At first glance, the Israeli startup Cobwebs Technologies seems like just another cybercompany. On its website, the firm proudly declares that it’s “a world leader in web intelligence.” In 2019, when it announced that it had raised $10 million, the company claimed to have developed a search engine for intelligence information and said it wanted to be the “Google for intelligence.”
Early in the coronavirus crisis, Cobwebs announced that it had developed a product that would predict the spread of the pandemic, and even boasted that it was working with the Defense Ministry’s Administration for the Development of Weapons and Technological Infrastructure.
But the report released Thursday by Meta, Facebook’s parent company, exposes a more secretive element of the company’s activities. The report describes Cobwebs, three other Israeli companies and three outfits from India, China and North Macedonia as “cyber mercenaries.”
According to Meta, Cobwebs activates counterfeit accounts for its clients that conduct surveillance online, including on social networks such as Facebook, Instagram, WhatsApp and Twitter. For example, the clients can collect information on activists, politicians and government officials around the world.
The counterfeit accounts also join communities and forums, tricking people to reveal personal data and later hacking the targets’ phones or computers. Cobwebs has clients in the United States but also in Bangladesh, Saudi Arabia and elsewhere.
Meta’s report was anything but circumspect. It named the Israeli companies Cobwebs, Cognyte, Bluehawk and Black Cube, as well as North Macedonia’s Cytrox (which is apparently Israeli-owned), India-based firm BellTroX and “an unknown entity in China.” They are described as belonging to a “global surveillance-for-hire industry” whose methods are similar to that of the Israeli company NSO Group Technologies.
“Given the severity of their violations, we have banned them from our services,” Meta writes. “We also alerted around 50,000 people who we believe were targeted by these malicious activities worldwide, using the alert system we launched in 2015. We recently updated it to provide people with more granular details about the types of targeting and the actor behind it so they can take steps to protect their accounts, depending on the phase of the surveillance attack chain we detect in each case.”
- 'We’re on the U.S. blacklist because of you': The dirty clash between Israeli cyberarms makers
- Spyware from two Israeli firms used to hack dissidents' phones in Egypt, India
- ‘Trust the dictator’: Israel’s new method of 'supervising' cyber arms exports
- Israel's shame: NSO and Pegasus are a danger to democracy around the world
For the most part, the cybersecurity industry operates under the radar. While most companies don’t specialize in sophisticated hacking tools like NSO, the targets and methods are similar. These companies make sure they operate in a legally gray area and consider themselves legitimate intelligence-gathering firms.
Indeed, intelligence collection by countries and companies is done as a matter of course. Though some of the firms say their tools help fight terror or crime, Facebook is shining a spotlight on, for example, the hacking of devices of journalists, human rights activists and regime opponents in some 100 countries, including non-democracies.
In the report, Meta doesn’t discuss the clients’ motives, but these might include companies’ collecting intelligence on competitors, regimes surveilling their opponents, and people or organizations gathering intelligence for extortion or legal claims. “Find some dirt on him for me,” CEOs and politicians around the world might tell their people – who then contact the Israeli spyware purveyors.
Meta’s report is rare; the company hardly ever gets down to this level of detail. The cybersecurity companies gather intelligence by exploiting the platforms owned by Meta – WhatsApp, Facebook and Instagram. This lets Meta’s investigators identify the targets, clients and method of operation.
In the first stage, the counterfeit account makes contact with the target and persuades him or her to carry on a conversation and provide information such as contact details or passwords.
In the second stage, surveillance software is implanted in the target’s phone or computer; it can be a sophisticated cyberwarfare tool or merely an off-the-shelf product. Either way, it allows full surveillance of one’s digital life. The Israeli companies named by Meta either performed some or both of these stages.
Besides Cobwebs, Meta also named Cognyte, the firm headed by Elad Sharon that was spun off from Israeli company Verint in 2019. According to the report, Cognyte sells tools to manage counterfeit accounts on social media sites from Facebook to YouTube to Russia’s Vkontakte. The tools, Meta says, allow clients “to social-engineer people and collect data.”
In other words, they get the victim to, for example, reveal sensitive details or click on a malicious link. Cognyte’s clients are located in countries including Israel, Colombia, Kenya, Morocco, Jordan and Indonesia. Among the targets: journalists and politicians.
Black Cube, a corporate intelligence company headed by Dan Zorella, is already familiar with controversy. According to Meta, the company enables clients to pose as other people and acquire a person’s email address for the purpose of phishing attacks.
Targets have been identified in the medical industry, mining, energy and among nonprofit groups. Other targets have included Palestinian activists, people in the Russian media, and experts in academia, high tech and finance.
Bluehawk, headed by Guy Klisman, an alumnus of Israeli Military Intelligence’s research division, provides spyware options including the collecting of legal information and the management of counterfeit accounts designed to persuade people to install malware. One common practice is to pose as a journalist. Victims have included Emirati and Qatari politicians and businesspeople.
