Photo Illustration by Elizabeth Brockway/The Daily Beast/Getty
Meta is warning 50,000 people that they were the targets of “indiscriminate” surveillance carried out by a booming industry of cyber spies for hire who will track, trick, hack targets for the highest bidder.
That’s according to two new reports from security researchers at Meta (the company that owns Facebook) and the University of Toronto’s Citizen Lab, which tracks cybersecurity abuses against human rights groups and journalists.
In a report issued on Thursday, Meta identified seven firms—including one first identified by The Daily Beast—based in India, Israel, Macedonia, and China engaged in creating fake Facebook, Instagram, and WhatsApp accounts to spy on victims in at least 100 countries on behalf of shady clients.
And in its own new report, Citizen Lab found one of those companies, Cytrox, hacked the phone of Ayman Nour, an Egyptian opposition activist and former Egyptian presidential candidate, with sophisticated iOS malware sent via malicious links in the WhatsApp messaging app.
The companies, Meta said, engaged in “indiscriminate” surveillance and targeted victims that included “journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists.”
“What we’re seeing is that these companies are democratizing access to these types of techniques,” Nathaniel Gleicher, Meta’s head of security policy, said. “They are building tools to manage fake accounts, to target and surveil people, to enable the delivery of malware and then they’re providing them to any clients who are willing to pay.”
Meta researchers say such firms form a crucial part of a broader espionage ecosystem that feeds targeting information to hack-for-hire companies like the Israel-based NSO Group. NSO’s iPhone-busting malware has garnered investigations from human rights groups and sanctions from the Biden administration. But Meta researchers say hacking-for-hire firms like NSO are enabled by the spying activities of smaller companies which may not engage in hacking but do leverage sock puppet accounts and other dirty tricks to help hacking mercenaries identify and target their victims.
The report published by Meta on Thursday identified seven surveillance-for-hire firms which company officials found abusing Facebook, Instagram, and WhatsApp platforms to conduct espionage.
Among the companies in Meta’s report is Bluehawk CI, an Israeli snoop-for-hire firm first identified by The Daily Beast and Meta’s security team in April for its role in impersonating reporters from Fox News and other journalists in an attempt to dig up dirt on critics of the emir of Ras Al Khaimah—one of the seven emirates that make up the United Arab Emirates.
In the wake of The Daily Beast’s April story on Bluehawk, Meta suspended nearly 100 accounts linked to the firm. The firm uses fake accounts both to elicit compromising information from targets and “to trick [targets] into installing malware,” according to Meta. Bluehawk operatives tried to sneak back onto Meta’s platforms more recently by trying to create fake accounts purporting to be based in Argentina, according to the company.
Of the seven companies identified in Meta’s report, four were either based or founded in Israel—a sign of the country’s growing reputation as a haven for the surveillance-for-hire industry.
Radha Stirling, whose clients were targeted by Bluehawk CI, told The Daily Beast that American officials “must do everything in their power to hold foreign states and corporations to account for espionage against citizens or we will continue to see an escalation of belligerence that puts individuals and our very security at risk.”
“We intend to push for prosecution to the fullest extent of the law. The prevalence of these acts raises the question of sanctions against states who continue to target Americans,” she said.
Guy Klisman, a former Israel Defense Forces officer who founded Bluehawk, did not respond to text messages from The Daily Beast.
Many of the firms mentioned in Meta’s report engaged in social engineering—tricking targets into handing over sensitive information through deceptive tactics like fake accounts. But Cytrox, a Macedonian-Israeli company identified by Citizen Lab, went further and hacked targets for its clients.
In its report, Citizen Lab said it found Cytrox iOS malware on the phone of two victims, former Egyptian presidential candidate Ayman Nour, and an unnamed Egyptian “host of a popular news program.” Cytrox was first formed as part of a network of Israeli spyware companies called Intellexa in order to compete with NSO Group.
In a sign of the competition between the firms, Citizen Lab researchers found an active infection of Cytrox malware running on Nour’s phone at the same time as NSO Group’s Pegasus malware. Like NSO’s Pegasus software, Cytrox’s malware, known as Predator, is able to defeat the security of Apple’s mobile operating system iOS when users click a malicious link loaded with it. The two targets identified by Citizen Lab were infected after clicking on spoofed links sent to them via WhatsApp and meant to look like legitimate news websites.
Starting in 2020, Nour said his concerns about his security grew, leading him to reach out to a British cybersecurity firm for help. The firm then turned his phone over to Citizen Lab, which discovered both the Cytrox and NSO malware.
“For many years, I had doubts about being hacked on my phone, but since 2018, serious signs began to appear,” Nour said in a statement to The Daily Beast. “Egyptian and Arabic TV channels started to broadcast parts of my calls and build false stories around it, as well as publishing my personal photos.”
“The experience is violent in its psychological effects and it is enough to say that I have completely stopped communicating with my children, my family, and my friends to protect them from any hazards,” Nour wrote.
Meta said its researchers found a “vast domain infrastructure” used by Cytrox to target its victims and uncovered customers of the firm located in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Côte d’Ivoire, Vietnam, the Philippines and Germany.
Black Cube, the private intelligence firm staffed by former Mossad officers, is among the most notorious of the firms named in Thursday’s Meta report. In 2016, the firm helped convicted rapist Harvey Weinstein by sending operatives to dig up dirt on his accusers and spy on journalists from TheNew Yorker and The New York Times who were reporting on them.
More recently, Meta security officials have caught Black Cube operatives creating fake accounts to sidle up to targets with fake personas that included “graduate students, NGO and human rights workers, and film and TV producers.” The fake accounts solicited email addresses from their targets which Meta says were “likely for later phishing attacks.”
In a statement sent to The Daily Beast, Black Cube claimed that it “does not undertake any phishing or hacking and does not operate in the cyber world” and “obtains legal advice in every jurisdiction in which we operate.”
Other espionage-for-hire firms identified by Meta researchers include Cognyte, which holds itself out as a “security intelligence company,” Cobwebs Technologies, which claims to specialize in providing “web intelligence solutions,” and BellTroX, an India-based firm first identified by Reuters.
Meta security officials were unable to identify one anonymous firm based in China which developed surveillance tools, including facial recognition software, for use by Chinese law enforcement agencies. The company’s suite of services included approaching targets with fake accounts all the way up through hacking them with custom malware used against targets in Hong Kong and Xinjiang, where Chinese authorities have engaged in particularly aggressive surveillance, as well as Myanmar.
While the surveillance-for-hire industry is hardly new—private intelligence firms have existed for decades—Meta says that the growth of the industry has worked to “lower the barrier to entry” for anyone looking to buy information on their adversaries, regardless of who they might be.