Christopher Burgess
Contributing Writer

CISOs, beware of spyware tools for illicit competitive intelligence

Feb 24, 2022 | 5 mins
Risk Management, Surveillance

Two recent court cases expose the capabilities of publicly available spyware and how businesses and governments use them for malicious purposes.

The U.S. Department of Justice (DOJ) announced the guilty plea of Mexican businessman Carlos Guerrero for conspiring to sell and use hacking tools manufactured by companies in Italy, Israel and elsewhere. Guerrero stood up a bevy of companies for this purpose, the Tijuana-based Elite de Carga being among the most prominent.

Of particular note, court documents, including his plea agreement, describe how in August 2014 Guerrero and a co-conspirator, Daniel Moreno, met in San Diego with representatives of “Italian Company A” (believed to be Hacking Team), who demonstrated devices capable of intercepting wireless communications and geolocating targets of interest. Elite de Carga went on to sell these capabilities to the Mexican state governments of Baja California and Durango, with the tacit understanding that they would be used for political as well as law enforcement purposes.

Spyware tools available to businesses, political groups and governments

In 2020, the Cartel Project, an initiative of Forbidden Stories (a global network of investigative journalists), took a deep dive into the political connections of the Mexican drug cartels, both inside Mexico and abroad. Together with the organization’s Pegasus Project, it laid bare how surveillance technologies sold by Israel’s NSO Group and others were being used for illicit purposes.

All told, in 2020 at least 20 different companies were selling technologies in Mexico to businesses, political groups, and both federal and state governments.

Mexican journalist Manuel Diaz observes how, “Sophisticated systems, such as Pegasus, have been used by all Mexican governments to break into opposition leaders, businessmen, and companies for the purpose of pressuring them or to ease questioning or to deny public contracts. Unfortunately, government entities spy on citizens instead of criminal organizations.”

Guerrero himself supplied further evidence of these tools being used for illicit competitive intelligence: in December 2015 he and Moreno opted to “intercept the phone calls of a business competitor’s cellular phone to benefit Guerrero’s consortium.” The interception took place in both the United States and Mexico. Around this time Guerrero also broadened his sourcing, brokering surveillance devices from manufacturers and application developers in other countries, and the pair went on to offer interception as an on-demand service for $25,000 per month.

In 2016 to 2017 the services offered by Elite de Carga included signal jammers, Wi-Fi interception tools, IMSI catchers, WhatsApp hacking capability, geolocation, and cellphone interception. Elite de Carga sold its services to clients in both the United States and Mexico for the purposes of collecting information on targets. An example provided by the DOJ showed how a client hired Elite de Carga to “hack the phone and email account of a Florida-based sales representative of a large Mexican business in exchange for $25,000 from a Mexican business client.”

In yet another instance, Guerrero “arranged for a Mexican mayor to gain unauthorized access to a political rival’s Twitter, Hotmail and iCloud accounts.”

U.S. Attorney Randy Grossman said, “Today’s guilty plea helps stem the proliferation of digital tools used for repression and advances the digital security of both U.S. and Mexican citizens. This Office is committed to disrupting malicious cyber activities and mitigating unlawful surveillance.”

StealthGenie case another example of spyware risks

Contemporaneous with Guerrero’s activity in California and Mexico, a separate case on the U.S. east coast led to an indictment and a subsequent guilty plea. Hammad Akbar was indicted for the sale and use of the application StealthGenie, which was hosted in a data center in Ashburn, Virginia. StealthGenie could record all incoming and outgoing voice calls, intercept calls, silently activate the phone’s microphone to monitor conversations within a 15-foot radius, and monitor voicemail, address books, calendars and more, all without the knowledge of the phone’s user. One can imagine how such a capability could be exploited at trade events or anywhere else an infected phone sits within 15 feet of a conversation of interest.

The court documents highlight how “StealthGenie could be installed on a variety of different brands of mobile phones, including Apple’s iPhone, Google’s Android, and Blackberry Limited’s Blackberry. Once installed, it could intercept all conversations and text messages sent using the phone. The app was undetectable by most users and was advertised as being untraceable.”

CISO awareness of spyware and surveillance risks

According to the DOJ press release, “Guerrero also admitted that the hacking tools and technologies he brokered would be used for commercial and personal purposes by private clients.” That admission gives CISOs and CSOs a useful peg on which to hang their awareness briefings, highlighting the lengths to which an unscrupulous competitor, or a nation-state backing one, may go.

Employees and their devices can be targeted at any time and in any location. That said, it would be prudent to highlight this risk in the travel briefing program. Where warranted, consider periodic, unannounced reviews of company devices for spyware or other unsanctioned applications that could give a criminal or an unscrupulous competitor the leverage to obtain intellectual property or trade secrets.
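One concrete form such a device review can take is a baseline comparison: pull the list of installed packages from the phone and compare it against what the organisation expects to be there and how it expects software to arrive. The script below is an added example written for this article, not code from the author, the DOJ or any court filing. It assumes the inventory was captured with `adb shell pm list packages -i`, whose output lines take the form `package:<name>  installer=<installer or null>`; the sample output, the allowlist and every package name in it are constructed for the example.

```python
"""Baseline review of the packages installed on a managed Android device.

Added example for this article, not code from the author, the DOJ or any
court filing. It assumes the inventory was captured with
`adb shell pm list packages -i`, whose output lines take the form
`package:<name>  installer=<installer or null>`; the sample output and every
package name below are constructed for the example.
"""
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed sample output of `pm list packages -i`; names are hypothetical.
SAMPLE_INVENTORY = """\
package:com.android.vending  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.corp.mdm.agent  installer=com.android.vending
package:com.corp.expense  installer=null
package:com.example.notes  installer=null
package:com.example.syncservice  installer=com.example.sideloader
"""

# Packages the organisation expects on a managed device (hypothetical allowlist).
APPROVED_PACKAGES: Set[str] = {
    "com.android.vending",
    "com.android.chrome",
    "com.corp.mdm.agent",
    "com.corp.expense",
}
# Channels through which approved software is expected to arrive (hypothetical).
APPROVED_INSTALLERS: Set[str] = {"com.android.vending"}
# Platform packages that legitimately report installer=null (hypothetical).
PLATFORM_PACKAGES: Set[str] = {"com.android.vending"}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


class Finding(NamedTuple):
    package: str
    installer: str
    reason: str


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Return (package, installer) pairs; an absent installer is the literal 'null'."""
    pairs = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            pairs.append((match.group("pkg"), match.group("inst")))
    return pairs


def review_inventory(
    text: str,
    approved: Set[str] = APPROVED_PACKAGES,
    approved_installers: Set[str] = APPROVED_INSTALLERS,
    platform: Set[str] = PLATFORM_PACKAGES,
) -> List[Finding]:
    """Flag packages that are off the allowlist or arrived outside an approved channel.

    Two signals are combined: membership in the allowlist, and the installer
    recorded by the package manager. installer=null means the APK was
    sideloaded (adb install, a downloaded file or a local installer app),
    which is how commodity monitoring apps are normally planted.
    """
    findings = []
    for pkg, inst in parse_inventory(text):
        sideloaded = inst == "null" and pkg not in platform
        if pkg not in approved:
            reason = "not on allowlist"
            if sideloaded:
                reason += "; sideloaded (installer=null)"
            findings.append(Finding(pkg, inst, reason))
        elif sideloaded:
            findings.append(Finding(pkg, inst, "approved package but sideloaded (installer=null)"))
        elif inst != "null" and inst not in approved_installers:
            findings.append(Finding(pkg, inst, f"approved package installed by unapproved installer {inst}"))
    return findings


if __name__ == "__main__":
    for finding in review_inventory(SAMPLE_INVENTORY):
        print(f"{finding.package:32} installer={finding.installer:24} {finding.reason}")
```

On the constructed sample this flags the two packages that are not on the allowlist and the approved package that arrived by sideloading. The inventory is self-reported by the device’s package manager, so an implant running with root privileges can hide from it; treat a clean result as a screen rather than proof of absence, and reconcile it against the inventory your MDM holds for the same device. The same allowlist-plus-installer logic works unchanged on an MDM export once the export is parsed into the same (package, installer) pairs.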

Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.