Facebook is notifying nearly 50 000 users in more than 100 countries that they may have been targets of hacking attempts by surveillance companies working for government agencies or private clients, the company said on Thursday.
The notification is the result of a months-long investigation by Meta, Facebook's parent company, into what Meta officials called "cyber-mercenaries" who engage in "surveillance-for-hire."
As a result, Facebook said it was taking enforcement actions against seven surveillance companies in four countries, removing about 1 500 fake accounts, blocking malicious Web addresses and sending cease-and-desist letters to the companies.
Meta's investigators concluded that the companies used Meta's Facebook and Instagram subsidiaries for surveillance activities, mainly to research and groom targets for later infections by spyware. Each step was part of a broader targeting process the researchers called the "surveillance chain".
The investigation's final report, titled "Threat Report on the Surveillance-for-Hire Industry", took aim at long-standing industry claims that the spying software was used against only terrorists and serious criminals such as drug kingpins and paedophiles.
Meta's investigation found that surveillance companies "regularly" target politicians, human rights workers, journalists, dissidents and family members of opposition figures, with few legal controls or other forms of accountability.
The findings echo those of the Pegasus Project, a global investigation of Israeli surveillance company NSO Group by The Washington Post and 16 other news organisations, led by Paris-based journalism non-profit Forbidden Stories.
But Meta officials said that while they had taken enforcement actions against NSO and sued the company in 2019 for allegedly delivering spyware to users through WhatsApp, the problems posed by private surveillance companies were broader.
"The surveillance industry is much bigger than just one company, and it's much bigger than just malware-for-hire," said Nathaniel Gleicher, the head of security policy for Meta and a co-author of Thursday's report.
"The targeting we see is indiscriminate. They're targeting journalists. They're targeting politicians. They're targeting human rights defenders. They're also targeting ordinary citizens."
Among the companies that Meta sanctioned was a little-known surveillance firm, Cytrox, in North Macedonia. The Meta report, which said it had removed 300 Facebook and Instagram accounts the company used to engage and deceive targets, lists 10 governments that hired Cytrox – Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Ivory Coast, Vietnam, the Philippines and Germany.
Overall, Meta's report listed more than two dozen countries across six continents that used the surveillance services provided by the seven companies in the report; the victims were in more than 100 countries.
The report included an example of the nearly 50 000 notifications, which were to start arriving on Thursday, reading: "We believe that a sophisticated attacker may be targeting your Facebook account. Be cautious when accepting friend requests and interacting with people you don't know."
Pegasus and other forms of spyware allow operators to remotely turn smartphones and other computers into surveillance devices capable of listening to calls and tracking user locations, as well as stealing photos, videos, contact lists and other files. Advanced spyware can be delivered without the user’s knowing or taking any action, often by text message or a chat app, and then can activate the cameras and microphones built into smartphones.
The claim about Cytrox being used by Egyptian authorities is backed by a separate report, also released on Thursday, by Citizen Lab, a research group at the University of Toronto that specialises in investigating spyware.
It found that the iPhone 12 of Egyptian opposition figure Ayman Nour was infected by NSO's Pegasus spyware and a similar one by Cytrox, called Predator, on a day in June.
An initial sign of infection was that the smartphone began "running hot" as it managed the computational demands of two types of spyware at once, the report said. The infections happened even though Nour's iPhone had the latest version of iOS, the mobile operating system made by Apple.
Nour, speaking by video call from exile in Istanbul, said the intrusion was just the latest after years of efforts by the Egyptian government to undermine him and suppress democratic activity in the country going back to 2005, when he ran unsuccessfully for president against then-strongman Hosni Mubarak.
More recently, Nour has had personal photos of himself and private phone conversations made public in what he said were government efforts to embarrass him and undermine his role as a leader in Egypt's political opposition.
Currently the head of the Ghad El-Thawra Party, Nour called private surveillance companies "digital monsters" that should face international sanctions.
"This is something that is really dangerous, and it has real impact on politicians," Nour said through an interpreter. "They are making use of every single word we say on our mobile phones."
