A smartphone with the website of Israel’s NSO Group, which created the Pegasus spyware. Photo: AFP
Asian Angle
by Alessandro Arduino

From the Middle East to China, Pegasus spyware revelations show the spread of hacking as a service

  • Canada, the US and Switzerland are among the so-called ‘liberal democracies’ where use of the Israeli spy software has been detected
  • The line that separates cyber defence from cyber mercenaries is easily blurred, and China presents a challenge for regulating private espionage

More than two decades ago, the Middle East ushered in the era of private military companies (PMCs) and the return of mercenaries. Since the United States – during the invasion of Iraq – opened the proverbial Pandora’s Box of privatising what was once a state monopoly on violence, there has been abundant coverage of the activities of armed contractors and mercenaries from Libya to Ukraine.

In the past decade, private military contractors and mercenary outfits have proliferated, from conflicts in the Middle East to those in its neighbouring regions. The Russian Wagner group in Africa, Syrian mercenaries in the Nagorno-Karabakh war, and the Colombian kill team that recently assassinated Haiti’s president are cases in point.

Now, the Middle East is once again a Petri dish for a different virus: the privatisation of cyber intelligence services. While Russia, North Korea and China have always been accused by the West of being leaders in state-sponsored hacking – both in launching disruptive cyberattacks as well as for having links with cyber criminals bent on lucrative ransomware heists – the spotlight in the cybersecurity realm is now being trained on private Israeli companies.

In the murky world of espionage, intelligence for hire is not new, but recent trends in the commodification of military-grade spyware have raised awareness of private cybersecurity companies that offer spy-for-hire services. Spyware is a kind of malware that allows hackers to control a system remotely, enabling them to monitor their targets’ computers and mobile devices. Increasing demand, lack of regulation, and a low barrier to entry have all helped to make cyber espionage a fast-growing industry.

The Abraham Accords exposed what was previously an open secret: Israeli security cooperation with some Gulf states. The exposé by media outlets of Pegasus, the Israeli firm NSO Group’s spyware, revealed that such antics are not limited to repressive regimes – Canada, the US and Switzerland are among the so-called “liberal democracies” where use of Pegasus has been detected.

While Israel is a world leader in the field, it does not have a monopoly on the spyware market. The Italian firm Hacking Team was engulfed in scandal after the revelation that its Galileo software had possibly been sold to Egypt. This came to light after Giulio Regeni, a young Italian researcher from Cambridge University, was found dead in 2016. He had been tortured so badly that his body was disfigured.

Regeni was researching Cairo’s independent trade unions when he was killed, and a judge in Rome later ruled that four Egyptian security officials should stand trial for his murder. Widespread reports that the Egyptian security service had used Galileo to track the researcher later led to the Italian government placing export restrictions on the software. Hacking Team’s client list includes government agencies around the world and commercial entities, including banks.

Cheap and widely available spoofing tools are altering the landscape of the already murky world of surveillance. Even the European Union, which bills itself as a leader in privacy and digital rights protection, is having trouble regulating private espionage among its 27 members.

China presents another challenge altogether. Several Chinese companies are among the global leaders in AI face-recognition applications for a variety of uses, and their cheaper solutions make them competitive players in the global market. The country’s national cybersecurity law carves out Chinese cyberspace as sovereign territory, and Beijing’s strict control over Big Data flow and storage, as well as the authorities’ unfettered access to companies’ servers, all stand to compound the impact of China’s “private” technology companies.


The recent accusation by the US and its allies that China was behind the Microsoft Exchange hack is worrying. Washington and Beijing are already engaged in a high-stakes strategic rivalry. Name-calling can only make things appreciably worse, and accelerate the spat towards the point of no return.

It is not too late to put the genie back into the bottle. The recent call by the United Nations for countries to exercise greater oversight on the sale of military-grade cyber technologies is timely. The first step towards this is to challenge the traditional regulatory framework that deals with dual-use technologies. All technologies tend to be susceptible to more than one use, and there is a need for updated rules delineating commercial applications from governments’ national security requirements.

A more daunting task is differentiating private security companies from cyber mercenaries, and identifying when private sector efforts to augment government espionage capabilities cross the proverbial red line – the Wild West nature of the internet only makes this more difficult.

Hacking as a service is a very fluid area, and the line that separates cyber defence from cyber mercenaries is easily blurred. The cybersecurity industry is poorly regulated and prone to abuse, but it is a fast-growing and very profitable one. Societal trends sparked as a result of Covid-19 – working from home, using online meeting platforms, and the burgeoning use of cloud computing – have increased the opportunities for non-state actors to satisfy governments’ ravenous appetites for spyware and automated intelligence gathering.

States are already using proxies to commit criminal acts in cyberspace. The logical next step will be an increase in kinetic cyber operations – aimed at disabling, disrupting, or destroying digital infrastructure or functions – carried out by private cybersecurity companies. Leaving this dangerous business to mercenaries motivated only by profit risks escalating matters into uncharted territory.

Dr Alessandro Arduino, an expert on security issues, is Principal Research Fellow at the Middle East Institute at the National University of Singapore