Private, mercenary-style surveillance and hacking groups have used Facebook and Instagram to target 50,000 people in over 100 countries, according to a newly published investigation by Meta, Facebook’s parent company.
The existence of private companies that use sophisticated digital tools to pry secrets from people’s work and private lives—sometimes as part of legitimate law enforcement efforts, but also often in legally and ethically suspect ways—has been known about for some time. But the public conversation about surveillance-for-hire has long focused on just a handful of companies and capabilities even though the booming cyber-surveillance industry includes hundreds of firms around the world. Meta’s investigation, which company investigators described in detail in a press conference today, outlines private-sector mass surveillance on a scale never before revealed.
“Cyber mercenaries often claim their services and their surveillanceware are meant to focus on tracking criminals and terrorists,” said Nathaniel Gleicher, head of security policy at Facebook. “But our investigation and similar investigations by independent researchers, our industry peers, and governments have demonstrated that the targeting is in fact indiscriminate.”
He went on, “We will be providing notices to approximately 50,000 people that we believe were targeted by these companies, across our platforms and others. They include journalists, human rights advocates, activists, dissidents, clergy, political opposition figures, and their families.”
Gleicher and his team named seven surveillance companies from around the world that their investigation had found were carrying out illicit surveillance. The firms boast a vast and diverse set of customers—including the United States government.
- Cobwebs Technologies, an Israeli firm with offices and customers in the US, had 200 accounts shut down that were collecting information on targets and engaging in social engineering to reveal private information. The company is used by law enforcement, according to investigators, and it is also used to target activists, opposition politicians, and government officials in Mexico and Hong Kong. Cobwebs spokesperson Meital Levi Tal told MIT Technology Review that the company was unaware of Meta’s findings and that it “operates only according to the law and adheres to strict standards in respect of privacy protection.”
- The Israeli firm Cognyte lost 100 accounts reportedly engaged in monitoring targets including journalists and politicians around the world.
- Black Cube is an Israeli company associated with an immense list of scandals, including a history of spying on reporters. Facebook investigators say they found the firm gathering intelligence on a vast array of targets ranging from Palestinian activists to people in the medical and energy industries to academics, particularly inside Russia. Black Cube reportedly built fake personas including students, human rights workers, and film producers. Investigators say the company would typically befriend a person and then set up phone calls to obtain the target’s email address, with the likely goal of carrying out tactics like phishing attacks. When reached for comment, the company denied undertaking any hacking operations and insisted that all “agents’ activities are fully compliant with local laws.”
- Another Israeli firm, Bluehawk CI, is already well known for posing as journalists and tricking targets into installing malware. Facebook said it removed 100 accounts linked to the firm that the company concluded were being used widely against targets including political opponents of the United Arab Emirates government and businessmen across the Middle East.
- The Indian company BellTroX has been active for at least seven years in the surveillance industry. Facebook removed 400 accounts associated with the firm that investigators said were used to pose as politicians and journalists and to stage phishing attacks against victims including doctors, lawyers, activists, and members of the clergy in Angola, Argentina, Saudi Arabia, and Iceland.
- The North Macedonian firm Cytrox is engaged primarily in hacking, investigators said. The company targeted journalists and politicians around the world. Cytrox is a part of an alliance of surveillance and intelligence firms known as Intellexa. Executives at another Intellexa firm, Nexa Technologies, were indicted earlier this year for their alleged role in spying on and torturing dissidents in Libya and Egypt.
- Finally, an unidentified organization in China was linked to a vast surveillance operation that included the use of social engineering against targets and the development of malware to spy on minority groups in Xinjiang, China, as well as Myanmar and Hong Kong.
Facebook’s parent company, Meta, which sued the Israeli hacking company NSO Group in 2019, is sending cease-and-desist letters to each of the firms today as well as sharing alerts to the approximately 50,000 victims it’s identified. The alerts tell victims that “a sophisticated actor may be targeting your Facebook account” and then recommend steps to better secure their account, including running a privacy checkup.
The ultimate goal of the work, investigators said, is to prompt a bigger discussion about the surveillance-for-hire industry. They said they recommend strengthening transparency and “know your customer” laws, deepening industry collaboration to counteract surveillance firms, and increasing accountability through new legislation and export control laws.
The investigators added that not all of the firms’ work appears to contravene known laws and ethical standards—some of these companies are known to use Facebook and Instagram to carry out legitimate law enforcement and intelligence work. But both platforms have established channels for law enforcement to legally request data in a way that complies with due process and transparency.
“The targeting we’re seeing from these companies doesn’t look like that,” Gleicher said. “It’s indiscriminate targeting across society. These companies are designed to conceal who their clients are. If you’re a foreign government who wants to make it hard for defenders to find you, you hire a company like this to create a layer of obfuscation between you and the harm that occurs.”
Beyond the cease-and-desist letters and widespread removal of accounts, Gleicher did not rule out future lawsuits against any of the offending firms. Still, investigators said ferreting out for-hire surveillance activities is likely to be an ongoing challenge.
“When we see networks engage in this type of activity, we take a network approach,” said David Agranovich, director of threat disruption at Facebook. “We take down all of their activity on the platform at the same time. And knowing that they are adversarial networks, we will then work to keep them off of our platform.”