Meta disables 7 ‘surveillance-for-hire’ entities, alerts 50,000 users
Surveillance-for-hire companies target people to collect intelligence, manipulate and compromise their devices and accounts across the internet. These surveillance providers are based in China, Israel, India, and North Macedonia.
Meta (formerly Facebook) on Friday said it has disabled seven ‘surveillance-for-hire’ entities, including one from India, that targeted individuals including politicians, election officials, human rights activists and celebrities in over 100 countries on behalf of their clients.
The social media giant is sending alerts to almost 50,000 people across more than 100 countries who it believes were targeted by one or more of these entities. The seven entities include BellTroX (India), Cytrox (North Macedonia), Cobwebs Technologies, Cognyte, Black Cube and Bluehawk CI (Israel) and an unknown entity in China.
Releasing its ‘Threat Report on the Surveillance-for-Hire Industry’, Meta Head of Security Policy Nathaniel Gleicher said the report is a result of a months-long investigation, and the company took action against seven different surveillance-for-hire entities to disrupt their ability to use their digital infrastructure to abuse social media platforms and enable surveillance of people across the internet.
“… We’re seeing journalists who are targeted, we’re seeing political figures, politicians, election officials, we’re seeing human rights defenders and activists, celebrities, and then we’re seeing ordinary everyday people, anyone who might be party to a lawsuit for example. So, we’re seeing this very wide targeting across society,” he added.
In 2019, WhatsApp (part of Meta) had sued Israeli technology firm NSO Group — which had developed a software called Pegasus, that was allegedly used to conduct cyberespionage on journalists, human rights activists and others.
On Friday, Meta said these seven organisations provided services across all three phases of the surveillance chain — Reconnaissance, Engagement, and Exploitation — that were used to indiscriminately target people.
“To help disrupt these activities, we blocked related infrastructure, banned these entities from our platform and issued Cease and Desist warnings, putting each of them on notice that their targeting of people has no place on our platform and is against our Community Standards,” he said. These findings have also been shared with security researchers, other platforms, and policymakers, so they too can take appropriate action.
“We also notified people who we believe were targeted to help them take steps to strengthen the security of their accounts. The entities behind these surveillance operations are persistent, and we expect them to evolve their tactics. However, our detection systems and threat investigators, as well as other teams in the broader security community keep improving to make it harder for them to remain undetected,” Gleicher noted.
The report said Meta had removed about 400 Facebook accounts, the vast majority of which had been inactive for years, linked to BellTroX and used for reconnaissance, social engineering and to send malicious links. BellTroX is based in India and sells what is known as “hacking for hire” services, which had been reported previously as well. Its activity on Meta’s platform was limited and sporadic between 2013 and 2019, after which it paused.
“BellTroX operated fake accounts to impersonate a politician and pose as journalists and environmental activists in an attempt to social-engineer its targets to solicit information including their email addresses, likely for phishing attacks at a later stage,” the report said. This activity, based on the exact same playbook, re-started in 2021, with a small number of accounts impersonating journalists and media personalities to send phishing links and solicit the targets’ email addresses, it added.
Among those targeted were lawyers, doctors, activists, and members of the clergy in countries including Australia, Angola, Saudi Arabia, and Iceland, the report pointed out. “While cyber mercenaries often claim that their services and surveillanceware are intended to focus on criminals and terrorists, our investigation found they in fact regularly targeted journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists around the world,” the report said.
Explaining the three phases, the report said, Reconnaissance is the first stage of the surveillance chain, which is typically least visible to targets.
The targets are silently profiled by cyber mercenaries on behalf of their clients, often using software to automate data collection from across the internet. Firms selling these capabilities typically market themselves as “web intelligence services” to enable collection, retention, analysis and searchability — both targeted and at scale. These services typically scrape and store data from public websites such as blogs, social media, knowledge management platforms, news media, forums and “dark web” sites. One of the primary means of collecting information on social media is the use of fake accounts.
Engagement — the second phase — is typically the most visible to its targets and most critical to spot to prevent compromise. It is aimed at establishing contact with the targets or people close to them in an effort to build trust, solicit information, and trick them into clicking on links or downloading files (to enable the next “exploitation” phase).
Operators typically rely on social engineering tactics and use fictitious personas to reach out to people via email, phone calls, text messages, or direct messages on social media. These personas are typically tailored to each particular target to seem credible and avoid tipping people off to suspect malicious intent. The final stage of the surveillance chain, exploitation, manifests as what’s commonly known as “hacking for hire.” Providers may create phishing domains designed to trick targets into giving away their credentials to sensitive accounts like email, social media, financial services, and corporate networks, as per the report.
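The engagement and exploitation phases described above both hinge on a target clicking a link to a phishing domain that imitates a service they trust. The following is an added illustration of one check a recipient (or a mail or messaging gateway) can run on such a link before it is clicked; it is example code written for this page, not part of Meta’s report or any tooling it describes. The trusted-domain list, the homoglyph table and the sample URLs are constructed for the example, and the registrable-domain logic is deliberately naive (last two labels) rather than a full public-suffix lookup.

```python
"""Lookalike-domain check for links received in unsolicited messages.

Added example (not from Meta's report): flags domains that imitate a
trusted one by homoglyph substitution, typosquatting, or by burying the
trusted name inside a subdomain of an unrelated registrable domain.
"""
from urllib.parse import urlparse

# Constructed list of services the recipient actually uses (assumption).
TRUSTED = {"facebook.com", "gmail.com", "instagram.com"}

# Substitutions attackers use because they look alike in many fonts.
# Includes a few Cyrillic letters that render identically to Latin ones.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def host_of(url: str) -> str:
    """Extract the lowercase hostname; tolerate links without a scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host: str) -> str:
    """Naive eTLD+1: keep the last two labels (fine for .com-style names)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def normalize(name: str) -> str:
    """Map homoglyphs to ASCII so 'faceb00k.com' compares equal to 'facebook.com'."""
    for lookalike, plain in HOMOGLYPHS.items():
        name = name.replace(lookalike, plain)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one insertion/deletion/substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple[str, str]:
    """Return ('trusted'|'lookalike'|'unknown', reason)."""
    host = host_of(url)
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted", reg
    norm = normalize(reg)
    for t in TRUSTED:
        if norm == t:
            return "lookalike", f"homoglyph of {t}"
        if t in host:  # trusted name used as a subdomain of something else
            return "lookalike", f"{t} embedded under {reg}"
        if edit_distance(norm, t) <= 1:
            return "lookalike", f"typosquat of {t}"
    return "unknown", reg


if __name__ == "__main__":
    # Constructed sample links of the kind an engagement-phase persona might send.
    for link in [
        "https://www.facebook.com/login",
        "http://faceb00k.com/verify",
        "https://facebook.com.account-verify.net/",
        "https://facebok.com",
        "https://example.org/news",
    ]:
        print(link, "->", classify(link))
```

A distance threshold of one catches single-character typosquats without flagging every short domain; raise it only for long brand names, and replace `registrable` with a public-suffix list before using this on real traffic, since `co.uk`-style suffixes break the two-label assumption.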