
Ep. 13: Spyware and ‘a world of Bond villains’

(MUSIC)

DINA TEMPLE-RASTON: In 2001, back in a time when logging onto the web sounded like
this…

(DIAL-UP SOUND)

TEMPLE-RASTON: …a University of Toronto professor named Ron Deibert had this hunch
about the Internet. He was pretty sure it wouldn’t just, well, spark joy.

He’d been watching how intelligence agencies used satellites to verify arms agreements and
wondered if those same technologies could be used to help civil society. So he founded a
group called The Citizen Lab.

The idea was to create a high-tech human rights watchdog — a kind of CSI of the Internet —
that would hold powers misusing technology to account.

And in the 21 years since, Deibert’s spidey sense that the Internet wasn’t going to be all
rainbows and unicorns has turned out to be exactly right, in ways that have even surprised
him.

RON DEIBERT: This is like an accidental contingent factor in history. We’ve surrounded
ourselves with technology that's invasive by design…we carry around with us 24 hours a day
devices that are vacuuming up as much personal, fine-grained detail about us as human beings,
and yet that ecosystem is entirely insecure.

TEMPLE-RASTON: But this isn’t just about privacy, though that’s part of it, too. These days,
we’re used to hacked networks and stolen emails.

What’s new is the next level: a spy in your pocket, on your phone. It has a name, spyware. And
its use has become so normalized…it seems like everyone is doing it. Not just despots and
autocrats anymore, but democratic countries too, where spyware is being deployed as a kind
of high-tech opposition research.

DEIBERT: To me this is the most serious threat to liberal democracy right now by far is what
we’re unleashing on ourselves.

(THEME MUSIC)

TEMPLE-RASTON: I’m Dina Temple-Raston, and this is Click Here, a podcast about all things
cyber and intelligence.

Today, a conversation with Ron Deibert of The Citizen Lab about the hack-for-hire industry.
It’s gone mainstream…and we look at what that means for civil society.

DEIBERT: It's like Frankenstein's monster has come home to haunt them.

TEMPLE-RASTON: We’ll be right back.

BREAK

(MUSIC)

TEMPLE-RASTON: When I first met Ron Deibert, more than ten years ago, he was known for
uncovering an attack on a surprising target.

CNN: ...into possible hacking of computers at the office of the Dalai Lama may have
uncovered a vast network of cyber espionage…

TEMPLE-RASTON: The office of the Dalai Lama, the exiled Tibetan leader, had asked The
Citizen Lab to take a look at their computers because something seemed off. They were
right. Deibert and his team pawed through the network and discovered a massive
surveillance operation.

This is Deibert on CNN in 2009, explaining what they’d found.

CNN: They could turn on web cameras, turn on audio devices to use as a listening device…

TEMPLE-RASTON: It turns out, Chinese hackers had accessed the Dalai Lama’s email
accounts. But it wasn’t just His Holiness: The Citizen Lab researchers uncovered a Chinese
state-sponsored intelligence gathering operation that targeted governments in 103
different countries.

The Citizen Lab called the spying operation GhostNet, and their report marked the first time
researchers had ever exposed the inner workings of a hack of this magnitude. What it made
clear was that many governments were starting to use sophisticated computer programs to
gather information.

Looking back on it, it was a sign, and most of us missed it.

TEMPLE-RASTON: So, when I first started talking to you years and years ago, we had the
Dalai Lama, right?

DEIBERT: Yes.

TEMPLE-RASTON: Back when you were doing the Dalai Lama project, did you see this
coming?

DEIBERT: No, I actually did not. And it's interesting to think back that it wasn't that long
ago, 2008, 2009. I was really focused on this as something governments are doing. And it
was only, you know, a couple of years later that it started to dawn on me, oh, there's this
big market for espionage, for digital espionage.

TEMPLE-RASTON: Espionage has come a long way since GhostNet. It is no longer just about
state-sponsored groups.

In the past 40 years, our global economy has created a class of billionaires and oligarchs
and a world full of clients willing to pay top dollar to stay in power or keep what they have.
And a new competitive industry willing to help them do that. We’ve been watching that
happen, and now spyware is widely available.

DEIBERT: So now, if you're a despot or an autocrat, or even a corrupt mogul somewhere, you
can order up a sophisticated privatized subversion campaign against any target — could be
you as a journalist; it could be some political opposition figure — as easily as ordering a
sweater on eBay or Amazon.

