Tuesday, May 28, 2024

Meta Removes 7 Surveillance-for-Hire Operations From Its Platforms

For years, surveillance-for-hire companies have quietly used Facebook, Instagram, and WhatsApp as springboards to target people in more than 100 countries. Today, Meta removed seven of them from its platforms, and is notifying more than 50,000 people that they may have been impacted by the activity. Meta says that many are journalists, human rights activists, dissidents, political opposition figures, and clergy, but that others are simply everyday people, like someone who is party to a lawsuit.

Meta conducted extensive account takedowns and dismantled other infrastructure on its platforms as part of the action, banned the organizations, and sent them cease and desist warnings. The company says it is also sharing its research and indicators of compromise publicly so other platforms and security organizations can better identify similar activity. The findings underscore the breadth of the targeted surveillance industry and the massive scope of targeting it enables worldwide.

“Cyber mercenaries often claim that their services and their surveillance-ware are meant to focus on tracking criminals and terrorists, but our investigations and similar investigations by independent researchers, our industry peers, and governments have demonstrated that the targeting is in fact indiscriminate,” Nathaniel Gleicher, Meta's head of security policy, said on a Thursday call with reporters. “These companies … are building tools to manage fake accounts, to target and surveil people, to enable the delivery of malware, and then they’re providing them to any clients who are most interested—the clients who are willing to pay. Which means that there are far more threat actors able to use these tools than there would be without this industry.”

The seven surveillance companies Meta is taking action against are Cobwebs Technologies, an Israeli web intelligence firm with offices in the US; Cognyte, an Israeli firm formerly known as WebintPro; Black Cube, an Israeli firm with a presence in the United Kingdom and Spain; Bluehawk CI, which is based in Israel and has offices in the US and UK; BellTroX, based in India; Cytrox, a North Macedonian firm; and an unknown group based in China.

Meta emphasizes that the surveillance-for-hire industry overall conducts its work in three categories. You can think of it as phases of a surveillance chain; different firms have different specialities within that superstructure. 

The first phase is “reconnaissance,” in which firms broadly collect information about targets, often through automated, bulk collection on the public internet and dark web. The second stage is “engagement,” in which operators actually reach out to targets, attempting to establish a relationship and build trust with them. Surveillance companies set up fake profiles and personas, posing as, say, grad students or journalists to have an excuse to reach out to targets. They may also distribute fabricated content and misinformation, all to build a rapport. And the third stage is “exploitation,” or “hacking for hire,” in which actors can exploit this trust if needed to get targets to provide information, click a malicious link, download a malicious attachment, or take some other type of action.

Each phase can play out on a number of platforms and services. Meta's WhatsApp, for example, is a common venue for distributing malicious links to victims. And Facebook and Instagram make natural breeding grounds for fake personas.

Researchers at University of Toronto's Citizen Lab also published findings today looking closely at Cytrox, specifically, and its spyware known as Predator. The researchers studied two situations in which Predator infected the devices of Egyptian victims. One is the exiled politician Ayman Nour, and the other hosts an Egyptian news program and asked to remain anonymous. Nour's case is particularly shocking, because his device was simultaneously infected with both Predator and Israeli spyware maker NSO Group’s notorious Pegasus product. A different government operator controlled each piece of malware, Citizen Lab says.

Both targets were infected with Cytrox’s Predator spyware in June while running the latest version of Apple's iOS mobile operating system, which was 14.6 at the time. Predator got on their devices when they clicked malicious links sent to them on WhatsApp.

“Although the technical sophistication of Predator is definitely B-team compared to NSO's Pegasus, the harm is still very much there,” says John Scott-Railton, senior researcher at Citizen Lab. “The feeling of being a researcher investigating this stuff right now is that wherever you scratch you find it; whatever rock you turn over you find it. Meta is talking about seven companies here. There are probably two dozen more that haven’t yet made it to the radar and haven’t been addressed. At the end of the day the problem is deeply systemic and transcends a single company.”

NSO Group has faced increasing consequences in recent months for the aggressive and invasive nature of its hacking tools and lack of controls on how they are deployed. But Meta's actions show how widespread the surveillance-for-hire industry is, with plenty of relatively anonymous companies working at a huge scale.

Researchers at Meta say that industry collaboration and work with democratic governments is crucial in addressing this threat. Focusing on the spyware tools distributed by groups like NSO is important, but attempting to catch more of the activity further up the chain is valuable as well, Gleicher says, ideally before malware ever actually hits victims' devices.
