Cyber mercenaries turn mobile phones into spying devices

As family and friends gather for holiday cheer and ski trips, the risk they face is not being buried by a snow avalanche. The real danger may be a cyber mercenary lurking on the electronic device in their pocket or hotel room sent there by the Russian company Avalanche.

Meta, the parent of Facebook and Instagram, announced earlier this year that it had removed more than 100 accounts on those two social media platforms linked to Avalanche, believed to be an Internet spy company. Avalanche, along with many others such as Israeli NSO Group and Candiru, are accused of selling spyware to foreign governments that use it to create "surveillance for hire" operations. These spyware companies claim that their services are sold only for spying on criminals and terrorists, but in reality the spyware is used to collect intelligence, manipulate and compromise electronic devices and social media accounts of government officials, journalists, activists, dissidents, academics and embassy workers.

In its 2022 annual report assessing online threats, Meta reported that it has targeted and removed more than 200 surveillance for hire operations worldwide since 2017. Those operations spanned 68 countries and operated in at least 42 languages. Meta reports that the United States was the most targeted country by global cyber mercenaries, followed by Ukraine and the United Kingdom. Russia was the most frequent location for these operations, followed by Iran and Mexico.

One of the more disturbing examples of spyware is NSO's Pegasus, which is reportedly able to exploit security flaws in mobile apps like iMessage, WhatsApp, FaceTime, Gmail, Viber, WeChat, Telegram and Apple's built-in messaging and email apps. Once a vulnerability is found, Pegasus can infiltrate a device using the protocol of the app. The targeted person does not have to click on a link, read a message, or answer a call for the Pegasus app to take over the phone.

Once installed on a mobile phone, Pegasus enables the infiltrator to monitor keystrokes, including emails, web searches and passwords. It also enables the user to extract messages, photos and emails, record calls and secretly activate microphones and cameras. Governments have allegedly misused Pegasus to target as many as 50,000 phone numbers since 2016. The spyware sold by lesser-known Candiru (aptly named a parasitic catfish) works in a similar manner.

According to the Pegasus Project, a non-profit group that investigates abuses carried out with Pegasus, 189 journalists have been targeted for surveillance. The highest profile journalist to have been targeted allegedly through Pegasus is Jamal Khashoggi, the Washington Post reporter and vocal critic of the Saudi Arabian government, who was murdered and dismembered in the Saudi consulate in Istanbul in October 2018. Cecilio Pineda, a Mexican journalist, was shot to death at a car wash in March 2017. Pineda's phone reportedly was being monitored using Pegasus one month before he was killed. Candiru's spyware has reportedly been used by governments, including Morocco, Saudi Arabia, and the United Arab Emirates, to illegally access the phone data of at least 100 activists and journalists worldwide.

In addition to journalists, the Pegasus Project also found evidence that 600 politicians, 64 business executives, 85 human rights activists, and ironically, Saudi royal family members were targeted for surveillance through Pegasus. Attorneys in Mexico, India, Saudi Arabia, Azerbaijan, Rwanda, Morocco and Hungary were found on the targeted phone list. While many of these attorneys represent human rights activists or civil rights leaders, there's clearly no reason that attorneys with other types of clients and in other countries such as the U.S. couldn't be targeted.

Meta predicts the situation will get worse in the coming year. The U.S. government seems to agree. The Commerce Department Bureau of Industry and Security, Defense, State, and Energy have created a so-called "Entity List" which bans companies suspected of cybercrimes or other activities harmful to the United States from exporting, re-exporting products to the U.S. or carrying out in-country transfers. The BIS just announced that it has added 120 new entities to the list.

The Entity List is authorized in Section 744.11(b) of the Export Administration Regulations (EAR). 15 C.F.R. parts 730-774. Once on the list, no exceptions are allowed for companies to export to the U.S. and it shifts the burden of proof against them by presuming a denial is justified if the companies seek a review of their import/export licenses issued by the U.S. government.

While the export restrictions may help slow the sale of spyware, they apply only after the fact and may not affect spyware already operating in a country. As an example, the Israeli government reported that it had stopped exports of the Pegasus software to a group of countries accused of mis-using it, including Poland, which was accused of using Pegasus to hack Polish senator, Krzysztof Brejza, when he was running the opposition's 2019 parliamentary election campaign. But the discontinuance of Pegasus sales in Poland apparently did not curtail existing licenses. The only effective strategy to keep spyware from falling into the wrong hands is to enact an international ban on sales. The U.S. government should lead the way.