Report informing readers about the threat to UK industry and society from commercial cyber tools and services.
Analysis Summary
# Tool/Technique: Commercial Spyware & Hacking-as-a-Service (HaaS)
## Overview
This report details the proliferation of high-end commercial cyber tools and the "Hacking-as-a-Service" (HaaS) ecosystem. These tools are developed by commercial entities and sold to global customers (often governments) to perform targeted surveillance, data exfiltration, and intelligence gathering against individuals and organizations.
## Technical Details
- **Type**: Malware family (Spyware) | Tool (Exploit Frameworks) | Technique (Zero-click exploits)
- **Platform**: Mobile (iOS, Android), Desktop (Windows, macOS)
- **Capabilities**: Remote surveillance, microphone/camera activation, message exfiltration (including encrypted apps), and location tracking.
- **First Seen**: Proliferation accelerated significantly from 2013 onwards; report published April 2023.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566 - Phishing]
  - [T1203 - Exploitation for Client Execution]
- **[TA0002 - Execution]**
  - [T1204.001 - User Execution: Malicious Link]
- **[TA0005 - Defense Evasion]**
  - [T1406 - Obfuscated Files or Information]
- **[TA0007 - Discovery]**
  - [T1426 - System Information Discovery]
- **[TA0009 - Collection]**
  - [T1430 - Location Tracking]
  - [T1512 - Data from Local System]
  - [T1429 - Audio Capture]
## Functionality
### Core Capabilities
- **Surveillance**: Persistent access to device microphones and cameras for real-time monitoring.
- **Data Exfiltration**: Stealing contact lists, call logs, emails, and SMS.
- **Encrypted App Interception**: Defeating end-to-end encryption at the endpoint rather than in transit, by reading messages from the device's screen or memory after they have been decrypted (intercepting Signal, WhatsApp, Telegram).
### Advanced Features
- **Zero-Click Exploits**: Delivery methods that require no user interaction (e.g., via specially crafted hidden messages in iMessage or WhatsApp).
- **One-Click Exploits**: Sophisticated social engineering via SMS or email links targeted at specific high-value individuals.
- **Persistence Management**: Advanced techniques to survive reboots while remaining hidden from mobile security software.
## Indicators of Compromise
*Note: Specific hashes are frequently rotated by commercial vendors to avoid detection.*
- **File Names**: Often masquerade as system files or popular app updates.
- **Network Indicators**:
  - Communications with C2 servers often hosted on legitimate cloud infrastructure (e.g., AWS, Azure) to blend in with normal traffic.
  - Defanged Example: `hxxps[://]secure-update-services[.]com`
- **Behavioral Indicators**:
  - Sudden increases in data usage (upload).
  - Rapid battery drain due to constant sensor activation.
  - Presence of unauthorized configuration profiles on mobile devices.
## Associated Threat Actors
- **Commercial Vendors**: NSO Group, Candiru, Intellexa, DSIRF.
- **Users**: State-sponsored actors, law enforcement agencies, and private entities globally.
## Detection Methods
- **Behavioral Detection**: Monitoring for unusual API calls (e.g., an unrelated app requesting camera access) or unauthorized data exfiltration patterns.
- **Device Auditing**: Using specialized tools like the Mobile Verification Toolkit (MVT) to scan for known commercial spyware artifacts.
- **Network Monitoring**: Identifying traffic to known "dead-drop" points or obfuscated C2 domains.
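As an added illustration (not from the report or any vendor tool), the behavioral indicators listed under Indicators of Compromise and the behavioral detection approach above, turned into a simple triage check over constructed device telemetry. The telemetry field names, the thresholds and the profile allowlist are assumptions, standing in for whatever an MDM export actually provides.

```python
"""Flag the report's behavioral indicators in constructed per-device telemetry.

Assumptions (not from the report): one dict per device per day with upload bytes,
battery drain in percent per hour, and installed configuration profile identifiers.
Thresholds are illustrative starting points, not vendor-validated values.
"""
from statistics import median

# Constructed sample: six quiet days, then a day showing all three indicators
# (upload spike, fast battery drain, an unexpected configuration profile).
SAMPLE_TELEMETRY = [
    {"device": "phone-01", "day": d, "upload_bytes": 40_000_000,
     "drain_pct_per_hr": 4.0, "profiles": ["com.example.corp-wifi"]}
    for d in range(1, 7)
] + [
    {"device": "phone-01", "day": 7, "upload_bytes": 610_000_000,
     "drain_pct_per_hr": 14.5,
     "profiles": ["com.example.corp-wifi", "com.unknown.supervision"]},
]

# Profiles the organisation itself pushed to devices (assumed allowlist).
APPROVED_PROFILES = {"com.example.corp-wifi"}


def analyse_device(records, upload_factor=5.0, drain_threshold=10.0):
    """Return (day, indicator, detail) findings for one device's records.

    The upload baseline is the median of the *earlier* days only, so a spike
    cannot inflate its own baseline. Any single finding is weak evidence; the
    report treats these as prompts for a full device audit (e.g. with MVT).
    """
    findings = []
    records = sorted(records, key=lambda r: r["day"])
    for i, rec in enumerate(records):
        prior = [r["upload_bytes"] for r in records[:i]]
        if prior:
            baseline = median(prior)
            if baseline and rec["upload_bytes"] > upload_factor * baseline:
                ratio = rec["upload_bytes"] / baseline
                findings.append((rec["day"], "upload_spike", f"{ratio:.1f}x prior median"))
        if rec["drain_pct_per_hr"] > drain_threshold:
            findings.append((rec["day"], "battery_drain", f"{rec['drain_pct_per_hr']}%/hr"))
        for profile in rec["profiles"]:
            if profile not in APPROVED_PROFILES:
                findings.append((rec["day"], "unapproved_profile", profile))
    return findings


if __name__ == "__main__":
    for day, kind, detail in analyse_device(SAMPLE_TELEMETRY):
        print(f"day {day}: {kind}: {detail}")
```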
## Mitigation Strategies
- **Regular Updates**: Promptly installing OS security patches so that vulnerabilities first exploited as "Zero-Days" are closed as soon as a fix is available.
- **Device Hardening**: Enabling "Lockdown Mode" (on iOS) or equivalent high-security settings for "at-risk" individuals.
- **Reboot Cycles**: Frequently restarting mobile devices to disrupt non-persistent exploits.
- **App Minimalization**: Reducing the attack surface by deleting unused applications and limiting permissions.
## Related Tools/Techniques
- **Pegasus**: Mobile spyware developed by NSO Group.
- **Predator**: Spyware developed by Cytrox/Intellexa.
- **Subzero**: Malware developed by DSIRF.
- **Vulnerability Research**: Commercial sale of "Zero-Day" vulnerabilities to the highest bidder.