While NSO Group was taking flak for hacking into the phones of journalists, activists and human rights
defenders, an entire class of spyware makers and surveillance-for-hire
outfits were operating as normal, largely unnoticed.
These private surveillance groups develop and deploy
never-before-seen exploits that quietly hack into and steal the contents
of a victim’s phone — call logs, text messages, emails, location data
and more — often on behalf of authoritarian governments targeting their
most vocal critics.
Now, following an investigation by researchers at Citizen Lab and
Facebook’s new parent company, Meta, seven surveillance-for-hire groups
have been banned from using the social media giant’s platforms to target
other users.
Meta said Thursday that it has removed more than 1,500 Facebook and Instagram accounts
associated with the seven outfits, which the company said were used for
reconnaissance, social engineering and sending malicious links to
thousands of victims in over 100 countries. Meta said it’s notified
around 50,000 people it believes were targeted by the seven groups.
Although much of the recent focus of the surveillance industry has
been on companies like NSO Group, both Citizen Lab and Meta warned that
the wider surveillance-for-hire industry will continue to balloon if
left unregulated. “It’s important to realize that NSO is only one piece
of a much broader global cyber mercenary ecosystem,” according to a
report of Meta’s investigation seen by TechCrunch before its
publication.
One of the banned companies is Cytrox, a North Macedonia-based
spyware maker. Meta said it found the company using a “vast”
infrastructure of web domains mimicking legitimate news sites to target
the iPhone and Android devices of its victims. Meta said it sent legal
notices to Cytrox and blocked hundreds of domains associated with its
infrastructure.
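Lookalike domains of the kind Meta describes above are a detection problem defenders can automate. The following Python script is an added example, not code from Meta, Citizen Lab or TechCrunch: it folds visually confusable characters to ASCII, decodes punycode labels, and then flags candidate domains that match a protected news domain exactly, embed its name, or sit within a small edit distance of it. The list of protected domains, the confusables table and the sample domains are all constructed for the example; a production check would use the Unicode confusables data and a public-suffix list.

```python
import unicodedata
from typing import List, Tuple

# Legitimate news domains to protect (constructed sample list).
LEGIT_DOMAINS: List[str] = ["bbc.com", "aljazeera.com", "nytimes.com", "reuters.com"]

# Characters that look like ASCII letters, folded to that letter. Hand-built and
# partial; a real deployment would load the Unicode confusables table instead.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d",
}


def normalize(domain: str) -> str:
    """Lower-case, decode xn-- labels to Unicode, then fold confusable glyphs."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")  # punycode labels become Unicode
    except (UnicodeError, ValueError):
        pass  # already Unicode, or not valid punycode: compare as given
    d = unicodedata.normalize("NFKC", d)
    return "".join(CONFUSABLES.get(ch, ch) for ch in d)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, legit: List[str] = LEGIT_DOMAINS) -> Tuple[str, str]:
    """Return (verdict, protected domain it resembles).

    Verdicts: 'exact' (the real site or a subdomain of it), 'homoglyph' (exact
    only after folding confusable characters), 'embedded' (the brand appears
    inside an unrelated registrable domain), 'lookalike' (second-level label is
    within a small edit distance), or 'unrelated'.
    """
    raw = domain.strip().lower().rstrip(".")
    norm = normalize(domain)
    folded = norm != raw
    labels = norm.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]

    for ld in legit:
        if norm == ld or norm.endswith("." + ld):
            return ("homoglyph" if folded else "exact"), ld
    for ld in legit:
        token = ld.split(".")[0]
        if len(token) >= 3 and token in norm:
            return "embedded", ld
    for ld in legit:
        token = ld.split(".")[0]
        limit = 1 if len(token) <= 5 else 2  # short brands get a tighter bound
        if levenshtein(sld, token) <= limit:
            return "lookalike", ld
    return "unrelated", ""


if __name__ == "__main__":
    # Constructed sample domains, e.g. from a DNS log or a certificate-transparency feed.
    samples = [
        "www.bbc.com",
        "bbc.com.news-alert.net",
        "nyt\u0456mes.com",   # Cyrillic i in place of Latin i
        "reutres.com",
        "aljazeera-news.com",
        "example.org",
    ]
    for s in samples:
        verdict, target = classify(s)
        print(f"{s:28} {verdict:10} {target}")
```

The edit-distance stage will produce false positives for very short brand names, which is why the bound tightens for labels of five characters or fewer; treat its output as a triage queue to review alongside registration date and hosting data, not as a blocklist on its own.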
Meta was acting on findings by Citizen Lab, which also on Thursday released a forensic report into the hacking of phones belonging to two Egyptians living in exile —
a former politician and the host of a popular news show who asked not
to be named. Citizen Lab said the spyware that infected their phones in
July 2021, dubbed Predator, was developed by Cytrox.
Citizen Lab first discovered the spyware on the iPhone belonging to
Ayman Nour, an Egyptian politician and outspoken critic of the incumbent
president, Abdel Fattah el-Sisi, who took over the country following a
military coup in 2013. Nour, who lives in exile in Turkey, became
suspicious when his phone was “running hot.” Citizen Lab found that
Nour’s phone had been infected with Pegasus, the now-infamous spyware
created by NSO Group. That led to the discovery that his phone had been
concurrently hit by the newly discovered Predator spyware.
Both Nour’s phone and the phone belonging to the host of the news
show were running iOS 14.6, the latest version of iOS at the time of the
hacks, suggesting the spyware made use of a never-before-seen exploit
in the iPhone’s software to infect the phones. Apple spokesperson Scott
Radcliffe declined to say whether the company had fixed the
vulnerability.
Predator’s feature set closely resembles that of NSO’s Pegasus. Citizen
Lab said Nour was sent a malicious link over WhatsApp. When opened, the
spyware can access a phone’s cameras and microphone and can exfiltrate
the phone’s data. Predator — unlike Pegasus — lacks the ability to
silently infect a phone without any user interaction, but it makes up
for that with persistence. Citizen Lab said the spyware can survive a
reboot of an iPhone — typically clearing any spyware lurking in its
memory — by creating an automation using the Shortcuts feature built
into iOS.
The researchers said that, “remarkably,” Nour’s phone was compromised
at the same time with both Pegasus and Predator, but that the
infections were likely unrelated.
“Based on the slapdash nature of Predator’s code, it’s clear we’re
looking at the B Team here,” said Bill Marczak, one of the Citizen Lab
researchers who discovered and analyzed the Predator malware. “Even so,
Predator was still able to break into the latest, fully up-to-date
phones, so it’s no surprise that we found repressive governments,
including Egypt and Saudi Arabia, as Predator operators.”
Citizen Lab said it was likely that Predator is being used by
government customers in Armenia, Greece, Serbia, Indonesia, Madagascar
and Oman — plus Egypt and Saudi Arabia, which are known to target their
critics with mobile spyware. Meta, meanwhile, said its investigation
found Predator customers in Vietnam, the Philippines and Germany.
Cytrox CEO Ivo Malinkovski could not be reached for comment; an email sent prior to publication bounced as undelivered.
Meta said that it also banned four other Israeli companies involved
in the surveillance-for-hire business: Cobwebs, Cognyte, Black Cube and
Bluehawk. In addition, it banned BellTrox, an Indian hacking outfit accused of hacking into thousands of email accounts belonging to politicians and
government officials, and a China-based spyware maker believed to be
used by China’s law enforcement.
Although NSO has faced legal challenges and restrictions on its business dealings in large part because of accusations of abuse and spying on members of
civil society — claims that the company has repeatedly denied — the
social media giant warned that the growing surveillance industry
continues to proliferate regardless.
“We will continue to investigate and enforce against anyone abusing
our apps,” Meta’s report said. “However, these cyber mercenaries work
across many platforms and national boundaries. Their capabilities are
used by both nation-states and private enterprises, and effectively
lower the barrier to entry for anyone willing to pay. For their targets,
it is often impossible to know they are being surveilled across the
internet.”