Meta Platforms on Thursday revealed it took steps to deplatform seven cyber mercenaries that it said carried out “indiscriminate” targeting of journalists, dissidents, critics of authoritarian regimes, families of opposition, and human rights activists located in over 100 countries, amid mounting scrutiny of surveillance technologies.
To that end, the company said it alerted 50,000 users of Facebook and Instagram that their accounts were spied on by the companies, who offer a variety of services that run the spyware gamut from hacking tools for infiltrating mobile phones to creating fake social media accounts to monitor targets. It also removed 1,500 Facebook and Instagram accounts linked to these firms.
Four of the cyber mercenary enterprises — Cobwebs Technologies, Cognyte, Black Cube, and Bluehawk CI — are based in Israel. Also included in the list is an Indian company known as BellTroX, a North Macedonian named Cytrox, and an unknown entity operating out of China that’s believed to have conducted surveillance campaigns focused on minority groups in the Asia-Pacific region.
The social media giant said it observed these commercial players engaging in reconnaissance, engagement, and exploitation activities to further their surveillance objectives. The companies operated a vast network of tools and fictitious personas to profile their targets, establish contact using social engineering tactics and, ultimately, deliver malicious software through phishing campaigns and other techniques that allowed them to access or take control of the devices.
Citizen Lab, in an independent report, disclosed that two Egyptians living in exile had their iPhones compromised in June 2021 using Predator spyware built by Cytrox. In both instances, the hacks were facilitated by sending single-click links to the targets via WhatsApp, with the links sent as images containing URLs.
While the iOS variant of Predator worked by running a malicious shortcut automation retrieved from the spyware server, the Android samples unearthed by Citizen Lab features capabilities to record audio conversations and fetch additional payloads from a remote attacker-controlled domain.
“The global surveillance-for-hire industry targets people across the internet to collect intelligence, manipulate them into revealing information and compromise their devices and accounts,” Meta’s David Agranovich and Mike Dvilyanski said. “These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer.”
In a related development, the U.S. Treasury Department added eight more Chinese companies — drone maker DJI Technology, Megvii, and Yitu Limited, among others — to an investment blacklist for “actively cooperating with the [Chinese] government’s efforts to repress members of ethnic and religious minority groups,” including Muslim minorities in the Xinjiang province.
Meta’s sweeping crackdown also comes close on the heels of a detailed technical analysis of FORCEDENTRY, the now-patched zero-click iMessage exploit put to use by the embattled Israeli company NSO Group to surveil journalists, activists and dissidents around the world.
Google Project Zero (GPZ) researchers Ian Beer and Samuel Groß called it “one of the most technically sophisticated exploits” that uses a number of clever tactics to get around BlastDoor protections added to make such attacks more difficult, and take over the devices to install the Pegasus implant.
Specifically, the findings from GPZ point out how FORCEDENTRY leveraged a quirk in iMessage’s handling of GIF images — a vulnerability in the JBIG2 image compression standard that’s used to scan text documents from a multifunction printer — to trick the targets into opening and loading a malicious PDF without requiring any action on their part.
“NSO is only one piece of a much broader global cyber mercenary industry,” Agranovich and Dvilyanski added.
Following the revelations, the U.S. government subjected the spyware vendor to economic sanctions, a decision that has since prompted the company to mull a shutdown of its Pegasus unit and a possible sale. “Talks have been held with several investment funds about moves that include a refinancing or outright sale,” Bloomberg said in a report published last week.