Facebook (NASDAQ: FB), recently renamed Meta, has announced that it banned seven firms that were using the platform, as well as Instagram and WhatsApp, to spy on users. Across more than 100 countries, 50,000 human rights activists, celebrities, dissidents, critics of authoritarianism, and normal users were targeted.
"While these 'cyber mercenaries' often claim that their services only target criminals and terrorists, our months-long investigation concluded that targeting is in fact indiscriminate," Meta wrote in a statement. "The global surveillance-for-hire industry targets people across the internet to collect intelligence, manipulate them into revealing information and compromise their devices and accounts."
Across the company's platforms, more than 1,500 accounts were being used by these so-called "surveillance-for-hire" companies. Meta's investigation reportedly revealed that the seven companies involved are based in Israel, China, India, and North Macedonia.
"Each of these actors rely on networks of fake accounts on our platforms that are used to deceive users and mislead them," Meta's head of security policy Nathaniel Gleicher, told NPR.
According to Meta, the "cyber mercenaries" start by gathering all available information about their target, attempt to get in contact with the target or their network of friends, and finally use a phishing domain to get the users' sensitive private information or use another method to install spyware on the target's device. Spies set up fake profiles as human rights activists, nonprofit workers, journalists and media figures, and graduate students.
The spies were able to surveil their targets across other platforms, including Twitter (NYSE: TWTR), Youtube (NASDAQ: GOOGL), and email providers. The stolen information is usually then passed onto the firm's client. For instance, reportedly, one of the banned companies, Black Cube, was previously hired by Harvey Weinstein to get leverage against journalists and his accusers.
Black Cube told NPR that it "does not undertake any phishing or hacking and does not operate in the cyber world," and instead described itself as a "litigation support firm" carrying out legal investigations.
"Black Cube obtains legal advice in every jurisdiction in which we operate in order to ensure that all our agents' activities are fully compliant with local laws," the firm said in a statement.
Another of the banned firms reportedly attempted to trick critics of the government in the United Arab Emirates by posing as reporters for Fox News. According to Meta's investigation, another group had created tools for Chinese law enforcement to use to spy on Uighurs and other minority groups in Xinjiang, Myanmar, and Hong Kong. Each of the banned firms was sent a cease-and-desist letter from Meta.
Gleicher told NPR that governments and law enforcement were some of those that hired the spy firms, but that these firms aren't picky about their clients.
"Almost anyone can hire one of these firms," Gleicher said. "These firms both democratize these threats and they give an added layer of deception to the worst actors."
Meta says that it used an alert system established in 2015 to notify the 50,000 users that it believes were targeted. The information was shared with "security researchers, other platforms, and policymakers so they can take appropriate action." Meta writes that stopping these firms would require the cooperation of all of these groups.
The industry's attention was first brought to these "surveillance-for-hire" companies by NSO, the company behind the infamous Pegasus spyware. Facebook and Apple (NASDAQ: AAPL) have both sued NSO relating to its alleged misuse and abuse of their platforms. Pegasus has been implicated in the hacks and surveillance of thousands of people, including the fiancée of Jamal Khashoggi, a Saudi journalist who was assassinated in 2018, and 14 government leaders.
However, Meta says that "NSO is only one piece of a much broader global cyber mercenary industry".