Article Details

Scrape Timestamp (UTC): 2025-09-02 20:27:04.627

Source: https://www.theregister.com/2025/09/02/commercial_surveillanceware_safe/

Original Article Text

Who watches the watchmen? Surveillanceware firms make bank, avoid oversight

Enough governments love it and it's highly lucrative

Governments can't get enough of hacking services to use against their citizens, despite their protestations that elements of the trade need sanctioning.

Only legitimate government agencies are supposed to use surveillanceware against criminal targets, but governments and companies are widely abusing this, as we've covered many times in the past. Legal surveillanceware companies have targeted activists, journalists, and even political figures, and there's also evidence that the vulns are leaking into the malware sphere.

An analysis [PDF] of the industry by security operations center specialist Sekoia shows that surveillanceware vendors are seeing business grow in leaps and bounds, and prices are going up to match.

For example, the report recounts that, in 2011, the Gamma Group - a British biz offering FinFisher spyware, first exposed by The Register, to government agencies - was charging €1,100 per infection. Four years later, the Italian vendor Hacking Team was offering similar attack code for €1 million for a full hacking service, but by 2022, an investigation into the Candiru spyware biz showed that it was charging €6 million for its surveillanceware-as-a-service operations.

"In addition to being very lucrative, documents of major leaders of the sector dating from 2011 to 2022 demonstrate that the price for spyware use is in a constant rise. This is partly due to the increased cost of acquiring vulnerabilities and exploits, but also to the important number of clients looking for spyware."

The cost of critical bugs is certainly going up, both for legitimate bug bounty programs and in the prices paid by surveillanceware buyers. While that's good news for flaw finders, it's driving up the amount companies are having to pay to locate critical vulnerabilities in their platforms.

At last month's Black Hat security conference in Las Vegas, Eric Escobar, red team leader at Sophos Advisory Services, told The Register that companies like Apple were now paying out up to $1 million for a critical, zero-click flaw in their operating systems, and Tom Gallagher, head of the Microsoft Security Response Center, told us that Microsoft paid out $17 million last year to those that poked holes in its code.

Naturally, the tech industry isn't too happy about surveillanceware snooping on its customers and has launched legal action. Meta recently scored a $168 million judgment against the Israeli NSO Group for hacking WhatsApp, although the courts took nearly five years to reach a verdict in the case.

More worryingly, it seems that surveillanceware vendors' techniques are bleeding into the criminal malware market. Researchers spotted Russia's Cozy Bear nation-state hacking group last year using surveillanceware flaws found in code from the NSO Group and others to attack Mongolia's Cabinet and Ministry of Foreign Affairs.

Government (in)action

Governments too profess to be unhappy with the industry. In 2021, the US sanctioned four companies - including the NSO Group - that were involved in surveillanceware, but this hasn't put them out of business internationally. Last year, 27 countries including the US signed up to the Pall Mall Process, calling for better regulation of the industry.

Unfortunately, some of the worst surveillanceware offenders are based in countries that signed up, and some signatories are even users of the technology. For example, Italy signed up to the Pall Mall Process, but in March, researchers at Citizen Lab at the University of Toronto discovered that the Italian government was using Paragon surveillanceware to spy on up to 90 of its own nationals, including journalists and activists, via WhatsApp. The Gulf Cooperation Council - a group including Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates - also signed up. But watchdogs have named these countries as serial abusers of surveillanceware.

Whether or not meaningful regulations come from this government activity, they would still have to be enforced, and the surveillanceware industry has proved adept at covering its tracks and staying below the radar. Corporate renamings are commonplace, as companies use resellers and shell firms to cover up activities, the report notes. For example, when French outfit Amesys was caught selling surveillanceware to the Libyan regime, it split into two companies - Nexa Technologies, based in France, and Advanced Middle East Systems (AMESys) in Dubai - and retired the original brand.

So apparently governments are going to allow the industry to prosper with just a light touch of regulation. It seems that it's just too useful to stamp out.

"The absence of effective political and regulatory safeguards has left spyware targets more exposed than ever, as infection techniques have grown more covert and resilient," the report concludes. "Vendors now deploy a broader range of attack vectors, rely on stealthier command-and-control (C2) infrastructures, and exploit zero-day vulnerabilities with increasing frequency."

Daily Brief Summary

NATION STATE ACTIVITY // Surveillanceware Industry Thrives Amidst Regulatory Challenges and Abuses

Surveillanceware firms are experiencing significant growth, driven by increased demand from government agencies despite ongoing misuse against activists, journalists, and political figures.

The cost of surveillanceware has surged, with prices rising from €1,100 per infection in 2011 to €6 million for comprehensive services by 2022.

Surveillanceware vendors are leveraging zero-day vulnerabilities and stealthier command-and-control infrastructures, complicating detection and mitigation efforts.

Despite international sanctions and regulatory calls, key players like the NSO Group continue operations, often through corporate restructuring and resellers.

Legal actions, such as Meta's $168 million judgment against the NSO Group, highlight the tech industry's resistance to unauthorized surveillance activities.

Surveillanceware techniques are increasingly infiltrating the criminal malware market, evidenced by nation-state groups using these flaws for cyber espionage.

The Pall Mall Process, signed by 27 countries, seeks better regulation, yet many signatories, including Italy, remain active users of such technologies.

Surveillanceware companies adeptly evade oversight, raising concerns about the lack of effective political and regulatory safeguards to protect potential targets.