The Discovery of a Government Malware and an Unexpected Spy Scandal

Conference: BlackHat USA 2019



The presentation discusses the prevalence of electronic surveillance in Italy and the challenges of regulating the use of malware by governments.
  • Italy has a fragmented market with many boutique companies providing electronic surveillance services
  • There were 4,500 wiretaps done through electronic surveillance in one year in Italy
  • Governments will continue to use electronic surveillance as end-to-end encryption becomes more prevalent
  • The challenge is to identify the companies and people behind electronic surveillance and prevent abuse
The presentation describes an investigation into an Italian spyware company called eSurv, which was found to be illegally monitoring innocent people. The company's CEO and CTO are now under house arrest. The investigation was prompted by a police agent who discovered empty servers in the server room during a routine check: the servers were supposed to hold wiretapping data, but eSurv had shipped empty servers to the prosecutors. In addition, prosecutors in one office could access wiretap data belonging to any other office, and employees were even listening in on phone calls and reading text messages in the office as a lunch-break hobby.


In early 2019, we revealed the existence of a new intrusion software built and primarily used in Italy by the authorities. The company that created this software managed to stay under the radar for several years, until we identified their Android mobile surveillance product, dubbed “Exodus.”

Exodus is a spyware equipped with extensive collection capabilities, able to turn a phone into a faithful surveillance companion—and distributed openly on the Google Play store. At the same time, it has some significant problems, both at the code level and in how it was deployed in the wild, accumulating hundreds of infections. Little did we know, this was only going to be the tip of an iceberg that went deeper and darker than we expected—a major spy scandal in the heart of Europe.

The “Exodus” scandal is a poster boy for the sorry, dangerous state of the spyware industry, also known as the “lawful intercept” industry. Due to the growing ubiquity of encryption on online services and communication systems, traditional passive wiretapping is becoming increasingly ineffective, and collecting data directly off the devices has become the new frontier of surveillance. The so-called “lawful intercept” industry is worth $12 billion, according to Moody's. NSO Group, one of the market leaders, employs 600 people and has more than 40 customers all over the world.

How did we get here?

In this talk, we’ll delve into the case study of eSurv, a small Italian government contractor that was providing spyware all over Italy. From there, we’ll go back in time and trace the history of lawful intercept: from the 1990s, when it was all Windows Trojans and some Symbian RATs, to the 2000s with the first professionalized boutique companies that made spyware for police and intelligence agencies all over the world.

Finally, we’ll look at the present, where several companies battle to control a global, unregulated market outside of the Five Eyes. This is spaghetti, pizza, and spyware: a talk with the full spicy backstory of a threat intel and journalistic investigation.


