” — were identified testing “capabilities to exfiltrate various types of data including messages, images, video and audio files, and geolocation.”

Meta said in both cases it detected the testing activities early and hadn't observed targeting of authentic users.

Meta said that a diversity of actors were involved in what it calls the "surveillance chain" — the phases of attack including reconnaissance, engagement, and exploitation — and that it also caught spyware vendors using legitimate marketing tools to support their activity.

CyberRoot, for instance, was found to be using a marketing tool called Branch “to create, manage and track the delivery of phishing links,” said Meta.

Branch did not respond to The Record when contacted.

Meta argued that the use of legitimate tools demonstrates the need for a “whole-of-society response” to “tackling this growing malicious industry.”

There are companies offering specialized reconnaissance services who Meta said were still “part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target or the human rights abuses they might enable.”

These companies often market themselves as “web intelligence services,” said Meta, publicly attributing this activity to several of them including a New York-based company called Social Links (which was originally based in Moscow), an Israel-based company called Cyber Globes, a Russia-based firm called Avalanche and an unattributed entity in China.

The China-based group was scraping information on people “in Myanmar, India, Taiwan, the United States, and China, including military personnel, pro-democracy activists, government employees, politicians and journalists,” said Meta.

“In a sense, this industry ‘democratizes’ these threats, making them available to government and non-government groups that otherwise wouldn't have these capabilities to cause harm. They, in effect, exponentially increase the supply of threat actors in the world,” the report argued.