After Meta (Facebook) recently reported alerting 50,000 people that it believed were being targeted by “surveillance-for-hire” entities, we take a look are who these entities are and what they do.
Following months of investigation, Meta recently informed 50,000 people that they were being targeted by seven “surveillance-for-hire” entities / “cyber mercenaries” who were targeting people in over 100 countries on behalf of their clients. It has been reported that Meta has issued cease-and-desist warnings against six of the seven entities it identified. The seventh is known to be in China but couldn’t be identified.
What Does “Surveillance-For-Hire” Mean?
The surveillance-for-hire industry consists of companies that use a combination of social engineering and technology to monitor and gather information about (and sometimes from) individuals for their clients. In the case of Meta’s investigation, these companies are described as entities that use “intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target, or the human rights abuses they might enable”. Surveillance-for-hire companies claim to use their surveillance services to tackle criminals and terrorists but, offer their services to many government and non-government groups that otherwise wouldn’t have these capabilities as well as private individuals, law firms, businesses, politicians and even law enforcement agencies. Meta’s investigation also claims that these surveillance companies also target journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists.
Examples of surveillance-for-hire companies/cyber mercenaries include:
– Black Cube. Although it recently described itself as simply a “litigation support firm”, it is one of the companies identified recently by Meta. Black Cube was formed by former Israeli intelligence agency Mossad veterans. Meta suggested that Black Cube used fictitious personas to contact targets and obtain email addresses for phishing attacks (which Black Cube denies). Black Cube has previously made the news following reports by the New Yorker in 2017 that it was used by Harvey Weinstein to surveil reporters covering allegations about his assaults.
– NSO. Meta identified this company as being behind Pegasus spyware (software used to enable surveillance) that it sued in 2019 (and Apple has also sued).
– Cognyte. Based in Israel, Meta says that Cognyte sells access to its platform which enables managing fake accounts across social media platforms including Facebook, Instagram, Twitter, YouTube, and VKontakte (VK), and other websites to social-engineer people and collect data.
– Bluehawk CI. Based in Israel with offices in the UK and the US, Meta says that Bluehawk sells a range of surveillance-for-hire activities including social engineering, gathering of litigation-related intelligence about people, and managing fake accounts to trick them into installing malware. Meta alleges that the fake accounts pose as journalists working for media organizations like La Stampa (Italy) and Fox News (US) to trick targets into giving an on-camera interview.
– Cobwebs Technologies. Founded in Israel with offices in the United States, Meta says that Cobwebs Technologies sells access to its platform that enables reconnaissance across the internet, including Facebook, Instagram, WhatsApp, Twitter, Flickr, public websites and “dark web” sites. Meta also claims that the accounts used by Cobwebs customers also engage in social engineering to join closed communities and forums and trick people into revealing personal information.
Some of the issues raised by Meta’s recent investigation that has shone a light on the entities in the surveillance-for-hire industry include:
– Their services are indiscriminately sold to anyone willing to pay, including known bad actors.
– They work across many platforms and national boundaries.
– Their capabilities are used by both nation-states and private enterprises. This means that they lower the barrier to entry for anyone willing to pay.
– It is often impossible for targets to know they are being surveilled across the internet.
What Does This Mean For Your Business?
The scale of this industry identified in Meta’s report indicates that this dark surveillance is widespread. The fact that there are many different companies who sell their services indiscriminately operating in secrecy means that it is hard to trace activity back to the client. Also, with these entities working across multiple platforms and national boundaries, a collective effort from platforms, policymakers, and civil society, as well public discussion about the use of surveillance-for-hire technology, greater transparency and oversight are now needed to help protect people. Also, as suggested by Meta, industry collaboration as well as more governance and regulator-led conversations about the ethics of these companies could help top protect their targets.