Citizen Lab said the Cytrox hack probably came from the Egyptian government, and the Pegasus one probably from the Saudis or the United Arab Emirates, both of which have been repeatedly identified by researchers as aggressive users of private surveillance services.
Cytrox did not reply to a request for comment on Thursday, nor did the Egyptian Embassy in Washington.
The NSO Group said it did not have enough information to comment fully. "The details we do have from reporters are ambiguous, both from contractual and technological perspectives, and indicate with high probability there is no connection to Pegasus," it said.
Meta's actions are the latest developments in months of growing scrutiny of the global surveillance industry since the Pegasus Project in July. The NSO Group has repeatedly denied its findings and said it worked with only vetted countries and terminated contracts with any that violated company policies limiting the use of its spyware to only terrorists and serious criminals.
Even so, the US government blacklisted NSO in November, following an investigation that backed the key claims of the Pegasus Project. Apple sued NSO soon after and issued warnings to users across the world, including 11 employees working for the US government in Uganda, that they had been targeted by Pegasus.
The repercussions have done little to slow the global surveillance industry, said Bill Marczak, a senior research fellow at Citizen Lab who discovered the attacks on Nour's phone and on a phone belonging to another Egyptian. The person, who hosts a popular news programme in Egypt, has opted to remain anonymous and is not named in the report.
Marczak called the nearly simultaneous hacking of Nour's iPhone by two types of spyware remarkable evidence of how widespread such techniques have become. Never before had Citizen Lab researchers seen a single target "doubly hacked".
"It really drives home that the story of spyware is not just the story of NSO," said Marczak. "This is an industry that is really growing."
The Meta report cited six other companies. One, BellTrox, was in India, and another was in China, though Meta researchers said they were unable to determine its name. The remaining four are in Israel: Cognyte, Cobwebs Technologies, Bluehawk CI and Black Cube, the last of which was hired by disgraced Hollywood producer Harvey Weinstein to collect information on women accusing him of sexual misconduct and journalists covering the story.
Meta said it removed 300 fake Facebook and Instagram accounts linked to Black Cube, which it said specialised in serving people involved in legal battles – a leading purpose for hiring private surveillance, Meta investigators found. The company's clients included private individuals, businesses and law firms worldwide, Meta's report said.
In response to the report, Black Cube denied Meta's allegations and said it complied with the laws wherever it operated.
"Black Cube does not undertake any phishing or hacking and does not operate in the cyber world," it said.
Cobwebs Technologies denied that it had violated any laws.
"We have not been contacted by Facebook (Meta) and are unaware of any claims it has allegedly made about our services," it said. Cobwebs Technologies "operates only according to the law and adheres to strict standards in respect of privacy protection".
The list of clients for Cobwebs Technologies included an unnamed customer in the US, as well as Bangladesh, Hong Kong, New Zealand, Mexico, Saudi Arabia and Poland.
The other companies named in the report did not respond to requests for comment.
Experts in the surveillance industry said it included more than 100 companies that spanned the globe, with many having numerous international hubs of operation – a fact making a crackdown by any one country, or even a group of countries, unlikely to stop abuses.
The Meta report says surveillance companies operate by steps, starting with reconnaissance to identify information about prospective targets, and followed by a period of engagement, sometimes over social media or other communications services. This often involves the use of fake accounts – sometimes supposedly belonging to TV producers, journalists or academic researchers – that gain the trust of targeted individuals.
Finally, during the exploitation phases, the spyware is delivered to a user's device, infecting it and allowing data collection to begin.
"The scrutiny and the pressure on NSO Group is welcome," said David Agranovich, the director of threat disruption for Meta and a co-author of the threat report.
"But it can't just be one and done. Part of the reason why we're including all of these cases in our threat report, and while we are leaning so heavily into making people understand that this is an industry that is bigger than just one company… is in hopes that it inspires more pressure, more action and broader impact across the entirety of the surveillance-for-hire industry."