Combating the Darkest Depths of Cyber Intelligence: The Pall Mall Process & Commercial Surveillance Vendors

Spyware is getting out of control. We need a unified process and oversight mechanism to ensure its responsible use. Is the Pall Mall Process going to be the solution?


The Spyware Industry has recently come under massive scrutiny for its misuse and associated privacy issues. Nonetheless, this industry is vital for ensuring global security, aiding governments in identifying and thwarting threats such as terrorism, cyber attacks, and espionage, while also monitoring both authoritarian and failing states for prevention of global instability.

How digital espionage tools exacerbate authoritarianism across Africa | Brookings
Recent reporting about NSO Group’s surveillance tools—dubbed the “Pegasus Project”— makes clear that governments across Africa are also using spyware for purposes of international espionage. And these tools are being used in ways that risk worsening authoritarian tendencies and raise questions about whether security services are being properly held to account for their use.

The Pall Mall Process tackles these challenges by uniting nations, experts, and industry leaders to create ethical guidelines and oversight mechanisms. This collaborative effort strives to ensure the responsible use of such technologies, balancing the demands of security with the global safeguarding of individual privacy.

In this article, I'll try to explain which incidents led to the initiation of The Pall Mall Process, why it was necessary & how it can benefit everyone. I'll try to keep this blog as simple and straightforward as I can, for the sake of all the readers. However, please forgive me if I'm not entirely successful in doing so. Reading this one will take some time, so before continuing further, a little bit about myself.

Hello! I am Ayush Singh. I am the CEO of A.R.P. Syndicate - A Global Cybersecurity Intelligence & Research Company with hyperspecialization in Shadow IT & Vulnerability Intelligence. Now let's move forward in this article!

ORIGINS

Since the early days of computing, exploiting zero-day vulnerabilities for intrusive surveillance has often been done by law enforcement & intelligence agencies around the world at their discretion. Alliances like the Five Eyes, apart from deploying intelligence-gathering disciplines such as SIGINT, OSINT, HUMINT, GEOINT, etc., have also invested considerably in grooming in-house teams of researchers who identify vulnerabilities that can be weaponized to serve those ends.

What countries are in the 5 Eyes, 9 Eyes, and 14 Eyes agreements? | Proton
A list of the Five Eyes countries of the UKUSA and other intelligence-sharing agreements, including the Nine Eyes and Fourteen Eyes.

After the success of Operation Olympic Games, things escalated rapidly in the 2010s, which led to the commercialisation & creation of this industry. Malware intrusions broke records each year. Countries from all over the world started funding dedicated agencies not just to identify & eliminate these intrusions but also to build deterrence against them. That's when the term Advanced Persistent Threat (APT) started shaping the cybersecurity economy. Moreover, the absence of strict laws or regulations, combined with high demand & an influx of funding, led to crucial aspects of cyberwarfare & cyberespionage being commercialised.

A decade of hacking: The most notable cyber-security events of the 2010s
ZDNet takes a look over the most important data breaches, cyber-attacks, and malware strains of the last decade.

MARKET

First, let's cover the basics. Let's suppose some government has identified a few LockBit ransomware operators within its territory. Instead of immediately arresting them, it chooses to constantly monitor them to understand how to inflict maximum damage on their organisation. To achieve this, the Law Enforcement Agency (LEA) must oversee the operators' internet communications. However, it is nearly impossible to completely monitor these activities without controlling the various devices these ransomware operators are using.

What is commercial spyware?
As the victims of commercial spyware are highly targeted individuals, the sobering truth is that some attackers have the means to be able to spend six figures to compromise a single target.

Commercial spyware targets highly specific individuals, often at considerable expense. Some attackers can afford to spend six figures to compromise a single target. In scenarios like the one described above, commercial spyware can be very effective.

Zero-days exploited in the wild jumped 50% in 2023, fueled by spyware vendors
Cybersecurity experts are warning that zero-day exploits, which can be used to compromise devices before anyone is aware they’re vulnerable, have become more common as nation-state hackers and cybercriminals find sophisticated ways to carry out their attacks.