TEMPLE-RASTON: Consider the case of Ethiopia. Back in 2017, some Ethiopian journalists
working overseas reached out to the Citizen Lab about suspicious emails.

After researchers dug into their electronic devices they found a surprising thing: spyware,
secretly dropped on their phones by an Israeli company called Cyberbit.

DEIBERT: You think about this: Ethiopia, one of the poorest countries in the world, [with]
less than twenty-five percent internet connectivity can, thanks to Cyberbit, undertake a
global cyber espionage operation, getting inside the devices of more than 20 victims around
the world. Like, that's truly unprecedented in terms of the capacity to effectively purchase
your own national security agency.

TEMPLE-RASTON: In the old days, if someone wanted to conduct surveillance it was
incredibly risky and really labor intensive. If they had been following a couple of dozen
journalists in the traditional way…

DEIBERT: They would have had to send agents to actually, you know, get inside his
apartment, put bugs in his space. Um, and even then the information wouldn't be that
useful because he'd have to be talking about something right next to the bug. Um, but now
with a push of a button, they can get inside his head.

TEMPLE-RASTON: And it turns out ground zero for the development of spyware is Israel.

DEIBERT: Israel is a very special case. So you have this very explicit startup culture. People
who have an intelligence background, maybe they go through their military service are
encouraged to develop businesses and, and market their techniques and skills to both
government clients and private sector clients.

TEMPLE-RASTON: You're talking about unit 8200.

DEIBERT: Yeah. And others as well.

TEMPLE-RASTON: Think of Unit 8200 as Israel’s NSA. A lot of promising computer geeks in
Israel do their mandatory military service at 8200 and then leave and start their own
businesses.

DEIBERT: I mean, I think it's broader than just one agency. There's a whole culture there that
for a long period of time has encouraged innovation around broadly speaking intelligence
gathering, let’s call it.

TEMPLE-RASTON: The Israeli investigative company Black Cube was started by an IDF
planning officer and has offices in Tel Aviv, London and Madrid.

On its website it says it uses “creative intelligence” to get jobs done.

DEIBERT: These are companies that are employed by you know a variety of potential clients,
not just governments, often law firms, you know, front companies, private equity firms, you
know, anyone that's involved in the kind of malfeasance that surrounds kleptocrats and
billionaire oligarchs. And they often go by benign sounding names like reputation
management or deep background checks.

TEMPLE-RASTON: But Deibert says if you look at these sorts of companies’ business models,
it’s often all about hacking.

DEIBERT: It's basically providing government clients with the ability to get inside a device.
Once you can get inside a device, you have effectively a goldmine of information that can be
used for passive data collection, just to gather intelligence about a target, but can also be
used for all sorts of harmful things.

TEMPLE-RASTON: Falsely incriminating information, data for blackmail…

Black Cube and a company you may have heard of — NSO Group — are just two key players.
There are dozens more, all around the world. Deibert says that the fact that just about
anyone can now get national security grade espionage in a box has led to something even
more worrying: Democracies are starting to use these techniques too.

(MUSIC)

TEMPLE-RASTON: As if to underscore just how prevalent spyware has become, some recent
news out of Spain: Just last month, Deibert and his team reported that the phones belonging
to dozens of pro-independence supporters in Catalonia were loaded with spyware.

NEWS: Pegasus software is once again back in the spotlight, this time for targeting
pro-independence supporters in Spain’s Catalonia…

TEMPLE-RASTON: Most of it was Pegasus, a spyware produced by the NSO Group. And some
of it was the handiwork of another Israeli company called Candiru.

NSO and Candiru responded by saying their products are meant to stop crime and terrorism.
And while The Citizen Lab couldn’t say with 100 percent certainty who had ordered up the
surveillance, in the report they wrote, “strong circumstantial evidence suggests a nexus with
Spanish authorities.”

Both the European Parliament and Spanish officials have opened investigations.

The Spanish government denies it was behind it.

Funny thing about that, though…

Just this week, the Spanish government announced that it had found Pegasus spyware on
the prime minister’s and the defense minister’s cell phones. Spanish authorities are trying to
determine whether other senior officials have been targeted as well.

What's clear is that spyware is becoming so prevalent it caused one Citizen Lab researcher
to observe that a government can be a perpetrator in one incident and unwittingly be the
victim in another.

