Private, mercenary-style surveillance and hacking groups have used Facebook and Instagram to target 50,000 people in over 100 countries, according to a newly published investigation by Meta, Facebook’s parent company.
The existence of private companies that use sophisticated digital tools to pry secrets from people’s work and private lives—sometimes as part of legitimate law enforcement efforts, but also often in legally and ethically suspect ways—has been known about for some time. But the public conversation about surveillance-for-hire has long focused on just a handful of companies and capabilities even though the booming cyber surveillance industry includes hundreds of firms around the world. Meta’s investigation, which company investigators described in detail in a press conference today, outlines private-sector mass surveillance on a scale never before revealed.
“Cyber mercenaries often claim their services and their surveillanceware are meant to focus on tracking criminals and terrorists,” said Nathaniel Gleicher, head of security policy at Facebook. “But our investigation and similar investigations by independent researchers, our industry peers and governments have demonstrated that the targeting is in fact indiscriminate.”
“We will be providing notices to approximately 50,000 people that we believe were targeted by these companies, across our platforms and others. They include journalists, human rights advocates, activists, dissidents, clergy, political opposition figures, and their families.”
Gleicher and his team named seven surveillance companies from around the world that their investigation had revealed as carrying out illicit surveillance. The firms boast a vast and diverse set of customers—including the United States government.
- Cobwebs Technologies, an Israeli firm with offices and customers in the US, had 200 accounts shut down that were collecting information on targets and engaging in social engineering to reveal private information. The company is used by law enforcement, according to investigators, and it is also used to target activists, opposition politicians, and government officials in Mexico and Hong Kong. Cobwebs spokesperson Meital Levi Tal told MIT Technology Review that the company was unaware of Meta’s findings and that it “operates only according to the law and adheres to strict standards in respect of privacy protection.”
- The Israeli firm Cognyte lost 100 accounts reportedly engaged in monitoring targets including journalists and politicians around the world.
- Black Cube is an Israeli company with an immense list of scandals surrounding it, including a history of spying on reporters. Facebook investigators say they found the firm gathering intelligence on a vast array of targets ranging from Palestinian activists to people in the medical and energy industries as well as academics, particularly inside Russia. Black Cube reportedly built fake personas including students, human rights workers, and film producers. Investigators say Black Cube would typically befriend a person they’re targeting, then set up phone calls to obtain their email address with the likely goal of hacking them through tactics like phishing attacks. When reached for comment, the company denied it undertakes any hacking operations and insisted that all “agents’ activities are fully compliant with local laws.”
- Another Israeli firm, Bluehawk CI, is already well known for posing as journalists and tricking targets into installing malware. Facebook said they removed 100 accounts linked to the firm that they concluded were being used widely against targets including political opponents of the United Arab Emirates government and businessmen across the Middle East.
- The Indian company BellTroX has been active for at least seven years in the surveillance industry. Facebook removed 400 accounts associated with the firm that investigators said were used to pose as politicians and journalists and to stage phishing attacks against victims including doctors, lawyers, activists, and members of the clergy in Angola, Argentina, Saudi Arabia, and Iceland.
- The North Macedonian firm Cytrox is engaged primarily in hacking, investigators said. The company targeted journalists and politicians around the world. Cytrox is a part of an alliance of surveillance and intelligence firms known as Intellexa. Executives at another Intellexa firm, Nexa Technologies, were indicted earlier this year for their alleged role in the spying on and torture of dissidents in Libya and Egypt.
- Finally, an unidentified organization in China was linked to a vast surveillance operation that included the use of social engineering against targets and the development of malware to spy on minority groups in Xinjiang, China, Myanmar, and Hong Kong.
Facebook’s parent company Meta, which sued the Israeli hacking company NSO Group in 2019, is sending cease and desist letters to each of the firms today as well as sharing alerts to the approximately 50,000 victims they’ve identified. The alerts tell a victim that “a sophisticated actor may be targeting your Facebook account” and then recommend steps to better secure their account, including running a privacy checkup.
The ultimate goal of the work, investigators said, is to prompt a bigger discussion about the surveillance-for-hire industry. They said they recommend stronger transparency and “know your customer” laws, deepening industry collaboration to counteract surveillance firms, and raising accountability through new legislation and export control laws.
The investigators added that not all of the firms’ work appears to contravene known laws and ethical standards—some of these companies are known to use Facebook and Instagram to carry out legitimate law enforcement and intelligence work. But both platforms have established channels for law enforcement to legally request data in a way that complies with due process and transparency.
“The targeting we’re seeing from these companies doesn’t look like that,” Gleicher said. “It’s indiscriminate targeting across society. These companies are designed to conceal who their clients are. If you’re a foreign government who wants to make it hard for defenders to find you, you hire a company like this to create a layer of obfuscation between you and the harm that occurs.”
Beyond the cease and desist letters, and widespread removal of accounts, Gleicher did not rule out future lawsuits against any of the offending firms. Still, investigators said ferreting out for-hire surveillance activities is likely to be an ongoing challenge.
“When we see networks engage in this type of activity, we take a network approach,” said David Agranovich, director of threat disruption at Facebook. “We take down all of their activity on the platform at the same time. And knowing that they are adversarial networks, we will then work to keep them off of our platform.”