Date: 2021-12-18
Facebook is notifying nearly 50,000 users in more than 100 countries that they may have been targets of hacking attempts by surveillance companies working for government agencies or private clients, the company said Thursday.
The notification is the result of a months-long investigation by Meta, Facebook's parent company, into what Meta officials called "cyber-mercenaries" who engage in "surveillance-for-hire." As a result, Facebook said it was taking enforcement actions against seven surveillance companies based in four countries, removing about 1,500 fake accounts, blocking malicious Web addresses and sending cease-and-desist letters to the companies.
Meta's investigators concluded that these companies used Meta's Facebook and Instagram subsidiaries for surveillance activities, mainly to research and groom targets for later infections by spyware. Each step was part of a broader targeting process the researchers called the "surveillance chain."
The investigation's final report, titled "Threat Report on the Surveillance-for-Hire Industry," took aim at long-standing industry claims that the spying software is used only against terrorists and serious criminals such as drug kingpins and pedophiles. Meta's investigation found that surveillance companies "regularly" target politicians, human rights workers, journalists, dissidents and family members of opposition figures, with few legal controls or other forms of accountability.
These findings echo those of the Pegasus Project, a global investigation of Israel-based surveillance company NSO Group by The Washington Post and 16 other news organizations, led by Paris-based journalism nonprofit Forbidden Stories. But Meta officials said that while they previously have taken enforcement actions against NSO and sued the company in 2019 for allegedly delivering spyware to users through WhatsApp, the problems posed by private surveillance companies are broader.
They're targeting politicians, journalists
"The surveillance industry is much bigger than just one company, and it's much bigger than just malware-for-hire," said Nathaniel Gleicher, head of security policy for Meta and a co-author of Thursday's report. "The targeting we see is indiscriminate. They're targeting journalists. They're targeting politicians. They're targeting human rights defenders. They're also targeting ordinary citizens."
Among the companies that Meta sanctioned was a little-known surveillance firm, Cytrox, based in North Macedonia. The Meta report, which said it had removed 300 Facebook and Instagram accounts the company used to engage and deceive targets, lists 10 governments that hire Cytrox, including Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Ivory Coast, Vietnam, the Philippines and Germany.
Overall, Meta's report listed more than two dozen countries across six continents that used the surveillance services provided by the seven companies in the report; the victims were in more than 100 countries. The report included an example of the nearly 50,000 notifications, which are to start arriving Thursday, reading, "We believe that a sophisticated attacker may be targeting your Facebook account. Be cautious when accepting friend requests and interacting with people you don't know."
Pegasus and other forms of spyware allow operators to remotely turn smartphones and other computers into surveillance devices capable of listening to calls and tracking user locations, as well as stealing photos, videos, contact lists and other files. Advanced spyware can be delivered without the users knowing or taking any action, often by text message or a chat app, and then can activate the cameras and microphones built into smartphones.
The claim about Cytrox being used by Egyptian authorities is backed by a separate report, also released Thursday, by Citizen Lab, a research group at the University of Toronto that specializes in investigating spyware. It found that the iPhone 12 of Egyptian opposition figure Ayman Nour was infected by both NSO's Pegasus spyware and a similar one by Cytrox, called Predator, on a single day in June.
An initial sign of infection was that the smartphone began "running hot" as it managed the computational demands of two types of spyware at once, the report said. These infections happened even though Nour's iPhone had the latest version of iOS, the mobile operating system made by Apple.
Nour, speaking by video call from exile in Istanbul, said this intrusion was just the latest after years of efforts by the Egyptian government to undermine him and suppress democratic activity in the country going back to 2005, when he ran unsuccessfully for president against then-strongman Hosni Mubarak.