By Joseph Marks
Hands type on a computer keyboard in Los Angeles in this photo illustration on Feb. 27, 2013. (Damian Dovarganes/AP)
The company Lookout discovered a cache of digital messages between government officials in an unnamed nation with a relatively nascent surveillance program -- and more than a dozen companies eager to outfit it with bespoke spying tools.
The messages, which Lookout will detail at the ShmooCon cybersecurity conference, highlight how the barrier to entry for getting sophisticated spyware tools has dramatically lowered. The proliferating private market for hacking tools has allowed even poor and developing nations’ governments to scoop up troves of private conversations from critics, activists and political opponents — often far outside their borders.
“Historically, these tools were the purview of a few nations that had people to develop them in house. Now there’s another tier that don’t have the technology but can pay for it, and there are fewer checks and an even greater potential for abuse,” John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which has extensively investigated spyware, told me.
The nation that Lookout is profiling started with a $23 million budget for spyware, researchers Michael Flossman and Andrew Blaich told me. The government apparently negotiated with companies -- including major spyware players such as Italy’s Hacking Team and Israel’s NSO Group -- offering complex hacking tools that cost as little as $50,000 and as much as $7 million.
The government was mainly focused on exposing the contents of smartphones and tablets, the researchers say. Ultimately, the nation couldn’t afford what it really wanted within its price range, so it opted to build its own more moderate tool in house, the researchers said.
Lookout isn’t naming the country or providing details on its spying targets because researchers are still studying the operations, Flossman and Blaich said. The researchers discovered the messages between the government and spyware companies, along with internal communications after they were exposed by an error in a computer server the officials used.
Lookout has experience studying government spyware campaigns. The company previously uncovered what appeared to be a Pakistani military spying operation targeting the mobile phones of diplomats, military personnel, and activists in Pakistan, Afghanistan, India, Iraq, and elsewhere.
But the troves of messages shed new insight into this highly opaque form of government contracting. One big takeaway for researchers was how easy it was for the government to get pitches and compare prices from numerous spyware companies, almost as if they were contracting for construction or janitorial work rather than invasive spying tools.
“This shows the low barrier to entry when it comes to building a mobile surveillance program,” Flossman told me.
The spyware companies also mirrored more conventional businesses, offering slick sales brochures and tiered pricing options, Flossman and Blaich said.
In one case, a company trying to sell the government one hacking tool offered to throw in a second tool if the first one was discovered and patched by the software company within 40 days. The deal was off, though, if the government did something stupid that might draw the software company’s attention to the hack, the spyware company said.
The messages also provide an unusual inside look at the practices of spyware companies under frequent criticism for selling their tools to autocratic regimes that use them to spy on political opponents, journalists and human rights activists.
The spyware products sold by Hacking Team and NSO Group, for instance, are often purchased and used for legitimate law enforcement investigations -- and also to clamp down on dissent within their borders. A 2018 Citizen Lab investigation found instances of NSO Group malware in 45 nations frequently targeting civil society actors rather than criminals.
“We know that once these are in the possession of a security service there’s an incredible temptation to abuse them,” Scott-Railton told me.
Democratic National Committee headquarters in Washington. Photographer: Andrew Harrer/Bloomberg
The phishing campaign targeted dozens of DNC email addresses, but there’s no evidence it was successful, ABC News reported. The effort, which had other targets as well, used tactics similar to those employed by the Russian hacking group known alternately as Cozy Bear and APT29.
The allegations came in an amended complaint filed as part of the DNC’s lawsuit against Russia, the Trump campaign and others stemming from 2016 hacks at the DNC and the Hillary Clinton campaign that rocked the presidential election. The DNC did not allege the Trump administration knew about the post-midterm phishing campaign.
Sen. Angus King (I-Maine) in a television news interview on Capitol Hill in Washington on Dec. 9, 2014. (AP Photo/J. Scott Applewhite)
The Securing Energy Infrastructure Act would direct the energy secretary to set up a two-year pilot program within the Energy Department's National Laboratories to identify security vulnerabilities. The program would also aim to study the use of analog and physical controls to isolate and protect industrial control systems from digital attacks.
“Securing our energy infrastructure is not an abstract policy idea, it is an immediate need to protect our grid from the real threat of malign actors,” King said in a statement. “So far, the federal government has not matched this serious threat with the necessary action.” The bill passed the Senate in December in the previous Congress but it didn't advance in the House.
The U.S. Capitol building in Washington on Jan. 9. (Jonathan Ernst/Reuters)
The government also can't buy tools that automatically renew certificates to keep federal sites online. Matthew Prince, chief executive of Cloudflare, said he contacted the Justice Department and NASA to pitch his company's services including automatic renewal of certificates, but to no avail. “They’ve said ‘Thanks for the offer to help, but we don’t actually have anyone who is able to sign a new contract,’” Prince said, according to Brian. “Even agreeing to the terms of service is a contract. So they can’t even sign up for the free version of the service that would solve this problem.” Additionally, TechCrunch's Zack Whittaker has a list of federal HTTPS sites that are set to expire soon. You can see the list here.
The Justice Department headquarters in Washington on May 14, 2013. The Justice Department is among the federal agencies that the ACLU is suing. (J. David Ake/AP)
“The public has a right to know how the federal government monitors social media users and speech, whether agencies are retaining social media content, and whether the government is using surveillance products to label activists and people of color as threats to public safety based on their First Amendment-protected conduct,” Hugh Handeyside, a senior staff attorney for the ACLU’s National Security Project, said in a statement.
Rep. Douglas A. Collins (R-Ga.) at a news conference at the Republican congressional retreat in Philadelphia on Jan. 25, 2017. (Matt Rourke/AP)
— More cybersecurity news from the public sector:
A Surface Laptop computer at the hardware lab of Microsoft's main campus in Redmond, Wash., on April 20, 2017. (Mike Kane/Bloomberg News)
— More news about security incidents:
A shopper walks past a Huawei store in Beijing on July 4, 2018. (Mark Schiefelbein/AP)
— More cybersecurity news from abroad:
- ShmooCon hacker conference in Washington through Sunday.
Source: The Washington Post