For years, surveillance-for-hire companies have quietly used Facebook, Instagram, and WhatsApp as springboards to target people in more than 100 countries. Today, Meta removed seven of them from its platforms, and is notifying more than 50,000 people that they may have been impacted by the activity. Meta says that many are journalists, human rights activists, dissidents, political opposition figures, and clergy, but that others are simply everyday people, like someone who is party to a lawsuit.
Meta conducted extensive account takedowns and dismantled other infrastructure on its platforms as part of the action, banned the organizations, and sent them cease and desist warnings. The company says it is also sharing its research and indicators of compromise publicly so other platforms and security organizations can better identify similar activity. The findings underscore the breadth of the targeted surveillance industry and the massive scope of targeting it enables worldwide.
“Cyber mercenaries often claim that their services and their surveillance-ware are meant to focus on tracking criminals and terrorists, but our investigations and similar investigations by independent researchers, our industry peers, and governments have demonstrated that the targeting is in fact indiscriminate,” Nathaniel Gleicher, Meta’s head of security policy, said on a Thursday call with reporters. “These companies … are building tools to manage fake accounts, to target and surveil people, to enable to the delivery of malware, and then they’re providing them to any clients who are most interested—the clients who are willing to pay. Which means that there are far more threat actors able to use these tools than there would be without this industry.”
The seven surveillance companies Meta is taking action against are Cobwebs Technologies, an Israeli web intelligence firm with offices in the US, Cognyte, an Israeli firm formerly known as WebintPro, Black Cube, an Israeli firm with a presence in the United Kingdom and Spain, Bluehawk CI, which is based in Israel and has offices in the US and UK, BellTroX, based in India, Cytrox, a North Macedonian firm, and an unknown group based in China.
Meta emphasizes that the surveillance-for-hire industry overall conducts its work in three categories. You can think of it as phases of a surveillance chain; different firms have different specialities within that superstructure.
The first phase is “reconnaissance,” in which firms broadly collect information about targets, often through automated, bulk collection on the public internet and dark web. The second stage is “engagement,” in which operators actually reach out to targets, attempting to establish a relationship and build trust with them. Surveillance companies set up fake profile and personas, posing as, say, grad students or journalists to have an excuse to reach out to targets. They may also distribute fabricated content and misinformation, all to build a rapport. And the third stage is “exploitation,” or “hacking for hire,” in which actors can exploit this trust if needed to get targets to provide information, click a malicious link, download a malicious attachment, or take some other type of action.
