The spyware crisis is much bigger than NSO Group
Those international hackers for hire you’ve been hearing so much about? Turns out they do much more. A new report from Facebook parent company Meta, to accompany its enforcement against cyber-mercenaries, hammers home the scope and scale of the world’s private surveillance problem.
Spyware has gotten plenty of notice lately, but most of that attention has focused on a single firm: Israel’s NSO Group, which President Joe Biden blacklisted last month.
The Post reported recently that a United Arab Emirates agency put NSO’S proprietary spyware Pegasus on the phone of the wife of journalist Jamal Khashoggi months before his murder - despite NSO denying any involvement.
Meta’s removal of seven entities in Israel, India, China and North Macedonia, which were alleged to be probing as many as 50,000 people in more than 100 countries, punches another hole in the tired insistence that such operations focus only on criminals and terrorists: The roster of victims runs a gamut, suggesting that the only real selection criterion for these companies is whether a client is willing to pay.
Not only is the cyber-snooping industry much vaster than its most notorious representative, but its activities extend beyond what most think of when they hear the word “spyware”: the moment of exploitation when the privacysmashing tool is planted on an individual’s device.
You can’t plant a bug until you’ve found a way into the house. Surveillants start with reconnaissance that involves hoovering up publicly available information on a target. On Facebook, this often occurs through the creation of fake accounts that can view friends, likes and more.
Next comes engagement, which means building trust with or soliciting knowledge from the target or those close to them.
Firms will commonly employ fictitious personas and clever social engineering to get the job done.
Last comes the download or link that a mark must click to lay their account open to prying eyes or to turn their smartphone into a secret listening device. (The zero-click exploits made infamous by NSO are an even more menacing matter.)
Meta’s report tells regulators worldwide one thing they should already know, which is that spyware is a crisis demanding an international response - with know-your-customer rules and civil liberties assessments required of companies that want to hawk their services all over the globe.
Legislation passed by Congress this month to require a State Department list of purveyors with a history of abetting human rights abusers is a start. Yet the investigation also tells these leaders something else: Stopping a hack also involves stopping everything that comes before it.