The Hollowing Middle of the Surveillance Malware Market

Companies will have to choose between law enforcement in the West and authoritarian countries.

Collin Anderson


Collin Anderson is a Washington DC-based researcher focused on internet measurement and information security, including documenting abuses of surveillance technologies, with an emphasis on countries that restrict the free flow of information.

Spare a moment to consider the FinFishers and Hacking Teams of the world, the forebears of a multi-million dollar market for government spyware. While their founders relished in their personas as spies-for-hire, behind the scenes they have always been startups running on thin margins with stiff competition. Increased costs, export regulations, security improvements, and the perils of belligerent clients will make their position increasingly untenable.

The international surveillance malware market that they were instrumental in creating is moving on without them. Malware vendors benefited from an initial enthusiasm from regimes that were eager to acquire new surveillance technologies. But there is some evidence that the return on investment wasn’t what regimes expected, and competitors are rising on both the high and low end of the spectrum. Meanwhile, basic cyber security dynamics make it difficult to continue to straddle the line selling to governments in authoritarian countries and law enforcement elsewhere.


Over the past year, researchers have documented spearphishing campaigns that appear to serve governmental interests in Azerbaijan and Qatar. Citizen Lab has documented credential theft operations targeting Egyptian civil society, and EFF reported attacks against critics of the Kazakh government. Aside from being autocratic regimes, these countries have another common bond: all were customers of FinFisher and Hacking Team, the German-British and Italian companies that were pioneers in selling hacking-as-a-service products to governments all over the world.

In all four reports, another strange theme emerges: the campaigns targeting dissidents had suddenly devolved into much cruder operations based on open source tools, basic spearphishing, and amateur malware. What would lead countries that had spent hundreds of thousands of dollars on malware made by specialized foreign companies to abandon their sophisticated platforms for rudimentary tools?

There’s evidence that some of these countries continue to purchase foreign surveillance technologies, including malware platforms such as those made by FinFisher, Hacking Team, or one of their now many competitors; and malware companies continue to attract clients. However, the spearphishing attempts against the activists in those four cases appeared to be conducted by operators engaged in the full hacking process, from delivery to compromise, a departure from the hands-off approach of surveillance vendors. (Historically, companies like Hacking Team and FinFisher have always claimed that their job was to simply provide the tools to their government customers, who would then operate them independently.)

The winds are changing. Malware services will be pulled in one of two directions, making it less tenable to be the middle operator that provides malware to any customer while pretending to be a reputable business.

On the one hand, law enforcement in North America and Europe will prefer domestic actors or more specialized operators that mirror defense contractors, such as with the FBI’s sourcing of investigative techniques from Carnegie Mellon. Despite bluster about moving abroad, FinFisher is still based in Germany, and when Chaouki Bekrar, the infamous vulnerability dealer who relishes in his portrayal as the ‘Darth Vader of Cybersecurity,’ decided to set up a new business, he did so in the United States. Government-focused surveillance companies can bellow about regulations, but there has been no flight from the West because that’s where the real money is.


Scraping the dregs of autocratic states with incompetent security agencies poses risks for the company itself. Government-grade malware vendors are ideal examples of an underappreciated aspect of cyber security: exposure risk.

North Korea can openly broadcast its development of nuclear weapons with the understanding that the demonstration of a thermonuclear device does not substantially enable South Korea to protect against an attack on Seoul. However, the analysis and attribution of North Korean malware enables antivirus companies to improve defensive protection and allows researchers to map out other operations. Thus the surveillance industry’s predicament: not only does an errant attack provide insight into the operations of a customer, one bad client can disrupt every operation connected to every client.

Hacking Team learned this repeatedly the hard way. When the Ethiopian Information Network Security Agency targeted independent journalists, Citizen Lab acquired a sample of the malware and used forensic investigative techniques to identify other customers. Seemingly unwilling to learn, when Ethiopia found a new vendor this year, it once again burned the company (Cyberbit) by inanely targeting a well-known cybersecurity researcher with an attack written in Comic Sans font. This time too the incident painted a descriptive trail of the malware developer’s operations and potential other clients. Even more catastrophically, Google has taken the step of removing surveillance malware from NSO Group and other vendors from victim devices and notifying users. Apple pushed down a patch that closed NSO’s infamous iPhone exploit for customers other than the United Arab Emirates.

There is an open market to sell to law enforcement entities in Europe and North America, countries where non-Western surveillance companies are bound to be dismissed. While regulations sanctioning the use of malware by law enforcement are only now being written in many countries, there is a seemingly endless number of prospective clients outside of the so-called Western world, from local police to national intelligence agencies.

When the same product is used across clients, attempted repression of anti-corruption campaigners presents the risk of disrupting counter-terrorism operations elsewhere.

Irresponsible vendors are a liability for clients, and for the public. The small returns on sales to autocrats may not be worth endangering such lucrative contracts. Here the “cyber arms dealers” metaphor breaks down—smart defense companies would not make such petty mistakes for such small money. This isn’t merely reputational: who wants to explain to a sheriff’s department that the implant tracking a drug trafficker was disabled because the Emirati government was trying to compromise the same well-known journalist for the fourth time?


