According to Meta’s David Agranovich and Mike Dvilyanski, “the global surveillance-for-hire sector targets people across the internet to collect intelligence, influence them into exposing information, and breach their devices and accounts. These businesses are part of a large industry that sells intrusive software.”
Meta Platforms officially confirmed that it had taken steps to deplatform seven cyber mercenaries who it said targeted journalists, dissidents, critics of authoritarian regimes, opposition families and human rights activists in over 100 countries “indiscriminately.”
To that end, the company notified roughly 50,000 Facebook and Instagram users that it believed their accounts had been targeted by these organisations, which sell a range of spyware services, from mobile phone hacking tools to fake social media personas used to watch targets. It also removed about 1,500 Facebook and Instagram accounts linked to these companies.
Four of the companies are based in Israel: Cobwebs Technologies, Cognyte, Black Cube and Bluehawk CI. Also on the list are BellTroX, an Indian firm; Cytrox, based in North Macedonia; and an unidentified Chinese entity believed to have run surveillance operations against minority groups in the Asia-Pacific region.
The commercial players were observed across three phases of activity: reconnaissance, engagement and exploitation. They used a large network of tools and fake identities to profile their targets, made contact through social engineering, and then delivered malware through phishing links and other lures to gain access to, or control of, the targets’ devices.
Google Project Zero (GPZ) researchers Ian Beer and Samuel Groß reported that “It’s one of the most technically advanced exploits, using a number of clever tactics to get around BlastDoor protections added to make such attacks more difficult, and take over the devices to install the Pegasus implant.”
According to the GPZ findings, FORCEDENTRY abused a quirk in how iMessage handles GIF attachments: a file with a .gif extension was parsed according to its real content, so a malicious PDF disguised as a GIF was fed to Apple’s PDF parser. A bug in that parser’s JBIG2 decoder (JBIG2 is a compression standard for scanned text documents, as produced by multifunction printers) was then triggered as the file was loaded, with no action required on the target’s part.
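The content-versus-extension mismatch described above is something a mail or messaging gateway can check for before an attachment reaches a renderer. The following Python is an added example, not code from GPZ, Meta or the article: it sniffs the real type from magic bytes, compares it with what the filename claims, and flags PDFs that declare a JBIG2Decode filter. The sample bytes are constructed for the demonstration, and the signature table and the filter regex are heuristics rather than a full parser.

```python
"""Detect attachments whose real type does not match their extension, and
PDFs that carry JBIG2-compressed streams. Added example; samples constructed."""
import re

# Leading magic bytes for formats an image/document renderer commonly accepts.
SIGNATURES = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x97JB2\r\n\x1a\n", "jbig2"),   # standalone JBIG2 file header
]

EXT_TO_TYPE = {
    "gif": "gif", "pdf": "pdf", "png": "png",
    "jpg": "jpeg", "jpeg": "jpeg", "jb2": "jbig2", "jbig2": "jbig2",
}

# Matches "/Filter /JBIG2Decode" and "/Filter [/FlateDecode /JBIG2Decode]".
JBIG2_FILTER = re.compile(rb"/Filter\s*(\[[^\]]*)?/JBIG2Decode")


def sniff(data: bytes) -> str:
    """Return the content type implied by the bytes, ignoring the filename."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    # Lenient PDF readers accept junk before the header, so look a bit further
    # in, the way a permissive parser would.
    if b"%PDF-" in data[:1024]:
        return "pdf"
    return "unknown"


def extension_type(filename: str) -> str:
    """Return the type the extension claims, or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext, "unknown")


def uses_jbig2(data: bytes) -> bool:
    """True if a PDF declares a JBIG2Decode filter on any stream (heuristic)."""
    return JBIG2_FILTER.search(data) is not None


def assess(filename: str, data: bytes) -> dict:
    """Compare claimed and actual type; flag mismatches and JBIG2 in PDFs."""
    claimed = extension_type(filename)
    actual = sniff(data)
    mismatch = (actual != "unknown" and claimed != "unknown"
                and actual != claimed)
    jbig2 = actual == "pdf" and uses_jbig2(data)
    return {
        "claimed": claimed,
        "actual": actual,
        "mismatch": mismatch,
        "jbig2": jbig2,
        "suspicious": mismatch or jbig2,
    }


# Constructed samples (not real attachments): a minimal PDF declaring a
# JBIG2Decode stream, and the header of an ordinary 1x1 GIF.
SAMPLE_PDF_JBIG2 = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
    b"/Filter /JBIG2Decode /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"%%EOF\n"
)
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 7 + b"\x3b"

if __name__ == "__main__":
    for name, blob in [("payload.gif", SAMPLE_PDF_JBIG2),
                       ("cat.gif", SAMPLE_GIF),
                       ("scan.pdf", SAMPLE_PDF_JBIG2)]:
        print(name, assess(name, blob))
```

The first sample is the FORCEDENTRY shape: a `.gif` filename wrapping PDF bytes that request JBIG2 decoding, which the check reports as both a type mismatch and a JBIG2 hit. A real gateway would go further (decompress streams, limit decoder exposure), but sniffing by content rather than by extension is the minimum that the GIF quirk shows is necessary.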
In a related development, the US Treasury Department added eight more Chinese companies, including drone maker DJI Technology, Megvii and Yitu Limited, to an investment blocklist for “actively cooperating with the [Chinese] government’s efforts to repress members of ethnic and religious minority groups,” including Muslim minorities in Xinjiang.
In a separate investigation, Citizen Lab revealed that two Egyptians living abroad had their iPhones compromised in June 2021 with Predator, a newly identified spyware developed by Cytrox. Unlike FORCEDENTRY, both infections required one click: the targets received links over WhatsApp, delivered as images containing URLs.
Finally, after the US government imposed trade restrictions on NSO Group, the maker of Pegasus, in the wake of these disclosures, Bloomberg reported last week that the company was weighing shutting down its Pegasus unit or selling it, noting that “talks have been held with numerous investment funds regarding actions that include a refinancing or outright sale.”