
Researchers: 25 Countries Use 'Circles' Spyware

Application Tracks Individuals Via Mobile Phones
Map showing countries that are "likely" users of Circles' spyware (Source: The Citizen Lab)

Twenty-five countries are likely using spyware sold by a company called Circles that can snoop on mobile phone calls and text messages, according to The Citizen Lab, a research organization based at the University of Toronto.


Circles, a Bulgaria-based surveillance firm that sells offensive cyber technology exclusively to nation-states, is a sister company of Israel’s NSO Group, which also sells spyware. Circles’ technology operates by exploiting a common signal flaw in the global mobile phone system to enable call and text snooping as well as tracking of phones, according to The Citizen Lab.

Based on analysis of Circles' infrastructure, The Citizen Lab says the company's spyware and technology are likely being used by 25 countries around the world for cyberespionage. The countries are Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates, Vietnam, Zambia and Zimbabwe.

"Some of the specific government branches we identify with varying degrees of confidence as being Circles' customers have a history of leveraging digital technology for human rights abuses," The Citizen Lab's report notes. "In a few specific cases, we were able to attribute the deployment to a particular customer, such as the Security Operations Command of the Royal Thai Army, which has allegedly tortured detainees."

A spokesperson for Circles could not be immediately reached for comment.

Exploiting SS7

Circles' spyware operates by exploiting Signalling System No. 7, or SS7 - a protocol that enables information exchange and phone call routing between telecommunications companies, The Citizen Lab reports (see: Bank Account Hackers Used SS7 to Intercept Security Codes).

Researchers note that, because SS7 lacks proper authentication, attackers can exploit the protocol by sending commands to a target's service provider indicating that the target is roaming. The service provider will then enable tracking of the target, even if the person is traveling internationally, as SS7 connects to the "visited network," the report notes. Cybercriminals or surveillance firms that purchase SS7 access can conduct the same type of tracking of targets.

"These commands allow the attacker to track the victim's location and intercept voice calls and SMS text messages. Such capabilities could also be used to intercept codes used for two-factor authentication sent via SMS," The Citizen Lab's report notes. "It is challenging and expensive for telecommunications operators to distinguish malicious traffic from benign behavior, making these attacks tricky to block."

In March, The Guardian reported that Saudi Arabia was using the SS7 authentication weakness in the global telephone system to track its citizens as they were traveling in the U.S.

Also, the U.S. Department of Homeland Security has warned about how attackers can exploit SS7 weaknesses.

Link to NSO Group

Circles, which began operating in 2008, was acquired in 2014 by a U.S. private equity firm that now also owns NSO Group, according to Forbes.

Over the last year, NSO Group has come under scrutiny for selling offensive cyber capabilities that allegedly have been used by governments to spy on journalists and activists (see: Israeli Court Dismisses Complaint Against NSO Group).

"Unlike NSO Group’s Pegasus spyware, the SS7 mechanism by which Circles' product reportedly operates does not have an obvious signature on a target’s phone, such as the telltale targeting SMS bearing a malicious link that is sometimes present on a phone targeted with Pegasus," The Citizen Lab's report notes.

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