DEIBERT: The interesting thing is, we often think about problems in the world, like, there
are a bunch of bad countries over here, and we're the good countries. The ways people talk
about, for example, foreign influence operations: Oh, this is something we need to think about
and defend against. When, actually, the root of the problem is deep inside liberal democratic
countries themselves.

(MUSIC)

TEMPLE-RASTON: When we come back, why this new high-tech surveillance has become
such a hard problem to tackle.

This is Click Here.

BREAK

TEMPLE-RASTON: Speaking with Deibert, you can’t help but wonder if this rise in the
hack-for-hire industry was somehow avoidable and whether we missed something along the
way.

TEMPLE-RASTON: And this has been going on a really long time, and we haven't noticed it?
Or is it kind of new?

DEIBERT: I think it's both in a way. It's been going on for longer than I think a lot of people
realize, but it is a relatively new thing. However, I think now it's certainly becoming more
apparent to a lot of policymakers, but it is something relatively new.

TEMPLE-RASTON: Is it inexpensive? I mean, do we have a range? Like, what's your
Walgreens sort of a KMart-type national security in a box?

DEIBERT: That's a really interesting question. And of course there are a lot of potential
clients out there that have deep pockets and don't really — for them, 10 million is trivial.
But then you can also accomplish the same thing very cheaply. So we produced this report
called Dark Basin, where we were working for about a year on what we believed was a
massive global cyber espionage campaign, targeting politicians, civil society activists
working on completely different topics like net neutrality and climate change, lawyers, on
and on.

TEMPLE-RASTON: Deibert says The Citizen Lab researchers started pawing through this
massive network and kept thinking that it must be the Russians or the Chinese. And then
the attackers made a mistake, which allowed The Citizen Lab to identify who they were.

To Deibert’s surprise, it was a company — called BellTroX…

DEIBERT: …based in a small shop in Delhi, India. They actually advertise their services on
LinkedIn using this kind of benign sounding language like due diligence, reputation
management, and yet they were employed seemingly by a wide variety of clients.

TEMPLE-RASTON: The case has been unusual in that some of its employees and associates
have actually been held to account – at least in the U.S. One of its directors was indicted in
California back in 2015 for a hack-for-hire scheme, and a few weeks ago an Israeli private
investigator pleaded guilty in federal court to crimes related to his role in the BellTroX
operation.

DEIBERT: You may have a client like a big multinational company that then hires a law firm.
The law firm hires a private investigator. The private investigator hires a hack-for-hire
company, and the hack-for-hire company in this case is based in India.

TEMPLE-RASTON: Ron Deibert says there’s no simple solution to a problem so rooted in the
global economy.

DEIBERT: It's a bit of a chicken and egg thing. So there's so many more government clients,
which increases the value of the companies providing this type of service, which in turn
undercuts systems of accountability and independent journalism and civil society, which
leads to yet more abuse of power. So it's a kind of, self-fulfilling dynamic that's happening
right now that we need to somehow first recognize and get out of.

TEMPLE-RASTON: But there are steps governments can take to curb this. Late last year, a
bunch of hack-for-hire companies, including NSO Group and Candiru, appeared on a
Commerce Department entity list. It is a kind of black list that requires Americans to get an
exemption from the Department to even do business with them.

The Commerce Department said evidence suggested that the companies had developed
and supplied spyware to foreign governments who used their spyware to target
government workers, journalists and activists. And Deibert said it wasn’t just an empty
government gesture.

DEIBERT: Immediately after that happened, Moody's downgraded NSO’s credit rating. That's
a tangible impact on that company's viability, and it goes to show how regulations matter.
Don't forget: These companies that I'm talking about make their investors — usually big
private equity and pension funds — a lot of money. So getting at the root of it is important.

(MUSIC)

TEMPLE-RASTON: Five years from now, 10 years from now, are we going to have this under
control?

DEIBERT: Uh, I hope so. I don't think we'll have it under control. Realistically, I think things
are getting worse rather than better. Right now, it's like we put the crazy kleptocrats in
charge, and they're running the world. And we're just not set up to understand it. It's kind of
like we're living in a world of James Bond villains. That’s the world order we live in right now.

TEMPLE-RASTON: That was Citizen Lab founder Ron Deibert.

And this is Click Here.

