When it comes to defending against foreign cyber powers, many U.S. national security experts tend to hype up countries with powerful hacking capabilities, such as China, Iran, Russia, and North Korea.
Regarding state-sponsored malware campaigns, though, the security community needs to dig deeper, says Cooper Quintin, a security researcher and programmer at the Electronic Frontier Foundation.
“We’ve found lots of countries now are starting to get hacking programs. It’s a lot of countries you wouldn’t expect,” Quintin said Friday during CyberTalks, a virtual event produced by Scoop News Group. “We’ve seen state-sponsored malware coming out of Kazakhstan, Lebanon, Morocco, Ethiopia, and all sorts of countries that haven’t previously been well known for their hacking capabilities.”
The countries themselves haven’t necessarily developed hacking capabilities, though they appear to be outsourcing cyber-operations to third parties, or shopping around for commercial hacking tools in an effort to mask government involvement, according to Quintin.
The government of Kazakhstan, for instance, is connected to a phishing effort to trick victims into downloading surveillance software, according to the EFF. But the operation also has links with Appin, an Indian company that allegedly provides offensive cyber capabilities on a contract basis, researchers say. Another Indian cybersecurity company, called BellTroX, has also recently been running contracted cyber-operations for clients, according to Citizen Lab, the human rights watchdog group.
“State-sponsored hacking and spyware has basically become commoditized,” Quintin said. “There’s an industry for it now.”
It’s not just Indian companies expanding the playing field, of course. Human rights advocates and victims have alleged that governments, including Morocco and Saudi Arabia, also have deployed surveillance tools developed by an Israeli software surveillance firm, NSO Group, to monitor dissidents, journalists and other targets.
NSO Group consistently denies claims its technology is used in these kinds of incidents, saying it only provides its technologies to governments for legitimate operations targeting terrorists and criminals.
Digital rights organizations have raised concerns about governments’ expanding access to commercial spyware for years. But in recent months, efforts to limit spyware organizations’ ability to spread their surveillance tools around the world have encountered roadblocks.
In July, an Israeli court shut down a request from Amnesty International that NSO Group’s export license, a move that would have limited who is authorized to use NSO Group’s products. Meanwhile, an ongoing WhatsApp lawsuit against NSO Group for allegedly using the messaging app to spy on thousands of journalists and dissidents has been paused in recent months, while NSO Group appeals a ruling on its planned defense.
Quintin says these kinds of setbacks for victims should serve as a reminder that advocates can’t put all their eggs in one basket. “I don’t think there is a one-size-fits-all solution,” Quintin said Friday, suggesting that the United Nations and the international community could be taking more action to tamp down on the proliferation of state-sponsored malware.
Last year the U.N.’s Special Rapporteur on freedom of opinion and expression called for a moratorium on the sale, transfer and export of surveillance technology, apparently to no avail.
U.S. lawmakers are starting to take note of the risks of commercial spyware. Earlier this year, the Senate Intelligence Committee approved a proposal that would direct the U.S. intelligence community to analyze foreign governments’ use of commercially available surveillance software.
Quintin applauded the measure, suggesting these kinds of investigations could contribute to eventual efforts to hold malware shops accountable.
“I think there’s a role to play for government, but I think that is more in intelligence and in fact finding, in bringing the facts of what’s going on to international bodies like the United Nations to have a better understanding to take action,” Quintin said.