While export controls have not led to the immediate cessation of human rights abuses, they have increased the burden on surveillance companies that provide technologies to some of the worst offenders around the world. These regulations have provided some transparency into the European market for surveillance technologies, facilitating pressure from human rights organizations on governments to deny licenses to sell to certain countries. Export controls will never end all abuses: export control authorities will always be subject to political pressure and reflect the foreign policy of states. But they are friction, and prospective changes to the EU’s export controls will only increase the scrutiny applied to such contracts. Due to these tightening regulations, the sale of malware to autocrats is now more costly and more likely to be publicly exposed than before.

This increased friction creates real problems for surveillance vendors. Consider that despite six-figure deals, Hacking Team’s overall operations were not immensely profitable. Raw materials are growing more costly, threatening to shrink margins further. Leaked emails show Hacking Team’s desperate attempts to source new exploits. An even more vivid example of the increased difficulty middle-tier surveillance companies face in acquiring valuable exploits is described in a deal with Mauritania gone awry.

Compared to five years ago, surveillance vendors face more competition within an overall more difficult market and with greater risk.

The other trend in the malware market, which may be evident in the four recent reports, is outsourcing to international hackers-for-hire, smaller malware vendors, and domestic contractors.

FinFisher and Hacking Team never had anything special other than branding and post-sales services. Their malware platforms are only marginally more sophisticated in functionality than off-the-shelf “remote access tools,” such as Netwire and AlienSpy (both of which are publicly purchasable and have been effectively used in political and economic espionage campaigns). There’s some indication that code from common spyware was even stolen or licensed for the specialized market. The primary differences between Hacking Team and Netwire are slightly easier-to-use interfaces, features that enable evidence collected by the malware to be used in court, better attention to non-detectability, technical support, and a stunning array of aftermarket services, including subscriptions to prepackaged exploits.

Bear in mind that a license to Netwire costs $90 per user per year, and can be pirated, whereas FinFisher costs a base €1,445,940 for only ten infections (additional victims cost at least €2,340.00 each), according to leaked documents. Customer support? At least a quarter million euros per year. Exploits, of course, cost even more.


Not only do the malware companies lack an entirely unique product, it’s questionable whether they are the most efficient tool. As device protections improve, the easiest route to the private communications of a dissident is not malware, but credential theft—stealing passwords, an easier attack to orchestrate. People’s entire lives are in their email and social network accounts—a bit of social engineering is sufficient. After all, the breach of John Podesta’s emails appears to have been accomplished through a simple Google impersonation page sent to hundreds or thousands of others. But credential theft is different from Hacking Team’s normal services and lends itself more to sustained espionage by dedicated and integrated teams.

Commodity spyware will accomplish many of the goals not covered by credential theft, such as location tracking and interception of chat messages. Why bother with acquiring scarce exploits and other nondurable goods, such as software signing certificates, unless it’s absolutely necessary?

Nor was Hacking Team able to create the internal technical capacity for their clients that was lacking in the first place. Despite spending $384,000 on Hacking Team, Azerbaijan’s Ministry of National Security repeatedly failed to understand the basics of the platform, according to leaked emails. Hacking Team’s leaked inboxes are filled with exchanges mocking their Azerbaijani client and others for their basic incompetence. If a security entity cannot use Netwire, then they are not going to have more success with Hacking Team. How long would Azerbaijan pay for a product it could not use?

Thus the market trend is also driven by a race to the bottom. Criminal operations are less expensive, ask even fewer questions, and will perform the whole attack on their own. By some indication, Qatari surveillance against labor rights activists appears to have been conducted by a South Asian hacker-for-hire group. This group had also targeted jihadist organizations in Pakistan and economic institutions elsewhere in Asia, blending counterterrorism with cybercrime. For Qatar, the extracurricular activities of its contractor make little difference. Sufficient talent can be sourced anywhere—even non-government groups like Hamas have developed a formidable cyber espionage capacity, and the post-Hacking Team attacks in Azerbaijan appeared to use locally developed malware.

This is cause for some optimism for human rights defenders targeted by government hacking, despite the threat of the democratization of spying as more countries engage in intrusive surveillance. The narrowing of the middle of the market could be a positive outcome for dissidents. If authoritarian regimes skip the consultative services provided by foreign companies and opt for simpler methods, then they sacrifice the unique advantage of professional malware provided by sophisticated developers. This increases the chances that attacks will fail due to poor execution or lack of exploits, and that malware will be more frequently detected. The quality of attacks may decrease (as hinted at in the cases of former Hacking Team and FinFisher customers), and state-sponsored malware campaigns could be (slightly) easier to defend against.

A changing security ecosystem will force a decision for Hacking Team and its successors such as NSO Group: do they see themselves as giant defense contractors like Raytheon, or as the infamous (and now imprisoned) weapons merchant Viktor Bout?