(THEME MUSIC)

TEMPLE-RASTON: And now a quick update from Ukraine…

(MUSIC)

TEMPLE-RASTON: Alex Riabtsev is part of a global crowd sourced mapping collective called
OpenStreetMap. But if you’re in the middle of war, it turns out open source mapping
presents a problem.

RIABTSEV: We started to notice that there are some edits on the map. After the edit, there
were airstrikes and rocket strikes on the places that were edited by some users on
OpenStreetMap.

TEMPLE-RASTON: What happened was this: One of the OpenStreetMap volunteers in
Ukraine helpfully changed the coordinates on an airport. A short time later, Russians
bombed it. It happened again with a local oil field, and then a local hospital.

RIABTSEV: We can't prove 100% that the air strike is after the edit, but if there are 1, 2, 3
edits, and after these edits there are airstrikes, that might be not only a coincidence.

TEMPLE-RASTON: In response, Riabtsev said he and the OpenStreetMap volunteers in
Ukraine did something they’ve never done before: They froze the open source edits on the
map.

They just stopped changing things.

RIABTSEV: Editing maps could be potentially the source of information for our enemy to
correct their airstrikes and rocket strikes. And when we are not editing the map, they do not
[have] information about what is destroyed and what is not destroyed. So they are not able
to correct their airstrikes and rocket strikes.

TEMPLE-RASTON: So I asked if he and the OpenStreetMap volunteers might go a little bit
further and, well, maybe insert some mistakes on those maps the Russians seem to be
using. He was incredulous.

RIABTSEV: Providing fake information is counter to OpenStreetMap ground rules. After the
discussion we said, No, it's not the way we should do [it].

TEMPLE-RASTON: Riabtsev says even in war time, maps shouldn’t be political; they should
reflect the truth on the ground. Although you could make a case that deciding not to change
them isn’t necessarily telling the whole truth on the ground.

OpenStreetMap has dealt with this issue before with Crimea. After 2014, the collective
began mapping the region as part of Russia.

RIABTSEV: And we said no because Crimea is Ukraine, and [the] United Nations and all
other international organizations see Crimea as part of Ukraine. Nowadays, if you go to
OpenStreetMap website, you could see that Crimea belongs to both Ukraine and Russia.
And [the] Ukrainian community believes this is a small victory of OpenStreetMap.

TEMPLE-RASTON: A small victory amongst many.

This is Click Here.

(HEADLINE MUSIC)

TEMPLE-RASTON: Here are a few of the top cyber and intelligence stories of the past week:

Internet service for the town of Kherson in Ukraine is now running through a Russian
network instead of a Ukrainian telecom. Ukrainian officials and internet access monitor
Netblocks said there was a near-total internet blackout across Kherson this past Saturday.
Ukrainian telecom officials investigated and found breaks in the fiber optic backbone.

Service returned on Sunday but all the internet traffic is now going through Russia’s
Miranda and Rostelecom networks.

A year-long bug bounty program focusing on parts of the U.S. defense industrial base found
more than 400 vulnerabilities in the DIB’s networks. Nearly three hundred security
researchers with HackerOne, a bug bounty vendor, participated in the exercise. According to
the firm, they found 401 vulnerabilities that were deemed actionable and required
remediation. The program included 41 entities and 348 systems over the course of the year,
just a sliver of the estimated hundreds of thousands of companies that contract directly
with the Pentagon and other defense department agencies.

The Cybersecurity and Infrastructure Security Agency (CISA) urged companies and other
organizations Wednesday to take a long, hard look at its list of the top 15 routinely
exploited vulnerabilities in 2021. Among them: Log4Shell, the Microsoft bugs ProxyLogon and
ProxyShell, as well as a vulnerability affecting Atlassian products. The head of CISA, Jen
Easterly, reminded cybersecurity officials that cyber criminals go back to what works, so they
tend to target the same critical vulnerabilities they’ve exploited in the past until companies
address them.

Today’s episode was produced by Will Jarvis and Sean Powers. It was edited by Karen Duffin,
with fact-checking from Darren Ankrom. Ben Levingston composed our theme and original
music for the episode. We had additional music from Blue Dot Sessions.

Click Here is a production of The Record by Recorded Future.

And we want to hear from you. Please leave us a review and rating wherever you get your
podcasts. And you can connect with us at ClickHereshow.com

I’m Dina Temple-Raston. We’ll be back on Tuesday.
