From Pegasus to Predator and Beyond
- December 31, 2021
- Clayton Rice, K.C.
Spyware traffickers insist their surveillance tools are sold only to customers for the investigation of serious crimes and acts of terrorism. But developments over the past year put the lie to the claim. The diverse and expanding list of victims runs a wide gamut, suggesting the real sales criterion is the profit motive and whether a purchaser is willing to pay the high prices commanded by spyware peddlers for their products. It is an international crisis requiring an international response.
The Pegasus cyber weapon developed by NSO Group is one of the most sophisticated exploits available on the spyware market. It is a zero-click surveillance tool that allows the operator to take control of a target’s mobile device, download all its data, and activate the camera or microphone without the user knowing. For black hats, it is spyware that dreams are made of; a nightmare for anyone else. Since 2019 the international hubbub over Pegasus has been steadily growing as investigations and reports by tech journalists and cyber sleuths hit the internet. It began with the WhatsApp attack that year and I have been following developments in a series of recent posts to On The Wire.
On July 18, 2021, Forbidden Stories and Amnesty International exposed the widespread surveillance of the mobile devices of hundreds of journalists, human rights defenders and political leaders who were targeted by Pegasus. Amnesty’s forensic methodology was peer reviewed and “independently validated” by Citizen Lab of the Munk School of Global Affairs and Public Policy at the University of Toronto. (here) On November 3, 2021, the U.S. Government added NSO Group to the Entity List maintained by the Department of Commerce blacklisting it from receiving American technologies. And on November 23, 2021, Apple Inc. initiated a lawsuit against NSO Group and its parent Q Cyber Technologies in a bid to hold them accountable for the surveillance and targeting of Apple users. (here)
After the story broke about Apple’s lawsuit I expected a time lag before anything new cropped up that would merit another post. But on December 15, 2021, a group of U.S. lawmakers sent a joint letter to Secretary Janet Yellen of the Department of the Treasury and Secretary Antony Blinken of the Department of State, requesting that Global Magnitsky sanctions be imposed on NSO Group and three other foreign surveillance companies. (here) The signatories to the letter requested the implementation of sanctions for abuses “including the arrests, disappearance, torture and murder of human rights activists and journalists, such as Jamal Khashoggi, by selling powerful surveillance technology to authoritarian governments.” But there was still no reprieve: the next day, a new story broke involving a horse of a different pedigree.
3. Cytrox and Predator
On December 16, 2021, parallel reports were published by Citizen Lab and Meta Platforms, Inc. (formerly Facebook, Inc.) exposing the single-click Predator spyware developed and sold by Cytrox, a Macedonian company in the murky malware-for-hire business. (here) The report by Citizen Lab, titled Pegasus vs. Predator: Dissident’s Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware, confirmed the hacking of devices used by a member of the Egyptian political opposition and an exiled Egyptian journalist who hosts a popular news program. (here) The report by Meta Platforms, titled Threat Report on the Surveillance-for-Hire Industry, is the product of an investigation and disruption of seven entities providing surveillance-for-hire services to target people across the internet including journalists and human rights activists. (here)
(a) Citizen Lab Report
The first target whose phone was hacked by Predator was Ayman Nour, who is the president of the Union of the Egyptian National Forces. He is a former presidential candidate and ran against Egyptian President Hosni Mubarak in 2005. He was convicted of “forging signatories on petitions” filed to create his political party and imprisoned for more than four years. He was released in 2009. The charge was widely considered to be politically motivated. The exiled anonymous journalist, who is the second victim of a Predator hack, is an outspoken critic of the Sisi regime. Here are the other key findings from the report:
- The phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.
- Both targets were hacked with Predator in June 2021, and the spyware was able to infect the then-latest version (14.6) of Apple’s iOS operating system using single-click links sent via WhatsApp.
- We obtained samples of Predator’s “loader”, the first phase of the spyware, and analyzed their functionality. We found that Predator persists after reboot using the iOS automations feature.
