The Citizen Lab’s director dissects spyware and the ‘proliferating’ market for it


As the founder of the Citizen Lab, a University of Toronto-based organization known for detecting and diagnosing spyware infections worldwide, Ron Deibert has overseen investigations into privacy abuses in Hungary, Greece, Spain, Poland, El Salvador, Thailand and many other countries.

Deibert, who has been a leader in putting the rapidly growing spyware problem on the map, is the author of the new book “Chasing Shadows: Cyber Espionage, Subversion and the Global Fight for Democracy,” which chronicles his longtime battle against commercial surveillance technologies. 

In an interview with Recorded Future News, Deibert discussed his book’s fly-on-the-wall account of the evolution of spyware and how to detect it. He details the technical aspects of the Citizen Lab’s methods, why there is almost certainly spyware being used that hasn’t yet been discovered and how spyware companies continue to evolve to evade detection.

This conversation has been edited for length and clarity.

Recorded Future News: How did you first become aware of the spyware problem and begin Citizen Lab’s work in this area? You wrote in your book that you were partially inspired by thinking about how nuclear tests could be monitored.

Ron Deibert: I spent quite a lengthy period of time at [what was then called] Foreign Affairs Canada working on studies related to the use of commercial satellite reconnaissance for arms control verification. That experience was very formative for me, especially the idea of science-based, evidence-based technical systems being used to monitor governments to determine whether they’re cheating or not — if, in this case, a nuclear test ban ever came about. It was less about the nuclear part than it was about the technical infrastructure of this planetary-wide sensing system. 

It was about eight or nine years later that I got the opportunity to put together a proposal for what became the Citizen Lab and I had that image in mind, except applied to the internet. The idea was that there are technical systems that you can use to probe servers and computers and monitor network traffic that would allow you to document both what governments and corporations might be doing that we believe should be in the public interest. So it was very much the model in mind when I came up with the idea of the Citizen Lab. It wasn’t until quite a bit later that we came across the malware and targeted espionage.

RFN: You’ve said that your colleague Bill Marczak has developed methods for detecting spyware fingerprints, using network scanning and even monitoring command and control infrastructure belonging to spyware companies in order to proactively find infections. Can you talk a little bit about how this works?

RD: The methodologies that we use come at it from two different directions. One is on the network infrastructure side. Spyware companies, in order to mount their services, have a pretty complicated network infrastructure in place — a series of command and control servers. Those are designed to both send commands to infected devices and then extract information from devices that they’re spying on. It’s sent over the internet, over this complicated circuit, ultimately back to the government client headquarters. 

What we discovered over time, and this varies case to case, and I’m generalizing here, but basically those connections can be fingerprinted. You could scan the internet looking for computers that respond in a particular way. Sometimes we’re doing that to try to discover government clients. Sometimes we’re doing it to pinpoint infrastructure that’s implicated in targeted espionage. 

For example, when we were able to fingerprint a Sandvine [formerly Procera] device, a deep packet inspection device that was being used in Egypt to redirect [former Egyptian government official] Ahmed Eltantawy’s web requests, that was a good example of what I’m talking about. We were able to send commands, do network measurement tests and ultimately determine, yes, this particular piece of equipment is on this network path, it’s what intercepted this web request and redirected it to a website where his phone was implanted with spyware. 


The other path we take is on the victim side. We routinely enroll people in our studies and check their phones for spyware. Over time, we’ve gotten much, much better at doing forensics on the data that you can extract from a phone. That part is very revealing because if you are able to see exactly on a person’s phone evidence that they’ve been hacked with one or another particular spyware, you can usually see it right down to the second. That is really powerful information to have. Then you can go to the victim and say, ‘Well, what were you doing on April 21, 2021? Who were you meeting with?’ and so on. Over time, we’ve been able to get better at this. 

At the same time, the companies are hiding their tracks better as well. It helps that we’ve captured the exploits and the spyware for multiple firms over the years and done responsible disclosures so that gives us insight into how their exploits or their spyware actually work, and how they appear in terms of beaconing, sending commands over the internet and so forth. 

RFN: What percentage of existing infections do you think you detect with Citizen Lab’s network scanning and other remote checking for infection methods?

