Spies for hire are secretly targeting journalists, human rights activists and political dissidents on behalf of corporations and governments to an extent not previously understood, Facebook’s parent company said in a new report as it banned six companies and a Chinese network named in the report from its social media platforms.
“The global surveillance-for-hire industry targets people across the internet to collect intelligence, manipulate them into revealing information and compromise their devices and accounts,” says the report by Meta Platforms, the parent of Facebook, Instagram and WhatsApp. “While cyber mercenaries often claim that their services and surveillance-ware are intended to focus on criminals and terrorists, our investigation found they in fact regularly targeted journalists, dissidents, critics of authoritarian regimes, families of the opposition and human rights activists around the world.”
It’s all part of a sprawling industry “that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target or the human rights abuses they might enable,” Meta’s report says.
Nathaniel Gleicher, Meta’s security chief, said, “What this industry does is it democratizes snooping.”
A separate and related report by a Canadian research group, The Citizen Lab, describes a case study in which a phone used by an exiled Egyptian politician, Ayman Nour, was infected with two separate pieces of spyware, operated by government clients of two separate surveillance companies cited in the Meta report.
“Once you own somebody’s phone, you essentially have the next best thing to access to their mind,” said Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, a privacy rights group.
The rise of private surveillance has come to public attention most prominently through the Israeli firm NSO, which the U.S. government has blacklisted over allegations that its Pegasus software has been used to target journalists and others. The software quietly infects smartphones and can turn on cameras, voice recorders and location services without the users knowing.
NSO has denied that it allowed its products to be used for improper surveillance. Facebook sued NSO in 2019, but the Meta report says the problem goes far beyond one company.
“It’s important to realize that NSO is only one piece of a much broader global cyber mercenary ecosystem,” the report says.
The report names six companies Meta found to have engaged in “surveillance for hire,” including creating false personas on social media to fool targets into supplying personal information. The six companies were banned from Facebook, Instagram and other Meta platforms.
Four of them, CobWebs Technologies, Black Cube, Cognyte and Bluehawk CI, are based in Israel, which has long been a leader in surveillance technology. Hollywood mogul Harvey Weinstein hired Black Cube to investigate journalists who were working to uncover his sex crimes, according to court testimony.
One company banned by Meta, BellTroX, is based in India, while another, Cytrox, is headquartered in North Macedonia, Meta said.
In a statement, a spokesperson for CobWebs said: “We have not been contacted by Facebook (Meta) and are unaware of any claims it has allegedly made about our services. CobWebs operates only according to the law and adheres to strict standards in respect of privacy protection.”
A spokesperson for Black Cube said: “Black Cube does not undertake any phishing or hacking and does not operate in the cyber world. Black Cube is a litigation support firm which uses legal Humint [human intelligence] investigation methods to obtain information for litigations and arbitrations. Black Cube works with the world’s leading law firms in proving bribery, uncovering corruption, and recovering hundreds of millions in stolen assets. Black Cube obtains legal advice in every jurisdiction in which we operate in order to ensure that all our agents’ activities are fully compliant with local laws.”
The other companies did not immediately respond to requests for comment.
Meta issued its report at a delicate time for the company, which has come under heavy criticism over allegations by a former company executive that Facebook hurts children, exploits social divisions and undermines democracy in pursuit of growth and profits. The company disputes the allegations.
Gleicher said that the investigation began more than a year ago and that the timing of the report was unrelated to Meta’s public relations woes.
The report accuses the companies of deceptive practices designed to trick targets into providing information.
“Each of these companies are using fake accounts on our platforms as a core of their operation,” Gleicher said. “They’re using fake accounts to mislead or deceive people. They’re also operating on other platforms across the internet.”
In the case of Black Cube, for example, Meta said it took down about 300 Facebook and Instagram accounts linked to employees of the company, which has offices in the U.K., Israel and Spain.
“Black Cube operated fictitious personas tailored for its targets: some of them posed as graduate students, NGO and human rights workers, and film and TV producers,” the report said. “They would then attempt to set up calls and obtain the target’s personal email address, likely for later phishing attacks.”
“Our investigation found a wide range of customers, including private individuals, businesses, and law firms around the world,” Meta said. “Targeting by Black Cube on behalf of its customers was also widespread geographically and across industries, including medical, mining, minerals and energy industries. It also included NGOs in Africa, Eastern Europe, and South America, as well as Palestinian activists. They also targeted people associated with universities, telecom, high tech, consulting, legal, and financial industries, real estate development and media in Russia.”
Meta didn’t spell out all the details in its report, but it said it alerted more than 48,000 people “who we believe were targeted by these malicious activities worldwide,” including with “granular details about the types of targeting and the actor behind it so they can take steps to more effectively protect their accounts.”
To protect themselves, Gleicher said, users should run Facebook’s privacy check-ups, set up multi-factor authentication and be careful about accepting friend requests from people they don’t know.
Privacy advocates are urging Israel and other governments to better regulate who can use and sell sophisticated spying software.
“The stakes are high, because the people who are being targeted are precisely the people who stand up for human rights in situations where it is particularly difficult to do so,” Galperin said. “And we all benefit from a world where human rights are protected and where democracy is thriving. And these tools are being used as a way to quash that.”