Here's a rough outline of how its most significant aspects work:

  1. Initial Attack Vector (IAV) Discovery: Just like any other kind of vector, this one also has two components (targets & vulnerabilities). The target can be anything from a simple HTTP server to an actual individual. Likewise, the vulnerability doesn't necessarily have to be an extremely sophisticated piece of code; it can simply be a leaked credential. But for the sake of a little less simplicity, let's just assume that the target is the latest iPhone. Now, the objective is to find a vulnerability, or a chain of vulnerabilities, that allows total control over the iPhone without any interaction from the victim (0-click).
  2. Vulnerability Research: Discovering such vulnerabilities can get extremely challenging and time-consuming if you don't already have one. Some prominent eastern nation-states prefer to use, at their discretion, vulnerabilities that were reported by their national white hat researchers. Others prefer either to conduct secretive in-house research or, if that's not possible, to buy directly from black hat researchers. This is where the zero-day vulnerability/exploit market becomes valuable.
  3. Exploit Acquisition: In simple terms, the zero-day exploit market lists demands for specific vulnerabilities; in this case, a zero-click Remote Code Execution (RCE) combined with a Local Privilege Escalation (LPE) is required. A vulnerability researcher would submit a discovered vulnerability to the marketplace, most probably in hopes of getting paid at once, and the Law Enforcement Agency (LEA) would purchase it but would most likely pay the sum in instalments, or however the broker's contract specifies.
  4. Weaponisation: Once the vulnerability is acquired, it needs to be weaponized. This means creating undetectable malware that can be loaded onto the target device. The malware is designed to communicate with a Command & Control (C&C) server, which allows the agency to perform operations and extract intelligence, all without being detected. To ensure that the malware doesn't trip things like EDRs & similar protections, this phase can get somewhat artistic & creative in nature. Most of the work done in this phase ends up building & orchestrating something that has never been seen before.
  5. Commercialisation: Incapable & outdated Law Enforcement Agencies (LEA) will mostly prefer to buy the entire thing as a product/service from a company that develops this "spyware", allowing them to simply use the ready-made software.

With this strategy, the government chooses to monitor rather than arrest the identified operators initially. They use commercial spyware and vulnerabilities obtained from the zero-day market to covertly gain control over the operators' devices, allowing for in-depth intelligence gathering and ultimately causing greater disruption to the criminal organisation.

This is perhaps the simplest and most straightforward explanation, but in reality, such operations are conducted very opaquely, with tactics varying constantly based on numerous factors such as budget, time, target, resource availability, buyer, supplier, involved regions, etc.

Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware
Talos revealed that rebooting an iOS or Android device may not remove the Predator spyware produced by Intellexa. Intellexa knows if their customers intend to perform surveillance operations on foreign soil.
Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus - The Citizen Lab
Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Using Internet scanning, we identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.

Often, attributing such attacks, once detected, becomes more complex and challenging than explaining the attack itself. Take Operation Triangulation, for example. We don't know who developed the exploits, who sold them, who the targets were, or what the objectives were. It could have been corporate espionage, a government's covert operation, or something entirely different. However, as a result, we now know with certainty that systems relying on "security through obscurity" are never truly secure.

Switzerland now requires all government software to be open source
The United States remains reluctant to work with open source, but European countries are bolder.

These types of incidents will continue and likely increase dramatically as long as governments act irresponsibly, technology vendors neglect user security, and an open market exists for such malicious activities.

Operation Triangulation
We discovered a previously unknown mobile APT campaign targeting iOS devices. We are calling this campaign “Operation Triangulation”

PROBLEM

Now, the market itself isn't the problem. Its driving factor is, and so is the common perception of cyberwarfare, cyberespionage and, in a limited sense, offensive cybersecurity. You simply can't defend against an intelligence-led intrusive offensive solution without access to the same intelligence. Simply put, defensive strategies are fundamentally flawed in themselves, because if you are really good at offense, you will possess the intelligence required to bypass technologies like EDR, firewalls & the rest, so offense always ends up being at least one step ahead of defense.

Even today, everyone is blindly investing in the most cutting-edge cyber security solutions, and these solutions do stop the attacks that happen in volume, yes. But the primary concern remains intact: the nation-state threat actor that couldn't be stopped over a decade ago can't be stopped today either, & its domestic solutions are silently sold & thriving in global markets.

