information security

Meta says PH among countries with clients of cyber mercenary firm Cytrox

Gelo Gonzales
Meta says PH among countries with clients of cyber mercenary firm Cytrox

META. A woman holds smartphone with Facebook logo in front of a displayed Facebook's new rebrand logo Meta in this illustration picture taken October 28, 2021

Dado Ruvic/Reuters

Cytrox is behind 'Predator,' a spyware similar to the NSO Group's 'Pegasus'

Meta said on Thursday, December 16, that it has banned “cyber mercenaries” from the global surveillance-for-hire industry.

In the report, “Taking Action Against the Surveillance For Hire Industry,” the company said it permanently banned accounts found to have links with seven cyber mercenary firms that the company identified after what it described as a “months-long investigation.” The company also alerted around 50,000 people believed to be targeted. 

These firms, according to Meta, are part of an industry “that targets people to collect intelligence, manipulate and compromise their devices and accounts across the internet.” The company said that while these cyber mercenaries often say that they only target criminals and terrorists, Meta’s investigation found that “targeting is indiscriminate” and “includes journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists.”

Meta said that people in over 100 countries were targeted. But it also specified in its threat report that one of the seven firms, Cytrox, was found to have clients in the Philippines. “Our investigation identified customers in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Côte d’Ivoire, Vietnam, the Philippines, and Germany. Targets of Cytrox and its customers included politicians and journalists around the world, including in Egypt and Armenia,” the company’s threat report said. 

Cytrox was identified to have been in the “exploitation” phase of surveillance activities, which is the part where a hacker-for-hire is tasked with phishing and injecting malware, with the primary goal of “device-level surveillance and monitoring.” 

Said Meta: “The ultimate goal is to enable device-level surveillance and monitoring of mobile phones or computers. At that point, depending on the exploit, the attacker can access any data on the target’s phone or computer, including passwords, cookies, access tokens, photos, videos, messages, address books, as well as silently activate the microphone, camera, and geo-location tracking.” 

The two other phases in Meta’s report are reconnaissance (monitoring targets commonly through fake social media accounts) and engagement (establishing trust with target). 

Meta didn’t specify any of the clients of Cytrox nor did it provide Philippines-specific information but said the company removed about 300 accounts on Facebook and Instagram linked to Cytrox. It also provided information on what the firm does. 

“This North Macedonian company develops exploits and sells surveillance tools and malware that enable its clients to compromise iOS and Android devices,” Meta said. 

Meta, with help from Citizen Lab, which was among the organizations that worked on exposing the Pegasus spyware, found “a vast domain infrastructure that we believe Cytrox used to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media services.” Meta has a full list of the domains in the appendix of their report.  

“They used these domains as part of their phishing and compromise campaigns. Cytrox and its customers took steps to tailor their attacks for particular targets by only infecting people with malware when they passed certain technical checks, including IP address and device type. If the checks failed, people could be redirected to legitimate news or other websites,” the company said.

Citizen Lab report

A separate report published on the same date by Citizen Lab revealed more on the inner workings of Cytrox. Citizen Lab identified Cytrox’s Pegasus-like Predator spyware, and found it in the iPhones (iOS 14.6) of two Egyptians: exiled opposition figure Ayman Nour, and an anonymous exiled journalist. 

Curiously, Pegasus was also found simultaneously with Predator in Nour’s device. The report also explored Cytrox’s links to a consortium called “Intellexa” which is seen as a competitor to the NSO Group, the Israeli company behind Pegasus.

Citizen Lab said that theirs is the “first investigation to discover Cytrox’s mercenary spyware being abused to target civil society.” 

These attacks, the organization said is “a pattern that we expect will persist as long as autocratic governments are able to obtain sophisticated hacking technology.” 

“Absent international and domestic regulations and safeguards, journalists, human rights defenders, and opposition groups will continue to be hacked into the foreseeable future,” it added. –

Gelo Gonzales

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.