Leaders of the Israeli cyber intelligence firm Cognyte this February celebrated their first day of trading on Nasdaq by ringing the stock exchange’s opening bell. In remarks beamed across a giant screen in New York’s Times Square, CEO Elad Sharon celebrated his company’s success, including nearly half a billion dollars in annual revenues, 2,000 employees around the world, and 1,000 clients in 100 countries — including the U.S. Department of Justice. Sharon also touted Cognyte’s virtue, claiming it provided governments and businesses the tools they need to fight terrorism and stop crime. “Our analytics software empowers our customers to save lives,” Sharon said.
But on Thursday, Facebook banned Cognyte from its platform as it released the results of a six-month investigation by the social media giant’s security researchers. According to the report, Cognyte’s customers have targeted journalists and politicians around the world. Some of those clients were located in countries with dubious records on human rights such as Colombia, Kenya, Mexico, Thailand, and Indonesia. Also Thursday, Facebook took down about 100 Facebook and Instagram accounts linked to Cognyte.
Beyond Cognyte, the Facebook report took aim at five other firms and one unnamed Chinese entity that are part of what social media giant calls the “surveillance for hire” industry. Israel, where four of the six named companies were founded, appears to be a hub of the global industry.
According to Facebook, the firms abuse social media platforms to collect intelligence, including by manipulating people into revealing information and compromising their devices. Targets included journalists, dissidents, critics of authoritarian regimes, families of opposition members, human rights activists, celebrities, and even ordinary people. In total, the company says it took down approximately 1,500 accounts that it says were part of surveillance for hire operations. The social media company also notified about 50,000 people in 100 countries that their Facebook and Instagram accounts were targets of malicious activities by the seven entities identified in the report released Thursday.
Facebook outlined a three-step process that explained how the surveillance-for-hire industry operates. In the reconnaissance phase, the companies typically scrape information about a target from across the Internet, often using fake accounts to view social media profiles, friends, and likes. Next, the fake accounts built up trust by, for example, feigning a shared interest on a Facebook group and connecting with the target in seemingly innocuous ways. Some companies stopped there, but others abused this trust to hack the target. The most sophisticated actors may send veiled hacking tools that give them instant access to all the personal information stored on a cellphone or computer.
“Companies engage in this kind of thing because they think there’s a viable business model behind it,” Nathaniel Gleicher, Facebook’s head of security policy, told Rolling Stone. “A key part of our goal is demonstrating that, at least on our platforms, there isn’t.”
In addition to Cognyte, Facebook’s investigation names Cobwebs Technologies, Black Cube, and Bluehawk CI–all based in Israel. Also named in the report were BellTroX, a “hacking-for-hire” firm based in India, and Cytrox, a North Macdeonian company. A Chinese entity was surveilling minority groups in China’s Xingjian region, home to the country’s mostly Muslim Uighur minority, but Facebook was unable to identify the group. The Chinese entity made few mistakes and revealed little about itself. In one case, the Chinese entity’s online surveillance was paired with facial-recognition software which could allow for real-word tracking of a targets’ movements. Black Cube
Broadly, the report paints a picture of companies that have developed a powerful set of tools and techniques for extracting information from individuals, including sensitive data they wouldn’t otherwise be inclined to hand over. The companies often emphasize that they are trying to stop would-be criminals or terrorists, but the Facebook report says they are also be used by bad actors — including repressive regimes — to target vulnerable people and marginalize dissent.
Cobwebs Technologies, another Israeli surveillance-for-hire firm singled out by Facebook, has a growing U.S. business. Customers include the U.S. Department of Homeland Security and the Internal Revenue Service, according to a government spending database, as well as the Hartford, Connecticut police department. The company has also reportedly been making inroads into the U.S. intelligence community. In addition to work related to law enforcement activities, Facebook found Cobwebs often targeted activists, opposition politicians, and government officials in Hong Kong and Mexico.
A separate investigation by the Israeli newspaper Haaretz found Cognyte targeted members of the LGBTQ community in Indonesia and Azerbaijan, where an employee said he was asked how to use Facebook to check someone’s sexual inclinations.
Perhaps the best-known company in the Facebook report is Black Cube, the Israeli private intelligence firm that lawyers for movie producer Harvey Weinstein hired to suppress news stories exposing his predatory behavior toward women. Facebook said it was banning 300 Facebook and Instagram accounts linked to employees of Black Cube who used them to pose as graduate students, NGO and human rights workers, and film and TV producers. Facebook found a wide range of Black Cube customers — private individuals, businesses, and law firms around the world that it declined to name. Targets included Palestinian activists and real estate development and media in Russia.
In a statement, Black Cube said it does not undertake any phishing or hacking and does not operate in the cyber world. A representative said the company works with the world’s leading law firms on cases involving bribery, corruption, and stolen assets. “Black Cube obtains legal advice in every jurisdiction in which we operate in order to ensure that all our agents’ activities are fully compliant with local law,” the company said.
The other companies named in the Facebook report were not immediately available for comment.
Another company banned by Facebook, Cytrox, was the subject of a separate but related report issued Thursday by the Canadian research group, Citizen Lab. Security researchers at Citizen Lab concluded with a high degree of confidence that Cytrox was behind a new, previously-unknown form of cellphone spyware called Predator.
Predator can quietly hoover up emails, texts, and photos and turn a cellphone into a personal monitoring device by remotely turning on a user’s microphone and record any call.
It was discovered on the iPhone of one of Egypt’s most prominent politicians in exile, Ayman Nour, a one-time presidential candidate who was jailed for years for daring to challenge the leadership’s stranglehold on power. Not only was Nour’s fully up-to-date and patched iPhone infected with Predator, but it had also been simultaneously infected with Pegasus, an even more sophisticated phone spyware made by the Israeli firm NSO Group. “It’s another reminder how dangerous the mercenary spyware industry is,” Citizen Lab’s Bill Marczak, who discovered Predator earlier this year, tells Rolling Stone.
Pegasus and Predator were unrelated, Citizen Lab found, and were being operated by two different nation-state clients. The Egyptian government was likely behind the Predator attack on Nour’s iPhone, in part because the spyware had been inserted by a message sent from an Egyptian number on WhatsApp. Egypt, however, is not a client of Pegasus, and it’s not clear who was behind that exploit, Marczak says.
Security investigators often struggle to pinpoint who is financing and directing the hacking and surveillance, but they have an easier time exposing the mercenaries doing the work. That trail frequently leads to Israel, where four of the six named companies were based. Cytrox, based in North Macedonia, was acquired by a retired Israeli colonel, Tal Dillian. The iPhone payload inside Cytrox’s Predator was referred to as “Nahum,” a minor prophet in the Hebrew Bible.
Israel is also home to NSO Group, the maker of Pegasus phone spyware, one of the most aggressive and sophisticated products on the open market. Pegasus has been so misused by its customers like Saudi Arabia and Mexico that NSO has become the target of widespread global opprobrium and is reportedly considering selling off its Pegasus spyware unit. Facebook was one of the first big tech firms to take action against NSO. It sued NSO in 2019 for using its WhatsApp servers to infect 1,400 phones belonging to attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials. Apple sued NSO last month.
Facebook’s ban