29 December 2020

Offshore espionage

Liviu Ioniţă

The telecommunication networks from … Guernsey and Jersey were used to spy. Guernsey and Jersey are two provinces comprising several islands in the English Channel, about 14 miles off the French coast: the Channel Islands.


The two bailiwicks are dependencies of the British Crown, but not parts of the United Kingdom.

A journalistic investigation by the Bureau of Investigative Journalism, an independent non-profit organization created in 2010 and based in London, and The Guardian concluded that the telecommunication infrastructure of Guernsey and Jersey is extremely vulnerable to exploitation by private intelligence companies. To what end? The interception of communications from various countries.

The suspected company: the Israeli Rayzone Group.

What does the material from the Bureau of Investigative Journalism and The Guardian say?

Private intelligence companies are using telephone networks based in the Channel Islands to launch surveillance operations against people around the world, including British and American citizens.

The “systemic vulnerabilities” in the global telecommunication infrastructure of the Jersey and Guernsey provinces are being exploited by corporate espionage companies.

The Bureau of Investigative Journalism quotes industry experts, according to whom phone operators in the Channel Islands are an “extremely soft route” into Great Britain, and the attacks coming from the islands seem to target individuals around the globe rather than being cases of mass surveillance.

They access “private information on targets, such as location information or, in more sophisticated applications, the content of calls and messages or other highly sensitive data”.

The journalists conclude that private intelligence companies can rent access from telephone network operators, and that this access can then be exploited to track the location of users around the world. They can also intercept calls and other private data, including bank accounts and emails.

These intrusions rely on what are technically called “global titles” (addresses used to route signaling messages in telecommunication networks) and on SS7 (Signaling System No. 7, a set of signaling protocols used for mobile phones).

The signals, designed to help mobile operators track where their customers are, are sent through a global switchboard for SS7, which is needed for telecommunication networks to function but can also be used by state and corporate security agencies for more “questionable purposes”.

Independent intelligence companies can lease access points (global titles) from local telecommunication networks and then use them to access SS7 and send signals to phones around the world to track users’ locations, a capability that telecommunication operators themselves currently use.

SS7 has, over time, been described as a “toxic” system that can “be abused to geolocate people”.

According to the same investigation, the telecommunication signals sent from the Channel Islands networks to phone numbers in Great Britain can be treated as internal signals and can bypass the firewalls installed to prevent foreign access.

Such operations can avoid global interception because they use the +44 country code, which belongs to Great Britain, a trusted territory. Although the Channel Islands networks use Great Britain’s country code, they do not follow British rules, and so can be “exploited by the spy companies”.
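The trust problem described above, seen from the defending operator's side, as an added example that is not part of the investigation or of any operator's tooling: it compares a filter that trusts any +44 calling global title with one that trusts only the operator's own range, and counts repeated location queries per device. The prefixes, phone numbers, threshold and sample records are constructed assumptions; the operation names are standard MAP operations.

```python
from collections import Counter

# All numbers below are constructed (fictional UK ranges), not real operator data.
HOME_GT_PREFIXES = ("441632960",)   # assumed: the home operator's own global title range
# MAP operations that reveal a subscriber's location or serving node
LOCATION_OPS = {"anyTimeInterrogation", "provideSubscriberInfo", "sendRoutingInfoForSM"}
REPEAT_THRESHOLD = 12               # assumed cut-off for repeated queries against one device

LESSEE_GT = "447700900500"          # constructed: +44 global title outside the home range
SAMPLE = (
    [("441632960001", "provideSubscriberInfo", "447700900111")]        # genuine internal query
    + [(LESSEE_GT, "provideSubscriberInfo", "447700900111")] * 14      # repeated external queries
    + [(LESSEE_GT, "sendRoutingInfoForSM", "447700900222"),
       ("999000000001", "anyTimeInterrogation", "447700900222"),       # non-+44 sender
       (LESSEE_GT, "updateLocation", "447700900333")]                  # not a location query
)

def trusted_by_country_code(gt):
    """Weak rule: any +44 calling global title is treated as internal."""
    return gt.startswith("44")

def is_home_gt(gt):
    """Stronger rule: only the operator's own global title ranges are internal."""
    return gt.startswith(HOME_GT_PREFIXES)

def review(records):
    """Return (queries the weak rule would wave through, heavily queried targets)."""
    waved_through, per_target = [], Counter()
    for calling_gt, operation, target in records:
        if operation not in LOCATION_OPS or is_home_gt(calling_gt):
            continue
        per_target[target] += 1
        if trusted_by_country_code(calling_gt):
            waved_through.append((calling_gt, operation, target))
    heavy = sorted(t for t, n in per_target.items() if n >= REPEAT_THRESHOLD)
    return waved_through, heavy

if __name__ == "__main__":
    waved, heavy = review(SAMPLE)
    print(f"{len(waved)} location queries pass a country-code-only filter")
    print("targets with repeated queries:", heavy)
```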

Sure Guernsey, one of the Channel Islands telecoms operators identified in this investigation as a transit point for malicious signals, says that it “does not lease access directly or knowingly to organizations for the purposes of locating and tracking individuals or for intercepting communications content” and that its traffic goes through “UK operators’ firewalls in the same way as any other international operators’ traffic”, yet it admits that “all access points to the networks can be used abusively”.

Sure Guernsey, which belongs to the Batelco telecommunication company from Bahrain, operates not only in the Channel Islands, but also in the Isle of Man, the Falkland Islands, Saint Helena, Ascension and the British Indian Ocean Territory.

Another network operator identified as having been used in this way for illegal purposes, Jersey Airtel, says that the measures it takes prevent activities that could compromise its clients’ security.

A new Telecoms Security Bill, presented to Parliament three weeks ago, aims to strengthen UK networks and safeguard them from these kinds of attacks, but the UK government does not have jurisdiction over the Channel Islands or other offshore British territories, and the British telecoms authorities and security services have almost no powers over the Channel Islands.

The journalistic investigation also presents an example of the SS7 system being exploited for surveillance operations. The Channel Islands networks were used to locate Princess Latifa al-Maktoum, the daughter of Dubai’s sheikh, who tried, in 2018, to escape from her country, which she thought of as a prison. Latifa travelled by sea towards India, from where she planned to fly to the US, but she was caught off the Indian coast after only eight days.

The data examined by the Bureau of Investigative Journalism shows that the use of the Channel Islands for this recovery “operation” is not an isolated case, but that there were “hundreds of intrusion attempts, through Sure Guernsey and Jersey Airtel, in the North America, Europe and Africa networks in August this year”.

The same data shows that the Israeli company Rayzone Group has been active, in the last two years, "significantly on the global telephone surveillance market".

Rayzone Group leased the access point (the "global title") to the Sure Guernsey network, used in connection with the surveillance of Princess Latifa at the time of the recovery operation.

Between August 2019 and April 2020, Rayzone "was able to target more than 60 countries, with thousands of signals being sent to more than 130 different networks".

The list includes Spain (where The Guardian and El País revealed, in July, that "a Catalan politician has been targeted in a possible case of domestic political espionage"), as well as Serbia, the Netherlands, Bulgaria, Denmark, Portugal, Cyprus and Bosnia and Herzegovina. According to the journalistic investigation, Rayzone Group also leased access, directly or indirectly, to global titles in Iceland, Sweden and Switzerland.

Overall, the data obtained by the Bureau of Investigative Journalism "shows a certain level of activity in almost every country in Europe" and suggests "the expansion of companies such as Rayzone, which have reached other parts of the world", networks "being strongly targeted in Israel, Hong Kong, Thailand, Guatemala, the Dominican Republic and the USA”, and, on a smaller scale, Morocco, Sudan, Libya, Palestine, Syria and Iran.

In August 2019, the USA and Bosnia were "special activity scenes", in October, the Netherlands, in December, Spain and Portugal, in March 2020, Serbia, Bulgaria, Pakistan and Israel, and in April, Spain.

In March, Rayzone Group sent "several thousand intrusive signals to UK phones", which, while mainly targeting UK mobile numbers, appear to have targeted "other people from 27 countries, including Thailand, Jordan, Egypt, Russia, Spain, Ukraine and Malaysia".

The data available to journalists does not indicate whether an attack was successful or what its purpose was, but, "in some cases, dozens of signals were directed to a device, suggesting a significant attempt at surveillance".

A "detailed list of findings" was presented to Rayzone, which declined to comment, saying the answers would involve "regulatory and trade secret issues and a risk to ongoing operations for the company's customers, counter-terrorism operations and severe crimes”.

The Rayzone group also denied any role in the operation to capture Princess Latifa al-Maktoum, saying that "any attempt to associate the company with activities that could have been carried out by others is misleading and untrue".

Who is Rayzone Group?

The website of the Tel Aviv company, founded in 2010, states that it delivers boutique intelligence-based solutions.

"Terrorism and crime pose a direct threat to the security of citizens worldwide, and to international stability and prosperity. It is a persistent global threat that knows no border, nationality or religion. Rayzone Group Matrix concept and solutions focus on improving awareness of the threat, developing capabilities to prepare and respond, and enhancing law enforcement agencies capabilities”.

Rayzone systems are connected to each other by the MATRIX concept, "a complete intelligence methodology that combines all aspects of the information cycle - collection, information, storage, processing, analysis and dissemination", the main component being TA9, the big data analysis platform.

TA9 is a software platform "specialized in the development of investigation and information systems". It offers "smart solutions for a variety of fields, including communication, cybernetics, finance and security," using "the extensive experience of technology-savvy veterans in the Israeli intelligence community". IntSight, the company's "emblematic" solution, is "the most comprehensive big data intelligence and investigation system for intelligence and law enforcement agencies".

Rayzone claims to be a "designer and manufacturer of state-of-the-art cyber & intelligence solutions for law enforcement agencies around the world", including GeoMatrix, a "tactical geolocation intelligence system that provides real-time historical location to any GSM/UMTS/3G/4G subscriber worldwide"; Piranha, a "collector and manager of cellular identifiers"; and Arrowcell, a system for eliminating active GSM interception (detection, prevention and location).

In 2017, the Rayzone group launched the VEGAS system, designed to allow security services to intercept communications from any wireless router.

VEGAS uses "a tactical method of infiltrating a network" where, once installed, it "performs in-line interceptions and fully monitors networks, providing persistent and continuous information". VEGAS can intercept multiple networks simultaneously in different locations.

Some said that VEGAS reflects “two major changes that have taken place in the world of operational cyber intelligence: the aspiration of security services to stay away from their service providers and the need for the same structures to benefit from comprehensive target data".

VEGAS would provide "an effective and highly productive covert surveillance solution" in an era in which terrorist and criminal organizations around the world use civilian technologies such as encryption, restricted forums, private areas of social networks, encrypted messaging programs, etc., and security services cannot conduct their information collection operations efficiently without the necessary technology.

Rayzone’s product, ECHO - Global Virtual SIGINT System - is, as the company describes it, "a strategic SIGINT system that provides intelligence and law enforcement agencies with comprehensive, diverse and detailed information about international Internet users."

ECHO uses "a full stealth data collection method for any internet user, with no need for cooperation from either the target or any technological or commercial entity". ECHO is compatible with many types of devices and systems, so "no pre-installation of any physical equipment is required".

ECHO provides a web-based platform that allows users immediate access to perform simple queries as well as complex investigations, both for gathering information about a particular point of interest ("target-centered approach") and for mass collection of data of all internet users in a country ("data-based approach").

Rayzone, whose president, Yohai Bar-Zakai Hasidoff, is the former deputy commander of Unit 8200, is seeking to enter the market for intelligence services, from interceptions to cyber intrusion.

Recently, Forbes magazine asked the company for information about ECHO and how the data is collected, but Rayzone did not comment.

Citing "several anonymous sources in the Israeli intelligence industry", Forbes believes that "the practice is becoming commonplace" in the market for Israeli companies, and "the idea of being able to provide police and intelligence analysts with a mountain of global location data will attract, probably, the governments hungry to supervise people of interest or entire populations".

According to Forbes, this year saw an increase in government secret services’ willingness to obtain data that is "sometimes controversial: location data, taken from popular smartphone applications".

And speaking of Israeli services, Rayzone is not the only one that has attracted attention.

Bsightful ltd, "a top-secret startup backed by one of the world's largest surveillance vendors, the US company Verint", stores application location data, according to Forbes sources, running what is known as a demand-side platform (DSP), a software tool for digital advertisers, aimed at "surveillance dealers". It is not clear to whom Bsightful sells the location data it obtains.

Setting up a "white label DSP" (a white label being a product or service of one company that other companies rebrand to make it look like their own) allows surveillance companies to obtain data that was intended exclusively to help marketing campaigns and advertisers.

The Bsightful ltd website states that the company "solves brand, digital and cultural problems for complex companies" and works "only with brave customers who are ready to approach problems in new ways".

Forbes also requested information from Bsightful ltd and Verint, but got no response this time either.

Earlier this year, Reuters reported on at least three years of FBI investigations into the involvement of spyware marketer NSO Group in possible hacking of USA residents and companies, as well as gathering information about different governments.

The company, based in Herzliya, Israel, is best known for marketing Pegasus software, a spyware that, once installed, is able to access the smartphone's camera and microphone to record, in real time, what is happening, and can monitor messages, calls, emails and various applications (FaceTime, Facebook, Skype, Viber, etc.).

NSO and the Pegasus software, which the company claims to deliver to intelligence services and law enforcement agencies around the world, only for beneficial purposes in combating terrorism and crime, have, however, long been under the scrutiny of organizations focused on human rights, including Citizen Lab, attached to the University of Toronto, R3D, Privacy International, EFF and Amnesty International.

Amnesty International also reacted to the Rayzone group, saying that "alarming (journalistic) revelations must be a wake-up call to governments to restrict the surveillance industry, which is clearly out of control".

Surveillance and telecommunications companies "unscrupulously exploiting vulnerabilities in mobile networks pose a significant threat to privacy, security and other human rights".

The SS7 protocol, which mobile operators use for essential services, including billing and other roaming operations, is, due to its "inherent vulnerabilities", used "maliciously" by those who want to take advantage of the operation of mobile networks to carry out cyber attacks.

SS7 has become "a valuable resource that many companies in the surveillance industry are trying to access, an example being the Israeli surveillance provider NSO Group".

The solution, at least from the perspective of the non-governmental human rights organization, would be to introduce appropriate security requirements into national telecommunications legislation, including requiring telephone operators to revoke illegitimate access to SS7, the use of encrypted communication platforms, and securing online accounts so as to reduce the risk of their compromise.

Could the review of contracts between companies involved in surveillance and intelligence services be a solution for this problem as well?