These “cyber mercenaries”, the company noted, snooped indiscriminately on journalists, dissidents, critics of authoritarian regimes, families of opposition figures and human rights activists, while claiming that their services only targeted criminals and terrorists.
These entities, part of the global surveillance-for-hire industry, provide intrusive software and snooping services to any customer, targeting people across the internet to collect intelligence, manipulate them into revealing information, and compromise their devices and accounts, Meta said in its report following a months-long investigation.
“We’re enforcing against 7 entities we identified as systemically using fake accounts to target people across our platform and the broader internet, as well as sending malware and taking other steps to spy on their targets,” Nathaniel Gleicher, head of security policy at Facebook, tweeted.
We announced today disruptions of 7 surveillance-for-hire entities from Israel, India, North Macedonia, and China. https://t.co/JrcFYEjsbe
— Mike D (@mdvily) December 16, 2021
Outlining the stages involved in this cyber-spying process, Facebook’s parent company noted the first step was “reconnaissance”, where cyber mercenaries secretly profiled users on behalf of their clients—a stage that is usually the least visible to targets.
In this step, the mercenaries used software to automate data collection from across the internet, “pulling critical information from all available online records such as blogs, social media, knowledge management platforms like Wikipedia and Wikidata, news media, forums and ‘dark web’ sites”, the report noted.
In the second step, which Meta’s report calls “engagement”, the entities sought to establish contact with the targets—or with people close to them—in order to build trust, solicit information and trick targets into clicking on malicious links or opening malicious files.
In the final step, “exploitation”, the cyber mercenaries either phished the targets’ credentials for sensitive accounts such as email, social media and financial services, or used malicious links and attachments to compromise their devices.
While public debate and action have mainly focused on the exploitation phase, Meta said on Thursday that it was critical to disrupt the entire lifecycle of the attack as earlier stages enable the later ones.
“We often cannot tell who these firms’ clients are—this concealment seems to be a service they offer. That’s why we enforce consistently against this deceptive, violating behaviour, regardless of the firm behind it or who hired them,” Mr Gleicher added.
“Protecting people against cyber mercenaries operating across many platforms and national boundaries requires a collective effort from platforms, policymakers, and civil society to counter the underlying market and its incentive structure,” Meta noted.
In 2019, Meta (then Facebook) sued Israel-based NSO Group, whose Pegasus software has been linked to the potential surveillance of thousands of people, among them activists, journalists, dissidents and their families, including the fiancée of slain Saudi journalist Jamal Khashoggi.
NSO Group has also faced either legal action or criticism from Microsoft, Alphabet, and Cisco Systems.
In the new report, Meta has called for international oversight to establish transparency and “know your customer” standards for the global surveillance-for-hire market, and to hold the vendors in that market to those norms.
It also highlighted the need for industry collaboration to fully understand and mitigate threats from surveillance efforts, as well as domestic and global efforts to raise the accountability of these service providers through proper legislation, export controls and regulatory action.