Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:55 PM

Even Small Nations Have Jumped into the Cyber Espionage Game

While the media tends to focus on the Big 5 nation-state cyber powers, commercial spyware has given smaller countries sophisticated capabilities, as demonstrated by a "zero-click" iMessage exploit that targeted journalists last year.

Driven by the accessibility of commercial spyware and surveillance tools, sophisticated attacks using a variety of zero-click exploits — attacks that don't require user interaction — are increasingly within the reach of smaller nations, according to The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy at University of Toronto.

In an analysis published in late December, the group detailed how nations of the Gulf Cooperative Council (GCC) in the Middle East used the commercial Pegasus spyware sold by the NSO Group to hack three dozen phones and spy on journalists and news producers. The attacks used a "zero-click" iMessage exploit that uses a specially crafted message to download and execute code on the victim's phone.

Related Content:

Former NSO Group Employee Steals, Sells Spy Tools

How Data Breaches Affect the Enterprise

New From The Edge: Security Pros Reflect on 2020

Some three dozen journalists and editors — mainly with Qatar-based news organization Al Jazeera — were targeted by the cyberattacks last year, with little ability to defend against them, says Bill Marczak, a senior research fellow at The Citizen Lab.

"Those interactive-less [exploits] take this to a new level because you can't beat this now through better digital security practices," he says. "You tell someone to always keep your OS up to date, never click on links, and they will still get hacked by something like this. The user is not in the loop anymore. There is no opportunity to notice and prevent this for them."

The attacks — purportedly launched by members of the GCC against Qatari interests, according to the report — underscore that smaller nations are increasingly getting into the cyber operations game by standing on the technical shoulders of offensive cybersecurity companies. While The Citizen Lab's report focused on the Israel-based NSO Group, other groups know to market surveillance tools and commercial spyware, including Gamma International in the UK — owned through an offshore shell company — Hacking Team's RCS, and Cyberbit's PSS.

While smaller democracies typically use the tools to enable law enforcement and terrorism investigations, non-democratic countries often use the tools to enable intelligence agencies to target a variety of government priorities, including opposition members and media, Marczak says.

"The 'western' and big cyber power countries tend to view this as a law enforcement tool, while the UAEs, Saudis, and Rwandas of the world tend to view it as an intelligence tool," he says, "and they use it — not necessarily to go after crime — but to go after intelligence targets, including dissents and journalists."

For many smaller nations, conducting cyber operations has the added benefit of helping develop a homegrown source of cyber talent. And the nations hosting the surveillance-tool companies can benefit from having a technology used by intelligence agencies around the world, potentially giving them deeper levels of access and visibility into geopolitics, Marczak says.

"So I think it is seen as an intelligence asset to host these sort of companies," he says. "And it contributes to the development of the cyber talent pipeline locally, which has benefits for the local intelligence in terms of accessing talented people who have honed their skills."

Yet in many ways the companies are unregulated, he adds. 

In a previous investigation in 2017, for example, The Citizen Lab identified Cyberbit's PSS targeting devices of Ethiopian journalists, students, and a lawyer. The Italy-based Hacking Team, creator of the RCS spyware product, had counted among its clients many countries with records of systemic human rights abuses, including Russia, Sudan, Nigeria, and Saudi Arabia — a client list revealed when the company was itself hacked in 2015.

The recent research by The Citizen Lab shows that smaller countries continue to count on commercial spyware for their capabilities, says Marczak.

"The companies that produced the spyware have pretty much free rein to sell their stuff," he says. "Until there's more robust regulation placed on the market, the level of activity of commercial spyware is only going to increase."

In the latest campaign, at least three dozen Al Jazeera journalists and editors were targeted by the NSO Group's Pegasus surveillance tool through a zero-click exploit in iMessage delivered through Apple's servers. The researchers concluded that nation-state actors linked to the UAE were responsible for some of the attacks, while the Saudi government was responsible for other attacks.

The increase in sophistication and further development of zero-click attacks means the companies behind commercial spyware will be less accountable, according to The Citizen Lab's report.

"The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance," the group stated. "Although this is a predictable technological evolution, it increases the technological challenges facing both network administrators and investigators."

In the end, to combat the misuse of surveillance technologies, the US, Canada, and other democracies should make human rights part of the calculus in approving such technology for export and make sure their own use is predicated on strict laws, Marczak says.

"While clearly the concern has been more on security side than the human rights side, there needs to be a broader agreement to take these issues into account in the main multilateral framework, the Wassenaar Arrangement," he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/8/2021 | 4:00:48 PM
Human Rights Don't Exist in Brazil
There is a criminal organization in Brazil using NSO Group's Pegasus to infect devices for hack for hire, to incite terrorism, blackmail people, produce illegal pornography and assist in assassinations. They also have other advanced malware, like UEFI implants and even persistent implants for Kindle and Raspberry Pi. Plus face/voice recognition on every camera and microphone they can get into, in public or private places.

Brazil won't do anything to stop them. Only the FBI, CIA and NSA can stop them.

There is also the possibility that they were engaged on the hack of Bezos' smartphone.

If you know of any security researcher who wants to reverse engineer the exploits they are using, I am more than willing to help them.

If you want a story about how they operate, I am willing to work with you to expose them.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-17
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.
PUBLISHED: 2021-06-17
Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`Ch...
PUBLISHED: 2021-06-17
Elemin allows remote attackers to upload and execute arbitrary PHP code via the Themify framework (before 1.2.2) wp-content/themes/elemin/themify/themify-ajax.php file.
PUBLISHED: 2021-06-17
An authenticated Stored XSS (Cross-site Scripting) exists in the "captive.cgi" Captive Portal via the "Title of Login Page" text box or "TITLE" parameter in IPFire 2.21 (x86_64) - Core Update 130. It allows an authenticated WebGUI user with privileges for the affected p...
PUBLISHED: 2021-06-17
In Fiyo CMS, the 'tag' parameter results in an unauthenticated XSS attack.