NSO Group has dominated the debate over commercial spyware vendors who sell their hacking tools to governments, but researchers and tech companies are increasingly sounding the alarm about activity in the wider surveillance-for-hire industry. As part of this effort, Google's Threat Analysis Group (TAG) is publishing details on Thursday of three campaigns that used the popular Predator spyware, developed by the North Macedonian firm Cytrox.
The University of Toronto's Citizen Lab found evidence that the state-sponsored actors who bought the exploits were located in Egypt, Armenia, Greece, and Madagascar; there may have been other customers. The hacking tools exploited five previously unknown (zero-day) vulnerabilities, as well as known flaws for which fixes were available but which victims had not applied.
It is important to shine some light on the vendor community and how they are selling exploits. If there is no regulation and no downside to using these capabilities, you will see it more and more.
Governments that lack the funds or expertise to develop their own hacking tools have been given access to an expansive array of products and services by the commercial spyware industry. This allows repressive regimes and law enforcement agencies to acquire tools for surveilling dissidents, human rights activists, journalists, political opponents, and ordinary citizens. While much attention has been paid to Apple's iPad being targeted by spyware, the operating system facing the most exploitation attempts is the one used most widely worldwide.
Huntley says the team's goal is to protect users and to detect this activity as quickly as possible.
TAG tracks more than 30 vendors, whose levels of public presence vary widely. In these campaigns, attackers sent one-time links by email that appeared to have been shortened with a standard URL shortener. The attacks were limited to a few dozen potential victims. If a target clicked the malicious link, they were taken to a malicious page that automatically deployed the exploits and then redirected them to a legitimate website. The attackers also used that page to load Cytrox's full spyware tool, Predator.
As with Apple's mobile operating system, such attacks require chaining a series of operating system vulnerabilities in order to succeed. By shipping fixes, operating system makers can break those attack chains and send the vendors back to the drawing board for new or modified exploits. Even so, the commercial spyware industry has been able to thrive.
John Scott-Railton is a senior researcher at Citizen Lab.