The reactions have been multiplying since the revelations around Pegasus, the spyware of the Israeli company NSO, used to monitor tens of thousands of people. But the company is anything but an isolated case. For several years, a real market has formed, as the vein of espionage seems inexhaustible: “NSO Group is very well known, but it is not the only company to sell ‘cyber weapons’. There is an entire ecosystem”, noted Baptiste Robert, “ethical hacker”, on Twitter.
“A huge market” and professionalized
“The spyware market is huge and very lucrative”, confirms Gérard Peliks, information security expert, retired from the cybersecurity division of Airbus. It is difficult to give a precise figure for a universe in which companies such as NSO Group hardly seek the light. On the victim side, companies targeted by attacks often prefer to remain silent, “out of shame, whereas reporting each incident would allow us to react better”, regrets the expert.
In total, “cybersecurity, if we combine attack and defense, weighs several tens of billions of euros”, he specifies, recalling that “everyone attacks and spies on everyone: France is not left out”. France is not lacking in know-how, as shown by the sales of surveillance equipment to Egypt and Libya by Amesys and Nexa Technologies, which came to light in 2021.
While customers can be criminal groups anxious to cover their activities, they are indeed “especially governments, which spy via very competent criminal teams that they equip with sophisticated tools”, insists Gérard Peliks, citing the case of the APT28 group, employed by Russia in a series of operations.
Hackers have an inexhaustible source of flaws in the most common systems and applications on smartphones: flaws that can be sold either to other attackers or to software publishers, so as to play on all fronts. “A flaw found in Android sells for several million euros”, says Gérard Peliks.
The elite segment of cybersurveillance
With the technical level of its software, and its forty state clients willing to spend millions of dollars, NSO Group belongs to the elite segment of cybersurveillance: only a handful of companies are able to offer remote activation of the surveillance software, without any interaction from the victim. The target does not need to click on a link, visit a fake site or reply to a message.
In the lower range of services, some software requires just one interaction from the victim: this is the case of the Candiru software, which requires the owner of the targeted smartphone to open a message or a booby-trapped link. “In general, hacking techniques have improved”, notes Corinne Hein, cybersecurity expert, for whom the Pegasus affair will “accelerate awareness of the need to protect oneself, including individually”.
“It is impossible to achieve zero risk”, concedes Gérard Peliks, according to whom “we can at least bring it to a level that is not acceptable, but known”. Citing the example of Airbus, he believes that the budget devoted to cybersecurity should be as large as that of traditional security: “The cost is high, but if it can keep the business from collapsing, it is worth the effort.”
Flaws in regulations
Faced with these elaborate attacks and this jungle, regulation is still weak. There has certainly been, since 1995, the Wassenaar Arrangement, which governs the control of exports of dual-use goods and technologies and which has covered spyware and interception systems since 2013. The agreement brings together 42 states, including the United States, Russia, Japan, the United Kingdom and France. But not China, nor Israel, and the implementation of the commitments is left entirely to the discretion of the states.
At the end of 2020, the European Union did approve a series of new export rules to limit the sale of cybersurveillance devices to states that do not respect human rights. Amnesty International, at the origin of the revelations on the Pegasus affair, demands for its part “an immediate moratorium on the export, sale, transfer and use of surveillance technologies”.
Pegasus, an iconic case
The Pegasus software, developed by the Israeli company NSO Group, is said to have made it possible to spy on the phone numbers of around 50,000 people around the world, including politicians (among them Emmanuel Macron), human rights activists, business leaders from different countries and journalists.
On July 21, Reporters Without Borders called on the Israeli government to impose a moratorium on the export of Pegasus spyware.
Among other specialized surveillance companies, Saito Tech Limited (also Israeli) developed the software “Devil’s Tongue”. Better known as Candiru, the company helped extract information from several applications used by victims, including Gmail, Skype, Telegram and Facebook.