Meta, Facebook’s parent company, has kicked six alleged spy-for-hire “cyber-mercenaries” to the curb, along with a mysterious Chinese law-enforcement supplier. It accused the entities of collectively targeting about 50,000 people for surveillance.
In a report (PDF) entitled “Threat Report on the Surveillance-for-Hire Industry” released on Thursday, Meta said that following a months-long investigation, it removed 1,500 fake accounts linked to the spying entities’ reconnaissance of, engagement with, and/or exploitation of the alleged victims.
In addition, Meta has shared its findings with other platforms and security researchers, has issued cease-and-desist warnings to six of the groups, and has begun to warn targeted people in more than 100 countries.
“The global surveillance-for-hire industry targets people to collect intelligence, manipulate and compromise their devices and accounts across the internet,” the report said. “While these ‘cyber mercenaries’ often claim that their services only target criminals and terrorists, our…investigation concluded that targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition members and human-rights activists.”
The spyware industry spreads far beyond the infamous Israeli spyware company NSO Group, Meta said, it being “only one piece of a much broader global cyber-mercenary ecosystem.” Facebook sued NSO Group, maker of the notorious, industrial-grade spyware Pegasus, in 2019 over an alleged attack that exploited a zero-day vulnerability in WhatsApp’s messaging platform to inject spyware onto victims’ phones in targeted campaigns.
The Spyware Seven
The report included a chart, shown below, that outlines the banned entities and which surveillance stages they proffer. Details on the seven spyware outfits:
The Israeli firm markets spyware that Meta’s report said has been used in “frequent targeting of activists, opposition politicians and government officials in Hong Kong and Mexico.” Its clients reportedly include the Department of Homeland Security (DHS), the Internal Revenue Service (IRS), and Saudi Arabia. About 200 accounts linked to Cobwebs that allegedly helped customers do reconnaissance across social media sites and the dark web have been removed from Facebook sites and WhatsApp.
Cognyte, Formerly Known as WebintPro
Meta removed about 100 fake accounts on Facebook and Instagram that were linked to the firm, another Israeli spyware maker. Meta claimed it markets a platform to manage fake accounts across social media platforms including Facebook, Instagram, Twitter, YouTube, and VKontakte (VK), and other websites with the purpose of social-engineering people and collecting data.
Meta said this Israeli firm sells social engineering and intelligence gathering. Meta removed 300 accounts linked to Black Cube, which, it said, operated fake profiles tailored to its targets. Some of them posed as graduate students, NGO and human rights workers, and film and TV producers that allegedly attempted to set up calls and obtain the target’s personal email address, “likely for later phishing attacks,” according to the report.
This Israel-based spyware seller cooked up fake personas, Meta said, including one for a Fox News reporter and another for an Italian journalist, as reported by the Daily Beast. The two fake accounts were reportedly used to dig up dirt on people feuding with the emirate of Ras Al Khaimah in the UAE. Meta said it removed about 100 Facebook accounts linked to Bluehawk.
This Indian company allegedly targeted European government officials, gambling tycoons in the Bahamas and U.S. investors, including private equity giant KKR and short seller Muddy Waters, according to reporting by Citizen Lab and Reuters. Meta removed about 400 fake accounts linked to BellTroX that were allegedly used for reconnaissance, social engineering and to send malicious links, likely in phishing attacks. The fake accounts impersonated a politician and posed as journalists and environmental activists to try to finagle email addresses out of targets.
Meta connected this North Macedonian company to 300 fake, now-removed Facebook and Instagram accounts. Meta said its team uncovered a “vast” domain infrastructure that it believes was used by Cytrox to spoof legitimate news outlets in targeted countries and mimic legitimate URL-shortening and social-media services. The report includes an appendix listing hundreds of domains that investigators believe Cytrox used as part of its phishing and compromise campaigns. Cytrox and its customers allegedly tailored attacks “by only infecting people with malware when they passed certain technical checks, including IP address and device type. If the checks failed, people could be redirected to legitimate news or other websites.”
“An Unknown Entity in China”
Meta hasn’t been able to identify exactly who’s behind 100 fake Facebook and Instagram accounts, but said that the Chinese entity has developed surveillanceware for Android, iOS, Windows, Linux, Mac OS X and Solaris operating systems. Analysis of the group’s command-and-control (C2) servers point to it being used by domestic law-enforcement in China.
Pushing Back Against Pervasive Spying
Meta’s move against the surveillance companies is just the latest of a recent surge of U.S. pushback against spyware that includes four spyware developers getting blacklisted and banned from trade last month. In November, the U.S. Commerce Department added NSO Group, Candiru, Positive Technologies and Computer Security Initiative Consultancy to its “Entity List” of entities deemed to pose a risk to the country’s national security or foreign policy.
That apparently wasn’t enough for lawmakers. In a letter sent to the Treasury Department and State Department on Tuesday, more than a dozen Democrats called on the Biden administration to sanction NSO Group, Emirati cybersecurity firm DarkMatter, and European surveillance firms Nexa Technologies and Trovicor, as well as the firms’ top executives, which they say have helped authoritarian governments commit human rights abuses.
The letter follows reporting earlier this month from Reuters and CNN that the iPhones of about a dozen State Department employees were infected by NSO Group spyware. NSO Group said in a previous statement that it had cut off the “relevant customers’ access” to its systems and is investigating the matter.
David Agranovich, Facebook’s director of global threat disruption, told Reuters that he hoped Thursday’s announcement would “kickstart the disruption of the surveillance-for-hire market.” Twitter, for one, was apparently listening: It reportedly removed 300 accounts a few hours after Meta’s announcement, according to Reuters.
‘Everyday’ People Hacked, Spied On
The surveillance victims include people whom Meta described as indiscriminately targeted journalists, dissidents, critics of authoritarian regimes, families of opposition members and human rights activists.
But in a Thursday press conference, Meta’s Nathaniel Gleicher, head of security policy, reportedly said that the surveillance-for-hire industry’s activity “appears to be much broader than that and spread around the world.”
Per Forbes: “Cyber-mercenaries often claim that their services and their surveillance … are meant to focus on tracking criminals and terrorists,” Gleicher said. “But … the targeting is, in fact, indiscriminate,” including”everyday people” such as parties to a lawsuit or family members of human rights activists. Gleicher said that the spying companies sell their spy tools to “the highest bidder.”
An example of the “everyday people” these surveillance companies were allegedly hired to surveil includes the women who accused convicted rapist and former Hollywood producer Harvey Weinstein. Weinstein allegedly used one of the now-banned cyber-mercenaries – Black Cube – to spy on and intimidate the actresses who called him out and the journalists who investigated the allegations.
Surveillance industry watchdog Citizen Lab published its own report on Thursday, asserting that Cytrox’s iOS malware, dubbed Predator, was discovered on the iPhone of exiled Egyptian politician Ayman Nour and the host of a popular news program who requested anonymity. Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus, operated by two different government clients, according to Citizen Lab.
It’s an Uphill Battle to Fight Them Off
Richard Melick, director of product strategy, endpoint at Zimperium, told Threatpost on Friday that these deep-pocketed surveillance companies are churning out exploits for zero days faster than security firms or device makers can patch them.
“No matter the intention, spyware is quickly becoming a more significant issue for mobile phone users as our always-connected lives are so reliant on these devices,” he said via email. “Whether for corporate espionage or government surveillance, these highly-funded organizations are finding vulnerabilities to exploit faster than the OEMs can patch, leaving millions of users susceptible. Unfortunately, too many enterprises, governments, and VIPS are relying on base-level security that is not up to the task of detecting and preventing these privacy intrusions.”
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.