Leaders of the Israeli cyber intelligence firm Cognyte this February celebrated their first day of trading on Nasdaq by ringing the stock exchange’s opening bell. In remarks beamed across a giant screen in New York’s Times Square, CEO Elad Sharon celebrated his company’s success, including nearly half a billion dollars in annual revenues, 2,000 employees around the world, and 1,000 clients in 100 countries — including the U.S. Department of Justice. Sharon also touted Cognyte’s virtue, claiming it provided governments and businesses the tools they need to fight terrorism and stop crime. “Our analytics software empowers our customers to save lives,” Sharon said.
But on Thursday, Facebook banned Cognyte from its platform as it released the results of a six-month investigation by the social media giant’s security researchers. According to the report, Cognyte’s customers have targeted journalists and politicians around the world. Some of those clients were located in countries with dubious records on human rights such as Colombia, Kenya, Mexico, Thailand, and Indonesia. Also Thursday, Facebook took down about 100 Facebook and Instagram accounts linked to Cognyte.
Beyond Cognyte, the Facebook report took aim at five other firms and one unnamed Chinese entity that are part of what social media giant calls the “surveillance for hire” industry. Israel, where four of the six named companies were founded, appears to be a hub of the global industry.
According to Facebook, the firms abuse social media platforms to collect intelligence, including by manipulating people into revealing information and compromising their devices. Targets included journalists, dissidents, critics of authoritarian regimes, families of opposition members, human rights activists, celebrities, and even ordinary people. In total, the company says it took down approximately 1,500 accounts that it says were part of surveillance for hire operations. The social media company also notified about 50,000 people in 100 countries that their Facebook and Instagram accounts were targets of malicious activities by the seven entities identified in the report released Thursday.
Facebook outlined a three-step process that explained how the surveillance-for-hire industry operates. In the reconnaissance phase, the companies typically scrape information about a target from across the Internet, often using fake accounts to view social media profiles, friends, and likes. Next, the fake accounts built up trust by, for example, feigning a shared interest on a Facebook group and connecting with the target in seemingly innocuous ways. Some companies stopped there, but others abused this trust to hack the target. The most sophisticated actors may send veiled hacking tools that give them instant access to all the personal information stored on a cellphone or computer.
“Companies engage in this kind of thing because they think there’s a viable business model behind it,” Nathaniel Gleicher, Facebook’s head of security policy, told Rolling Stone. “A key part of our goal is demonstrating that, at least on our platforms, there isn’t.”
In addition to Cognyte, Facebook’s investigation names Cobwebs Technologies, Black Cube, and Bluehawk CI–all based in Israel. Also named in the report were BellTroX, a “hacking-for-hire” firm based in India, and Cytrox, a North Macdeonian company. A Chinese entity was surveilling minority groups in China’s Xingjian region, home to the country’s mostly Muslim Uighur minority, but Facebook was unable to identify the group. The Chinese entity made few mistakes and revealed little about itself. In one case, the Chinese entity’s online surveillance was paired with facial-recognition software which could allow for real-word tracking of a targets’ movements.
Broadly, the report paints a picture of companies that have developed a powerful set of tools and techniques for extracting information from individuals, including sensitive data they wouldn’t otherwise be inclined to hand over. The companies often emphasize that they are trying to stop would-be criminals or terrorists, but the Facebook report says they are also be used by bad actors — including repressive regimes — to target vulnerable people and marginalize dissent.
Cobwebs Technologies, another Israeli surveillance-for-hire firm singled out by Facebook, has a growing U.S. business. Customers include the U.S. Department of Homeland Security and the Internal Revenue Service, according to a government spending database, as well as the Hartford, Connecticut police department. The company has also reportedly been making inroads into the U.S. intelligence community. In addition to work related to law enforcement activities, Facebook found Cobwebs often targeted activists, opposition politicians, and government officials in Hong Kong and Mexico.
A separate investigation by the Israeli newspaper Haaretz found Cognyte targeted members of the LGBTQ community in Indonesia and Azerbaijan, where an employee said he was asked how to use Facebook to check someone’s sexual inclinations.
Perhaps the best-known company in the Facebook report is Black Cube, the Israeli private intelligence firm that lawyers for movie producer Harvey Weinstein hired to suppress news stories exposing his predatory behavior toward women. Facebook said it was banning 300 Facebook and Instagram accounts linked to employees of Black Cube who used them to pose as graduate students, NGO and human rights workers, and film and TV producers. Facebook found a wide range of Black Cube customers — private individuals, businesses, and law firms around the world that it declined to name. Targets included Palestinian activists and real estate development and media in Russia.
In a statement, Black Cube said it does not undertake any phishing or hacking and does not operate in the cyber world. A representative said the company works with the world’s leading law firms on cases involving bribery, corruption, and stolen assets. “Black Cube obtains legal advice in every jurisdiction in which we operate in order to ensure that all our agents’ activities are fully compliant with local law,” the company said.
The other companies named in the Facebook report were not immediately available for comment.
Another company banned by Facebook, Cytrox, was the subject of a separate but related report issued Thursday by the Canadian research group, Citizen Lab. Security researchers at Citizen Lab concluded with a high degree of confidence that Cytrox was behind a new, previously-unknown form of cellphone spyware called Predator.
