Dark Reading is part of the Informa Tech Division of Informa PLC



1/7/2021
03:55 PM

Even Small Nations Have Jumped into the Cyber Espionage Game

While the media tends to focus on the Big 5 nation-state cyber powers, commercial spyware has given smaller countries sophisticated capabilities, as demonstrated by a "zero-click" iMessage exploit that targeted journalists last year.

Driven by the accessibility of commercial spyware and surveillance tools, sophisticated attacks using a variety of zero-click exploits — attacks that don't require user interaction — are increasingly within the reach of smaller nations, according to The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy at University of Toronto.

In an analysis published in late December, the group detailed how nations of the Gulf Cooperation Council (GCC) in the Middle East used the commercial Pegasus spyware sold by the NSO Group to hack three dozen phones and spy on journalists and news producers. The attacks relied on a "zero-click" iMessage exploit: a specially crafted message that, without any action by the recipient, downloads and executes code on the victim's phone.


Some three dozen journalists and editors — mainly with Qatar-based news organization Al Jazeera — were targeted by the cyberattacks last year, with little ability to defend against them, says Bill Marczak, a senior research fellow at The Citizen Lab.

"Those interactive-less [exploits] take this to a new level because you can't beat this now through better digital security practices," he says. "You tell someone to always keep your OS up to date, never click on links, and they will still get hacked by something like this. The user is not in the loop anymore. There is no opportunity to notice and prevent this for them."

The attacks, which the report says were launched by GCC members against Qatari interests, underscore that smaller nations are increasingly getting into the cyber operations game by standing on the technical shoulders of offensive cybersecurity companies. While The Citizen Lab's report focused on the Israel-based NSO Group, other companies known to market surveillance tools and commercial spyware include Gamma International in the UK (owned through an offshore shell company), Hacking Team, maker of RCS, and Cyberbit, maker of PSS.

While smaller democracies typically use the tools to enable law enforcement and terrorism investigations, non-democratic countries often use the tools to enable intelligence agencies to target a variety of government priorities, including opposition members and media, Marczak says.

"The 'western' and big cyber power countries tend to view this as a law enforcement tool, while the UAEs, Saudis, and Rwandas of the world tend to view it as an intelligence tool," he says, "and they use it, not necessarily to go after crime, but to go after intelligence targets, including dissidents and journalists."

For many smaller nations, conducting cyber operations has the added benefit of helping develop a homegrown source of cyber talent. And the nations hosting the surveillance-tool companies can benefit from having a technology used by intelligence agencies around the world, potentially giving them deeper levels of access and visibility into geopolitics, Marczak says.

"So I think it is seen as an intelligence asset to host these sort of companies," he says. "And it contributes to the development of the cyber talent pipeline locally, which has benefits for the local intelligence in terms of accessing talented people who have honed their skills."

Yet in many ways the companies are unregulated, he adds. 

In a previous investigation in 2017, for example, The Citizen Lab identified Cyberbit's PSS targeting devices of Ethiopian journalists, students, and a lawyer. The Italy-based Hacking Team, creator of the RCS spyware product, had counted among its clients many countries with records of systemic human rights abuses, including Russia, Sudan, Nigeria, and Saudi Arabia — a client list revealed when the company was itself hacked in 2015.

The recent research by The Citizen Lab shows that smaller countries continue to count on commercial spyware for their capabilities, says Marczak.

"The companies that produced the spyware have pretty much free rein to sell their stuff," he says. "Until there's more robust regulation placed on the market, the level of activity of commercial spyware is only going to increase."

In the latest campaign, at least three dozen Al Jazeera journalists and editors were targeted by the NSO Group's Pegasus surveillance tool through a zero-click exploit in iMessage, delivered through Apple's servers. The researchers concluded that operators linked to the UAE were responsible for some of the attacks and operators linked to the Saudi government for others.

The increase in sophistication and further development of zero-click attacks means the companies behind commercial spyware will be less accountable, according to The Citizen Lab's report.

"The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance," the group stated. "Although this is a predictable technological evolution, it increases the technological challenges facing both network administrators and investigators."

In the end, to combat the misuse of surveillance technologies, the US, Canada, and other democracies should make human rights part of the calculus in approving such technology for export and make sure their own use is predicated on strict laws, Marczak says.

"While clearly the concern has been more on security side than the human rights side, there needs to be a broader agreement to take these issues into account in the main multilateral framework, the Wassenaar Arrangement," he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
Comments
OscarWilde, User Rank: Apprentice, 1/8/2021 | 4:00:48 PM
Human Rights Don't Exist in Brazil
There is a criminal organization in Brazil using NSO Group's Pegasus to infect devices for hack-for-hire, to incite terrorism, blackmail people, produce illegal pornography and assist in assassinations. They also have other advanced malware, like UEFI implants and even persistent implants for Kindle and Raspberry Pi. Plus face/voice recognition on every camera and microphone they can get into, in public or private places.

Brazil won't do anything to stop them. Only the FBI, CIA and NSA can stop them.

There is also the possibility that they were engaged in the hack of Bezos' smartphone.

If you know of any security researcher who wants to reverse engineer the exploits they are using, I am more than willing to help them.

If you want a story about how they operate, I am willing to work with you to expose them.