
Vulnerabilities / Threats

1/7/2021
03:55 PM

Even Small Nations Have Jumped into the Cyber Espionage Game

While the media tends to focus on the Big 5 nation-state cyber powers, commercial spyware has given smaller countries sophisticated capabilities, as demonstrated by a "zero-click" iMessage exploit that targeted journalists last year.

Driven by the accessibility of commercial spyware and surveillance tools, sophisticated attacks using a variety of zero-click exploits — attacks that don't require user interaction — are increasingly within the reach of smaller nations, according to The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy at the University of Toronto.

In an analysis published in late December, the group detailed how nations of the Gulf Cooperation Council (GCC) in the Middle East used the commercial Pegasus spyware sold by the NSO Group to hack three dozen phones and spy on journalists and news producers. The attacks relied on a "zero-click" iMessage exploit, in which a specially crafted message downloads and executes code on the victim's phone without any action by the user.


Some three dozen journalists and editors — mainly with Qatar-based news organization Al Jazeera — were targeted by the cyberattacks last year, with little ability to defend against them, says Bill Marczak, a senior research fellow at The Citizen Lab.

"Those interactive-less [exploits] take this to a new level because you can't beat this now through better digital security practices," he says. "You tell someone to always keep your OS up to date, never click on links, and they will still get hacked by something like this. The user is not in the loop anymore. There is no opportunity to notice and prevent this for them."

The attacks — purportedly launched by members of the GCC against Qatari interests, according to the report — underscore that smaller nations are increasingly getting into the cyber operations game by standing on the technical shoulders of offensive cybersecurity companies. While The Citizen Lab's report focused on the Israel-based NSO Group, other vendors known to market surveillance tools and commercial spyware include Gamma International in the UK — owned through an offshore shell company — Hacking Team, maker of RCS, and Cyberbit, maker of PSS.

While smaller democracies typically use the tools to enable law enforcement and terrorism investigations, non-democratic countries often use the tools to enable intelligence agencies to target a variety of government priorities, including opposition members and media, Marczak says.

"The 'western' and big cyber power countries tend to view this as a law enforcement tool, while the UAEs, Saudis, and Rwandas of the world tend to view it as an intelligence tool," he says, "and they use it — not necessarily to go after crime — but to go after intelligence targets, including dissidents and journalists."

For many smaller nations, conducting cyber operations has the added benefit of helping develop a homegrown source of cyber talent. And the nations hosting the surveillance-tool companies can benefit from having a technology used by intelligence agencies around the world, potentially giving them deeper levels of access and visibility into geopolitics, Marczak says.

"So I think it is seen as an intelligence asset to host these sort of companies," he says. "And it contributes to the development of the cyber talent pipeline locally, which has benefits for the local intelligence in terms of accessing talented people who have honed their skills."

Yet in many ways the companies are unregulated, he adds. 

In a previous investigation in 2017, for example, The Citizen Lab identified Cyberbit's PSS targeting devices of Ethiopian journalists, students, and a lawyer. The Italy-based Hacking Team, creator of the RCS spyware product, had counted among its clients many countries with records of systemic human rights abuses, including Russia, Sudan, Nigeria, and Saudi Arabia — a client list revealed when the company was itself hacked in 2015.

The recent research by The Citizen Lab shows that smaller countries continue to count on commercial spyware for their capabilities, says Marczak.

"The companies that produced the spyware have pretty much free rein to sell their stuff," he says. "Until there's more robust regulation placed on the market, the level of activity of commercial spyware is only going to increase."

In the latest campaign, at least three dozen Al Jazeera journalists and editors were targeted by the NSO Group's Pegasus surveillance tool through a zero-click exploit in iMessage delivered through Apple's servers. The researchers concluded that nation-state actors linked to the UAE were responsible for some of the attacks, while the Saudi government was responsible for other attacks.

The increase in sophistication and further development of zero-click attacks means the companies behind commercial spyware will be less accountable, according to The Citizen Lab's report.

"The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance," the group stated. "Although this is a predictable technological evolution, it increases the technological challenges facing both network administrators and investigators."

In the end, to combat the misuse of surveillance technologies, the US, Canada, and other democracies should make human rights part of the calculus in approving such technology for export and make sure their own use is predicated on strict laws, Marczak says.

"While clearly the concern has been more on the security side than the human rights side, there needs to be a broader agreement to take these issues into account in the main multilateral framework, the Wassenaar Arrangement," he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
Comments
OscarWilde, User Rank: Apprentice, 1/8/2021 | 4:00:48 PM

Human Rights Don't Exist in Brazil
There is a criminal organization in Brazil using NSO Group's Pegasus to infect devices for hack for hire, to incite terrorism, blackmail people, produce illegal pornography and assist in assassinations. They also have other advanced malware, like UEFI implants and even persistent implants for Kindle and Raspberry Pi. Plus face/voice recognition on every camera and microphone they can get into, in public or private places.

Brazil won't do anything to stop them. Only the FBI, CIA and NSA can stop them.

There is also the possibility that they were engaged in the hack of Bezos' smartphone.

If you know of any security researcher who wants to reverse engineer the exploits they are using, I am more than willing to help them.

If you want a story about how they operate, I am willing to work with you to expose them.