Bombs and viruses: The shadowy history of Israel’s attacks on Iranian soil
From cyberattacks and assassinations to drone strikes, Israel-linked plots have targeted Iran for years.

Israel has always been at the top of this game, and as of 2024, ex-Israeli Special Forces personnel leading top Israeli cyber security companies are everywhere. In simpler words, military-grade cyber security capabilities have been out in the market for quite a while now, accessible to any government willing to pay for them. Had these solutions remained in limited hands, used only by governments for ensuring national security, things could have gone pretty well. Governments that don't have the best cybersecurity talent could have just used some of their natural resources to get their hands on these solutions and ensure greater safety & security in their territories. Unfortunately, things went way beyond just that, because after all, money rules.

The spy, the lawyer and their global surveillance empire - ICIJ
How an Israeli cyber-surveillance kingpin and his attorney ex-wife exploited Cypriot loopholes to build one of the world’s most notorious spyware firms.
More than 80 countries have purchased spyware, British cyber agency warns
More than 80 countries have purchased spyware over the past decade, Britain’s cyber agency warned in an intelligence assessment released Wednesday.

Taking advantage of the growing market, certain leaders across the entire global cyber security industry began normalising the practice of putting profits over ethics & honour. This put very powerful solutions in the hands of some allegedly unworthy & irresponsible people working for authoritarian regimes, which resulted in their unethical & unlawful application across the globe.

How NSO became the company whose software can spy on the world
The Pegasus project has raised new concerns about the Israeli firm, which is a world leader in the niche surveillance market
The hacking industry faces the end of an era
But even if NSO Group is no more, there are plenty of rivals who will rush in to take its place. And the same old problems haven’t gone away.

RESPONSE

The route to a response began on March 27, 2023, when POTUS issued the Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security.

Later, on March 29-30, 2023, the United States co-hosted The First Summit for Democracy. During this summit, the governments of Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom, and the United States released a joint statement condemning the misuse of commercial spyware.

2023 Summit for Democracy: Over 45 organisations call on states to protect citizens against the abuse of spyware - Business & Human Rights Resource Centre

On April 19, 2023, the United Kingdom's National Cyber Security Centre (NCSC) released a report on The threat from commercial cyber proliferation. This report was meant for "informing readers about the threat to UK industry and society from commercial cyber tools and services" and set out multiple key judgements, one of them being:

Commercial cyber tools and services lower the barrier to entry to state and non-state actors in obtaining cost-effective capability and intelligence they would not otherwise be able to develop or acquire themselves. This commercial proliferation will almost certainly be transformational on the cyber landscape.

Then, on November 10-11, 2023, an informal dialogue took place at The Paris Peace Forum, discussing the threat posed by cyber mercenaries, including the misuse of commercial spyware, and the need for strict domestic and international controls on the proliferation and use of such technology.

Building upon that dialogue, Britain & France together convened "big tech leaders, legal experts, and human rights defenders," and the "vendors involved in developing and selling cyber intrusion tools and services" at a conference held at Lancaster House in London on February 6, 2024.

Harmonizing Recent Campaigns to Tame the Hacking Marketplace

Together, they signed an international agreement termed The Pall Mall Process, which addressed not only threats from spyware but also "commercially available cyber intrusion capabilities, cyber intrusion companies, vulnerability and exploit marketplace & destructive or disruptive cyber capability".

On that same day, Google released the Threat Analysis Group's (TAG) report on How the commercial surveillance industry works and what can be done about it, & the US announced visa restriction policies against those involved in the commercial spyware trade.

The Pall Mall Process: Tackling the Proliferation and Irresponsible Use of Commercial Cyber Intrusion Capabilities (Lancaster House, London, 6 Feb. 2024)
We, as participant representatives of States, international organisations, private industry, academia, and civil society met to participate in an (…)

The most recent joint statement, released on March 18, 2024, indicated that additional nations, enterprises, and academic institutions have joined the international effort to counter the proliferation and misuse of commercial spyware.

The Pall Mall Process on Cyber Intrusion Capabilities
The process significantly neglects the role of governments in proliferation of these capabilities.

CONCLUSION

Again, I want to make one thing very clear: there is no defense against targeted, intelligence-led cyber offensives that exploit zero-day vulnerabilities, especially on undocumented targets. You simply can't defend against enemies when they alone have the Initial Attack Vector (IAV). But that can change when you have the same IAVs.

