Meta Platforms on Thursday revealed it took steps to deplatform seven cyber mercenaries that it said carried out "indiscriminate" targeting of journalists, dissidents, critics of authoritarian regimes, families of opposition, and human rights activists located in over 100 countries, amid mounting scrutiny of surveillance technologies.
To that end, the company said it alerted 50,000 users of Facebook and Instagram that their accounts were spied on by the companies, who offer a variety of services that run the spyware gamut from hacking tools for infiltrating mobile phones to creating fake social media accounts to monitor targets. It also removed 1,500 Facebook and Instagram accounts linked to these firms.
"The global surveillance-for-hire industry targets people across the internet to collect intelligence, manipulate them into revealing information and compromise their devices and accounts," Meta's David Agranovich and Mike Dvilyanski said. "These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer."
Four of the cyber mercenary enterprises — Cobwebs Technologies, Cognyte, Black Cube, and Bluehawk CI — are based in Israel. Also included in the list is an Indian company known as BellTroX, a North Macedonian named Cytrox, and an unknown entity operating out of China that's believed to have conducted surveillance campaigns focused on minority groups in the Asia-Pacific region.
The social media giant said it observed these commercial players engaging in reconnaissance, engagement, and exploitation activities to further their surveillance objectives. The companies operated a vast network of tools and fictitious personas to profile their targets, establish contact using social engineering tactics and, ultimately, deliver malicious software through phishing campaigns and other techniques that allowed them to access or take control of the devices.
Citizen Lab, in an independent report, disclosed that two Egyptians living in exile had their iPhones compromised in June 2021 using a new spyware called Predator built by Cytrox. In both instances, the hacks were facilitated by sending single-click links to the targets via WhatsApp, with the links sent as images containing URLs.
While the iOS variant of Predator works by running a malicious shortcut automation retrieved from a remote server, the Android samples unearthed by Citizen Lab features capabilities to record audio conversations and fetch additional payloads from a remote attacker-controlled domain. The Apple devices were running iOS 14.6, the then-latest version of the mobile operating system at the time of the hacks, suggesting the weaponization of a never-before-seen exploit to target the iPhones. It's not immediately clear if the company has already fixed the vulnerability.
"The targeting of a single individual with both Pegasus and Predator underscores that the practice of hacking civil society transcends any specific mercenary spyware company," Citizen Lab researchers said. "Instead, it is a pattern that we expect will persist as long as autocratic governments are able to obtain sophisticated hacking technology. Absent international and domestic regulations and safeguards, journalists, human rights defenders, and opposition groups will continue to be hacked into the foreseeable future."
In a related development, the U.S. Treasury Department added eight more Chinese companies — drone maker DJI Technology, Megvii, and Yitu Limited, among others — to an investment blocklist for "actively cooperating with the [Chinese] government's efforts to repress members of ethnic and religious minority groups," including Muslim minorities in the Xinjiang province.
Meta's sweeping crackdown also comes close on the heels of a detailed technical analysis of FORCEDENTRY, the now-patched zero-click iMessage exploit put to use by the embattled Israeli company NSO Group to surveil journalists, activists, and dissidents around the world.
Google Project Zero (GPZ) researchers Ian Beer and Samuel Groß called it "one of the most technically sophisticated exploits" that uses a number of clever tactics to get around BlastDoor protections added to make such attacks more difficult, and take over the devices to install the Pegasus implant.
Specifically, the findings from GPZ point out how FORCEDENTRY leveraged a quirk in iMessage's handling of GIF images — a vulnerability in the JBIG2 image compression standard that's used to scan text documents from a multifunction printer — to trick the targets into opening and loading a malicious PDF without requiring any action on their part.
"NSO is only one piece of a much broader global cyber mercenary industry," Agranovich and Dvilyanski added.
Following the revelations, the U.S. government subjected the spyware vendor to economic sanctions, a decision that has since prompted the company to mull a shutdown of its Pegasus unit and a possible sale. "Talks have been held with several investment funds about moves that include a refinancing or outright sale," Bloomberg said in a report published last week.