Facebook is notifying nearly 50,000 users in more than 100 countries that they may have been targets of hacking attempts by surveillance companies working for government agencies or private clients, the company said Thursday.
Meta’s investigators concluded that these companies used Meta’s Facebook and Instagram subsidiaries for surveillance activities, mainly to research and groom targets for later infections by spyware. Each step was part of a broader targeting process the researchers called the “surveillance chain.”
The investigation’s final report, titled “Threat Report on the Surveillance-for-Hire Industry,” took aim at long-standing industry claims that the spying software is used only against terrorists and serious criminals such as drug kingpins and pedophiles. Meta’s investigation found that surveillance companies “regularly” target politicians, human rights workers, journalists, dissidents and family members of opposition figures, with few legal controls or other forms of accountability.
These findings echo those of the Pegasus Project, a global investigation of Israel-based surveillance company NSO Group by The Washington Post and 16 other news organizations, led by Paris-based journalism nonprofit Forbidden Stories. But Meta officials said that while they previously have taken enforcement actions against NSO and sued the company in 2019 for allegedly delivering spyware to users through WhatsApp, the problems posed by private surveillance companies are broader.
“The surveillance industry is much bigger than just one company, and it’s much bigger than just malware-for-hire,” said Nathaniel Gleicher, head of security policy for Meta and a co-author of Thursday’s report. “The targeting we see is indiscriminate. They’re targeting journalists. They’re targeting politicians. They’re targeting human rights defenders. They’re also targeting ordinary citizens.”
Among the companies that Meta sanctioned was a little-known surveillance firm, Cytrox, based in North Macedonia. The Meta report, which said it had removed 300 Facebook and Instagram accounts the company used to engage and deceive targets, lists 10 countries where Cytrox has customers, including Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Ivory Coast, Vietnam, the Philippines and Germany.
Overall, Meta’s report listed more than two dozen countries across six continents that used the surveillance services provided by the seven companies in the report; the victims were in more than 100 countries. The report included an example of the nearly 50,000 notifications, which are to start arriving Thursday, reading, “We believe that a sophisticated attacker may be targeting your Facebook account. Be cautious when accepting friend requests and interacting with people you don’t know.”
Pegasus and other forms of spyware allow operators to remotely turn smartphones and other computers into surveillance devices capable of listening to calls and tracking user locations, as well as stealing photos, videos, contact lists and other files. Advanced spyware can be delivered without the users knowing or taking any action, often by text message or a chat app, and then can activate the cameras and microphones built into smartphones.
The claim about Cytrox being used by Egyptian authorities is backed by a separate report, also released Thursday, by Citizen Lab, a research group at the University of Toronto that specializes in investigating spyware. It found that the iPhone 12 of Egyptian opposition figure Ayman Nour was infected by both NSO’s Pegasus spyware and a similar one by Cytrox, called Predator, on a single day in June.
An initial sign of infection was that the smartphone began “running hot” as it managed the computational demands of two types of spyware at once, the report said. These infections happened even though Nour’s iPhone had the latest version of iOS, the mobile operating system made by Apple.
Nour, speaking by video call from exile in Istanbul, said this intrusion was just the latest after years of efforts by the Egyptian government to undermine him and suppress democratic activity in the country going back to 2005, when he ran unsuccessfully for president against then-strongman Hosni Mubarak.
More recently, Nour has had personal photos of himself and private phone conversations made public in what he said were government efforts to embarrass him and undermine his role as a leader in Egypt’s political opposition. Currently the head of the Ghad El-Thawra Party, Nour called private surveillance companies “digital monsters” that should face international sanctions.
“This is something that is really dangerous, and it has real impact on politicians,” Nour said through an interpreter. “They are making use of every single word we say on our mobile phones.”
Citizen Lab said the Cytrox hack probably came from the Egyptian government, and the Pegasus one probably from the Saudis or the United Arab Emirates, both of which have been repeatedly identified by researchers as aggressive users of private surveillance services.
