Revelation Of 25 Countries That Are Clients Of Surveillance Firm Associated With NSO Group

01/12/2020

In the modern days of the internet and technology, surveillance and spying don't require close encounters.

Gone are the days when governments sent spies across borders behind "enemy lines" to gather information about targets. Governments no longer need physical access to a target's belongings to uncover secrets. With the internet, anyone with the right set of tools and knowledge can conduct espionage.

This time, security firm Citizen Lab released a report about the clients of 'Circles', a surveillance firm founded in 2008 that reportedly exploits weaknesses in the global mobile phone system.

In the report, it is said that Circles is affiliated with NSO Group, the Israeli intelligence company that develops the notorious Pegasus spyware.

For starters, Circles says that its products work without having to hack targets' devices, and that it only sells its products to nation-states.

According to leaked documents, Circles' clients can purchase a system that they connect to their local telecommunications companies’ infrastructure, or can use a separate system called the “Circles Cloud,” which interconnects with telecommunications companies around the world.

Circles, NSO Group logo.

In their research, the team at Citizen Lab scanned the internet and found "a unique signature associated with the hostnames of Check Point firewalls used in Circles deployments." This enabled the researchers to identify Circles deployments in at least 25 countries.

"From the 252 IP addresses we detected in 50 ASNs, we identified 25 governments that are likely to be Circles customers. We also identified 17 specific government branches that appear to be Circles customers, based on WHOIS, passive DNS, and historical scanning data from Check Point firewall IPs or their neighbours."

The researchers determined that the following governments are likely Circles' clients:

  1. Australia.
  2. Belgium.
  3. Botswana (Directorate of Intelligence and Security Services).
  4. Chile (Investigations Police).
  5. Denmark (Army Command).
  6. Ecuador.
  7. El Salvador.
  8. Estonia.
  9. Equatorial Guinea.
  10. Guatemala (General Directorate of Civil Intelligence).
  11. Honduras (National Directorate of Investigation and Intelligence).
  12. Indonesia.
  13. Israel.
  14. Kenya.
  15. Malaysia.
  16. Mexico (Mexican Navy; State of Durango).
  17. Morocco (Ministry of Interior).
  18. Nigeria (Defence Intelligence Agency).
  19. Peru (National Intelligence Directorate).
  20. Serbia (Security Information Agency).
  21. Thailand (Internal Security Operations Command; Military Intelligence Battalion; Narcotics Suppression Bureau).
  22. The United Arab Emirates (Supreme Council on National Security; Dubai Government; Royal Group).
  23. Vietnam.
  24. Zambia.
  25. Zimbabwe.

"Some of the specific government branches we identify with varying degrees of confidence as being Circles customers have a history of leveraging digital technology for human rights abuses. In a few specific cases, we were able to attribute the deployment to a particular customer, such as the Security Operations Command (ISOC) of the Royal Thai Army, which has allegedly tortured detainees," the post added.

Clients of Circles, as of 2020. (Credit: Citizen Lab)

These countries are said to be clients of Circles, which has been associated with NSO Group since the two companies merged in 2014.

Circles sells systems that exploit SS7 vulnerabilities.

SS7, or Signaling System 7, is a protocol suite developed back in 1975 for exchanging information and routing phone calls between different wireline telecommunications companies.

At the time, the global phone network consisted of a small number of telecommunications operators. Because these companies were monopolistic, they generally trusted each other. This is why at that time, the developers of SS7 didn't include authentication or access control.

In the modern world, where the internet can connect anyone and carry any kind of digital data to even the most remote places on Earth, trust has become an issue. Still, SS7 is maintained so that more modern devices can interoperate with older equipment.

Because of SS7’s lack of authentication, attackers can exploit the SS7 network to send commands to a subscriber’s “home network” to falsely indicate that the subscriber is roaming.

Indonesia is one of the clients of Circles, an affiliate of the NSO Group. (Credit: Citizen Lab)

Through this method, the attacker can track a target's location and intercept voice calls and text messages.

SS7 abuse can also be used to track and monitor targets in a way that is difficult to investigate.

"When a device is tracked—or messages intercepted—there are not necessarily any traces on the target’s device for researchers or investigators to find. Meanwhile, cellular carriers have many technical difficulties identifying and blocking abuses of their infrastructure," the report said.

"Unlike NSO Group’s Pegasus spyware, the SS7 mechanism by which Circles’ product reportedly operates does not have an obvious signature on a target’s phone, such as the telltale targeting SMS bearing a malicious link that is sometimes present on a phone targeted with Pegasus."

At this time, SS7 is predominantly used in 2G and 3G mobile networks.