A new bombshell report from Google provides an unprecedented look into the shadowy industry of commercial surveillance vendors - companies that develop and sell powerful spyware to government agencies around the world.
An extensive report published today by Google's Threat Analysis Group provides a behind-the-scenes look at roughly 40 commercial spyware companies that sell hacking tools and spyware to government agencies. These vendors have proliferated surveillance capabilities that were once monopolized by nations, making sophisticated cyber espionage available for purchase on the private market.
"As long as there is demand for surveillance capabilities, there will be incentives for commercial surveillance vendors (CSVs) to continue developing and selling tools, perpetuating an industry that harms high risk users and society at large," the Google report states.
The commercial spyware industry involves numerous players across the exploit supply chain. Individual vulnerability researchers discover and sell software bugs. Shady brokers peddle the exploits to commercial spyware vendors, who integrate them into end-to-end spying solutions targeting mobile devices and sell access to totalitarian regimes.
Google has termed these companies "commercial surveillance vendors" and provided profiles of several major players:
- NSO Group is an Israeli firm known for its "Pegasus" spyware, capable of stealthily infecting and monitoring iPhones and Android devices. It has been repeatedly linked to human rights abuses.
- Variston is a Barcelona-based startup collaborating with companies in the UAE to develop the "Heliconia" exploitation framework used to deliver spyware.
- Cy4Gate is an Italian company that acquired vulnerabilities from another firm called Truel IT to develop the "Epeius" Android spyware.
- Intellexa is a Cyprus-based "alliance" bundling spyware products from smaller vendors into turn-key solutions. It has been sanctioned by the U.S.
Google itself is a prime target. Half of the 72 zero-days exploiting its products since 2014 are attributed to CSVs, including 25 used in active attacks in 2022 alone. Whenever Google identifies and patches vulnerabilities in Chrome, Android, or iOS, it disrupts the operational capabilities sold by surveillance vendors to oppressive regimes.
Exploits form critical components allowing the spyware to infect devices and collect sensitive data. Vendors will chain together four or more zero-day bugs - unknown to manufacturers and users - to invisibly install their implants. Google provides multiple case studies detailing how these CSV products work, including a breakdown of NSO's sophisticated "FORCEDENTRY" exploit chain.
But even low-cost "turnkey" options are available. One offering from Intellexa can infect 10 concurrent Android and iOS devices for $8 million, or $12 million with global targeting using different country SIM cards.
The company provides custom support and training on using the web-based system that allows operators to send phishing links, track exploitation progress, and access stolen data with a few clicks.
"This is a lower-bounds estimate, as it reflects only known 0-day exploits. The actual number of 0-day exploits developed by CSVs targeting Google products is almost certainly higher after accounting for exploits used by CSVs that have not been detected by researchers, exploits where attribution is unknown, and cases where a vulnerability was patched before researchers discovered indications of exploitation in-the-wild." - Google
"By identifying and patching vulnerabilities, security researchers can break the exploit chains attackers rely on, causing disruptions and preventing attacks against users," the report explains.
The impacts of targeted commercial spyware attacks, while small in volume compared to other cyber threats, are acutely felt by victims in civil society.
Google partnered with its Jigsaw research division to highlight first-hand accounts from three individuals whose phones were hacked with Pegasus after exposing corruption or challenging authoritarianism.
Journalists Carlos Dada of El Faro in El Salvador and Galina Timchenko of Meduza in Russia experienced professional paralysis and safety concerns after learning of the spyware infections.
Human rights activist María Luisa Aguilar was "terrified" upon discovering repeated Pegasus attacks by Mexican authorities attempting to obstruct her quest for the truth about the notorious 2014 Iguala mass kidnapping.
"We lost all our sources the day we published [the spyware discovery]," Dada said. "We've always done everything we can to protect our sources, but this time it was different."
Despite the escalating risk, the surveilled continue pursuing accountability and reform. "We have no right" to leave Russian audiences at the mercy of the Kremlin's propaganda machine, Timchenko said of continuing Meduza's operations in exile.
Google is calling for concerted national and international action to rein in an industry with few guardrails.
Steps like the Biden administration's limits on spyware use, vendor sanctions, and endorsement of surveillance technology principles are positive, but the report argues much more is required, including building international cooperation, regulations, transparency, and restricting the investments fueling the surveillance market. With most CSVs marketing globally, unilateral action achieves limited impact.
"We urge the U.S. government to lead a diplomatic effort to work with the governments of the countries who harbor problematic vendors, as well as those who employ these tools, to build support for measures that limit harms caused by this industry," the report concludes. "Only through a concerted international effort can this serious risk to online safety be mitigated."
In its report, Google said it is committed to disrupting hacking campaigns conducted with these companies’ tools because they have been linked to targeted surveillance of journalists, dissidents, and politicians.
Google is proactively countering spyware threats through solutions like Safe Browsing, Gmail security, the Advanced Protection Program (APP), and Google Play Protect, as well as by maintaining transparency and openly sharing threat information with the tech community.