[NEWS] Hackers for hire NSO Group faces scrutiny
The industry is known as “hackers-for-hire.” For clients interested in vast, sophisticated spying, it has grown to become the service of choice in the last decade. But now, this primarily self-regulated industry is gaining the attention of tech firms and regulators, keen to protect their users and citizens from intrusive digital surveillance.
In December, Facebook launched an investigation into seven hackers-for-hire firms. They found these firms had compromised around 50,000 users across their platforms. The MIT review also wrote on the recent activity of the NSO Group and its use of Pegasus, its iPhone hacking spyware. The billion-dollar company operates out of Israel, selling cyber-spying capabilities to its (mostly) government clients. And the Washington Post first revealed United Arab Emirates agents had loaded NSO spyware onto the Android phone of journalist Jamal Khashoggi’s wife months before his death.
NSO Group is now facing down several public scandals and a couple of lawsuits from Apple and Facebook over its Pegasus spyware. Hacker News reports an Apple spokesperson describes NSO Group as “notorious hackers,” calling them “amoral 21st-century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.”
Previously, in 2016, the UAE deployed NSO Group’s Pegasus software to hack human rights activist Ahmed Mansoor’s iPhone and harvest data. Meanwhile, Mansoor is still in prison, effectively silenced, on charges stemming solely from his peaceful criticism of the UAE government.
In mid-2021, NSO Group stood accused of spying on Western governments too. The firm was sanctioned by the U.S. last November, and in December, the U.S. State Department confirmed some of their own people had been hacked using Pegasus.
Facebook’s report found that a vast hacker industry, of which NSO was just one of the leading firms, had become accepted by many governments worldwide as a service, key to keeping a grip on power.
An Atlantic Council security researcher and Google cybersecurity expert, Winnona DeSombre, demonstrated a huge demand for these firms when she recently mapped the growth of cyber-hacking for hire. She argues that while much information about hackers-for-hire firms and their activities is hidden from public view, the real problem is that privately sold digital surveillance technology is “primarily self-regulated.”
According to TechNews, the industry is now “too big to fail”. Saher Naumann, a threat intelligence analyst at BAE Systems, commented that “especially in the last five years, you have more countries developing cyber capabilities.” She added, “If you don’t have a way to harness the skills or talent of the people in your country, but you have the resources to outsource, why wouldn’t you go commercial?”
And some of these countries, especially in the Middle East, are behind in cyber technology, so outsourcing is attractive to them. “They don’t want to be left behind,” Naumann says. While NSO Group faces scrutiny, it seems the global hackers-for-hire industry grows more powerful.
But not everyone is so accepting of the idea that private companies can profit from human rights abuses. Electronic Frontier Foundation (EFF), a digital rights group based in the U.S., has called for American companies connected to human rights abroad to be held accountable. EFF reports that the Ninth Circuit of the Supreme Court has determined that “… because the NSO Group is a private company, it is not immune from the lawsuit even though it serves foreign government clients.” This means that (in the U.S. at least), if foreign-sponsored cyber-surveillance infringes on the rights of journalists, activists, or politically outspoken individuals, hacker-for-hire companies can be held to account.
In other news
- FBI thwarts a years-long phishing scheme targeting authors. As proof that not only tech companies need to worry about phishing efforts, The New York Times reported on a phishing scheme affecting book publishers and targeting authors such as Margaret Atwood and Ethan Hawke that had been going on for over five years. The scammer impersonated personnel at publishing houses and sent emails seeking personal data, information about publishing schedules and agents, and even requesting manuscripts. The phishing scheme employed websites with slightly modified domains, such as penguinrandornhouse.com instead of penguinrandomhouse.com, that could be easily overlooked in an email. On January 5th, the FBI arrested Filippo Bernardini, a rights coordinator for Simon & Schuster, and charged him with wire fraud and aggravated identity theft.
- Google Street View helps authorities arrest a mobster. After being on the run for 20 years, convicted murderer Gioacchino Gammino’s time ran out on December 17th. According to The Guardian, authorities arrested Gammino in Galapagar, a town near Madrid. The fugitive was spotted on Google Street View outside El Huerto de Manu, a fruit and vegetable shop he owned. His identity was confirmed when they found a photo of him on a Facebook page for his restaurant La Cocina de Manu. Palermo prosecutor Francesco Lo Voi noted that they had been investigating Gammino for a long time, and Google Maps just confirmed his location and identity.
- Drone carrying a defibrillator saves a life in Sweden. After a 71-year-old man went into cardiac arrest, a doctor was able to utilize a defibrillator delivered by a drone to save the man’s life. The drone comes from Everdrone, and their Emergency Medical Aerial Delivery (EMADE) sends drones to locations faster than an ambulance. According to The Verge, the technology is the result of combined efforts from the Center for Resuscitation Science at Karolinska Institutet, SOS Alarm, and Region Västra Götaland. The service is now available to 200,000 residents in Sweden, and the company plans to expand further into Europe in the near future.
- Who needs a self-driving car when you have fish? In possibly the most unexpected headline of 2022 so far, scientists at Ben-Gurion University in Beersheba, Israel have taught a goldfish how to drive a small motorized fish tank. These fish proved able to navigate their vehicle to specified locations in order to earn a treat. According to research published in the journal Behavioural Brain Research and reported by the Times of Israel, the fish “were able to operate the vehicle, explore the new environment, and reach the target, regardless of the starting point, all while avoiding dead-ends and correcting location inaccuracies.”
Tip of the week
If you wish to know more about the effect of private digital surveillance on human rights, there are a few groups helping to bring the issues into the spotlight. You could sign up for EFF updates or connect with Fight for the Future to learn more about efforts to protect freedom on the Internet worldwide. Human Rights Watch is following the Ahmed Mansoor case and others affected by hackers-for-hire activities, and Amnesty Tech helps activists who think they’ve been compromised.
Most of us won’t be victims of sophisticated spyware in our lifetime, but you might still be concerned about your digital privacy online. In that case, we’d recommend two articles on the Namecheap blog: How to clean up your digital footprint, and Are ad systems eavesdropping on your smartphone?