NOTE: Al Jazeera has just published my latest piece on how the incoming Biden administration will address Israel, Iran, Saudi Arabia and Middle East issues in general. Please give it a read and promote it via social media.
It is uncharacteristic of me to praise any technology executive or company. In fact, I have often criticized such companies and their policies here. But Microsoft president Brad Smith deserves such credit. He published a landmark essay which laid down a marker for all other technology companies. It called out cyber-hacking as a global evil that must be addressed both in the United States and around the world. It called for states to join together to thwart such cyber-attacks and to legislate the companies which profit from them out of business. It is a clarion call for reform of U.S. cyber-security law and a global effort to confront cyber-hacking. I am especially highlighting the portions relevant to the Israeli cyber-hacking company NSO Group, the biggest player in this field:
[One] evolving threat…[is] the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries. This phenomenon has reached the point where it has acquired its own acronym – PSOAs, for private sector offensive actors. Unfortunately, this is not an acronym that will make the world a better place…
NSO represents the increasing confluence between sophisticated private-sector technology and nation-state attackers…Th[ey are] a growing option for nation-states to either build or buy the tools needed for sophisticated cyberattacks…An industry segment that aids offensive cyberattacks spells bad news on two fronts. First, it adds even more capability to the leading nation-state attackers, and second, it generates cyberattack proliferation to other governments that have the money but not the people to create their own weapons. In short, it adds another significant element to the cybersecurity threat landscape…
We need to strengthen international rules to put reckless nation-state behavior out of bounds and ensure that domestic laws thwart the rise of the cyberattack ecosystem. While the world has important international norms and laws to address nation-state attacks, we continue to believe it is important to fill in gaps and continue to develop clear and binding legal obligations for cyberspace.
This should build on the lessons of 2020 and prioritize key and specific areas. For example, it should include the continued development of rules to expressly forbid the type of broad and reckless activity used against SolarWinds and its customers, which tampered with legitimate software and threatened the stability of a broader software supply chain. The international community has been moving in this direction, building on a 2015 report by a United Nations Group of Governmental Experts that received broad UN endorsement last year, as well as multi-stakeholder support by the Global Commission on the Stability of Cyberspace (GCSC). The U.S. government and its allies need to make crystal clear their views that this type of supply chain attack falls outside the bounds of international law…
…Governments should take new and concerted steps to thwart the rise of private sector offensive actors…The sooner governments take action to put this ecosystem out of business, the better.
An early opportunity for the Biden-Harris Administration will come in an appellate judicial case involving the NSO Group itself. NSO has appealed a lower court finding that it is not immune from claims that it violated the U.S. Computer Fraud and Abuse Act by accessing mobile devices without permission. Its argument is that it is immune from U.S. law because it is acting on behalf of a foreign government customer and hence shares that government’s legal immunity. NSO’s proposed recipe would make a bad problem even worse, which is why Microsoft is joining with other companies in opposing this interpretation. The Biden/Harris Administration should weigh in with a similar view.
NSO’s legal approach, while disconcerting, does the world a service by highlighting the path needed to thwart this new cyberattack ecosystem. It’s to ensure that domestic laws clearly and strongly prohibit companies from helping governments engage in unlawful and offensive cyberattacks and investors from knowingly financing them.
Consider the analogy to other forms of societally harmful activity, like human trafficking, narcotics or terrorism itself. Governments not only take strong steps to prohibit the illegal activity itself – such as engaging in drug trafficking – but also ensure that airlines don’t transport the drugs and investors don’t finance the activity.
A similar approach is needed to deter private sector offensive actors. We need steps to ensure, for example, that American and other investors don’t knowingly fuel the growth of this type of illegal activity. And the United States should proactively pursue discussions with other countries that are giving rise to these companies, including Israel, which has a strong cybersecurity ecosystem that can be drawn into dangerous support of authoritarian regimes.
Note that the Microsoft statement assigns blame and responsibility not just to NSO, but to the investors profiting from its products and conduct. That would include the private equity firms Francisco Partners, which formerly owned NSO, and Novalpina Capital, which owns it now. If governments restrict investment in these noxious products, it will cut off the financial oxygen such companies need to survive.
This Microsoft statement joins an amicus brief filed by some of America's, and the world's, largest technology companies, including Cisco, Google, Dell, GitHub, LinkedIn and VMware, supporting WhatsApp's lawsuit against NSO. The suit accuses the Israeli company (and its clients) of hacking the devices of roughly 1,400 WhatsApp users, among them human rights activists and journalists from around the world. NSO took billions in sales from repressive regimes in the Middle East, Africa and Asia, enabling them to monitor those posing political threats to their rule. In many cases, these victims end up in prison, bankrupted by bogus criminal court charges, or dead. Finally, these companies are saying: Enough.
And if the Israeli government won't tell them "Enough" itself, then President-elect Biden and the U.S. Congress must be called upon to do the right thing and end this betrayal of the rights of assembly, speech and press freedom guaranteed under the U.S. Constitution and the UN Charter.
NSO’s “Zero-Click” Exploit, “Kismet,” Targets Al Jazeera
Citizen Lab is the leading cyber-forensic NGO exposing the misdeeds of NSO Group. It has published an account of a new NSO "product" employed largely by Gulf states, mainly Saudi Arabia and the United Arab Emirates, against their internal and external foes. During 2020, a "zero-click" exploit which Citizen Lab calls "Kismet" was used to compromise iPhones through Apple's iMessage service. Citizen Lab found that 36 personal phones belonging to journalists, producers, anchors and executives at Al Jazeera had been hacked, along with that of a journalist at London-based Al Araby TV. One caveat worth noting: the exploit was observed working against iOS 13.5.1 and, according to Citizen Lab, did not appear to work against iOS 14, so keeping devices updated remains a meaningful, if not sufficient, defense.
