Meta is taking aim at private surveillance companies that it says act as “cyber mercenaries” for hire.
The Facebook parent company has banned seven of these companies from the platform, citing the targeting of users in over 100 countries. While these surveillance companies often claim that they only pursue “criminals and terrorists,” Facebook says that it has spotted them targeting users indiscriminately in what appear to be “stalking for hire” operations that are often directed against political dissidents, journalists and activists.
Seven surveillance companies banned from Facebook for “severe” violations
The mention of surveillance companies naturally brings to mind NSO Group, the Israel-based spyware firm with which Facebook has a complicated history, but NSO Group is not among the seven entities banned in this recent wave.
NSO Group makes use of extremely sophisticated zero-day exploits to penetrate Android and iOS devices; the seven outfits that Facebook banned appear to be more like old-fashioned “private investigation” operations, manually surveilling targets and in some cases attempting to hack them or con them into revealing logins.
A broader report on these global surveillance-for-hire companies, published by Meta on December 16, names the seven groups that were banned. Each of these was operating about 100 to 400 Facebook accounts. These accounts were used for a variety of tactics: impersonation of journalists and activists, “fake news” pages, and spoofed pages of legitimate companies, among other tricks. These entities were based in China, Israel, India, and North Macedonia.
The company says that it alerted about 50,000 people targeted by these surveillance companies, with granular details about their specific activities. The bans were issued for repeated violations of the Community Standards and Terms of Service that Facebook called “severe,” and consisted of Cease and Desist letters along with the blocking of each organization’s internet infrastructure.
Surveillance companies caught using malicious hacking techniques
As with NSO Group, some of these surveillance companies claim that they only assist government law enforcement entities with the tracking of criminals and terrorists. And as with NSO Group, there is apparently quite a bit of evidence that the services are used by repressive governments to track and suppress dissidents and human rights activists.
As an Apple lawsuit against NSO Group revealed, there is some question as to how personally involved the company was in assisting its clients with their operations. Meta says there is no question that the banned surveillance companies were directly engaging in stalking and hacking targets.
The surveillance companies first do reconnaissance on targets by scraping all available public information from both Facebook and other sites, as well as potentially accessing information from data breaches that is available on the dark web. Fake Facebook accounts play a role here as operatives will attempt to connect with targets to view their contacts, posts and history of engagement on the platform.
Operatives will also engage with people the target knows to try to build a network of trust, often with the eventual goal of linking them to a malicious download or attack site. Meta says that the surveillance companies are not limited to messaging or email in these campaigns, sometimes getting on the phone or even arranging video calls and meetings to socially engineer targets.
The endgame is a collection of tactics used by “black hat” criminal hackers: phishing, spoofing communications from legitimate sources, and use of vulnerabilities and malware to gain illicit access to target accounts and devices. Meta says that five of the seven groups went as far as hacking targets, while the other two stopped short at impersonation in attempts to dig up dirt.
One China-based group was apparently dealing in spyware similar to NSO Group’s Pegasus, with a focus on targeting Myanmar and Hong Kong. Another, called Cytrox and based in North Macedonia, was found to have developed its own spyware and deployed it on the phones of two Egyptians living in exile (who were also targeted by the Pegasus spyware).
The information that Meta provided about these surveillance companies indicates that they had very sophisticated and elaborate operations, and were likely catering to a clientele with deep pockets (such as nation-state entities looking to do illicit surveillance on opposition politicians and sources of troublesome investigations). One of the groups, Israel-based Bluehawk CI, went so far as to stage fake on-camera interviews while posing as legitimate media outlets such as Fox News. The apparent targets of this particular campaign were political elements in Qatar and opponents of UAE emirate Ras Al Khaimah. Another group based in Israel, Black Cube, posed as employees of legitimate NGOs and universities in an attempt to penetrate Palestinian activist organizations along with a wide variety of private businesses around the world.