Taking Action Against the Surveillance-For-Hire Industry

2 years ago

By David Agranovich, Director, Threat Disruption and Mike Dvilyanski, Head of Cyber Espionage Investigations

The global surveillance-for-hire industry targets people to collect intelligence, manipulate and compromise their devices and accounts across the internet.
While these “cyber mercenaries” often claim that their services only target criminals and terrorists, our months-long investigation concluded that targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists.
We disabled seven entities who targeted people across the internet in over 100 countries; shared our findings with security researchers, other platforms and policymakers; issued Cease and Desist warnings; and also alerted people who we believe were targeted to help them strengthen the security of their accounts.

Recently, there has been an increased focus on NSO, the company behind the Pegasus spyware (software used to enable surveillance) that we enforced against and sued in 2019. However, NSO is only one piece of a much broader global cyber mercenary industry. Today, as part of a separate effort, we are sharing our findings about seven entities that we removed from our platform for engaging in surveillance activity and we will continue to take action against others as we find them.

What Is Surveillance-For-Hire?

The global surveillance-for-hire industry targets people across the internet to collect intelligence, manipulate them into revealing information and compromise their devices and accounts. These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target or the human rights abuses they might enable. This industry “democratizes” these threats, making them available to government and non-government groups that otherwise wouldn’t have these capabilities.

We observed three phases of targeting activity by these commercial players that make up their “surveillance chain”: Reconnaissance, Engagement and Exploitation. Each phase informs the next. While some of these entities specialize in one particular stage of surveillance, others support the entire attack chain.

Reconnaissance: This stage is typically the least visible to the targets, who are silently profiled by cyber mercenaries on behalf of their clients, often using software to automate data collection from across the internet. These providers pull information from all available online records such as blogs, social media, knowledge management platforms like Wikipedia and Wikidata, news media, forums and “dark web” sites.
Engagement: This phase is typically the most visible to its targets and critical to spot to prevent compromise. It is aimed at establishing contact with the targets or people close to them in an effort to build trust, solicit information and trick them into clicking on malicious links or files.
Exploitation: The final stage manifests as what’s commonly known as “hacking for hire.” Providers may create phishing domains designed to trick people into giving away their credentials to sensitive accounts like email, social media, financial services, and corporate networks or click on malicious links to compromise people’s devices.

Although public debate has mainly focused on the exploitation phase, it’s critical to disrupt the entire lifecycle of the attack because the earlier stages enable the later ones. If we can collectively tackle this threat earlier in the surveillance chain, it would help stop the harm before it gets to its final, most serious stage of compromising people’s devices and accounts. See more details on these stages of surveillance attacks in the Threat Report.

Our Enforcement Actions

As a result of our months-long investigation, we took action against seven different surveillance-for-hire entities. They provided services across all three phases of the surveillance chain to indiscriminately target people in over 100 countries on behalf of their clients. These providers are based in China, Israel, India, and North Macedonia. See a full list of entities we took down in the Threat Report.

The “surveillance-for-hire” entities we removed violated multiple Community Standards and Terms of Service. Given the severity of their violations, we have banned them from our services. To help disrupt these activities, we blocked related internet infrastructure and issued Cease and Desist letters, putting them on notice that their targeting of people has no place on our platform. We also shared our findings with security researchers, other platforms, and policymakers so they can take appropriate action.

We alerted around 50,000 people who we believe were targeted by these malicious activities worldwide, using the system we launched in 2015. We recently updated it to provide people with more granular details about the nature of targeting we detect, in line with the surveillance chain phases framework we shared above.

Broader Response to Abuse by Surveillance-For-Hire Groups

The existence and proliferation of these services worldwide raises a number of important questions. While cyber mercenaries often claim that their services and surveillanceware are meant to focus only on criminals and terrorists, our own investigation, independent researchers, our industry peers and governments have demonstrated that targeting is indeed indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists. In fact, for platforms like ours, there is no scalable way to discern the purpose or legitimacy of such targeting. This is why we focus on enforcing against this behavior, regardless of who’s behind it or who the target might be.

To support the work of law enforcement, we already have authorized channels where government agencies can submit lawful requests for information, rather than resorting to the surveillance-for-hire industry. These channels are designed to safeguard due process and we report the number and the origin of these requests publicly.

Protecting people against cyber mercenaries operating across many platforms and national boundaries requires a collective effort from platforms, policymakers and civil society to counter the underlying market and its incentive structure. We believe a public discussion about the use of surveillance-for-hire technology is urgently needed to deter the abuse of these capabilities both among those who sell them and those who buy them, anchored in the following principles:

Greater transparency and oversight: There is a need for a robust international oversight that establishes transparency and “know your customer” standards for this market and holds surveillance-for-hire entities to these norms.
Industry collaboration: Surveillance efforts manifest differently on various tech platforms, making industry collaboration critical if we want to fully understand and mitigate adversarial surveillance efforts.
Governance and ethics: We welcome domestic and international efforts to raise accountability through legislation, export controls and regulatory actions. We also encourage broader conversations about the ethics of using these surveillance technologies by law enforcement and private companies, as well as creating effective victim protection regimes.

We’re encouraged to see our peers and governments begin to draw attention to this threat and take action against it. For our collective response against abuse to be effective, it is imperative for technology platforms, civil society and democratic governments to raise the costs on this global industry and disincentivize these abusive surveillance-for-hire services. Our hope with this threat report is to contribute to this global effort and help shine the light on this industry.

See the full Threat Report for more information about our findings and recommendations.