Cytrox did not reply to a request for comment on Thursday, nor did the Egyptian Embassy in Washington.
NSO Group issued a statement saying it did not have enough information to comment fully. “The details we do have from reporters are ambiguous both from contractual and technological perspectives and indicate with high probability there is no connection to Pegasus,” the statement said.
Meta’s actions are the latest developments in months of growing scrutiny of the global surveillance industry since the Pegasus Project in July. The NSO Group has repeatedly denied the project’s findings and said it works only with vetted countries and terminates contracts with any that violate company policies limiting the use of its spyware to only terrorists and serious criminals.
Even so, the U.S. government blacklisted NSO in November following an investigation that backed the key claims of the Pegasus Project. Apple sued NSO soon after and issued warnings to users across the world — including 11 employees working for the U.S. government in Uganda — that they had been targeted by Pegasus.
These repercussions have done little to slow the global surveillance industry, said Bill Marczak, a senior research fellow at Citizen Lab who discovered the attacks on Nour’s phone and on a phone belonging to another Egyptian. This person, who hosts a popular news program in Egypt, has opted to remain anonymous and is not named in the report.
Marczak called the nearly simultaneous hacking of Nour’s iPhone by two types of spyware remarkable evidence of how widespread such techniques have become. Never before had Citizen Lab researchers seen a single target “doubly hacked.”
“It really drives home that the story of spyware is not just the story of NSO,” said Marczak. “This is an industry that is really growing.”
The Meta report cites six other companies. One, BellTroX, is based in India. Another is based in China, though Meta researchers said they were unable to determine its name. The remaining four are based in Israel: Cognyte, Cobwebs Technologies, Bluehawk CI and Black Cube, the last of which was hired by disgraced Hollywood producer Harvey Weinstein to collect information on women accusing him of sexual misconduct and journalists covering that story.
Meta said it removed 300 fake Facebook and Instagram accounts linked to Black Cube, which it said specialized in serving people involved in legal battles — a leading purpose for hiring private surveillance, Meta investigators found. That company’s clients included private individuals, businesses and law firms worldwide, Meta’s report said.
In response to the report, Black Cube issued a statement denying Meta’s allegations and saying it complies with the laws wherever it operates. “Black Cube does not undertake any phishing or hacking and does not operate in the cyber world,” the statement said.
Cobwebs Technologies denied that it had violated any laws. “We have not been contacted by Facebook (Meta) and are unaware of any claims it has allegedly made about our services,” the statement said. Cobwebs Technologies “operates only according to the law and adheres to strict standards in respect of privacy protection.”
The list of clients for Cobwebs Technologies included an unnamed customer in the United States, as well as Bangladesh, Hong Kong, New Zealand, Mexico, Saudi Arabia and Poland.
The other companies named in the report did not respond to requests for comment.
Experts in the surveillance industry say it includes more than 100 companies that span the globe, with many having numerous international hubs of operation — a fact making a crackdown by any one country, or even a group of countries, unlikely to stop abuses.
The Meta report says surveillance companies operate by steps, starting with reconnaissance to identify information about prospective targets, and followed by a period of engagement, sometimes over social media or other communications services. This often involves the use of fake accounts — sometimes supposedly belonging to TV producers, journalists or academic researchers — that gain the trust of targeted individuals.
Finally, during the exploitation phase, the spyware is delivered to a user’s device, infecting it and allowing data collection to begin.
“The scrutiny and the pressure on NSO Group is welcome,” said David Agranovich, director of threat disruption for Meta and a co-author of the threat report. “But it can’t just be one and done. Part of the reason why we’re including all of these cases in our threat report, and why we are leaning so heavily into making people understand that this is an industry that is bigger than just one company … is in hopes that it inspires more pressure, more action and broader impact across the entirety of the surveillance-for-hire industry.”