The parent company of Facebook and Instagram has banned seven firms it says used its platforms to spy on some 50,000 unsuspecting targets, including human rights activists, government critics, celebrities, journalists and ordinary people in more than 100 countries.
These “surveillance-for-hire” companies were linked to around 1,500 accounts on Facebook and Instagram that were used to collect information on people and try to trick them into handing over sensitive personal information so that the firms could install spyware on their devices, according to a report released on Thursday by Meta, formerly known as Facebook.
“Each of these actors rely on networks of fake accounts on our platforms that are used to deceive users and mislead them,” Nathaniel Gleicher, Meta’s head of security policy, told NPR. Some firms also used Meta’s WhatsApp to infect targets’ phones with malware. The surveillance was also carried out over other internet services, from email and text messages to Twitter and YouTube.
The goal, Gleicher said, is to “spy on people or snoop on them without them knowing about it.”
Spyware is a growing area of concern for tech giants like Meta, Apple, Google and Microsoft. Both Meta and Apple have sued Israel-based NSO Group. Its Pegasus software has been linked by a consortium of international media outlets to hacks and potential surveillance of thousands of people, including dissidents, activists, journalists, the fiancée of slain Saudi journalist Jamal Khashoggi, and 14 heads of state.
But NSO “is only one piece of a much broader global mercenary ecosystem,” Meta said in its report. It described a “sprawling” but shadowy industry providing spying-on-demand to anyone who wants it, “regardless of who they target or the human rights abuses they might enable.”
Gleicher’s team spent months investigating surveillance activity before taking action against the seven companies for violating Meta’s community standards and terms of service. Four of the firms are based in Israel, and the other three in China, India, and North Macedonia.
They include Black Cube, an Israel-based intelligence group reportedly used by Harvey Weinstein to dig up dirt on his accusers and journalists. Meta said Black Cube created fake accounts posing as graduate students, human rights workers and film and TV producers and tried to set up phone calls and get email addresses for a wide range of targets, from Palestinian activists to people working in medicine, mining and nonprofit organizations to figures involved in Russia’s tech, finance, real estate and media sectors.
Black Cube said in a statement to NPR that it “does not undertake any phishing or hacking and does not operate in the cyber world.” It described itself as a “litigation support firm” that uses legal investigation methods.
“Black Cube obtains legal advice in every jurisdiction in which we operate in order to ensure that all our agents’ activities are fully compliant with local laws,” it said.
Another Israeli firm called Bluehawk CI tried to trick government opponents in the United Arab Emirates by pretending to be reporters for Fox News and Italy’s La Stampa, Meta said. Bluehawk did not respond to NPR’s request for comment.
Meta also took down accounts connected to “an unidentified entity in China” that, Meta says, made tools used by Chinese law enforcement to spy on minority groups in Xinjiang, Myanmar and Hong Kong.
Meta has banned the companies from its platforms, removed the accounts it linked to them, and sent them cease-and-desist warnings. It is notifying around 50,000 people whom it believes were targeted, and shared its findings with security researchers, other tech companies and policymakers.
Gleicher said the companies were “indiscriminate” about whom they targeted. “We are seeing politicians. We’re seeing human rights activists. We’re seeing lawyers, doctors, clergy, in some cases ordinary citizens. Anyone who might be party to a lawsuit,” he said.
It’s less clear who is hiring these companies. Meta was able to determine in some cases that the spyware firms were working on behalf of governments, law firms and individuals, Gleicher said. But, he added, customers go to surveillance companies in order to hide their activities, and the firms don’t seem to be choosy about their clients.
“Almost anyone can hire one of these firms,” he said. “These firms both democratize these threats and they give an added layer of deception to the worst actors.”
This summer, Ayman Nour, an Egyptian opposition leader and former presidential candidate living in exile in Turkey, noticed something weird about his iPhone. It was getting really hot.
Nour eventually connected with security researchers at the University of Toronto’s Citizen Lab, a cybersecurity watchdog.
Citizen Lab’s investigation, led by senior research fellow Bill Marczak, found Nour’s phone was infected with two separate spyware tools: NSO’s Pegasus and Predator, a tool made by a North Macedonian company called Cytrox.
The researchers traced the Predator malware to WhatsApp messages Nour had received, with images and links that appeared to point to news stories. When he clicked on them, his phone was infected.
“They’re selling the ability for governments to turn people’s phones into spies in their pockets, digital snitches,” said Citizen Lab senior researcher John Scott-Railton.
The researchers alerted Meta and Apple about their findings. On Thursday, Meta said Cytrox was one of the seven companies it banned. It took down about 300 Facebook and Instagram accounts linked to Cytrox, which it said spoofed legitimate news outlets and social media sites to carry out phishing attacks against politicians and journalists in countries including Egypt and Armenia. Cytrox did not respond to NPR’s request for comment.
Firms that provide surveillance software and services have come under growing scrutiny this year, spurred by the uproar over NSO. Last month, the Biden administration blacklisted NSO from buying U.S. technology.
This week, a group of Congressional Democrats called on the Treasury and State Departments to sanction NSO and three other surveillance companies under the Global Magnitsky Act, which allows the government to freeze assets and ban U.S. travel for people accused of enabling human rights abuses. (That list includes none of the companies recently banned from Facebook, Instagram and WhatsApp, however.)
“Surveillance mercenaries are now handing full-service spying systems to tyrants,” Sen. Ron Wyden, D-Ore., one of those lawmakers, told NPR. “We ought to cut off these kinds of outfits like NSO from all U.S. financing, and [sanctions] ought to apply to additional spying-for-hire companies.”
NSO has said it sells its software to governments to combat terrorism and serious crime, and isn’t responsible for how it may be misused.
Security experts say the increased attention on NSO has helped put a spotlight on shadowy purveyors of spyware, but that the problem goes well beyond a few bad actors.
“The surveillance-for-hire industry is broader than a lot of people have realized,” Gleicher said. He said that’s why Meta is going public about the actions it’s taken, and why it’s calling for a collective response from the tech sector, governments and civil society groups.
That includes working with other tech companies to share information, as well as calling for increased regulation, such as “know your customer” requirements for firms selling spyware, and government action such as sanctions.
“Almost every autocrat and dictator around the world is being pitched this kind of technology for surveillance,” Citizen Lab’s Scott-Railton said. “It’s really important that we get to a place where there are big global norms and regulations around this kind of technology. Otherwise, it’s just gas on the authoritarian fire.”
Editor’s note: Meta pays NPR to license NPR content.