
1/7/2021
03:55 PM

Even Small Nations Have Jumped into the Cyber Espionage Game

While the media tends to focus on the Big 5 nation-state cyber powers, commercial spyware has given smaller countries sophisticated capabilities, as demonstrated by a "zero-click" iMessage exploit that targeted journalists last year.

Driven by the accessibility of commercial spyware and surveillance tools, sophisticated attacks using a variety of zero-click exploits — attacks that don't require user interaction — are increasingly within the reach of smaller nations, according to The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy at University of Toronto.

In an analysis published in late December, the group detailed how nations of the Gulf Cooperation Council (GCC) in the Middle East used the commercial Pegasus spyware sold by the NSO Group to hack three dozen phones and spy on journalists and news producers. The attacks used a "zero-click" iMessage exploit: a specially crafted message that downloads and executes code on the victim's phone without any action by the user.


Some three dozen journalists and editors — mainly with Qatar-based news organization Al Jazeera — were targeted by the cyberattacks last year, with little ability to defend against them, says Bill Marczak, a senior research fellow at The Citizen Lab.

"Those interactive-less [exploits] take this to a new level because you can't beat this now through better digital security practices," he says. "You tell someone to always keep your OS up to date, never click on links, and they will still get hacked by something like this. The user is not in the loop anymore. There is no opportunity to notice and prevent this for them."

The attacks — purportedly launched by members of the GCC against Qatari interests, according to the report — underscore that smaller nations are increasingly getting into the cyber operations game by standing on the technical shoulders of offensive cybersecurity companies. While The Citizen Lab's report focused on the Israel-based NSO Group, other companies known to market surveillance tools and commercial spyware include Gamma International in the UK (owned through an offshore shell company), Hacking Team with its RCS product, and Cyberbit with its PSS product.

While smaller democracies typically use the tools to enable law enforcement and terrorism investigations, non-democratic countries often use the tools to enable intelligence agencies to target a variety of government priorities, including opposition members and media, Marczak says.

"The 'western' and big cyber power countries tend to view this as a law enforcement tool, while the UAEs, Saudis, and Rwandas of the world tend to view it as an intelligence tool," he says, "and they use it — not necessarily to go after crime — but to go after intelligence targets, including dissidents and journalists."

For many smaller nations, conducting cyber operations has the added benefit of helping develop a homegrown source of cyber talent. And the nations hosting the surveillance-tool companies can benefit from having a technology used by intelligence agencies around the world, potentially giving them deeper levels of access and visibility into geopolitics, Marczak says.

"So I think it is seen as an intelligence asset to host these sort of companies," he says. "And it contributes to the development of the cyber talent pipeline locally, which has benefits for the local intelligence in terms of accessing talented people who have honed their skills."

Yet in many ways the companies are unregulated, he adds.

In a previous investigation in 2017, for example, The Citizen Lab identified Cyberbit's PSS targeting devices of Ethiopian journalists, students, and a lawyer. The Italy-based Hacking Team, creator of the RCS spyware product, had counted among its clients many countries with records of systemic human rights abuses, including Russia, Sudan, Nigeria, and Saudi Arabia — a client list revealed when the company was itself hacked in 2015.

The recent research by The Citizen Lab shows that smaller countries continue to count on commercial spyware for their capabilities, says Marczak.

"The companies that produced the spyware have pretty much free rein to sell their stuff," he says. "Until there's more robust regulation placed on the market, the level of activity of commercial spyware is only going to increase."

In the latest campaign, at least three dozen Al Jazeera journalists and editors were targeted by the NSO Group's Pegasus surveillance tool through a zero-click exploit in iMessage delivered through Apple's servers. The researchers concluded that nation-state actors linked to the UAE were responsible for some of the attacks, while the Saudi government was responsible for other attacks.

The increase in sophistication and further development of zero-click attacks means the companies behind commercial spyware will be less accountable, according to The Citizen Lab's report.

"The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance," the group stated. "Although this is a predictable technological evolution, it increases the technological challenges facing both network administrators and investigators."

In the end, to combat the misuse of surveillance technologies, the US, Canada, and other democracies should make human rights part of the calculus in approving such technology for export and make sure their own use is predicated on strict laws, Marczak says.

"While clearly the concern has been more on the security side than the human rights side, there needs to be a broader agreement to take these issues into account in the main multilateral framework, the Wassenaar Arrangement," he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
OscarWilde
User Rank: Apprentice
1/8/2021 | 4:00:48 PM
Human Rights Don't Exist in Brazil
There is a criminal organization in Brazil using NSO Group's Pegasus to infect devices for hack for hire, to incite terrorism, blackmail people, produce illegal pornography and assist in assassinations. They also have other advanced malware, like UEFI implants and even persistent implants for Kindle and Raspberry Pi. Plus face/voice recognition on every camera and microphone they can get into, in public or private places.

Brazil won't do anything to stop them. Only the FBI, CIA and NSA can stop them.

There is also the possibility that they were engaged on the hack of Bezos' smartphone.

If you know of any security researcher who wants to reverse engineer the exploits they are using, I am more than willing to help them.

If you want a story about how they operate, I am willing to work with you to expose them.