Meta will start notifying around 50,000 Facebook and Instagram users on Thursday that they were the targets of “surveillance for hire” campaigns, carried out by seven different international organizations. These surveillance groups targeted, spied on and at times attempted to exploit users in 100 countries and were hired by customers all over the world, including in the United States.
Meta uncovered the groups as part of an internal investigation, the results of which it published Thursday. Some of the activity has been reported on in the past, but the new report sheds light on the full scope of these operations.
“While these ‘cyber mercenaries’ often claim that their services only target criminals and terrorists, our months-long investigation concluded that targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition members and human rights activists,” the report reads.
Meta said it has removed the networks, has informed law enforcement and other tech companies of its findings and is sending cease-and-desist letters to the perpetrators. The report was written by Nathaniel Gleicher, Meta’s head of Security Policy; David Agranovich, director of Global Threat Disruption; and Mike Dvilyanski, head of Cyber Espionage Investigations.
These new findings follow ongoing reporting on the Israeli firm NSO Group, whose Pegasus spyware has been used by authoritarian regimes to spy on journalists, activists and other private citizens. Facebook sued NSO Group in 2019 for exploiting a vulnerability in WhatsApp’s video-calling feature. Last month, Apple announced it was also suing the group over its ForcedEntry exploit, which took advantage of a now-patched vulnerability to remotely break into people’s phones.
Meta’s latest report shows that NSO Group is far from alone in the world of companies that sell surveillance and hacking services. “Surveillance for hire is broader than any one company, and it’s broader than, I think, much of the public debate has been focused on in the last month and years,” Gleicher said on a call with reporters Thursday.
Over the course of its investigation, Meta discovered networks of accounts linked to Indian firm BellTroX, North Macedonian firm Cytrox, an unknown entity operating out of China and four separate firms run out of Israel: Cobwebs Technologies, Cognyte, Black Cube and Bluehawk CI. “These companies are democratizing access to these types of techniques,” Gleicher said.
All in, Meta removed 1,500 Facebook and Instagram accounts linked to these operations, as well as activity on WhatsApp. The companies used those accounts to conduct reconnaissance on targets, engage with them using social engineering tactics and, in some cases, exploit them through phishing campaigns and other techniques that allowed the companies to access or take control of their targets’ devices.
Gleicher stressed that while much of the public concern recently has focused on “hacking-for-hire,” or the actual delivery of malware, it’s just as important to disrupt companies in the earlier phases of these schemes, including their surveillance and social engineering operations. Once these companies have moved on to actually exploiting their targets, Gleicher said, the damage is already done.
While Meta was unable to determine exactly who the companies were working on behalf of, some past clients are already well-known. Harvey Weinstein famously hired Black Cube to try to stifle reporting in The New York Times about allegations of sexual misconduct against him. Meta’s report found instances of Black Cube accounts posing as TV and film producers to trick potential targets.
Meta also got a boost in its digging from other reporting and research. Earlier this year, The Daily Beast reported on an operation, run by Bluehawk CI, that involved a private investigator posing as a Fox News reporter in order to dig up dirt for a legal case in the United Arab Emirates. The Daily Beast’s findings led Facebook to uncover the broader Bluehawk network. Another 2020 report, out of Citizen Lab and Reuters, documented the work of India’s BellTroX. Meta said the company was active between 2013 and 2019, as covered by Reuters, but resumed its work in 2021, following a similar playbook of impersonating journalists to phish targets.
The report also sheds more light on ongoing surveillance efforts by Beijing, which Meta has discussed in the past and which Facebook whistleblower Frances Haugen recently described to Congress. In this new report, Meta said it found about 100 accounts that were used to “deliver malicious payloads” to targets as part of ongoing surveillance of minority groups throughout Asia.
The report makes clear that Facebook and Instagram are not the only platforms these groups have exploited. Many of them also market services that involve Twitter, YouTube and other social media sites. In its report, Meta urged the private sector to work together to thwart these networks. It’s unclear, however, what exactly other companies have done with the information Meta provided to them, and Gleicher didn’t answer Protocol’s question about that.
Meta is also calling on lawmakers and regulators to increase scrutiny surrounding this industry by imposing new laws and regulations on the use of this technology.