On Saturday, January 19, we presented research on our latest investigation into nation-state surveillance programs during a session called, “Behind Enemy Lines: Inside the operations of a nation state’s cyber program” at ShmooCon in Washington, DC.
Overview of research
Based on attacker communications found on a command and control server, this talk provides rare insight into a nation state’s $23 million surveillance program, including the build or buy decisions they deliberated on. Key findings include:
- Conversations between the government group tasked with building this capability and a range of both notorious and lesser known private sector vendors selling 0-day exploits for both mobile devices and desktop computers.
- The revelation of new bespoke Android and iOS surveillanceware.
- The low barrier to entry and proliferation of mobile surveillance capabilities for groups and governments with varying budgets.
- Demonstrations of 0-day attacks that could be purchased for exclusive use.
Throughout many of our investigations into the targeted use of custom surveillanceware against mobile endpoints, we’ve often wondered exactly what factors influenced an adversary’s decision to internally develop or externally purchase this capability. For the first time, we now have direct evidence of some of the deliberations that occur when a nation state group is tasked with developing a cyber surveillance program. As with our research into other high profile malware families and threat actors like Pegasus, Dark Caracal, Desert Scorpion, FrozenCell, ViperRAT, and SilverHawk, it’s clear adversaries have a staggering amount of options.
Surveillanceware programs as a business decision
We’ve noticed a trend in the surveillanceware ecosystem where attackers consider the same decisions and trade-offs that any other engineering organization would. In fact, in their decision-making process on whether to create or purchase a surveillance solution, they asked questions around budget, resourcing, desired implant capabilities, the need for exploits, viable attack vectors, and vendor products. We saw these above questions asked when this particular nation-state communicated with and trialed many solutions from vendors such as NSO Group, Verint, FinFisher, HackingTeam, IPS, Expert Team, Wolf Intelligence, and others.
These messages were uncovered during an in-depth investigation and reverse engineering effort into the infrastructure and malware tooling that this group built themselves. These messages also revealed many potential 0-days that a buyer could purchase along with their cost, effectiveness, and seller guarantee for both mobile and desktop operating systems.
“This is the only inexpensive way to get to the iPhone, except for the [Israeli] solution for 7 million and that’s only for WhatsApp. We still need Viber, Skype, Gmail, and so on.”
- Buyers debating their build decision for iOS malware
“There are a lot of Android OS versions and the hardware differences between devices is making it a pain to use these exploits. They need tuning for each targeted environment!”
- Buyers debating buying exploits for their Android malware
Ultimately this nation-state decided to build the tooling for their cyber surveillance program themselves, and our research shows that they have been highly effective, as we discovered several hundred custom malware samples attributed to them that have collected what we estimate to be 50GB of exfiltrated data. That said, this actor made several operational security missteps, which resulted in their discovery and allowed us to gain long term visibility into their operations. This access and level of insight show how creative some adversaries have to be in the development of their surveillance tooling.
Our continued research into nation-state surveillance illustrates that it is now standard and practical for a nation-state or group of any size to acquire or build up its surveillance capabilities. These capabilities affect citizens, employees, and corporations worldwide that do business with and travel to and from these countries. While we see a lot of mobile surveillanceware being built and designed for use by nation-states, these tools could be commercialized to target the enterprise by non-nation states actors too. As we continue to move toward a post-perimeter world, CISOs that do not prioritize mobile security may put their enterprises at risk, since these surveillance capabilities are not only widespread, but exist with different incentives and use cases from traditional security models.
Learn more about how to protect your users and corporate data with a post-perimeter security strategy.