Google researchers focused on the most complex hacking threats argued in a report published Tuesday that governments around the world should take more aggressive steps to combat the growth of a commercial spyware industry that is continuing to supply governments with invasive malware used to target journalists, human rights defenders, dissidents and political opponents.
Responsible for combating the most sophisticated threats to Google users, the company’s Threat Analysis Group said in its report that it is currently tracking roughly 40 commercial spyware vendors — an indication of how the industry has grown and how advanced spyware capabilities have proliferated. The report notes that the industry is fluid, with new companies opening shop every year and established ones reincorporating under new names.
Commercial spyware vendors enable highly effective and targeted surveillance for governments that may not have the in-house cyber expertise. These firms devote exceptional resources to weaponize previously undetected vulnerabilities — tracked in the industry as “zero-days” — and make them available to clients for use in surveillance.
“If governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over,” the researchers wrote, noting that 20 of the 25 in-the-wild zero-days Google TAG discovered in 2023 were exploited by commercial spyware vendors.
Tuesday’s report welcomed efforts by the U.S. government to crack down on such vendors — including a 2023 executive order limiting U.S. government use of spyware and sanctions against key vendors — but said more could be done to regulate an industry implicated in widespread human rights abuses.
The report recommends that the U.S. government share more information about the implementation of its efforts thus far, as well as “setting heightened transparency requirements for the domestic surveillance industry, and setting an example to other governments by reviewing and disclosing its own historical use of these tools.”
The researchers also called on the U.S. government to impose “further sanctions to limit spyware vendors’ ability to operate in the U.S. and receive U.S. investment. The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use.”
On Monday, the U.S. State Department announced it would begin denying visas for people seeking to travel to the U.S. who have been implicated in the misuse of commercial spyware. But the practical effect of the policy is not clear, and an anonymous administration official told reporters the move represents “an important signal to those involved in this industry.”
Despite a litany of government, NGO and journalistic reports in recent years documenting how commercial spyware firms have sold surveillance capabilities to governments that have gone on to use them against dissidents, opposition politicians and journalists, the industry’s key players continue to be implicated in human rights abuses.
Last week, for instance, Human Rights Watch reported that two of its staffers in Jordan, along with devices connected to at least 33 Jordanian and Jordan-based journalists, activists, and politicians, were targeted with NSO Group’s Pegasus spyware between 2019 and 2023.
Among the case studies included in Tuesday’s report is Carlos Dada, the co-founder and director of Salvadoran investigative news outlet El Faro. Dada’s phone and those belonging to 21 of his colleagues were infected with Pegasus by an unknown government client between June 2020 and November 2021, according to a Citizen Lab analysis.
Suspicion immediately fell on the government of El Salvador, led by President Nayib Bukele. El Faro staffers sued NSO Group in U.S. federal court in December 2022, demanding to know who the client was. That case is currently working its way through federal court in the Northern District of California.