Vanja Švajcer

Published September 25, 2023, 11:14 am

Attackers have long used commercial products developed by legitimate companies to compromise targeted devices. These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware. This threat initially came to light with the leaks of HackingTeam back in 2015, but gained new notoriety with public reporting on the NSO Group, and, in the years that have followed, the landscape has exploded.

Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware. A recent report from the United Kingdom’s National Cyber Security Centre (NCSC) highlights that the accessibility of these tools “lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence.” As recently as June 2023, the European Parliament’s plenary session voted on an ongoing investigation concerning the illicit usage of NSO’s Pegasus and equivalent surveillance spyware by EU member states (PEGA report).

However, limited legal and legislative actions are yet to have an immediate positive effect on curbing the use of commercial spyware. Despite these steps toward limiting the operations of these spyware companies, they are likely to keep operating in any region as long as it's financially and legally feasible. Increasing scrutiny with export regulations, criminal liability and fines may be a way forward towards ensuring that their activity does not go beyond the legitimate purposes they advertise. We dig into technical and ethical details of commercial spyware threats.

Vanja Švajcer works as a Technical Leader at Cisco Talos. He is a security researcher with more than 20 years of experience in malware research, cyber threat intelligence and detection development. Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks all the time spent hunting in telemetry data to find new attacks is well worth the effort. He has presented his work at conferences such as Virus Bulletin, RSA, CARO, AVAR, BalCCon and others.
