Skip to content

Global Urgency: Commercial Spyware Is Being Misused


Published:
Cybersecurity

In an era where digital espionage is prevalent, the widespread and misuse of commercial spyware pose a significant threat to national security, diplomatic relations, and individual privacy. As nations confront the escalating risks posed by these tools, intensive global efforts are underway to counter their spread and safeguard against their malicious use. From sophisticated surveillance tactics targeting high-profile figures to the covert monitoring of everyday citizens, the implications of unchecked spyware are profound and demand immediate attention. Read more in this week’s Cyber Security Insights.

At the Third Democracy Summit held on March 18, a total of 17 countries, including Sweden, Japan and the United States, issued joint statements for the need to counter the proliferation and misuse of commercial spyware through commitments which includes preventing the export of software, technology and equipment which may be used for malicious cyber activity.

The term, ‘Spyware’ has been used since the 1990’s with the first being identified to steal financial information or passwords from devices. Commercial spyware typically targets mobile platforms, smartphone operating systems and messaging apps and is used to monitor targets and capture potentially sensitive data. A growing movement, particularly in the United States, wishes to regulate the misuse of commercial spyware as they believe it poses a significant threat to national security and foreign policy interests.

The Commercial Spyware Pegasus

The NSO Group is an Israeli cyber intelligence company founded in 2010 and is known for developing and selling a spyware suite called Pegasus. Its name, NSO, is derived from the initials of its three founders, Niv, Shalev and Omri. Several of the company’s employees previously worked for the Israeli Army’s cyber division (Unit 8200) which is known to produce spying software.

Pegasus is a mobile phone spyware suite with an expansive view of a target device such as access to the device’s camera, microphone, location, images, videos, and more. After clicking on a specially crafted exploit link, an attacker can remotely install Pegasus without the target’s permission or knowledge. In March 2023, Pegasus operators were also able to remotely install the spyware on IOS versions using a zero-click exploit thus requiring no user interaction.

The NSO Group sells Pegasus to domestic and international government agencies. The company’s products are treated as Israeli state secrets and require permission from the Israeli Defense Minister to sell to government agencies in other countries.

Figure 1. NSO Group Website

Problems related to Pegasus abuse

The NSO Group states, “NSO create technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.” Agencies are buying and using Pegasus for counterterrorism and anti-crime purposes; however, others are using Pegasus for nefarious activities such as monitoring high-profile figures, foreign diplomats, journalists, dissidents and doing so violating human rights and overlooking democratic principles and the rule of law.

In September 2018, The Citizen Lab in Canada published a study that found 36 agencies were using Pegasus to monitor people in 45 countries. In at least 6 of those countries, Pegasus was used to monitor politicians, lawyers, journalists, human rights activists and dissidents.

In October 2018, Saudi journalist and dissident Jamal Khashoggi was killed by government officials at the Saudi consulate general in Istanbul, Turkey. In the case, Khashoggi’s associate Omar Abdulaziz, a Saudi national living in Canada, had his smartphone infected with Pegasus, which was used by the Saudi government. It is also alleged that the Saudi government and its allies successfully monitored Khashoggi’s family and collaborators both before and after his death leveraging the Pegasus spyware.

Figure 2. Countries with Pegasus Monitoring Targets

Figure 3. Pegasus documentation on information collected

Lawsuit filed by Meta and WhatsApp

Between late April and early May 2019, a zero-day flaw (CVE-2019-3568) in the messaging app WhatsApp was exploited to send spyware to about 1400 devices. In October of that year, Facebook (now Meta) and its WhatsApp subsidiary filed a lawsuit against the spyware maker, NSO Group, for violating the Computer Fraud Prevention Act and WhatsApp’s terms of service. The spyware was sent to lawyers, journalists, human rights activists, dissidents, government officials and diplomats from around the world.

On February 23 of this year, the US District Court ordered NSO Group to disclose to WhatsApp source code and information about its spyware products including Pegasus. Although a final ruling in the case has not yet been issued, the decision was obviously not in NSO’s favor with the company declining to publicly comment on the decision.  

Moves to regulate commercial spyware

Spyware developers, such as NSO Group, have become a problem in recent years. These companies have invested in finding and exploiting vulnerabilities in messaging apps such as WhatsApp, as well as zero-day vulnerabilities in Android, iOS, and Windows. They then exploit these vulnerabilities to provide services and break through targeted security measures. Google notes that spyware developers account for half of all zero-day attacks targeting its products and devices running Android.

Spyware from such companies is being regulated in the United States and elsewhere. In November 2021, the U.S. Government announced that it had added four foreign companies, including NSO Group, to its entity list for malicious cyber activities, a move which restricts NSO Group from buying parts and components from US companies without a special licence. The US government cited developing and providing spyware to foreign governments that used the tool to maliciously target government officials, journalists, activists, business people, academics and embassy workers.

In February, the U.S. government said it would impose visa restrictions on people involved in the exploitation of commercial spyware, including its development, sale and use, because it posed a risk to national security and foreign policy interests.

Summary

People involved in national defense, diplomacy and international business have been targeted by other countries for spyware surveillance. It is recommended to take simple measure such as not storing sensitive information on mobile devices and following security awareness programs. Commercial spyware poses a threat to nation states and well as individuals including countries that disregard human rights and want to tighten state control. Against this backdrop, we welcome global efforts to regulate and guardrail commercial spyware.

About our Cyber Security Insights

This blog post is part of our The Cyber Security Insights, that are released several times every month, providing invaluable insights into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services
Department’s OSINT Monitoring Team and NTT Security Sweden’s Incident Response Team, our content includes expert analysis on recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.

Read more Cyber Security Insights here.

Sources:

Want to know more about how we can help you with your cybersecurity?

Book a meeting with NTT Security experts to learn more about our advisory services and penetration testing. We help you protect sensitive data while ensuring privacy and convenience.