Over the past year, researchers have documented spearphishing campaigns that appear to serve governmental interests in Azerbaijan and Qatar. Citizen Lab has reported credential theft operations targeting Egyptian civil society, and EFF has reported attacks against critics of the Kazakh government. Aside from being autocratic regimes, these countries have another common bond: all were customers of FinFisher and Hacking Team, the German-British and Italian companies that were pioneers in selling hacking-as-a-service products to governments all over the world.

In all four reports, another strange theme emerges: the campaigns targeting dissidents had suddenly devolved into much cruder operations based on open source tools, basic spearphishing, and amateur malware. What would lead countries that had spent hundreds of thousands of dollars on malware made by specialized foreign companies to abandon their sophisticated platforms for rudimentary tools?
Scraping the dregs of autocratic states with incompetent security agencies poses risks for the vendor itself. Government-grade malware vendors are ideal examples of an underappreciated aspect of cyber security: exposure risk.

North Korea can openly broadcast its development of nuclear weapons with the understanding that demonstrating a thermonuclear device does not substantially help South Korea protect against an attack on Seoul. The analysis and attribution of North Korean malware, by contrast, lets antivirus companies improve their defensive protection and lets researchers uncover other operations that reuse the same tooling. Hence the surveillance industry's predicament: an errant attack does not just provide insight into the operations of one customer; one bad client can disrupt every operation connected to every client.

Hacking Team learned this repeatedly, the hard way. When the Ethiopian Information Network Security Agency targeted independent journalists, Citizen Lab acquired a sample of the malware and used forensic investigative techniques to identify other customers. Seemingly unwilling to learn, when Ethiopia found a new vendor this year, it once again burned the company (Cyberbit) by inanely targeting a well known cybersecurity researcher with an attack written in Comic Sans font. This time too, the incident painted a descriptive trail of the malware developer's operations and potential other clients. Even more catastrophically, Google has taken the step of removing surveillance malware from NSO Group and other vendors from victim devices and notifying the users. And Apple pushed out a patch that closed NSO Group's infamous iPhone exploit not only for the United Arab Emirates, whose operation exposed it, but for every other NSO customer as well.
Surveillance vendors face more competition within an overall more difficult market and with greater risk.
Not only do the malware companies not have an entirely unique product, it's questionable whether they are the most efficient tool. As device protections improve, the easiest route to the private communications of a dissident is not malware but credential theft: stealing passwords, an easier attack to orchestrate. People's entire lives are in their email and social network accounts, and a bit of social engineering is sufficient to get in. After all, the breach of John Podesta's emails appears to have been accomplished through a simple Google impersonation page of the kind sent to hundreds or thousands of other targets. But credential theft is different from Hacking Team's normal services and lends itself more to sustained espionage by dedicated, integrated teams.

Commodity spyware will accomplish many of the goals not covered by credential theft, such as location tracking and interception of chat messages. Why bother acquiring scarce exploits and other non-durable goods, such as software signing certificates, unless it's absolutely necessary?

Nor was Hacking Team able to create the internal technical capacity that its clients lacked in the first place. Despite spending $384,000 on Hacking Team, Azerbaijan's Ministry of National Security repeatedly failed to understand the basics of the platform, according to leaked emails. Hacking Team's leaked inboxes are filled with exchanges mocking its Azerbaijani client and others for their basic incompetence. If a security agency cannot operate a commodity remote access tool like Netwire, it is not going to have more success with Hacking Team. How long would Azerbaijan keep paying for a product it could not use?

Thus the market trend is also driven by a race to the bottom. Criminal operations are less expensive, ask even fewer questions, and will perform the whole attack on their own. By some indications, Qatari surveillance against labor rights activists appears to have been conducted by a South Asian hacker-for-hire group.
This group had also targeted jihadist organizations in Pakistan and economic institutions elsewhere in Asia, blending counterterrorism with cybercrime. For Qatar, the extracurricular activities of its contractor make little difference. Sufficient talent can be sourced anywhere: even non-government groups like Hamas have developed a formidable cyber espionage capacity, and the post-Hacking Team attacks in Azerbaijan appeared to use locally developed malware.

This is cause for some optimism for human rights defenders targeted by government hacking, despite the threat posed by the democratization of spying, with more countries engaging in intrusive surveillance. The narrowing of the middle of the market could be a positive outcome for dissidents. If authoritarian regimes skip the consultative services provided by foreign companies and opt for simpler methods, they sacrifice the unique advantage of professional malware built by sophisticated developers. This increases the chances that attacks will fail through poor execution or lack of exploits, and that the malware will be detected more often. The quality of attacks may decrease (as hinted at in the cases of former Hacking Team and FinFisher customers), and state sponsored malware campaigns could become (slightly) easier to defend against.

A changing security ecosystem will force a decision on Hacking Team and its successors such as NSO Group: do they see themselves as giant defense contractors like Raytheon, or as the infamous (and now imprisoned) weapons merchant Viktor Bout?