Driven by the accessibility of commercial spyware and surveillance tools, sophisticated attacks using a variety of zero-click exploits — attacks that don't require user interaction — are increasingly within the reach of smaller nations, according to The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy at the University of Toronto.
In an analysis published in late December, the group detailed how nations of the Gulf Cooperative Council (GCC) in the Middle East used the commercial Pegasus spyware sold by the NSO Group to hack three dozen phones and spy on journalists and news producers. The attacks used a "zero-click" iMessage exploit that uses a specially crafted message to download and execute code on the victim's phone.
Some three dozen journalists and editors — mainly with Qatar-based news organization Al Jazeera — were targeted by the cyberattacks last year, with little ability to defend against them, says Bill Marczak, a senior research fellow at The Citizen Lab.
"Those interactive-less [exploits] take this to a new level because you can't beat this now through better digital security practices," he says. "You tell someone to always keep your OS up to date, never click on links, and they will still get hacked by something like this. The user is not in the loop anymore. There is no opportunity to notice and prevent this for them."
The attacks — purportedly launched by members of the GCC against Qatari interests, according to the report — underscore that smaller nations are increasingly getting into the cyber operations game by standing on the technical shoulders of offensive cybersecurity companies. While The Citizen Lab's report focused on the Israel-based NSO Group, other groups are known to market surveillance tools and commercial spyware, including Gamma International in the UK — owned through an offshore shell company — Hacking Team's RCS, and Cyberbit's PSS.
While smaller democracies typically use the tools to enable law enforcement and terrorism investigations, non-democratic countries often use the tools to enable intelligence agencies to target a variety of government priorities, including opposition members and media, Marczak says.
"The 'western' and big cyber power countries tend to view this as a law enforcement tool, while the UAEs, Saudis, and Rwandas of the world tend to view it as an intelligence tool," he says, "and they use it — not necessarily to go after crime — but to go after intelligence targets, including dissidents and journalists."
For many smaller nations, conducting cyber operations has the added benefit of helping develop a homegrown source of cyber talent. And the nations hosting the surveillance-tool companies can benefit from having a technology used by intelligence agencies around the world, potentially giving them deeper levels of access and visibility into geopolitics, Marczak says.
"So I think it is seen as an intelligence asset to host these sort of companies," he says. "And it contributes to the development of the cyber talent pipeline locally, which has benefits for the local intelligence in terms of accessing talented people who have honed their skills."
Yet in many ways the companies are unregulated, he adds.
In a previous investigation in 2017, for example, The Citizen Lab identified Cyberbit's PSS targeting devices of Ethiopian journalists, students, and a lawyer. The Italy-based Hacking Team, creator of the RCS spyware product, had counted among its clients many countries with records of systemic human rights abuses, including Russia, Sudan, Nigeria, and Saudi Arabia — a client list revealed when the company was itself hacked in 2015.
The recent research by The Citizen Lab shows that smaller countries continue to count on commercial spyware for their capabilities, says Marczak.
"The companies that produced the spyware have pretty much free rein to sell their stuff," he says. "Until there's more robust regulation placed on the market, the level of activity of commercial spyware is only going to increase."
In the latest campaign, at least three dozen Al Jazeera journalists and editors were targeted by the NSO Group's Pegasus surveillance tool through a zero-click exploit in iMessage delivered through Apple's servers. The researchers concluded that nation-state actors linked to the UAE were responsible for some of the attacks, while the Saudi government was responsible for other attacks.
The increase in sophistication and further development of zero-click attacks means the companies behind commercial spyware will be less accountable, according to The Citizen Lab's report.
"The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance," the group stated. "Although this is a predictable technological evolution, it increases the technological challenges facing both network administrators and investigators."
In the end, to combat the misuse of surveillance technologies, the US, Canada, and other democracies should make human rights part of the calculus in approving such technology for export and make sure their own use is predicated on strict laws, Marczak says.
"While clearly the concern has been more on the security side than the human rights side, there needs to be a broader agreement to take these issues into account in the main multilateral framework, the Wassenaar Arrangement," he says.