RD: It’s partial, it’s never comprehensive. We get little bits and pieces of things on both ends. We’re obviously not scanning everybody in the world. We’re only seeing a partial glimpse of victim sets. And likewise, with the infrastructure scanning, for various reasons, depending on how things are configured, you’re not seeing everything all the time. 

RFN: Bill Marczak used this capability to detect a Pegasus infection on a device belonging to exiled Saudi dissident Omar Abdulaziz, a friend of slain journalist Jamal Khashoggi. Marczak was doing some sleuthing as you just described. 

Abdulaziz and Khashoggi, whom the Saudi regime murdered in an embassy, were working together on a program to counter Saudi propaganda before Khashoggi died. Can you discuss the Citizen Lab’s findings?

RD: We only discovered after we published our report [on the Pegasus infection] on October 1 that Omar and Jamal had been friends, and as you read in the book, what precipitated that was Omar sending me a message saying, ‘Jamal has gone missing. I’m very afraid.’ That was the first time I had heard that they had been communicating over many, many months. They were confidantes. They had been planning activities around pro-democracy activism — that is the way I would characterize it — that from the perspective of the Saudi regime, which is intolerant of that type of activism, would be pretty provocative. 

We also then found out, as did Amnesty International, that a large number of people around Jamal had their phones infected with Pegasus. We don’t know what happened to Jamal’s devices because his fiancee turned them over to Turkish intelligence, but we do know that his fiancee herself, his wife, many other Saudi activists, journalists who covered the case like [New York Times reporter] Ben Hubbard, all had their phones hacked by the Saudi operator using Pegasus spyware. Obviously [the Saudis] had cast a surveillance net around Jamal Khashoggi, which would allow them to see and listen in on everything that he was communicating and planning. 

To what extent that precipitated the decision to execute him, we just don’t know, but it obviously would be instrumental in discovering his travel plans, who he’s talking to and so forth. 

RFN: The Saudis continued to be able to buy NSO Group’s Pegasus spyware even after the Khashoggi killing.

RD: We saw Saudi hacking after that for sure. I don’t know how long that went on … They were active for a while, at least, afterwards and then I heard that they were cut off.

RFN: The United Arab Emirates has in the past reportedly hired hackers from the NSA to create bespoke spyware in an effort known as Project Raven, including a zero-click type of spyware that the regime referred to as Karma. In your book, you say little is known about Karma, even today. Do you think governments like the UAE may be developing spyware that is not traceable? I’m wondering if they might be investing in surveillance tools that are Pegasus-like in house?

RD: For sure, I think it’s safe to say that they are. I don’t have specific evidence of what tools — we haven’t been able to discover any. However, if you just read the regional news and the defense and intelligence news, there’s lots of stories about money being thrown at individuals and organizations to come and set up shop in the UAE — offensive cybersecurity firms, a lot of stuff being done under AI and cybersecurity. So it continues to be a place that offers lucrative contracts for a lot of vendors. 

RFN: How would AI contribute to creating spyware?

RD: It just makes everything faster so you can do a lot of, maybe, reconnaissance on the target using AI in ways that you couldn’t before. It could be used to accelerate the identification of vulnerabilities in software platforms that then could be attacked with exploits.

RFN: I wonder where the talent is coming from for these regimes that are so interested in developing spyware and don’t have access to Pegasus.

RD: I think there’s lots of talent. Restrictions don’t apply to people coming out of Israel [as they do in the U.S. for former national security officials developing spyware for foreign regimes]. In Israel it’s a different legal umbrella around what you’re allowed to do as far as I know. I just think there are lots of companies out there that stand to make a lot of money doing this or related types of surveillance. There are a lot of very talented engineers. You throw enough money at a problem, you can attract people and there is no end of government clients that want this technology so I still see it as a proliferating and growing market.

RFN: Can you talk through how NSO acquires zero-click exploits? Can other spyware firms like Candiru or Paragon or others deliver zero-click spyware?

RD: The zero-click part of it is not Pegasus, per se. What happens is you have an exploit for a platform and that exploit is used to pry open the device. That’s where the zero-click part of it would come in and then you load Pegasus on. Pegasus, as far as I know, hasn’t really evolved much. It’s got the same features. It’s like the Microsoft Word of spyware. Maybe there are new things on the margins, but it’s the exploits that are the key part here. If we just focus on that for a minute, it really depends on where companies source these from. So the NSO Group might develop them in-house. They might also go out and purchase them on the market. 

