Is it too late for a Reckoning in the Commercial Spyware Industry?
*epilepsy warning*|Hatemail: Newsletter and Intel from the LaBac Hacker Collective
As a Reckoning in the Commercial Spyware Industry Begins, We Fear it’s Already too Late
The NSO Group allegedly has committed gross surveillance and privacy abuses through a spyware product called Pegasus, which allows clients to control phone devices and even access encrypted messaging apps. Targets of the spyware included journalists, activists, and world leaders.
The report’s findings sent shockwaves around the world amongst security, journalistic, and political circles. It’s a story we can’t ignore, so this week we’re going all-in on NSO Group. Below, we’ve collected some of the must-reads and important takes on what the report means for global security and international affairs.
What Does the Future Look Like After Pegasus?
Public outrage is long overdue for NSO Group. The company had previously been linked to Saudi Arabia’s murder of dissident Jamal Khashoggi, and the Mexican government’s years-long surveillance of journalists, activists, and students. Members of the journalist coalition publishing the expose on NSO Group have indicated that the company’s use of powerful lobbying groups and high-profile customers likely kept them out of the targets of regulators.
But what has failed to incur, until perhaps now, is broad public disgust of the company. These latest revelations about Pegasus spyware technology, however, are gaining similar traction to the Western public “revolt” against Facebook and their harboring of Cambridge Analytica in 2018. But if the everyday internet user shrugged off Cambridge Analytica’s massive data mining scandal, they might not care much about the implications of Pegasus.
Ultimately, we need to look no further than other news about other spyware companies this week to know that the global arms race for commercial cyberweapons and exploitation capabilities is here, established, and isn’t likely going anywhere. Cryptographer Matt Green wrote on his blog this week an excellent, but sad, take:
What makes NSO special is not that they have some exploits. Rather: NSO’s genius is that they’ve done something that attackers were never incentivized to do in the past: democratize access to exploit technology. In other words, they’ve done precisely what every “smart” tech business is supposed to do: take something difficult and very expensive, and make it more accessible by applying the magic of scale. NSO is basically the SpaceX of surveillance.
The importance of NSO Group, regardless if they implode under public pressure or not, is that it’s unlikely they’ll be the last group to violate ethical tech boundaries. The culture of NSO Group was influenced by hack-for-hire companies that came before them (such as Hacking Team). Like the agile framework before it, NSO Group improved a delivery and business model, publishing it for the rest of the industry to imitate.
Questions remain in the wake of the Pegasus spyware revelations. Now that the NSO Group has pushed the bar, what other tech groups will follow and push the bar even further in the future? Can we expect regulators to crack down on spyware when they are often the beneficiaries of it? Our take: This dark industry is here to stay, and it will be up to those who detest it to defend against it.
More Reading: The Pegasus Project reveals the global scope of NSO Group spyware
[Forbidden Stories] We recommend you start here, where you can read about the collaborative investigation among multiple media outlets and researchers which they have dubbed ‘The Pegasus Project.’ Also check out this account published in the Guardian about the worldwide collaboration, and this Forbidden Stories overview about the NSO Group.
[Amnesty International] Amnesty has disclosed the most technical analysis of NSO Group spyware, in a deep-dive report that covers the full flow of exploitation.
[The Guardian] Using the data leaked to the Pegasus Project, the Guardian reports that French President Emmanuel Macron was at some point targeted by NSO Group clients using the spyware.
[OCCRP] Other targeted parties included activists and journalists from all over the world. Reports about Pegasus-surveilled journalists have so far appeared in the Aristegui Noticias, the Guardian, and Le Monde, just to name a few. But this article by the Organized Crime and Corruption Reporting Project (OCCRP) covers a lot of ground.
[Washington Post] Apple devices were successfully hacked by Pegasus spyware, raising questions about iPhone security and the specific personal data that the spyware can lift. Also, check out the Washington Post’s ‘takeaway’ piece on the whole Pegasus Project.
A Week of Hacking and Compromise
[U.S.White House] [U.K. Government] [Council of the EU] In a firm, coordinated effort, the U.S. and allies formally accused China of a years-long hacking campaign, targeting infrastructure and intellectual property around the world. This includes an operation earlier this year that involved the exploitation of Microsoft Exchange email servers. In a first, NATO joined the condemnation of the Chinese government’s use of hacking, setting a new precedent for NATO posturing in cyberspace against the Chinese Communist Party. The FBI unsealed an indictment with precise accusations of the hacking operation, while the Cybersecurity and Infrastructure Security Administration (CISA) published a technical report of the malware used by the state-sponsored hackers.
[CISA] CISA also published a whopping total of 13 malware analysis reports revolving around the exploitation of Pulse Secure devices in a vulnerability disclosed earlier this year.
[Microsoft] Microsoft published a formal stance on commercial use of cyberweapons, referencing their technical collaboration with Citizen Lab. The group likely the target of the investigation is an Israeli company called Candiru, which Citizen Lab says is responsible for hacking journalists, diplomats, and dissidents around the world.
[Bloomberg] President Joe Biden is to convene a meeting of private sector cybersecurity leaders, says the National Security Council. This news follows Biden’s May 12 executive order to improve the nation’s cybersecurity and the White House’s ransomware task force launch last week.
States and Social Media Power
[Facebook] Facebook disclosed that they have disrupted an Iranian espionage operation that was making use of Facebook to engage and phish targets. The threat actors targeted Middle Eastern tech employees.
[Reuters] In Vietnam, state-backed operators make use of social media influencers and virality in order to push government propaganda.
[Twitter] On state TV, Cuban dictator Miguel Diaz-Canel blamed American sex worker Mia Khalifa for being part of a U.S.-backed propaganda operation to remove him from power. Yep. That happened.
On Our Radar...
[ArsTechnica] [Vice] A Catholic priest was identified amongst a dump of data from gay hookup app Grindr. While his behavior was in violation of his religious oath, but not illegal, the act of deanonymizing data in such a manner is a dark development that violates many tenants of privacy and online consent.
[Swagitda] Cybersecurity economist Kelly Shortridge writes about how “markets don’t give a fuck about cybersecurity,” analyzing the role breach announcements and intrusions affect market prices.
[Texas Antifa Blog] The white-supremacist group PatriotFront has grown in popularity the past couple of years, in part because of their guerilla marketing campaigns. Texas Antifa has accordingly doxed several members of the hate group.
[Respect In Security] [Twitter] Respect In Security is a new industry working group intended to support targets of harassment in the information security industry. According to the group’s Twitter, they launched July 22 (today!).
Hate speech website: kiwifarms[.]net
Who hosts: Cloudflare
Today’s site is kiwifarms[.]net. This New Zealand-based forum has long been a holdout for harassment, racism, misogyny, and hate-motivated violence. In the past month they have been linked to the suicide of a popular emulator developer.
We have observed that Kiwi Farms’ site is protected by Cloudflare, and has been for years despite reports and protests.