Two recent court cases expose the capabilities of publicly available spyware and how businesses and governments use them for malicious purposes.

The U.S. Department of Justice (DOJ) released information surrounding the guilty plea of Mexican businessman Carlos Guerrero and his conspiracy to sell and use hacking tools manufactured by companies in Italy, Israel, and elsewhere. Guerrero stood up a bevy of companies for this purpose, with the Tijuana-based Elite de Carga among the most prominent.

Of particular note, according to court documents, including his plea agreement, Guerrero and a co-conspirator, Daniel Moreno, met in August 2014 with representatives of “Italian Company A” (believed to be Hacking Team) in San Diego, where the Italians demonstrated their devices and their capability to intercept wireless communications and geolocate targets of interest. Elite de Carga would go on to sell these capabilities to the Mexican state governments of Baja California and Durango for what was tacitly understood to be political as well as law enforcement purposes.

Spyware tools available to businesses, political groups and governments

In 2020, the Cartel Project, an initiative of Forbidden Stories (a global network of investigative journalists), took a deep dive into the political connections of the Mexican drug cartels, both inside Mexico and abroad. This effort, coupled with the organization’s Pegasus Project, laid bare how surveillance technologies sold by Israel’s NSO Group and others were being used for illicit purposes. All told, in 2020 at least 20 different companies were selling such technologies in Mexico to businesses, political groups, and both federal and state governments.
Mexican journalist Manuel Diaz observes: “Sophisticated systems, such as Pegasus, have been used by all Mexican governments to break into opposition leaders, businessmen, and companies for the purpose of pressuring them or to ease questioning or to deny public contracts. Unfortunately, government entities spy on citizens instead of criminal organizations.”

The use of this technology for illicit competitive intelligence was further evidenced by Guerrero himself when, in December 2015, he and Moreno opted to “intercept the phone calls of a business competitor’s cellular phone to benefit Guerrero’s consortium.” This intercept occurred in both the United States and Mexico. Around this time Guerrero broadened his sourcing of surveillance devices to additional manufacturers and application developers in other countries, and he and Moreno went on to offer an on-demand service for $25,000 per month. From 2016 to 2017 the services offered by Elite de Carga included signal jammers, Wi-Fi interception tools, IMSI catchers, WhatsApp hacking capability, geolocation, and cellphone interception. Elite de Carga sold these services to clients in both the United States and Mexico for the purpose of collecting information on targets. In one example provided by the DOJ, a client hired Elite de Carga to “hack the phone and email account of a Florida-based sales representative of a large Mexican business in exchange for $25,000 from a Mexican business client.” In another instance, Guerrero “arranged for a Mexican mayor to gain unauthorized access to a political rival’s Twitter, Hotmail and iCloud accounts.”

U.S. Attorney Randy Grossman said, “Today’s guilty plea helps stem the proliferation of digital tools used for repression and advances the digital security of both U.S. and Mexican citizens.
This Office is committed to disrupting malicious cyber activities and mitigating unlawful surveillance.”

StealthGenie case another example of spyware risks

Contemporaneous with Guerrero’s activities in California and Mexico, a separate case on the U.S. east coast led to an indictment and subsequent guilty plea. Hammad Akbar was indicted for the sale and use of the application StealthGenie, which was hosted out of a data center in Ashburn, Virginia. StealthGenie could record all incoming and outgoing voice calls, intercept calls, activate the phone to monitor conversations within a 15-foot radius, and monitor voicemail, address books, calendars, and more, all without the knowledge of the phone’s user. One can imagine how such capability could be exploited at trade events or any other occasion where proximity put an attacker within 15 feet of a target of interest.

The court documents highlight how “StealthGenie could be installed on a variety of different brands of mobile phones, including Apple’s iPhone, Google’s Android, and Blackberry Limited’s Blackberry. Once installed, it could intercept all conversations and text messages sent using the phone. The app was undetectable by most users and was advertised as being untraceable.”

CISO awareness of spyware and surveillance risks

According to a DOJ press release, “Guerrero also admitted that the hacking tools and technologies he brokered would be used for commercial and personal purposes by private clients.” This admission may serve as a useful peg on which CISOs and CSOs can anchor awareness briefings highlighting the lengths to which an unscrupulous competitor, or a nation-state supporting a competitor, may go. The targeting of employees and their devices may occur at any time and in any location, so including this risk in the travel briefing program would seem prudent.
Where warranted, consider a periodic and unannounced review of company devices for the presence of spyware or other extraneous applications that a criminal or unscrupulous competitor could leverage to harvest intellectual property or trade secrets.