Meta says nearly 50,000 journalists and activists were targeted by sophisticated spying operations on Facebook and Instagram
Meta said Thursday that it removed roughly 1,600 fake accounts from Facebook and Instagram that were being used by seven "surveillance-for-hire" companies to target and compromise the accounts and devices of journalists and human rights activists around the world.
The seven surveillance providers implicated in the report are located in China, Israel, India and North Macedonia. Their alleged operations targeted nearly 50,000 people in over 100 countries on behalf of individual clients, business, and law firms based in at least 23 countries, including the U.S., Israel, China, and Saudi Arabia, according to Meta.
"The global surveillance-for-hire industry targets people across the internet to collect intelligence, manipulate them into revealing information and compromise their devices and accounts," Meta said in a blog post. "These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer regardless of who they target, or the human rights abuses they might enable."
Meta said the threat actors posed as journalists from prominent organizations such as FOX News, human rights activists and film and TV producers. They allegedly attempted to set up calls and obtain the target's contact information for future phishing attacks, according to Meta.
One group, which Meta did not name directly but said its analysis indicated usage by domestic law enforcement in China, deployed 100 Facebook and Instagram accounts to engage targets on social media and trick them into clicking on malicious software. Meta said the tools were being used to spy on minority groups in Myanmar, Hong Kong and the Xianjiang region of China.
The six other companies that Meta said were involved in the surveillance-for-hire work are Cobwebs Technologies, Cognyte, Black Cube, Bluehawk CI, BellTroX and Cytrox. Meta said it will send cease and desist letters to all six on Thursday.
Black Cube, an Israeli-based firm with offices in Britain and Spain, said in a statement to CBS News that it doesn't operate in the cyber world or attempt to hack users.
"Black Cube is a litigation support firm which uses legal Humint investigation methods to obtain information for litigations and arbitrations," the company said in a statement, adding that it works with law firms around the world to prove bribery, uncover corruption, and recover stolen assets.
Meital Levi Tal, a spokesperson for the online intelligence firm Cobwebs Technologies, said the company has not been contacted by Meta as of Thursday afternoon adding that Cobwebs "operates only according to the law and adheres to strict standards in respect of privacy protection."
Representatives for BellTrox, an Indian information technology firm, and Cytrox, the firm based in North Macedonia could not be reached while others did not immediately respond to a request for comment from CBS News.
"The cyber mercenaries often claim that their services are meant to focus on tracking criminals and terrorists," Gleicher said. He added that Meta's investigation revealed the companies are actually targeting journalists, dissidents, critics of authoritarian regimes, families of opposition figures, and human rights activists.
What is surveillance for hire?
According to Caroline Wong, chief strategy officer for the cybersecurity firm Cobalt, surveillance-for-hire "refers to a network of gig workers who are paid to collect and provide intelligence."
Wong told CBS News that assignments in this space typically include "snapping photos, filling out surveys, or doing other basic data collection or reporting."
Meta said it hopes Thursday's takedown report will raise public awareness about the surveillance for hire industry.
"We saw these companies tried to obfuscate the activity on our platform by engaging in innocent looking activities to try and blend with the noise and attempt to evade our detection," Mike Dvilyanski, Meta's head of cyber espionage investigation said on a call with reporters.
He added that the companies created multiple fake accounts targeting the same journalists and activists while also attempting to set up phone calls or in person meetings.
The three stages of surveillance
Gleicher said reconnaissance, engagement, and exploitation are the three phases that make up the "surveillance chain."
In the first phase, he said targets are "silently profiled" by cyber mercenaries on behalf of clients. During the engagement phase, the operators use social engineering tactics to build trust, solicit information, and trick victims into clicking on malicious links.
Gleicher said the engagement phase, which requires sophisticated social engineering tactics, is often prolonged because it involves creating backstops for the fake accounts and organizations across the internet, so they appear more legitimate. In the final "exploitation" phase the threat actors either deploy their own custom-built malicious software or acquire the tools from other vendors.
"They build trust and then in that third phase, the exploit phase, they abuse the trust they've just built, tricking targets into clicking on malicious links, downloading malware, and otherwise exploiting their devices," Gleicher said.
According to Meta's analysis, Cognyte and Cobwebs were involved in the first two phases of the operation for their clients. BlackCube, BlueHawk, and BellTroX were involved in all three phases, while Cytrox mainly operated in the exploitation phase.
Gleicher said the companies named in the threat report target users indiscriminately across the internet and added that the exploitation phase often occurs away from the platform, which makes it difficult for Meta to know how many of the 50,000 people clicked on compromising links.
"No single platform is going to see and be able to interdict the entire surveillance attack chain," Gleicher said, adding that Meta alerted industry peers and law enforcement partners about the surveillance operations.
He said the company is in the process of notifying all 50,000 users that they may have been targeted by the surveillance-for-hire operations.