Going forward, as a nation-state, you can always acquire these IAVs for reasons such as ensuring defense against them or using them for counter-terrorism operations; in fact, certain countries even hope to achieve cyber deterrence with them & end up choosing them as their primary form of retaliation/espionage tactics, you could say.

Now, considering these two scenarios, let's see how that can go wrong:

  1. Purchasing IAVs: As a government, if you buy an IAV from an international seller, you can use it effectively against terrorist groups or less resourced threats. However, you can't use it effectively against another country that also bought the same tool. Both countries have the same capability, canceling each other's advantage.
  2. Lack of Oversight: If your government doesn't oversee the international seller, you can't expect continued access to the best tools. The company may sell the same or better products to others, chasing quick and large profits. This means you lose the advantage of having exclusive, cutting-edge intelligence.

These are some basic scenarios & there are even more, but these ones in particular are enough to teach us two very crucial lessons:

  • Exclusive Intelligence is Key: Exclusive access to unique intelligence tools is essential for maintaining an edge. Otherwise, it's not "intelligence" but just "news".
  • Multilateral Oversight and Control: Governments need to monitor and control the international entities they rely on for such capabilities to ensure they always have top-tier tools and to prevent these tools from being widely available.

In essence, relying on international spyware companies for critical intelligence puts a country at a disadvantage. Intelligence tools must be exclusive and tightly controlled to be effective. Therefore, investing in domestic capabilities while maintaining a good relationship with, yet strict oversight over, global vendors, regardless of public opinion or official reaction, ensures a unique advantage in cyber warfare.

Moreover, these technologies can achieve great results when used for good and ethical causes, & it becomes crucial to ensure that users of these technologies are fully vetted and subject to multilateral oversight. Completely banning their sale is not practical & is highly preposterous, as they can significantly enhance global security. That's why a policy backed by global cyber diplomats like The Pall Mall Process is necessary to ensure such advanced technology doesn't fall into the wrong hands or get used unethically.

No proposal to ban NSO Group: Government
“No, Sir. There is no proposal for banning any group named ‘NSO Group’,” Minister of State of Electronics and IT Rajeev Chandrasekhar said in a written reply to the Rajya Sabha.

While concluding this article, I want to highlight the situation in India. To build cyber capabilities, India primarily relies on technology transfer from its allies. While this strategy works well for short-term success, in the long term, investing in original, in-house, and exclusive research and intelligence is essential for gaining an upper hand in cyber warfare. If you cannot quickly build and evolve upon that technology, you risk relying on outdated tech that won’t deliver the expected results.

TECHNOLOGY TRANSFER IN INDIA » Legallands LLP
Technology transfer is a fast-growing activity in the research and development system. “technology transfer”

While attending an international conference in New Delhi, I couldn't help but laugh at a delusional statement made by India’s top Cyber Security Adviser: "There is light at the end of the tunnel." For a country that prefers to spend more funds on international solutions over fostering domestic cutting-edge cyber innovation and capacity building, that light seems more like the headlamp of an oncoming unstoppable silent train, steadily advancing to obliterate everything in its path.

OpenAI adds former NSA chief to its board
OpenAI on Thursday announced Paul Nakasone, former director of the National Security Agency, will join its board of directors.
iSoon leak sheds light on China’s use of extensive hacker-for-hire ecosystem
Read our analysis of the iSoon leak, where we examine what can be learned about China’s hacker-for-hire ecosystem and preference for cyber outsourcing
Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages
As part of our continuous threat hunting efforts across the Asia-Pacific region, BlackBerry discovered Pakistani-based APT group Transparent Tribe targeting the government, defense and aerospace sectors of India.

In my optimistic view, it's similar to how you can't control the wind, but you can always monitor and track your direction because of it, and quickly get back on course when favourable winds arrive. So, while India may not currently seem to be on the right path or making the right decisions, it will ultimately reach a position that benefits us Indians the most.

Thanks for your time. Have a good day!

Uncontrolled access to data, with no audit trail of activity and no oversight would be going too far. This applies to both commercial and government use of data about people.
- John Marlan Poindexter, Former National Security Advisor of the United States