About 50,000 Facebook users in over 100 countries were notified Thursday that they may have been the target of hackers employed by surveillance companies affiliated with government agencies or private clients.
Thursday’s notification came after a months-long investigation by Meta, Facebook’s parent company. The investigation focused on what Meta officials called “cyber-mercenaries” who engage in “surveillance-for-hire.”
As a result, Facebook said it was taking enforcement action against seven surveillance companies based in four countries. The actions include:
- Removing about 1,500 fake accounts.
- Blocking malicious web addresses.
- Sending cease-and-desist letters to the identified companies.
Meta’s investigators concluded the companies in question used Meta’s Facebook and Instagram subsidiaries for surveillance activities. Their main objective appears to have been to research and groom targets for later infections by spyware. Each step was part of the companies’ broader targeting process called the “surveillance chain.”
The investigation’s final report, “Threat Report on the Surveillance-for-Hire Industry,” focused on past claims that such practices were traditionally used primarily against terrorists and serious criminals such as drug kingpins and pedophiles. However, Meta’s team found that surveillance companies chose to target politicians, human rights workers, journalists, dissidents and family members of opposition figures. That finding contrasts with the past claims noted in the report.
These findings resemble the Pegasus Project, a global investigation of Israel-based surveillance company NSO Group. The Pegasus report was completed by The Washington Post and 16 other news organizations.
“The surveillance industry is much bigger than just one company, and it’s much bigger than just malware-for-hire,” said Nathaniel Gleicher, head of security policy for Meta. “The targeting we see is indiscriminate. They’re targeting journalists. They’re targeting politicians. They’re targeting human rights defenders. They’re also targeting ordinary citizens.”
Surveillance firm Cytrox, based in North Macedonia, was among the companies that Meta had sanctioned. According to Thursday’s report, Meta said it had removed 300 Facebook and Instagram accounts the company used to engage and deceive targets. It also listed ten governments that hire Cytrox, including Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Ivory Coast, Vietnam, the Philippines and Germany.
Meta’s report exposed more than two dozen countries across six continents that used the surveillance services provided by the companies cited. Moreover, the victims of the surveillance activities were in more than 100 countries.