A new publication from Google's Threat Analysis Group focuses on commercial surveillance vendors (CSVs), whose services are purchased by governments for surveillance or espionage purposes. Google currently tracks over 40 CSVs, most of which are highly technical and capable of developing spyware and zero-day exploits to compromise their targets, particularly on Android and iOS devices.
Read details on what CSVs target, how spyware is used, the harmful impact of CSVs on individuals and society, and how companies can mitigate these cybersecurity threats.
What are commercial surveillance vendors and what do they target?
Commercial surveillance vendors are companies that sell comprehensive surveillance services to government clients. These services include spyware and the infrastructure needed to communicate with the spyware running on compromised devices. Spyware provides backdoor access to devices and enables tracking and data theft.
According to the Google Threat Analysis Group, CSVs operate openly: they have websites, marketing content, sales and engineering teams, and press relations, and some even attend conferences. Google says it is impossible to count the number of CSVs worldwide; additionally, CSVs may change their names several times to avoid public scrutiny, often in response to complaints or direct legal action against them.
NSO Group, one of the largest CSVs, whose operations have been publicly reported since 2015, remains visible and active. This is the case even though the company was added to the US Entity List for malicious cyber activities and technology companies, including Facebook and Apple, have taken legal action against it.
Whom do CSVs target?
CSV targeting differs from traditional cyberespionage operations (i.e., advanced persistent threats) in that commercial surveillance vendors target individuals, not entire networks. This makes the service very valuable to anyone who wants to monitor or spy on the activities of specific people, who are usually dissidents, journalists, human rights defenders or opposition politicians. Google previously wrote about such targeting; for example, in 2022, at least eight governments used five zero-day vulnerabilities affecting Android users against political candidates.
Spyware is the main method most CSVs use
Spyware is malicious software installed on a device. Unbeknownst to the device owner, it collects user data and sends it back to the controller (i.e., the CSV's client). CSVs usually develop spyware for mobile devices because their clients mainly want to collect SMS and other messages, emails, locations, phone calls or even audio/video recordings.
To achieve initial compromise of a device, which may be a computer or a smartphone, spyware commonly exploits vulnerabilities in its software. This initial phase may require user interaction: a 1-click exploit needs the target to perform at least one action, such as clicking a link or opening a file. Even more valuable are zero-click exploits, which require no user interaction at all and can be used to silently plant spyware on the target's device.
Furthermore, several CSVs show very deep technical expertise and are able to use zero-day vulnerabilities to infect devices. If the software vendor discovers and patches the zero-day, the CSV supplies its customer with a new one.
Since the spyware developed by CSVs mainly targets mobile phones, it mostly relies on vulnerabilities in the Android or iOS operating systems or in the software that runs on them.
The four main categories of the spyware industry
- Commercial surveillance vendors: also known as private sector offensive actors, they develop and sell spyware and its infrastructure, including initial compromise services, working exploits and data collection tools.
- Government clients: they turn to CSVs to obtain the services needed to achieve their surveillance objectives. These clients select their targets, run the campaign that delivers the malware, and then monitor and collect the data.
- Individual vulnerability researchers and exploit developers: the main source from which CSVs obtain working exploits, particularly zero-day exploits. Some of these people monetize their skills legitimately by working as defenders and helping to improve software security, while others sell vulnerabilities and/or exploits directly to CSVs or to exploit brokers. Some CSVs also have the in-house capability to conduct vulnerability research and develop the corresponding exploits.
- Exploit brokers and suppliers: individuals or companies that specialize in selling exploits. Although some CSVs develop exploits internally, they often supplement them by purchasing more exploits from third parties. Google researchers note that brokers can act as intermediaries between sellers, buyers, CSVs and government clients at every step of the process.
Google products are heavily targeted by CSVs
According to Google, CSVs are behind half of the known zero-day exploits targeting Google products such as Chrome and the Android ecosystem, which is not surprising since CSVs primarily run spyware targeting Android or iOS mobile phones.
From mid-2014 to 2023, security researchers discovered 72 zero-days used in the wild; thirty-five of these 72 exploits have been attributed to CSVs. This is a lower-bound estimate, as there are likely exploits not yet discovered and exploits whose attribution remains unknown.
Google's Threat Analysis Group has seen an acceleration in the discovery of zero-day exploits, including those attributed to CSVs. Between 2019 and 2023, 53 zero-day exploits were discovered, and 33 of them were attributed to CSVs.
CSV services can cost several million dollars
Prices for CSV services can run into the millions. For example, in 2022, Amnesty International exposed a leaked commercial proposal from the CSV Intellexa that had been posted on the cybercrime forum XSS.is. The proposal offered the full CSV service for one year, with support for Android and iOS, 10 simultaneously infected devices and more, for 8 million euros (Figure A).
Additional CSV services can be purchased. In the case of the Predator spyware, for example, adding persistence costs 3 million euros on top of the main offering. Persistence allows the customer to keep the spyware on the phone even after it is powered off and restarted.
Reported and potential damage caused by CSVs
Unlike spyware, traditional cyberespionage operations typically steal data from networks or computers and less frequently from mobile phones.
Below are two examples from Google's report on the damage caused by CSVs:
María Luisa Aguilar Rodríguez, head of international defense, and Santiago Aguirre, director of the Mexico City-based human rights organization Centro PRODH, recall that being hit by this kind of attack was “terrifying”; both had been targeted by a CSV client. Aguirre heard his own voice on local radio news, edited to make it sound as if he were allied with the local cartels. The audio had been stolen from different calls on his mobile phone and heavily edited.
Galina Timchenko, co-founder and CEO of the exiled Russian media outlet Meduza, was targeted by a CSV around February 2023. She wrote that “for weeks they had full access to my correspondence, so they could see my close circle. I was afraid for them. I feared for my friends, my colleagues and Meduza partners.” She later realized that several of the reporters who had been hacked with the Pegasus spyware had been killed, raising fears for her own safety and for that of her friends and contacts.
Furthermore, the use of spyware can also affect society as a whole. When political candidates are targeted, it “threatens a society's ability to hold free and fair elections,” Google's Threat Analysis Group wrote.
How vulnerability researchers protect themselves against CSVs
Vulnerability researchers help protect against CSVs by reporting vulnerabilities to software vendors so that zero-days get patched; however, the time from initial report to patch release can be weeks or months. Every time a zero-day vulnerability is patched, it not only protects users and businesses, it also prevents CSVs from honoring their agreements with customers and from receiving payment, in addition to increasing the cost of their operations.
How businesses can mitigate this spyware threat
These are the steps companies should take to reduce the risk of this security threat:
- Implement mobile security solutions on all employees' mobile devices.
- Train employees to recognize attempts to compromise their mobile phones, especially 1-click exploits, which require the user to click a link or open a file. Suspicious files should only be opened in sandbox environments or on systems running full host and network security solutions.
- Deploy security patches for mobile operating systems and software as soon as possible to reduce exposure to zero-click exploits.
- Where possible, do not store sensitive data on mobile phones.
- Turn off mobile phones during sensitive meetings to prevent a compromised device from intercepting conversations.
Editor's note: TechRepublic has reached out to Google for additional information about this spyware investigation. If we receive those details, this article will be updated with that information.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.