Predator can quietly hoover up emails, texts, and photos and turn a cellphone into a personal monitoring device by remotely turning on a user’s microphone and record any call.
It was discovered on the iPhone of one of Egypt’s most prominent politicians in exile, Ayman Nour, a one-time presidential candidate who was jailed for years for daring to challenge the leadership’s stranglehold on power. Not only was Nour’s fully up-to-date and patched iPhone infected with Predator, but it had also been simultaneously infected with Pegasus, an even more sophisticated phone spyware made by the Israeli firm NSO Group. “It’s another reminder how dangerous the mercenary spyware industry is,” Citizen Lab’s Bill Marczak, who discovered Predator earlier this year, tells Rolling Stone.
Pegasus and Predator were unrelated, Citizen Lab found, and were being operated by two different nation-state clients. The Egyptian government was likely behind the Predator attack on Nour’s iPhone, in part because the spyware had been inserted by a message sent from an Egyptian number on WhatsApp. Egypt, however, is not a client of Pegasus, and it’s not clear who was behind that exploit, Marczak says.
Security investigators often struggle to pinpoint who is financing and directing the hacking and surveillance, but they have an easier time exposing the mercenaries doing the work. That trail frequently leads to Israel, where four of the six named companies were based. Cytrox, based in North Macedonia, was acquired by a retired Israeli colonel, Tal Dillian. The iPhone payload inside Cytrox’s Predator was referred to as “Nahum,” a minor prophet in the Hebrew Bible.
Israel is also home to NSO Group, the maker of Pegasus phone spyware, one of the most aggressive and sophisticated products on the open market. Pegasus has been so misused by its customers like Saudi Arabia and Mexico that NSO has become the target of widespread global opprobrium and is reportedly considering selling off its Pegasus spyware unit. Facebook was one of the first big tech firms to take action against NSO. It sued NSO in 2019 for using its WhatsApp servers to infect 1,400 phones belonging to attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials. Apple sued NSO last month.
Facebook’s bans on what it called “security mercenaries” come as the social media giant is still dealing with the fallout from its own past failures to protect its users’ privacy. The company was fined a record $5 billion in 2019 by the Federal Trade Commission for deceiving users about their ability to control the privacy of their personal data.
Josephine Wolff, a professor of cybertechnology at Tufts University in Boston, acknowledged that Facebook has been entangled in privacy-related controversies, but she said the harms caused by the surveillance-for-hire firms were of a different order of magnitude. “To my mind, the harm that Facebook has done and the mistakes they have made have not constituted anything close to the same kind of threats to life and liberty that NSO Group or other spyware companies have enabled by helping authoritarian governments conduct surveillance on journalists, activists and human rights advocates,” Wolff said.
While other countries carefully restrict exports of cyber exploits, the Israeli government has allowed its booming tech sector to sell offensive technologies to repressive regimes. Part of the reason is that selling the technology gives Israel insight into other countries’ security needs and capabilities. “My take on it is that the Israeli government says, ‘They’re going to get it anyway, so it might as well be us,’” says Ian Amit, an Israeli security executive.
Israel also views sales of hacking tools as a way of fostering relations with some of its neighbors. The Israeli government encouraged NSO Group to continue working with Saudi Arabia even after the international condemnation that followed the brutal murder of Saudi journalist Jamal Khashoggi, The New York Times reported. Finally, there’s also a financial incentive for companies to sell to repressive regimes: It’s good for business. “The shadier countries pay more because they are unable to develop these tools themselves,” Amit said.
Israel’s booming tech sector can draw from a deep pool of homegrown talent versed in intelligence and cyberweapons. The largest unit in the Israel Defense Forces or IDF is Unit 8200, the equivalent of the U.S. National Security Agency. All Israelis serve in the military, and experience in “special IDF units” becomes a selling point later on in business, as it did for the founders of Cobwebs Technologies. Bluehawk CI’s founder, Guy Kleizman, was a senior IDF intelligence officer whose online bio claims he played a role in the 2007 operation that destroyed a nuclear reactor in Syria. Black Cube is known to employ former officers of Mossad, Israel’s intelligence service.
“Mercenary surveillance companies are casting a cloud over Israel’s vibrant tech and cybersecurity sector in the eyes of the world right now,” said Citizen Lab’s John Scott-Railton. “Imagine being a legitimate Israeli cybersecurity company and having to deal with this damage when you talk to potential customers or investors?”
Pressure has been mounting on Israel to close Pandora’s box and rein in its surveillance industry. In surprise move, the Biden administration last month blacklisted NSO Group for facilitating “transnational repression.” At a democracy summit hosted earlier this month by President Biden, the governments of the United States, Australia, Denmark, and Norway, joined by others, pledged to create nonbinding guidelines to prevent the spread of technologies used to enable human rights abuses. On Tuesday, a group of Democratic congressmen, including Sen. Ron Wyden and Rep. Adam Schiff, signed a letter calling on the Treasury Department to sanction NSO Group.
Facebook said part of its goal was to drive the conversation to cover the broader surveillance industry. Exploits like NSO’s Pegasus command attention but they are built upon the earlier, more mundane, but still critical work of reconnaissance and engagement. “If we as a society are going to put pressure on this industry, we’ve got to open the aperture to cover the whole surveillance attack chain,” said Gleicher.