It is really sad, the extent to which journalists, human rights activists and advocates, political dissidents, and private citizens and their families are the subject of intrusion by governments, corporations, and organizations.
Reports From Meta, Citizen Lab Reveal Dark World of Facebook Cyber Spies-for-Hire
Researchers at Facebook and Citizen Lab have identified a network of mercenary cyber spy companies willing to surveil anyone for the highest bidder.
Meta is warning 50,000 people that they were the targets of “indiscriminate” surveillance carried out by a booming industry of cyberspies for hire who will track, trick, and hack targets for the highest bidder.
That’s according to two new reports from security researchers at Meta (the company that owns Facebook) and the University of Toronto’s Citizen Lab, which tracks cybersecurity abuses against human rights groups and journalists.
In a report issued on Thursday, Meta identified seven firms—including one first identified by The Daily Beast—based in India, Israel, Macedonia, and China engaged in creating fake Facebook, Instagram, and WhatsApp accounts to spy on victims in at least 100 countries on behalf of shady clients.
And in its own new report, Citizen Lab found one of those companies, Cytrox, hacked the phone of Ayman Nour, an Egyptian opposition activist and former Egyptian presidential candidate, with sophisticated iOS malware sent via malicious links in the WhatsApp messaging app.
The companies, Meta said, engaged in “indiscriminate” surveillance and targeted victims that included “journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists.”
“What we’re seeing is that these companies are democratizing access to these types of techniques,” Nathaniel Gleicher, Meta’s head of security policy, said. “They are building tools to manage fake accounts, to target and surveil people, to enable the delivery of malware and then they’re providing them to any clients who are willing to pay.”
Meta researchers say such firms form a crucial part of a broader espionage ecosystem that feeds targeting information to hack-for-hire companies like the Israel-based NSO Group. NSO’s iPhone-busting malware has garnered investigations from human rights groups and sanctions from the Biden administration. But Meta researchers say hacking-for-hire firms like NSO are enabled by the spying activities of smaller companies that may not engage in hacking but do leverage sock puppet accounts and other dirty tricks to help hacking mercenaries identify and target their victims.
The report published by Meta on Thursday identified seven surveillance-for-hire firms which company officials found abusing Facebook, Instagram, and WhatsApp platforms to conduct espionage.
Among the companies in Meta’s report is Bluehawk CI, an Israeli snoop-for-hire firm first identified by The Daily Beast and Meta’s security team in April for its role in impersonating reporters from Fox News and other journalists in an attempt to dig up dirt on critics of the emir of Ras Al Khaimah—one of the seven emirates that make up the United Arab Emirates.
In the wake of The Daily Beast’s April story on Bluehawk, Meta suspended nearly 100 accounts linked to the firm. The firm uses fake accounts both to elicit compromising information from targets and “to trick [targets] into installing malware,” according to Meta. Bluehawk operatives tried to sneak back onto Meta’s platforms more recently by trying to create fake accounts purporting to be based in Argentina, according to the company.
Of the seven companies identified in Meta’s report, four were either based or founded in Israel—a sign of the country’s growing reputation as a haven for the surveillance-for-hire industry.
Radha Stirling, whose clients were targeted by Bluehawk CI, told The Daily Beast that American officials “must do everything in their power to hold foreign states and corporations to account for espionage against citizens or we will continue to see an escalation of belligerence that puts individuals and our very security at risk.”
“We intend to push for prosecution to the fullest extent of the law. The prevalence of these acts raises the question of sanctions against states who continue to target Americans,” she said.
Guy Klisman, a former Israel Defense Forces officer who founded Bluehawk, did not respond to text messages from The Daily Beast.
Many of the firms mentioned in Meta’s report engaged in social engineering—tricking targets into handing over sensitive information through deceptive tactics like fake accounts. But Cytrox, a Macedonian-Israeli company identified by Citizen Lab, went further and hacked targets for its clients.
In its report, Citizen Lab said it found Cytrox iOS malware on the phones of two victims: former Egyptian presidential candidate Ayman Nour, and an unnamed Egyptian “host of a popular news program.” Cytrox was first formed as part of a network of Israeli spyware companies called Intellexa in order to compete with NSO Group.
In a sign of the competition between the firms, Citizen Lab researchers found an active infection of Cytrox malware running on Nour’s phone at the same time as NSO Group’s Pegasus malware. Like NSO’s Pegasus software, Cytrox’s malware, known as Predator, is able to defeat the security of Apple’s mobile operating system iOS when users click a malicious link loaded with it. The two targets identified by Citizen Lab were infected after clicking on spoofed links sent to them via WhatsApp and meant to look like legitimate news websites.
Starting in 2020, Nour said his concerns about his security grew, leading him to reach out to a British cybersecurity firm for help. The firm then turned his phone over to Citizen Lab, which discovered both the Cytrox and NSO malware.
“For many years, I had doubts about being hacked on my phone, but since 2018, serious signs began to appear,” Nour said in a statement to The Daily Beast. “Egyptian and Arabic TV channels started to broadcast parts of my calls and build false stories around it, as well as publishing my personal photos.”
“The experience is violent in its psychological effects and it is enough to say that I have completely stopped communicating with my children, my family, and my friends to protect them from any hazards,” Nour wrote.
Meta said its researchers found a “vast domain infrastructure” used by Cytrox to target its victims and uncovered customers of the firm located in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Côte d’Ivoire, Vietnam, the Philippines and Germany.
Black Cube, the private intelligence firm staffed by former Mossad officers, is among the most notorious of the firms named in Thursday’s Meta report. In 2016, the firm helped convicted rapist Harvey Weinstein by sending operatives to dig up dirt on his accusers and spy on journalists from The New Yorker and The New York Times who were reporting on them.
More recently, Meta security officials have caught Black Cube operatives creating fake accounts to sidle up to targets with fake personas that included “graduate students, NGO and human rights workers, and film and TV producers.” The fake accounts solicited email addresses from their targets which Meta says were “likely for later phishing attacks.”
In a statement sent to The Daily Beast, Black Cube claimed that it “does not undertake any phishing or hacking and does not operate in the cyber world” and “obtains legal advice in every jurisdiction in which we operate.”
Other espionage-for-hire firms identified by Meta researchers include Cognyte, which holds itself out as a “security intelligence company,” Cobwebs Technologies, which claims to specialize in providing “web intelligence solutions,” and BellTroX, an India-based firm first identified by Reuters.
Meta security officials were unable to identify one anonymous firm based in China which developed surveillance tools, including facial recognition software, for use by Chinese law enforcement agencies. The company’s suite of services ranged from approaching targets with fake accounts to hacking them with custom malware, which was used against targets in Hong Kong and Xinjiang, where Chinese authorities have engaged in particularly aggressive surveillance, as well as Myanmar.
While the surveillance-for-hire industry is hardly new—private intelligence firms have existed for decades—Meta says that the growth of the industry has worked to “lower the barrier to entry” for anyone looking to buy information on their adversaries, regardless of who they might be.
Meta identifies six firms, including India’s BellTroX, for spying on users
Ryan Gallagher | Bloomberg
Facebook parent Meta Platforms Inc. has announced a sweeping crackdown on surveillance companies that it says have used its social media websites to spy on people in more than 100 countries.
In a report published on Thursday, Meta identified six companies from Israel, India, and North Macedonia, in addition to an unknown entity in China, which it said carried out “indiscriminate” surveillance targeting thousands of people.
Meta said it had blocked infrastructure associated with the companies, issued cease and desist warnings to them, and banned about 1,500 of their accounts from Facebook and Instagram, which had secretly been used to carry out reconnaissance, launch hacking campaigns and trick people into providing personal information.
Those targeted for surveillance by the companies included journalists, dissidents, critics of authoritarian regimes, and families of opposition and human rights activists, according to Meta. More than 48,000 people believed to have been targeted by the surveillance companies were alerted by Meta.
“The goal of today’s enforcement is not just to take down their accounts, but to disrupt their activity in the most costly way possible, to blow the cover on their operations and bring transparency to the industry,” said David Agranovich, Meta’s director of threat disruption.
The revelations come amid increasing scrutiny of companies that provide governments with surveillance technologies. The firms, such as Israel’s NSO Group Ltd, contend that they provide the tools to help intelligence and law enforcement agencies fight serious crime and terrorism. But there have been repeated examples in recent years in which governments have allegedly used the technology to spy on dissidents, human rights activists, and journalists.
On Tuesday, a group of 18 U.S. lawmakers wrote to the U.S. Department of the Treasury and the State Department, urging them to use Global Magnitsky sanctions to punish NSO Group and other surveillance companies they accused of enabling human rights abuses. The embattled NSO Group is now said to be exploring options that include shutting its controversial Pegasus spyware unit and selling the entire company, Bloomberg News reported.
Meta says its report aims to show “that NSO is only one piece of a much broader global cyber mercenary ecosystem.” It names four other Israeli firms as having been involved in providing the “surveillance-for-hire” services (Cobwebs Technologies, Cognyte, Black Cube and Bluehawk CI) in addition to an unknown entity in China. Most of the companies didn’t respond to requests for comment.
A spokesperson for Black Cube said the company operates in compliance with local laws and “does not undertake any phishing or hacking and does not operate in the cyber world.” The company “works with the world’s leading law firms in proving bribery, uncovering corruption and recovering hundreds of millions in stolen assets,” the spokesperson added.
Meital Levi Tal, spokeswoman for Cobwebs Technologies, said the company hasn’t “been contacted by Facebook (Meta) and are unaware of any claims it has allegedly made about our services. Cobwebs operates only according to the law and adheres to strict standards in respect of privacy protection.”
John Scott-Railton, a senior researcher at Citizen Lab, a research group at the University of Toronto that focuses on abuses of surveillance technology, said that Meta’s “broad stroke enforcement action” would send “a really clear signal of the way it’s going to treat other offensive players going forward.”
“It’s significant, because it shows this is not the problem of a single company or a handful of companies. It’s an industry-wide problem.”
Meta accused Cobwebs of operating hundreds of fake accounts used to collect information on their targets, who included activists, politicians and government officials in Hong Kong and Mexico. Bluehawk CI was said to use fake accounts posing as journalists to trick people into installing malicious software on their computers, targeting politicians and businessmen in the Middle East. Black Cube was accused of operating fake personas to gather information on people in medical, mining, minerals and energy industries, as well as Palestinian activists and people in Russia involved in finance and real estate development.
India’s BellTroX allegedly operated fake accounts used in suspected efforts to hack people’s phones or computers; the company targeted lawyers, doctors, activists, and members of the clergy in countries including Australia, Angola, Saudi Arabia and Iceland. Meta found a “vast domain infrastructure” associated with Cytrox, which it said was likely used in hacking campaigns that targeted politicians and journalists, including in Egypt and Armenia. Moreover, Meta linked the unknown entity in China to domestic law enforcement in the country and observed it had been supporting surveillance campaigns focused on minority groups in the Asia-Pacific, including the Xinjiang region of China, Myanmar and Hong Kong.
Separately on Thursday, Citizen Lab published a report linking Cytrox to hacks that targeted two prominent critics of the Egyptian government.
The company has developed spyware called Predator that can penetrate iOS and Android mobile devices to secretly record conversations and steal data, Citizen Lab found.
In June, Cytrox’s spy technology compromised a phone belonging to Ayman Nour, the exiled president of the Union of the Egyptian National Forces, an opposition political group. The spyware was also found on the phone of an Egyptian journalist in exile who is the host of a popular news program, according to Citizen Lab’s report, which does not name the journalist.
Citizen Lab’s digital analysis identified multiple servers associated with the delivery of Cytrox’s spyware, in countries including Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia. Governments in those countries are likely among Cytrox’s customers, according to Citizen Lab.
“What the public is learning this year is that there is a large cyber insecurity industry that sells these offensive tools,” said Scott-Railton, the senior researcher at Citizen Lab. “And as long as there is no serious oversight, the offensive tools will be used in the same way: to target dissidents, journalists and others. Until there are serious systematic efforts to address this problem, the horrors will keep happening.”
Cytrox has a limited online footprint and has received little media coverage. The company originated as a startup in Macedonia, but was later acquired by Tal Dilian, an Israeli intelligence agency veteran, in a deal worth about $5 million, Forbes reported in 2019. A representative for Dilian didn’t respond to a request for comment.
According to Citizen Lab, Cytrox is involved in a surveillance industry alliance called Intellexa, which was founded by Dilian and says it offers law enforcement and intelligence agencies “cutting-edge technological platforms” that protect communities from criminal activities.
Cytrox has impersonated popular companies and websites—including Apple, Fox News, Instagram, LinkedIn, Tesla, Twitter and YouTube—in order to dupe hacking targets into clicking on malicious links, Citizen Lab’s researchers found.
The two Egyptians who were hacked earlier this year received messages on WhatsApp that tried to trick them into clicking on what appeared to be legitimate news websites, but were in fact malicious domains set up to deliver Cytrox’s spyware, Citizen Lab reported.
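The lure described above, a link that looks like a legitimate news site but points at an attacker-controlled domain, is something a defender can screen for before anyone taps it. What follows is an added example, not code from Citizen Lab, Meta or any of the reports: it pulls the links out of a message and flags hosts that borrow a known brand name without being that brand's registrable domain, covering a brand label pushed into a subdomain, a brand embedded in a hyphenated domain, a one- or two-character typosquat, and punycode (IDN) labels that can hide homoglyphs. The allow-list of genuine domains, the short public-suffix table, the sample messages and every domain in them are constructed for the example; none are indicators from the Citizen Lab or Meta reports.

```python
import re
from urllib.parse import urlsplit

# Genuine domains for the brands Citizen Lab says Cytrox impersonated. This
# allow-list is an assumption for the example; a deployment would maintain its own.
KNOWN_DOMAINS = {
    "apple.com", "foxnews.com", "instagram.com", "linkedin.com",
    "tesla.com", "twitter.com", "youtube.com",
}

# A few multi-label public suffixes so registrable_domain() does not reduce
# "news.bbc.co.uk" to "co.uk". A real deployment would load the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.eg", "com.au"}

HOST_RE = re.compile(r"^[a-z0-9.-]+$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Return the owner-controlled part of a hostname (e.g. 'apple.com')."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Classify a link as 'known', 'suspicious', 'unknown' or 'invalid'.

    Returns (verdict, reason). 'suspicious' means the host trades on a known
    brand without being that brand's registrable domain.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host or not HOST_RE.match(host):
        return "invalid", "no usable hostname"

    reg = registrable_domain(host)
    if reg in KNOWN_DOMAINS:
        return "known", reg

    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "suspicious", "punycode label may hide homoglyphs"

    reg_labels = reg.split(".")
    subdomain_labels = labels[:-len(reg_labels)]
    reg_label = reg_labels[0]
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0]
        if brand in subdomain_labels:
            return "suspicious", f"brand '{brand}' used as a subdomain of {reg}"
        if brand in reg_label.split("-"):
            return "suspicious", f"brand '{brand}' embedded in registrable domain {reg}"
        # Short brands tolerate one edit, longer ones two, to limit false positives.
        max_dist = 1 if len(brand) <= 5 else 2
        if edit_distance(reg_label, brand) <= max_dist:
            return "suspicious", f"'{reg_label}' is a near-miss of '{brand}'"
    return "unknown", reg


def scan_message(text):
    """Classify every link in a message; returns a list of (url, verdict, reason)."""
    return [(url,) + classify_url(url) for url in URL_RE.findall(text)]


# Constructed messages in the style of the lures described above. The domains
# are invented for this example and are not indicators from any report.
SAMPLE_MESSAGES = [
    "Breaking: read the full story https://apple.com.account-verify.net/news/1",
    "Your account needs attention: http://instagram-security.net/verify",
    "Interview clip here https://www.youtube.com/watch?v=abc",
    "See https://twiter.com/status/1 and https://xn--pple-43d.com/login",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict, reason in scan_message(msg):
            print(f"{verdict:10} {url}  ({reason})")
```

A 'suspicious' verdict is grounds to treat the link as a possible lure, not proof of spyware: the heuristics will also flag benign names that happen to sit one edit away from a short brand, and a deployment would load the full Public Suffix List and its own allow-list. Confirming an infection like the ones found on Nour's phone still requires forensic examination of the device, as Citizen Lab did.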
In Nour’s case, he became suspicious that his phone had been infected after it began overheating. Citizen Lab’s researchers forensically examined it, finding that it had been successfully infected by two variants of spyware: Cytrox’s Predator and NSO Group’s Pegasus.
Citizen Lab notified WhatsApp parent Meta about its findings, which prompted the company to initiate its own investigation. According to Meta’s report published on Thursday, it identified and removed approximately 300 Facebook and Instagram accounts linked to Cytrox’s spying efforts.
Companies such as Cytrox are “democratizing access” to spying techniques, said Nathaniel Gleicher, Meta’s head of security policy. “They are building tools to manage fake accounts, to target and surveil people, to enable the delivery of malware. And they are providing them to any clients most interested – the clients who are willing to pay.”
Dec. 16, 2021, 12:00 PM PST / Updated Dec. 16, 2021, 7:53 PM PST
By Ken Dilanian
Spies for hire are secretly targeting journalists, human rights activists and political dissidents on behalf of corporations and governments to an extent not previously understood, Facebook’s parent company said in a new report as it banned six companies and a Chinese network named in the report from its social media platforms.
“The global surveillance-for-hire industry targets people across the internet to collect intelligence, manipulate them into revealing information and compromise their devices and accounts,” says the report by Meta Platforms, the parent of Facebook, Instagram and WhatsApp. “While cyber mercenaries often claim that their services and surveillance-ware are intended to focus on criminals and terrorists, our investigation found they in fact regularly targeted journalists, dissidents, critics of authoritarian regimes, families of the opposition and human rights activists around the world.”
It’s all part of a sprawling industry “that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target or the human rights abuses they might enable,” Meta’s report says.
Nathaniel Gleicher, Meta’s security chief, said, “What this industry does is it democratizes snooping.”
A separate and related report by a Canadian research group, The Citizen Lab, describes a case study in which a phone used by an exiled Egyptian politician, Ayman Nour, was infected with two separate pieces of spyware, operated by government clients of two separate surveillance companies cited in the Meta report.
“Once you own somebody’s phone, you essentially have the next best thing to access to their mind,” said Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, a privacy rights group.
The rise of private surveillance has come to public attention most prominently through the Israeli firm NSO, which the U.S. government has blacklisted over allegations that its Pegasus software has been used to target journalists and others. The software quietly infects smartphones and can turn on cameras, voice recorders and location services without the users knowing.
NSO has denied that it allowed its products to be used for improper surveillance. Facebook sued NSO in 2019, but the Meta report says the problem goes far beyond one company.
“It’s important to realize that NSO is only one piece of a much broader global cyber mercenary ecosystem,” the report says.
The report names six companies Meta found to have engaged in “surveillance for hire,” including creating false personas on social media to fool targets into supplying personal information. The six companies were banned from Facebook, Instagram and other Meta platforms.
Four of them, CobWebs Technologies, Black Cube, Cognyte and Bluehawk CI, are based in Israel, which has long been a leader in surveillance technology. Hollywood mogul Harvey Weinstein hired Black Cube to investigate journalists who were working to uncover his sex crimes, according to court testimony.
One company banned by Meta, BelltroX, is based in India, while another, Cytrox, is headquartered in North Macedonia, Meta said.
In a statement, a spokesperson for CobWebs said: “We have not been contacted by Facebook (Meta) and are unaware of any claims it has allegedly made about our services. CobWebs operates only according to the law and adheres to strict standards in respect of privacy protection.”
A spokesperson for Black Cube said: “Black Cube does not undertake any phishing or hacking and does not operate in the cyber world. Black Cube is a litigation support firm which uses legal Humint [human intelligence] investigation methods to obtain information for litigations and arbitrations. Black Cube works with the world’s leading law firms in proving bribery, uncovering corruption, and recovering hundreds of millions in stolen assets. Black Cube obtains legal advice in every jurisdiction in which we operate in order to ensure that all our agents’ activities are fully compliant with local laws.”
The other companies did not immediately respond to requests for comment.
Meta issued its report at a delicate time for the company, which has come under heavy criticism over allegations by a former company executive that Facebook hurts children, exploits social divisions and undermines democracy in pursuit of growth and profits. The company disputes the allegations.
Gleicher said that the investigation began more than a year ago and that the timing of the report was unrelated to Meta’s public relations woes.
The report accuses the companies of deceptive practices designed to trick targets into providing information.
“Each of these companies are using fake accounts on our platforms as a core of their operation,” Gleicher said. “They’re using fake accounts to mislead or deceive people. They’re also operating on other platforms across the internet.”
In the case of Black Cube, for example, Meta said it took down about 300 Facebook and Instagram accounts linked to employees of the company, which has offices in the U.K., Israel and Spain.
“Black Cube operated fictitious personas tailored for its targets: some of them posed as graduate students, NGO and human rights workers, and film and TV producers,” the report said. “They would then attempt to set up calls and obtain the target’s personal email address, likely for later phishing attacks.”
“Our investigation found a wide range of customers, including private individuals, businesses, and law firms around the world,” Meta said. “Targeting by Black Cube on behalf of its customers was also widespread geographically and across industries, including medical, mining, minerals and energy industries. It also included NGOs in Africa, Eastern Europe, and South America, as well as Palestinian activists. They also targeted people associated with universities, telecom, high tech, consulting, legal, and financial industries, real estate development and media in Russia.”
Meta didn’t spell out all the details in its report, but it said it alerted more than 48,000 people “who we believe were targeted by these malicious activities worldwide,” including with “granular details about the types of targeting and the actor behind it so they can take steps to more effectively protect their accounts.”
To protect themselves, Gleicher said, users should run Facebook’s privacy check-ups, set up multi-factor authentication, and be careful about accepting friend requests from people they don’t know.
Privacy advocates are urging Israel and other governments to better regulate who can use and sell sophisticated spying software.
“The stakes are high, because the people who are being targeted are precisely the people who stand up for human rights in situations where it is particularly difficult to do so,” Galperin said. “And we all benefit from a world where human rights are protected and where democracy is thriving. And these tools are being used as a way to quash that.”
- Radha Stirling
- Radha Stirling is a human rights advocate, crisis manager, and policy consultant. She is the founder and CEO of Detained in Dubai, a United Kingdom-based civil and criminal justice organization, which she founded in 2008 after her colleague, Cat Le-Huey, was imprisoned in Dubai.