What we can say for sure is that the cost of purchasing exploits has risen. It’s now something like $25 million for an Apple exploit. That’s because Apple keeps patching and making it harder. It’s kind of like an arms race. So it’s getting more expensive, and that’s also why we might be seeing spyware companies using different types of exploits, ones that don’t puncture the operating system of an iPhone, because it’s just so expensive to do that now. They might be going after lower-hanging fruit like targeting specific applications. 

RFN: How likely do you think it is that advanced spyware exists that we don’t even know about because it is truly untraceable?

RD: No doubt entities like the NSA have extremely serious technology that Citizen Lab and other groups might never be able to detect.

RFN: In recent years, there have been increasing reports of governments targeting members of civil society with spyware in the West, including in Spain, Poland, Italy and Greece. Given the scale of the problem there and Europe’s overall focus on regulating data privacy, what do you make of the continent’s lack of response to the spyware scourge?

RD: It’s sad and it’s irresponsible, and what it shows is that this is not just an authoritarian problem. This is very powerful technology. I think it must be quite addictive for those who are using it … 

The problem with most democratic countries, and I would say my country included, Canada, is you have a lot of local police, a lot of entities below national intelligence agencies that potentially could be customers and for whom there is not really adequate oversight. That’s a recipe for the abuse of this type of technology. And that’s precisely what we’ve seen in Spain, Greece, Hungary, Poland and now Italy. And it wouldn’t surprise me if there are more countries, democratic countries, that are discovered abusing spyware.

RFN: Several American private equity firms have invested heavily in spyware companies. 

RD: I wouldn’t say it shocks me. I think it’s pretty par for the course for private equity. They’re going to invest in anything that’s going to make their fund profits and spyware sales tend to be quite lucrative … I would hope that with enough awareness about the problems of abuse, investors will start to wake up to not only the moral part of it, but, actually, the fiduciary risks around it, because the more that these companies are exposed, I think their value drops. They risk being subjected to sanctions and that could really hurt investors. Part of the aim of the work that we do is to try to raise that awareness.

RFN: NSO defends the rampant human rights abuses made possible by Pegasus by saying it can’t control who its clients choose to target. Is that a thin excuse? What else could NSO do to stop the targeting of civil society?

RD: They definitely could be doing more due diligence and making that due diligence public. For example, when they claim that they cut off clients, they could give more details about why they did that and what steps they took to investigate. At the same time, I think that it ultimately is not really a long-term solution to the problem to have companies police themselves. We need to have some kind of government regulation in this space to prevent the abuse of power. 

RFN: I have heard from experts that testing for spyware varies. Quick checks can be done, akin to rapid COVID tests, while more thorough tests involving a deeper dive are the equivalent of a PCR test. How confident are you that Citizen Lab can detect all types of spyware, and especially Pegasus, even after a phone has been reset or an operator has chosen to self-destruct the spyware, particularly with rapid tests?

RD: It’s very challenging to do what we do because the adversaries are constantly trying to modify how they go about infecting a device precisely to evade the type of forensic analysis that groups like the Citizen Lab do. We’re not 100% certain all the time … But we have a pretty good record. We have a lot of fingerprints of spyware infections that we can draw from. When we do determine that a phone has been infected with a particular type of spyware, we definitely wouldn’t be saying that without confidence in what we’re seeing. 

As you say, the manufacturers take steps to evade or even self-destruct the infection. And that makes it more challenging for groups like us. 

RFN: NSO says it doesn’t allow clients to target American phone numbers. But a list emerged which showed U.S. citizens with U.S. phone numbers as Pegasus targets. 

RD: They claim that they restrict their clients from targeting plus one country codes [American numbers]. That’s not a technical restriction, that’s just a soft rule …

The other thing I’ll point out is we’ve had several examples of individuals whose phones were hacked and under surveillance while they were meeting with U.S. government officials.

RFN: We also know that, with its Karma spyware, the UAE was trying to infect American phone numbers.

RD: That’s right.

RFN: In October, it emerged that Immigration and Customs Enforcement had signed a $2 million contract with spyware firm Paragon Solutions. Do you fear that the Trump administration could begin deploying spyware to target members of civil society? 

RD: I just don’t know. I think we should all be prepared for the worst.


Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.
