Surveillance-for-hire: Are you a target of the booming spy business?
Meta has exposed and acted against entities that have been spying on people and organizations around the globe. Find out how the threat actors operate and learn what you can do to protect yourself.
In the shady waters of the internet are swimming several threat actors specialized in running surveillance services. While the most advanced ones are state-sponsored, others are private companies selling offensive services. Behind claims that they are doing only ethical hacking, most of them have no problem working as mercenaries, not caring at all about ethics. Any individual or any company can become their target, as long as someone pays to spy on them.
Seven companies exposed by Meta
In a recent report, Meta (formerly Facebook) exposed and disrupted the activities of seven entities that targeted people worldwide in more than a hundred countries. Those entities originated in China, India, Israel and North Macedonia.
All seven provided intrusion software tools and surveillance services that, according to Facebook, regularly targeted journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists around the world. Those services are sold to just about any person or entity who needs it and are illegal.
Three steps are needed to fully provide their surveillance service:
- Reconnaissance: This is the initial step that consists mainly of profiling the target and
- collecting useful information about it.
- Engagement: This part consists of engaging contact with the target or people close to it in an effort to build enough trust to entice the target to download/execute files or click on infecting links. This is where social engineering and attacking experience come into play. Attackers may use fake social media profiles and reach out directly to their targets.
- Exploitation: This is the final step in the surveillance operation setup. The goal is to compromise the targets device(s) and start enabling surveillance. While the tools and exploits used in this stage greatly vary from a technical perspective, generally the attacker is from this moment able to access any data on the target’s phone or computer, including passwords, cookies, access tokens, photos, videos, messages and address books. The attacker might also silently activate the microphone, camera and geo-location tracking of the device.
SEE: How to migrate to a new iPad, iPhone, or Mac (TechRepublic Premium)
Meta exposed the activities of the seven entities and what kind of actions they provide in the surveillance chain. It took actions against the seven:
“To help disrupt these activities, we blocked related infrastructure, banned these entities from our platform and issued Cease and Desist warnings, putting each of them on notice that their targeting of people has no place on our platform and is against our Community Standards. We also shared our findings with security researchers, other platforms, and policymakers so they too can take appropriate action. We also notified people who we believe were targeted to help them take steps to strengthen the security of their accounts.”
Meta has closed several hundred fake social media accounts used by the seven and alerted more than 50,000 people that they were being targeted by those entities.
A big blurry business
In addition to the Meta report, several investigations from threat researchers over the last few years have been aimed at exposing companies specialized in IT security with parts or all of their services focused on “ethical hacking,” “offensive security,” “advanced penetration testing” and “cyber detective services,” among other terms used.
These companies often use service descriptions that are sometimes vague — or just the opposite: quite precise (Figure A and Figure B).
Figure A
Figure B
Litigations and other formal complaints have been collected by Citizen Lab.
A striking example: The Pegasus malware
The Pegasus malware framework developed by an Israeli-based company called NSO Group has been exposed since 2016 by Citizen Lab. It is a spyware aimed at infecting mobile phones running iOS and Android operating systems, with capabilities to provide complete access to the device’s messages, emails, media, microphone, camera, calls and contacts.
Recently, security researchers from Google’s Project Zero Team published a technical analysis of one exploit being used by Pegasus, an iMessage-based zero-click exploit using the vulnerability CVE-2021-30860. The researchers assess it to be one of the most technically sophisticated exploits they have ever seen. They also mention that it is “demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.”
Pegasus has targeted multiple kinds of targets in different countries for customers of the NSO group. These targets may be business executives, journalists, lawyers, human rights activists, religious or politics figures, NGO employees, academics, government officials and even family members of some targets. Lawsuits are ongoing against NSO in various countries as of today.
SEE: Top Android security tips (free PDF) (TechRepublic)
Why should companies care?
It’s not just individuals who are targeted by surveillance-for-hire entities. Companies might be targeted as well. The attackers could target sensitive employees, like directors or high executives, but also target any employee just to gain access to the corporate network. Once it’s done, they will explore the network or directly head to the accounts of people they know will have the information they want. The attackers might get permanent backdoor access to the targets’ emails, phone messages and calls, or even monitor all of their targets’ daily actions.
In addition to surveillance, the attackers might start stealing information like intellectual property or industrial secrets, roadmaps of sensitive products or just about any useful information that might help competitive intelligence.
How can companies protect themselves?
Companies need to strengthen their efforts in detecting initial compromise on their networks, on the usual servers and endpoints, but also on all the smartphones used in the company.
Companies should:
- Keep systems and software always up to date.
- Always deploy patches as soon as possible. This might prevent an initial compromise via a new vulnerability.
- Run full security audits on networks and computers and correct everything that needs to be changed or updated.
- Use intrusion prevention systems/intrusion detection systems (IPS/IDS).
For the smartphones, they should:
- Always keep the operating system up to date.
- Deploy security tools on all smartphones and keep them up to date.
- Prohibit installation of unnecessary applications on the devices.
- Use only reliable application sources.
- Check every application’s permissions.
- Do not use public Wi-Fi.
- Be wary of social engineering scams. Do not answer or click on links coming from unidentified third parties or from colleagues without checking via a second channel (a call from another phone, for example) that it really came from them.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.