- We conducted Internet scanning for Predator spyware servers and found likely Predator customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.
- Cytrox was reported to be part of Intellexa, the so-called “Star Alliance of spyware,” which was formed to compete with NSO Group, and which describes itself as “EU-based and regulated, with six sites and R&D labs throughout Europe.”
According to Crunchbase, a platform for finding information about private and public companies, Cytrox’s business is vaguely described as providing governments with an “operational cyber solution” that includes information from devices and services. And according to Pitchbook, a sales book used by investment banks to sell products and services, Cytrox’s technology is defined as “cyber intelligence systems designed to offer security” to governments and assist with “designing, managing and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”
(b) Meta Platforms Report
In the report describing the actions taken to disrupt seven entities providing spyware services, Meta emphasized that “NSO is only one piece of a much broader global cyber mercenary ecosystem.” While cyber mercenaries often claim their services and surveillanceware are intended to focus on serious crime and terrorism, the report found they “in fact regularly targeted journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists around the world.” Here are the specific findings and actions taken against Cytrox:
- We removed about 300 accounts on Facebook and Instagram linked to Cytrox. […] In collaboration with the Citizen Lab, we obtained copies of iOS and Android malware for further analysis. As a result, our team at Meta was able to find a vast domain infrastructure that we believe Cytrox used to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media services. […] They used these domains as part of their phishing and compromise campaigns.
- Our investigation identified customers in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Cote d’Ivoire, Vietnam, the Philippines, and Germany. Targets of Cytrox and its customers included politicians and journalists around the world, including in Egypt and Armenia. Our findings suggest that Cytrox likely provided services to another threat actor known in the security community as Sphinx, which targeted people in Egypt and its neighboring countries.
The report described cyber mercenaries like NSO Group and Cytrox as “part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer – regardless of who they target or the human rights abuses they might enable.”
4. Polish Senator Hacked
On December 23, 2021, Vanessa Gera and Frank Bajak reported for Associated Press that Senator Krzysztof Brejza’s phone was hacked three times in 2019 when he was running the opposition’s campaign against Poland’s right-wing populist government. “Text messages stolen from Brejza’s phone – then doctored in a smear campaign – were aired by state-controlled TV in the heat of the race, which the ruling party narrowly won,” they reported. (here) The probe into Mr. Brejza’s phone was done by researchers at Citizen Lab, who found that the phones of opposition lawyer Roman Giertych and prosecutor Ewa Wrzosek were also hacked by Pegasus. (here)
The high-profile cases of Pegasus surveillance date back to the WhatsApp attack in 2019. The targets since then have included politicians, journalists, lawyers and human rights activists. The ongoing developments have prompted concern that the revelations may “exacerbate a clash between Brussels and Poland’s ruling nationalist Law and Justice party (PiS) over democratic backsliding.” The Polish hacks are particularly serious because they did not occur in an authoritarian state but in a member state of the European Union. The hacking victims see it as a broader attack by the government on civil liberties. John Scott-Railton, a Senior Researcher at Citizen Lab, put it well when he said Pegasus is “on a collision course with democracy.”
I began this post with the comment that the spyware market is an international crisis requiring an international response. That is the view of the Editorial Board of The Washington Post in an Opinion titled The spyware crisis is much bigger than NSO Group, published on December 27, 2021. The Post zeroed in on the threat report by Meta Platforms, describing it as “hammer[ing] home the scope and scale of the world’s private surveillance problem” that “punches another hole in the tired insistence that such operations focus only on criminals and terrorists.” (here) Although the zero-click exploit made famous by NSO’s Pegasus may be more menacing than the single-click download deployed by Cytrox’s Predator, that is little solace for an unwitting victim. After all, Predator is only a click away. The cybersurveillance ecosystem is far larger than its most notorious representatives, and the Post has rightly advocated for an international response that includes civil liberties assessments of spyware purveyors mandated by regulators worldwide.