A Swiss company that contracts with some of the world’s biggest names is being accused of selling access to governments for surveillance purposes. Mitto AG, a leading provider of text messaging services to many of the world’s most familiar names in tech, sold backdoor access to its network according to former employees and clients.
The scheme was allegedly run by co-founder and chief operating officer Ilja Gorelik and was only known to a small group of high-level employees.
Text messaging contractor accused of selling surveillance on the side
Mitto AG has carved out a niche as a leading contractor for handling automated direct messages for tech and sales platforms, particularly those going to and from areas of the world that Western companies do not have a presence in (for example, a good deal of the Middle East). The company contracts with Google, Twitter, Telegram, LinkedIn and China’s biggest domestic tech firms among its portfolio of about 100 global clients.
According to a Bloomberg News investigation, sourced from anonymous former employees and clients of Mitto AG, the highest levels of the company were also providing governments with backdoor access to its text messaging services on the side. Examples of what buyers might have had access to include two-factor verification codes, temporary passwords, and appointment reminders. Access to these messages also would have likely provided substantial information about what surveillance targets were buying on various e-commerce platforms.
But the real point of interest was not the contents of the text messaging services, but the ability to use the Mitto network to locate and directly track specific phones and to obtain call logs. Mitto’s partnerships with telecommunications providers allowed it to make use of some long-established vulnerabilities in the protocol (Signaling System 7, or SS7) that underpins much of international communication.
Developed in 1970, SS7 has long been known to be full of security holes but persists because of the high cost of replacing it on a global scale. Any “operator,” a status that Mitto AG has due to buying contracts to send bulk text messages in Switzerland, can exploit this system that was essentially built with no security (during a time when there were only a handful of operators) and has had patchwork firewall elements applied to it haphazardly since. This loophole has also been frequently exploited by text message spammers that have been kicked off of other networks.
Text messaging services exploited to track phones
According to four former employees, access was sold to select surveillance technology firms who in turn contracted with various world governments. None of Mitto AG’s clients or its telecommunications partners were aware of this arrangement. Mitto AG denied the claims when confronted by Bloomberg reporters and said that it is opening an investigation into the matter. The comments came from a Mitto representative, with Gorelik unavailable to be reached for questions.
The former employees appear to have provided documents to Bloomberg, with one indicating that in 2019 a senior U.S. State Department official was targeted for surveillance via the Mitto text messaging services. The documents did not indicate who the source of the surveillance was.
Some of the former employees say that they were initially alarmed by Gorelik’s tendency to send emails under a pseudonym and install screenshot-taking spyware on company computers. One of the sources said that Gorelik mentioned having connections to a Middle Eastern spy agency and to helping that country’s defense ministry track phones using Mitto’s text messaging services.
The sources also named Cyprus-based firm TRG Research and Development as one of the companies using Mitto’s text messaging services for surveillance of phones at the behest of government clients. The company has apparently been doing this since 2019. Two of the sources confirmed that TRG worked directly with Gorelik, a claim that TRG denies. The Bloomberg reporters note that TRG has recently posted job advertisements seeking candidates with experience in using SS7 and with knowledge of “lawful interception” practices.
Mitto AG is now facing a probe in Switzerland over the contents of the Bloomberg report. The office of the attorney general is conducting the probe along with the Federal Data Protection and Information Commissioner (FDPIC). The agencies have yet to make any public comment on the probe, but there is a possibility that this type of surveillance could be a criminal offense if it was found to favor a foreign state. The preliminary investigation will seek comment from Mitto AG and interview Swiss mobile network operators, according to a FDPIC press release.