Al Jazeera is the leading media company in the region and offers a global audience an independent perspective on regional affairs. Al Jazeera reports on stories that could never be aired by the media outlets of these autocratic regimes. It is based in Qatar and largely funded by the Qatari government (as is Al Araby), which itself is in the midst of a battle with Saudi Arabia and its allies (which include UAE). There have been hacks and cyber-attacks by both sides against the other. But none have previously involved such an escalation in cyber-hacking technology.
A zero-click exploit compromises a device with no action needed by the target. Unlike a one-click exploit, it does not require the recipient to tap a link that downloads malware. The attacker simply sends a specially crafted message (here, an iMessage) which the device's messaging software processes automatically on receipt, and that processing hands the attacker access to the device's contents and capabilities. Kismet offers the nation-state client the following capability:
…Recording audio from the microphone including both ambient “hot mic” recording and audio of encrypted phone calls, and taking pictures. In addition, we believe the implant can track device location, and access passwords and stored credentials.
These features permit an intelligence agency to hear everything spoken within range of the device and every phone call made or received on it. Note that end-to-end encryption is no protection here: the audio is captured on the handset itself, before it is encrypted or after it is decrypted. The implant will also take pictures of whatever is happening within range of the phone and track where it goes. Access to the device's stored credentials lets the operator impersonate the user, and access to the user's passwords lets the hacker into any password-protected site the user visits, including bank accounts, medical records and other critical personal data.
Here Citizen Lab elaborates on the nature of the professional threats to these journalists:
The Al Jazeera attacks are part of an accelerating trend of espionage against journalists and news organizations. The Citizen Lab has documented digital attacks against journalists by threat actors from China, Russia, Ethiopia, Mexico, the UAE, and Saudi Arabia, among others. Other research groups have documented similar trends, which appear to be worsening with the COVID-19 pandemic. Often these attacks parallel more traditional forms of media control, and in some cases physical violence.
The increased targeting of the media is especially concerning given the fragmented and often ad-hoc security practices and cultures among journalists and media outlets, and the gap between the scale of threats and the security resources made available to reporters and newsrooms. These concerns are likely particularly acute for independent journalists in authoritarian states who, despite the fact that they play a crucial role in reporting information to the public, may be forced to work in dangerous conditions with even fewer security tools at their disposal than their peers in large news organizations.
Mirroring the Microsoft statement, Citizen Lab calls for increased vigilance and regulatory oversight of bad actors like NSO Group:
Journalists and media outlets should not be forced to confront this situation on their own. Investments in journalist security and education must be accompanied by efforts to regulate the sale, transfer, and use of surveillance technology. As the anti-detection features of spyware become more sophisticated, the need for effective regulatory and oversight frameworks becomes increasingly urgent. The abuse of NSO Group’s zero-click iMessage attack to target journalists reinforces the need for a global moratorium on the sale and transfer of surveillance technology…
These safeguards should include strengthening and expanding regional and international export controls, enacting national legislation that constrains invasive new surveillance technology such as zero-click spyware, and the expansion of mandatory due diligence requirements for spyware developers and brokers.
Circles: Hacking the Global Communications System
Earlier this month, Citizen Lab released another report concerning a different Israeli cyber-hacking company, Circles, which has been affiliated with NSO Group since 2014, when both came under the ownership of Francisco Partners. Circles offers clients a different set of hacking products which permit the interception of electronic communications by exploiting weaknesses in SS7, the signaling protocol that mobile carriers around the world use to route calls and text messages between networks. Because the attack is mounted against the carrier network rather than the handset, the target's phone need not be infected at all:
These commands allow the attacker to track the victim’s location, and intercept voice calls and SMS text messages. Such capabilities could also be used to intercept codes used for two-factor authentication sent via SMS.
Unfortunately, most U.S. wireless networks, and most of those around the world, are vulnerable to these attacks. Citizen Lab identified Circles deployments in 25 countries whose governments have used the company's technology against targeted individuals. The practical lesson for anyone who may be a target: a one-time code delivered by SMS is only as secure as the carrier network that carries it, so an app-generated code or a hardware security key, neither of which passes through the phone network, should be preferred for two-factor authentication.
Among them is Israel itself, which likely means the Shin Bet is using Circles to target its own citizens or Palestinians. However, there is one anomaly to Circles' conventions in this instance: it always identifies client states with a word starting with the first letter of the country. In this case, it uses the word "Lexus." If Israel were the customer, the word should start with an "I." It is very possible the "L" refers to Lebanon, since Israeli intelligence constantly monitors Lebanese targets. But Lebanon is a highly unlikely customer, since Israel's defense ministry would prohibit any sale of cyber-technology to a hostile neighbor. So my guess is that an Israeli intelligence agency is targeting Lebanon using Circles. I approached an Israeli security source about this. He refused to comment.
Finally, an Israeli lawsuit by Amnesty International against NSO Group revealed that the company researched specific individuals on behalf of UAE intelligence. NSO offered the targets' physical location and phone records as proof of the worth of its technology before purchase. This gives the lie to one major defense NSO uses to absolve itself of responsibility for the excesses of its clients: it claims that it does not monitor how its products are used, does not operate its products on behalf of customers, and does not know who is targeted. In this case, that is clearly false.