Google’s Threat Analysis Group (TAG) has published a report detailing the operations of commercial surveillance vendors (CSVs) that provide spyware tools to governments for spying on journalists, human rights activists, politicians, and dissenters, among other groups.
The report ‘Buying Spying: How the commercial surveillance industry works and what can be done about it’, released on February 6, 2024, underlined that increasing demand for surveillance capabilities by governments across the world incentivizes the development of spyware tools, which gravely impact privacy rights and freedom of speech and expression of the affected individuals as well as society at large.
What is spyware?
The paper defines spyware, also known as an implant or agent, as “surveillance software that is surreptitiously installed on a device to collect the user’s data and send it back to the attacker.” Unlike broader cybersecurity threats such as mass-distributed malware, spyware is generally deployed against a small number of specifically chosen individuals.
As the report pointed out, while spyware vendors may point to the use of such tools for law enforcement or counter-terrorism, spyware is often abused by governments for objectives that do not fit within the construct of a free society. This mainly means snooping on journalists, human rights activists, political opponents and others, whom the TAG report categorizes as high-risk targets. For example, in October 2023, multiple Indian politicians, mainly from opposition parties, and journalists reported receiving an alert from Apple that their iPhones may have been targeted by state-sponsored attackers. The Indian Computer Emergency Response Team (CERT-In) subsequently began probing the alerts.
How do Commercial Surveillance Vendors operate?
Commercial Surveillance Vendors (CSVs) are essentially private companies involved in the development, sale, and deployment of surveillance infrastructure for governments. The report noted that CSVs sell government customers not only the spyware itself but also the “infrastructure needed to communicate with the spyware, referred to as command-and-control (C2), and the ability to monitor and collect data from the targeted device.”
The data that governments look for includes passwords, SMS messages, emails, location data and phone call records; the spyware can also covertly record audio and video. The entire process of delivering spyware to a target’s device and exfiltrating the collected data to the attacker requires technical expertise and a deep understanding of the target’s device, applications, and tools. CSVs, private companies large and small based all over the world, offer governments easy access to this capability for a price.
“Like any other software product company, they have websites and marketing materials, sales and engineering teams, job openings listed on their websites, publish press releases, and even attend conferences. The number of CSVs around the globe is impossible to count, with new companies opening each year and existing ones reincorporating under new names. TAG currently tracks approximately 40 CSVs developing and selling exploits and spyware to government customers,” the report noted.
In addition to government customers, the report identified three main categories of actor that make up the CSV industry:
- Individual vulnerability researchers and exploit developers: These are the source of exploits, code that leverages a vulnerability to gain additional access to a system such as an operating system, browser, or messaging app. These actors can monetize their work either by disclosing vulnerabilities to vendors and improving the security of these products, or by selling exploits to brokers or directly to CSVs.
- Exploit brokers and suppliers: These are individuals or companies, located all over the world, that specialize in selling exploits.
- Commercial surveillance vendors (CSV): These are also known as Private Sector Offensive Actors (PSOAs) that develop and sell spyware as a product, including the initial delivery mechanisms, exploits, the C2 infrastructure, and tools for organizing the collected data.
The report found that CSVs take different approaches to spyware development and to pitching their products. To illustrate these, the report provides an overview of five CSVs: Cy4Gate and RCS Lab, Intellexa, Negg Group, NSO Group, and Variston.
Among these, the capabilities of spyware products that the Intellexa Alliance provided to countries including France, Egypt, Saudi Arabia, Libya, and Vietnam were documented in detail by Amnesty International in its recent report ‘Predator Files: Caught in the Net’. Further, several media organizations, working together as the Pegasus Project, have widely reported on government espionage carried out using the Israeli NSO Group’s Pegasus spyware. Over 300 Indians, including journalists, activists, politicians, bureaucrats, and businessmen, were reported to be on the list of potential targets of the NSO Group’s Pegasus spyware, the New York Times revealed in 2021. Read more about the developments in India regarding the Pegasus revelations here and here.
What causes proliferation of spyware tools?
“CSVs enable the proliferation of dangerous hacking tools worldwide. Surveillance tools are expensive to develop and maintain, and the CSV market allows any entity to “pay-to-play” and have a full remote surveillance capability instead of (or in addition to) developing the tools themselves,” the paper noted, adding that as long as there is demand for surveillance capabilities, there will be incentives for CSVs to continue developing and selling tools. Further, as governments continue to buy “off-the-shelf capabilities from the CSV industry,” the paper highlighted that the use of spyware becomes increasingly normalized.
According to Google’s analysis, public reporting and direct legal action have so far proved inadequate in restricting the activities of CSVs. The report cited the well-known example of the NSO Group, whose surveillance operations were exposed as early as 2015, yet the group continues to sell its tools. The report also stated that, to avoid public scrutiny, these companies may change their names multiple times. Nevertheless, TAG emphasized that public scrutiny can be instrumental in causing temporary cessations or disruptions of their activities.
“This both prevents attacks against users, and makes it harder for CSVs to advertise and sell their products. In addition to public scrutiny, we welcome the actions of governments to contain the proliferation of dangerous tools and capabilities which threaten the safety of the Internet ecosystem and threatens the trust on which a vibrant and inclusive digital society depends,” the paper noted.
Read the complete report by Google’s Threat Analysis Group here.
- Microsoft And The Citizen Lab Identify New Israeli Spyware QuaDream: Here’s How It Works
- Multiple Indian MPs, Journalists Receive Alerts From Apple That Their Phones May Be Targets Of State Surveillance
- Pegasus Spyware: All The Latest Facts On Who Was Targeted, The Modus Operandi, And More
- Supreme Court Opens Sealed Cover Pegasus Report: Only 5 Out Of 29 Phones Infected With ‘Malware’