Citizen Lab details ongoing battle against spyware vendors

Citizen Lab senior researcher Bill Marczak said that while the organization has achieved some important wins against spyware proliferation, the progress is inevitably hindered by vendors that continually adapt their technologies and practices.

During the keynote at SANS Cyber Threat Intelligence Summit on Monday, Marczak led the session titled "Cybersecurity Is Geopolitical: Lessons From the Fight Against Mercenary Spyware Proliferation," where he discussed the attack surface, evolving technologies and potential mitigations. The Citizen Lab at the University of Toronto's Munk School has become one of the foremost authorities on commercial spyware and surveillance technology for mobile devices.

Marczak emphasized that defending against the threat, which governments commonly use to target human rights activists and journalists, is increasingly challenging and requires government regulations.

One of the main challenges Citizen Lab faces, he said, is vendors constantly adapting and changing tactics to allow the continuation of spyware use. NSO Group was one significant spyware player he highlighted, known for developing the Pegasus spyware used against U.K. government officials in 2022.

Marczak stressed that spyware doesn't work without the vendors' continuous support.

"What really drives the proliferation is the fact that the technology is packaged along with this service and updates and support. And it's this whole package rather than just the technology which is really allowing governments with potentially not very good technical expertise [to use] these incredible capabilities," Marczak said during the keynote.

The problem of commercial spyware, he said, goes back many years. In 2014, for example, a hacker leaked files allegedly stolen from Gamma Group International, a surveillance software vendor behind the FinFisher spyware product. The leaked data showed that FinFisher interacted with customers to troubleshoot and helped users circumvent security precautions to deploy the spyware on targeted victims.

Such support is crucial, Marczak said, because it would be "suboptimal" if a customer bought spyware and then antivirus programs detected it on mobile devices, rendering the product unusable. Therefore, the spyware vendors must be on hand to aid customers in their attempts to target specific individuals and bypass security features while remaining undetected.

Although spyware is marketed for use against criminals and terrorists, Marczak said it's often abused for political purposes. Commercial spyware vendors will look the other way, claiming that they only provide a service and that "any service can be abused."

That's where mercenary spyware comes in, Marczak said. Arguably the most significant case of abuse occurred in 2018 when NSO Group's Pegasus was linked to the murder of Saudi journalist Jamal Khashoggi. A lawsuit filed by Khashoggi's widow claimed that the Saudi government and NSO Group deployed spyware to intercept her husband's communications. While the lawsuit was later dismissed in 2022, a forensics investigation revealed Pegasus infections on the mobile phones of Khashoggi's associates.

"It's not just 'sell a product and forget it.' It's ongoing support, ongoing maintenance, without which the product is essentially useless," Marczak said. "There's a whole industry of companies that make up the mercenary spyware network."

Citizen Lab investigations often involve tracking NSO spyware through IP address scans and fingerprinting. In one investigation, when Citizen Lab made progress, NSO Group changed its servers to return a blank response, which made it more difficult for Citizen Lab to fingerprint. The back and forth went on for years, but more recently, Marczak said, Citizen Lab discovered a way to fingerprint and enumerate NSO Group servers despite the "extreme measures" enacted by the spyware vendor.