
The Cyber-Mercenaries Are Coming: It’s Time To Protect Your Execs From Prying Eyes

Back in mid-September, US government security agency CISA ordered all federal agencies to patch two zero-day vulnerabilities in iOS, iPadOS and macOS devices. These were just the latest never-before-discovered software bugs exploited to deliver the notorious Pegasus spyware—whose developer, NSO Group, is at the centre of multiple lawsuits.

The Israeli firm is one of many commercial spyware companies dubbed “cyber-mercenaries” by Western governments and technology companies. They and a more shadowy group of hackers-for-hire represent a growing threat to organisations of all sizes and sectors—facilitating industrial espionage, government snooping and other nefarious activities.

If even Jeff Bezos’s phone can get hacked by these groups, it’s time to take the threat seriously.

Who Are The Cyber-Mercenaries?

Cyber-mercenary is a term used in different ways by different parties. Broadly speaking, we can split it into two types of threat actors:

Commercial spyware makers: These firms operate in a legal grey area, claiming to sell spyware and exploits to governments only for legitimate law enforcement and intelligence gathering purposes. In reality, their tools are often found targeting journalists, dissidents, rights activists and other opponents of usually autocratic regimes. Citizen Lab discovered the two zero-days cited above on the phone of an employee at a Washington-based civil society organisation.

Examples of these firms include NSO Group, Circles, Intellexa, Cytrox and BellTroX InfoTech Services.

Hackers-for-hire: These are more obviously criminal groups which have no pretence of operating as semi-legitimate commercial organisations. However, like commercial spyware makers, their work with clients is kept strictly confidential. Although they also target journalists, activists and other high-risk individuals, such groups may also offer their services for industrial espionage, enabling otherwise reputable organisations to maintain plausible deniability.

Groups include the Deceptikons, Dark Basin and Void Balaur.

In both cases, cyber-mercenary groups have suspected links to various intelligence agencies. Three former US intelligence officers were exposed in 2021 for working as hackers-for-hire for the UAE government and subsequently sued alongside commercial spyware maker DarkMatter. Intellexa is said to be run by a former Israeli spy. And a separate report revealed a “unique and short-lived connection” between the attack infrastructure used by Void Balaur and the Russian Federal Protective Service (FSO).

How Do Attacks Work?

Hackers-for-hire have a vast range of tactics, techniques and procedures (TTPs) at their disposal. But like most threat actors, where they are able, they will opt for the quickest and easiest way to achieve their goals. That could mean using phishing and info-stealing malware as their main tools to compromise victims, then relying on legitimate tools like PowerShell for post-intrusion activity. They may target personal email, social and messaging accounts as well as their corporate equivalents and back-end IT systems.

“The biggest threat these mercenary groups pose is they don’t care about the target. For the right amount of money, mercenaries, by definition, will execute a contract at the expense of any ethics. This puts critical infrastructure, healthcare, and other vital sectors in the crosshairs of who’s ever willing to pay,” SentinelOne chief security advisor Morgan Wright tells ISMS.online.

“The people and organisations most at risk are the ones who do the least to protect themselves. Employees put themselves at risk when they overshare information about themselves on sites like LinkedIn or various social media platforms.”

Uncovering The Spyware Threat

However, in the case of the commercial spyware makers, TTPs can be significantly more sophisticated. Zero-day vulnerabilities are painstakingly researched, often targeting Apple devices with zero-click intrusions that require no interaction from the user for the device to become infected. Spyware is then deployed to access the victim’s messages, emails, photos, logins, address books, app usage, location data, and device microphone and camera.

Corelight cybersecurity specialist Matt Ellison describes the groups behind such threats as displaying “the appearance and behaviours of an unscrupulous arms dealer”. No one in an organisation is safe, although senior executives would seem to be a natural target given the level of influence and access they have.

“It can vary and depends on the role, the organisation and the aim of the cyber mercenary’s customer,” Ellison tells ISMS.online. “It is definitely an extra level of threat over and above the typical cyber-threats seen by the majority of commercial organisations.”

The US Hits Back

Fortunately, the US government has recently shifted its stance significantly, adding several commercial spyware makers to an “entity list”—including Candiru, NSO Group, Intellexa and Cytrox. On paper, this will make it more challenging for these firms to buy components from US companies. A Presidential Executive Order also seeks to prevent the federal government from purchasing any spyware that foreign nations have used to spy on activists and dissidents. This should reduce commercial opportunities for such developers.

The US is also trying to corral other governments into taking a similarly hard line. The tech industry has joined forces to curb the activities of cyber-mercenaries, concerned not only about human rights but also about the stockpiling of vulnerabilities, which ultimately makes the digital world a more dangerous place.

An ISMS And Beyond

But in the meantime, what can organisations do to mitigate the threat to their executives and critical IT/data assets? An information security management system (ISMS) can provide a good baseline of security, which may help to mitigate many of the techniques hackers-for-hire use to compromise targets. However, SentinelOne’s Wright warns against complacency.

“Nothing is a guarantee against being compromised. Identifying weaknesses and policy issues is the beginning of a journey to a robust cybersecurity capability,” he argues. “Compliance helps sustain awareness of the big things.”

Organisations must also go beyond the basics if they want to repel more advanced commercial spyware attacks leveraging zero-day vulnerabilities.

“The very nature of these tools and how they are used and deployed typically means they are a level of difficulty to detect that is substantially higher than your average malware or ransomware,” says Corelight’s Ellison. “If you are in an organisation that is more likely to be threatened by these tools, it is important to address them separately within the framework you use to secure your organisation.”

Kaspersky explains that users should be trained to spot the warning signs of spyware: rapidly depleting battery and possibly high data usage. Further steps to mitigate the threat include regularly patching the device OS and other software, multi-factor authentication (MFA), device anti-malware, and daily reboots. On iOS devices, high-risk users are urged to disable iMessage and FaceTime. For the attacks mentioned at the top of this article, Lockdown Mode also helps.
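The mitigation list above only works if someone checks that the high-risk devices actually carry it. What follows is an added example, not code from the article, Kaspersky or Apple: a baseline check run over a constructed device inventory export. The record fields, the risk tiering (everyone gets patching, MFA and anti-malware; high-risk owners additionally get Lockdown Mode and the iMessage/FaceTime restrictions) and the version numbers are all assumptions and placeholders, not real releases or real devices.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    owner: str
    high_risk: bool        # assumed tag: executives and others a spyware client would pay to read
    os_version: str        # "major.minor.patch" as exported by the inventory (placeholder values)
    anti_malware: bool
    mfa_enrolled: bool
    days_since_reboot: int
    lockdown_mode: bool
    imessage_enabled: bool
    facetime_enabled: bool


def parse_version(v):
    """Compare versions numerically; a plain string compare would rank 12.9 above 12.10."""
    return tuple(int(p) for p in v.split("."))


def baseline_gaps(d, minimum_os):
    """Return the controls from the mitigation list that this device is missing."""
    gaps = []
    if parse_version(d.os_version) < parse_version(minimum_os):
        gaps.append(f"os_below_minimum({d.os_version}<{minimum_os})")
    if not d.anti_malware:
        gaps.append("anti_malware_missing")
    if not d.mfa_enrolled:
        gaps.append("mfa_not_enrolled")
    if d.days_since_reboot > 1:
        gaps.append("no_daily_reboot")
    if d.high_risk:
        # Stricter iOS controls for users the article calls high-risk.
        if not d.lockdown_mode:
            gaps.append("lockdown_mode_off")
        if d.imessage_enabled:
            gaps.append("imessage_enabled")
        if d.facetime_enabled:
            gaps.append("facetime_enabled")
    return gaps


# Constructed inventory export; owners and versions are placeholders, not real devices.
INVENTORY = [
    Device("ceo", True, "12.4.0", True, True, 0, False, True, True),
    Device("cfo", True, "12.4.1", True, True, 1, True, False, False),
    Device("analyst", False, "12.3.9", False, False, 9, False, True, True),
]
MINIMUM_OS = "12.4.1"  # placeholder: set to the release that carries the current fixes


def report(devices, minimum_os=MINIMUM_OS):
    """Map each owner to the list of gaps; an empty list means the baseline is met."""
    return {d.owner: baseline_gaps(d, minimum_os) for d in devices}


if __name__ == "__main__":
    for owner, gaps in report(INVENTORY).items():
        print(f"{owner}: {'OK' if not gaps else ', '.join(gaps)}")
```

Running it over the constructed inventory flags the CEO's unpatched device with Lockdown Mode off and messaging still enabled, passes the CFO, and flags the analyst only on the universal controls, since that record is not tagged high-risk. The point of the tiering is the one the article makes: the stricter controls are a cost, so they are applied where the threat model justifies them rather than fleet-wide.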

Yet even Kaspersky was compromised by a sophisticated spyware operation. Organisations must manage the risk as best they can, practice their incident response plans regularly and build cyber-mercenaries into their threat profiling.
