NSO Group's Recent Difficulties Could Shape the Future of the Spyware Industry

The spyware industry continues to find itself in the headlines, most notably for the controversial, and sometimes nefarious, use of spyware products.

In July 2022, Nikos Androulakis, leader of PASOK, Greece’s third largest political party, revealed there had been an attempt to infect his phone with Predator, a piece of surveillance software developed by Cytrox, now part of Greek company Intellexa.

In August, NSO Group’s CEO and co-founder Shalev Hulio stepped down and the Israeli firm laid off 100 workers following findings from the Pegasus Project, an investigation from 17 media organizations about the use of NSO’s software.

In late August, the collaborative investigation newsroom Lighthouse reported that Tykelab and its Italian owner, RCS Lab, were quietly selling powerful surveillance tech both inside and outside of the EU. The company boasted that it can "track the movements of almost anybody who carries a mobile phone, whether they are blocks away or on another continent.”

111% Spyware Surge Between 2021 and 2022

“According to the Lookout Security Graph telemetry data, in the first half of 2022, we have seen a global increase in spyware detections on customer devices of 111% over the same period in 2021,” Justin Albrecht, a mobile security researcher at Lookout, told Infosecurity Magazine. This includes advanced surveillance tooling used by nation states, such as NSO Group’s Pegasus which has reportedly been used to spy on politicians, journalists and human rights activists in several countries, “but also commodity spyware which is widely available for criminal use,” Albrecht added.

Meanwhile, Jean Gottschalk, a principal security consultant for pentesting firm Telecom Defense, told Infosecurity, “AdaptiveMobile Security, whom we collaborate with, have noticed a constant increase, year on year, of malicious packets transiting in SS7 networks.”

SS7 is a protocol created for internet service providers (ISPs) from different countries for 2G and 3G roaming purposes. Since security researchers discovered vulnerabilities in SS7 at the 2014 Chaos Communication Congress in Hamburg, the protocol and its 4G counterpart Diameter have reportedly been used by spyware firms such as Israel-based Rayzone, Cyprus-based Circle, and New-York-based Verint to get sensitive information from targeted victims. Irish firm AdaptiveMobile Security counts among a handful of SS7/Diameter firewall providers with fellow-Irish company Cellusys and US-based NetNumber.

However, SS7 is likely not used by NSO Group which employs more sophisticated 0-click methods.

Spotlight on Authoritarian Governments Using Spyware

"It is worrying that we see more and more spyware companies pop up because the trend is expanding in the wake of active scandals,” Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center (EPIC), told Infosecurity Magazine.

Researchers from the Atlantic Council found in November 2021 that 75% of companies likely selling interception or intrusion technologies marketed these capabilities to governments outside their home country — even when no intelligence relationship previously existed between the two nations.

“Five irresponsible proliferators — [Turkish firm] BTT, [Israel-based] Cellebrite, [Swedish company] Micro Systemation AB, Verint, and Vastech — have marketed their capabilities to US/NATO adversaries in the last ten years,” reads the Atlantic Council report. This was also the case of NSO Group, which technology was, according to the Pegasus Project, found to be used to target Saudi journalist Jamal Khashoggi days before he was murdered in 2018.

Despite the findings by the Atlantic Council, Cellebrite says it is not a surveillance monitoring company and its products are forensic in nature, rather than ‘spyware.' Its products have reportedly been used across the world, including by organizations that were found to violate human rights. Cellebrite claims it is scrupulous about legal and ethical use of its products.

“We’re still seeing surveillance technology being sold to authoritarian countries, as can be seen in our recent discovery that RCS Lab’s Hermit spyware was active within Kazakhstan just months ago,” said Albrecht.

"In privacy-threatening technologies, it's hard to put the genie back in the bottle. Once a technology is out in the world, it's tough to undo that development. It's much easier to put protections in place at the development stage."Calli Schroeder, global privacy counsel, Electronic Privacy Information Center (EPIC)

Focussing on NATO Countries, an Insufficient Promise

As NSO Group’s now ex-CEO has been tasked with convincing the US government to take the company out of its blocklist, the spyware company wants to get back in to Washington’s good books. The firm announced it “will ensure that the company's groundbreaking technologies are used for rightful and worthy purposes” and that it “will examine all aspects of its business, including streamlining its operations to ensure NSO remains one of the world's leading hi-tech cyber intelligence companies, focusing on NATO-member countries.”

However, this change in strategy does not convince Albrecht. “By focusing sales on NATO countries, a spyware company may give the perception that the likelihood of abuse is lower due to the civil rights protections and legal, due process within these countries compared to more authoritarian regimes,” said the security researcher.

“However, many of the recent scandals involving spyware vendors occurred within NATO countries, such as the surveillance of opposition leaders, and in some cases, the vendor of the spyware also operated out of a NATO country, as is the case with Cytrox’s Predator malware.”

Also, it is not easy to pinpoint who exactly is using the technology. “While spyware vendors may claim that their technology is only sold to law enforcement and intelligence organizations, there have been cases where the technology ended up in the hands of undesirable entities due to government corruption, as was seen in Mexico where surveillance technology ended up in the hands of drug cartels,” says Albrecht said. “Many surveillance companies make contradictory claims that their technology cannot be used against certain entities, such as NSO claiming that its tooling cannot be used against US citizens, while also claiming that they have little to no insight into who is being targeted by their malware.”

There is also the issue of what happens when spyware vendors are breached and the source code for their tooling is exposed to the broader public. “This occurred with Hacking Team and Gamma Group, which resulted in their spyware being repurposed by various threat groups,” Albrecht continued.

Global Regulations For Spyware

As with many emerging technologies, spyware is yet to have sufficient international regulations relating to its sale, purchase and use.

“As we've seen before in the development of privacy-threatening technologies, it’s hard to put the genie back in the bottle. Once a technology is out in the world, it's tough to undo that development. It's much easier to put protections in place at the development stage,” Schroeder said. She calls for “quick regulations to ban the unethical use of spyware.”

On the other hand, Gottschalk thinks we should not set our hopes too high when regulating surveillance tech. “Four years after the European Union Agency for Cybersecurity (ENISA) has recommended implementing ‘signaling security,’ as those firewalls are called, for SS7, Diameter, and 5G roaming networks, some European ISPs still lack any such protection today,” he said.

“Even if the technology is only sold to government agencies, there appears to be little effort to monitor how the technology is used and who is targeted,” Albrecht added.

Meanwhile, Schroder hopes that “maybe the repeated scandals can have a positive impact.” But she warns that to be effective, regulations on surveillance tech need to be global, enforced with strong penalties, as those companies tend to be very lucrative, and not solely focussed on the use but on whether it should be developed in the first place.

What’s Hot on Infosecurity Magazine?