IntelBrief: Spyware for Sale
Bottom Line Up Front
- In 2019, it is easier than ever for nation-states or wealthy individuals to pay virtual mercenaries to conduct a range of illicit activities including espionage, data theft, and cyber intimidation and harassment.
- Companies require permits from their respective governments to export surveillance software, but government checks have proven inadequate as draconian regimes around the world have acquired these programs.
- Geopolitics today is defined by a diffusion of power away from nation-states, accelerated by emerging technologies unregulated by international law.
- The proliferation of surveillance software and its use by authoritarian governments requires greater attention by the international community.
In a three-part expose on the work of an Israeli private-intelligence agency known as Black Cube, journalist Ronan Farrow described how he was surveilled during his investigation of Harvey Weinstein’s alleged crimes, which included numerous allegations of rape. In the first of these articles published by The New Yorker, Farrow detailed how he continuously received messages to click on a link and participate in a political survey. While Farrow claims that he never clicked on the links, around the same time, private investigators working for Black Cube started receiving his exact location, making the whole surveillance process much easier. In 2019, it is easier than ever for nation-states or wealthy individuals to pay virtual mercenaries and hackers-for-hire to conduct a range of illicit activities including espionage, data theft, and cyber intimidation and harassment.
The technique of inducing a target to click on a link is frequently utilized in surveillance software developed by private companies and deployed around the world. Currently, two of the most prominent programs in use are Pegasus and FinSpy. The former was developed by the Israeli NSO Group while the latter was created by the German firm FinFisher. Both companies have a history of murky deals with oppressive governments and shadowy organizations, many of which have been exposed by activists and journalists. Moreover, both companies are required to receive permits from their respective governments in order to sell the software to interested parties that have been appropriately vetted. An initial offer by FinFisher to the Egyptian government in 2010 was priced at €280,000 (around $310,000), while more recent reporting suggests that Pegasus today can easily be sold at upwards of $1 million.
Pegasus was exposed by Citizen Lab, after UAE activist Ahmed Mansoor received a suspicious text that he forwarded to the cybersecurity watchdog organization. After combing the Internet, Citizen Lab published a report in 2018 that showed there are 36 distinct operators, or clients of NSO Group operating in 45 countries, with 10 of them engaging in cross-border surveillance. (In 2019, Black Cube operatives attempted to extract further information from Citizen Lab researchers on their knowledge of the NSO Group.) Some reports claim that Pegasus was used for spying on Omar Abdulaziz, a Montreal-based Saudi activist and friend of Jamal Khashoggi, who was brutally murdered in 2018 by elements linked to Mohammed bin Salman and the Saudi government. Now, Abdulaziz is suing NSO Group for selling the software to abusive regimes worldwide. Reports on FinSpy have been abundant over the years, starting with a series of Wikileaks in 2011. In 2015, Citizen Lab published a report that stated that FinSpy was used by 33 governments around the world. In September of this year, Munich-based prosecutors launched an investigation into FinFisher for selling its software to Turkey without a permit from the German government.
Little can be done once the software is employed, but governments that host these companies, including Israel and Germany, still have the responsibility to implement effective checks and balances. Without well-developed and rigorously implemented regulation, any citizen in any country in the world is a potential and easy target. Geopolitics in the current era is defined by a diffusion of power away from nation-states and to individuals and small groups, accelerated by emerging technologies, many of which are not regulated under international law. The result is a ‘Wild West’ of cyber activity where anything goes and attribution remains difficult, or in some cases, impossible. Just as with the surreptitious collection of data, the proliferation of surveillance software and its use by authoritarian governments around the world requires greater attention by the international community.
For tailored research and analysis, please contact: firstname.lastname@example.org