Another firm mentioned by Meta is North Macedonia-based Cytrox, which develops hacking tools similar to those of NSO. According to a report by Citizen Lab, a University of Toronto research group that focuses on abuses of surveillance technology, Cytrox has close ties with organizations and businesspeople in Israel. According to a 2019 article in Forbes, Cytrox was acquired by the Israeli Tal Dillian, a former commander of a Military Intelligence technology unit and now a cyberwarfare entrepreneur.
Meta attacking Israel?
Gathering information on users, of course, is at the heart of Meta’s business model, and the company controlled by Mark Zuckerberg has been implicated in its own surveillance and information-collection scandals such as the Cambridge Analytica affair. Facebook also bought the Israeli app Onavo that let Facebook gather data on its users’ actions.
Sources close to Cobwebs attack Meta. “Facebook first chose to go to the media and only later informed the companies. If they were truly concerned about their users’ well-being, they would have first approached the companies and not the media, as is customary,” one source said.
“Cobwebs is a standard company; there are dozens like it around the world. Not one of its many competitors in the United States or Europe is mentioned in the report, which leads you to the conclusion that this is a well-orchestrated attack against Israeli companies in an attempt to show that Meta is protecting its users.”
Meanwhile, digital surveillance and spyware tools have become an extremely popular export sector for Israel. These companies exploit the abundance of information amassed over the years by the IDF in the cyber and intelligence fields and combine it with prowess in information analysis and digital advertising. Thus they’re strong technically, but sometimes ethically less so.
There is nothing new about Israeli high-tech firms operating in gray areas when it comes to violating privacy and acquiring data. For instance, the software company Glassbox got in trouble with Apple after it was revealed that it enabled apps to secretly record iPhone users’ actions.
Also, an add-on of the Israeli company Similarweb was blocked by Google’s Chrome browser because it tracked users’ web surfing, while a VPN add-on of the Israeli company Hola (of the outfit now known as Bright Data) has been repeatedly accused of violations of privacy and data security – until is was recently blocked and removed by Chrome.
But the companies named by Meta do espionage of an entirely different level. It’s very possible that these firms aren’t taking into account that the rules of the game are starting to change.
The Meta report is part of a wave of events showing that the technology sector’s patience with spyware companies is wearing thin. The tech giants may themselves be intelligence gathering empires, but they’re less conciliatory when it comes to Israeli third-party companies exploiting their platforms to conduct surveillance and collect data on their users.
Israel lacks supervision
Similarly, governments and regulatory agencies in the United States and Europe are beginning to realize that the phenomenon must be addressed. “It’s significant, because it shows this is not the problem of a single company or a handful of companies. It’s an industry-wide problem,” John Scott-Railton, a senior researcher at Citizen Lab, told Bloomberg.
The evidence is what has happened in recent months to NSO. Despite its claims that it’s working against terror and crime, it has been sued by Facebook and Apple, with the U.S. administration slapping on sanctions (and on another Israeli cyberwarfare company, Candiru).
Last week, Google released a report with unprecedented detail on the methods of Pegasus, the hacking tool developed by NSO. According to foreign media reports, all this has gotten NSO to consider shutting down or selling its cyberwarfare operations.
Should this process worsen, the Israeli cyberwarfare and spyware industries, which still enjoy freedom of action, will have to show greater accountability, change the way they operate, become more transparent, alter their business models or maybe even close down. This wouldn’t be the first time; pressure from the technology giants once destroyed an entire industry that developed in Israel: invasive toolbars that took over people’s browsers and computers. A clutch of Israeli companies had to shut down or change direction.
Yet somehow all the pressure on Israeli companies is coming from foreign governments and corporations. Aside from the media and a few civil society groups, no government ministry, agency or regulator – not the departments that oversee exports at the economics and defense ministries, not the Privacy Protection Authority and not the National Cyber Directorate – have expressed any special interest in supervising or restricting use of dubious practices of Israeli spyware companies.
These companies offer their services to nondemocratic regimes, and this is happening even though most of these firms depend on the expertise of IDF veterans.
Black Cube said in a statement: “Black Cube does not engage in any phishing or hacking and does not operate in the cyberworld. Black Cube is a litigation support firm that uses legal human-intelligence investigation methods to obtain information for litigations and arbitrations. Black Cube works with the world’s leading law firms in proving bribery, uncovering corruption and recovering hundreds of millions in stolen assets. Black Cube obtains legal advice in every jurisdiction in which we operate in order to ensure that all our agents’ activities are fully compliant with local laws.”
Cobweb said: “Our products are based on open source data and we operate solely in accordance with the law and the strictest standards of privacy protection.”
Bluehawk said: “The Bluehawk company rejects the claims of Meta, whose representatives have never made contact with the company to clarify matters. The company operates in business information research and support for litigation procedures, and does not engage in any way in espionage or phishing, and is not close in its operations to the companies listed by Meta, because the research and collection is carried out solely from open sources.”
Cognyte did not immediately comment.