We are publishing a new Citizen Lab report today, entitled “Running in Circles: Uncovering The Clients of Cyberespionage firm Circles,” authored by Bill Marczak, John Scott-Railton, Siddharth Rao, Siena Anstis, and Ron Deibert

Background

The global telecommunications ecosystem upon which we are all heavily dependent was not invented from scratch with a single well-thought plan. Instead, it went through successive waves of evolution over decades, intensifying in more recent years as new digital and mobile technologies have been invented. Security has been ad hoc, fragmented and reactive as a result, leaving a hodge-podge of legacy standards and protocols in place some of which are still open to serious exploitation.

Arguably the most significant of these is something called SS7, a protocol developed in 1975 to handle interoperability among wireline telecommunications firms. Back in the ‘70s — prior to the deregulation and privatization measures that swept through the worldwide industry — the telco marketplace was a much different place. It was more like an old boy’s club (and in many respects, still is). There were far fewer firms, and most of those in existence were either state-owned, crown corporations or utility-like monopolies. (The UK’s telco at the time, for example, was entirely state-run and was quaintly called “Post Office Communications”).

Ironically, SS7 was rolled out in 1975 to solve a preexisting flaw in existing “in-band” interoperability protocols that were at the time being exploited by so-called “phone phreaks” using “blue boxes” (instructions for which they shared in popular magazines) to hack their way into free long-distance phone calls. (A young Steve Wozniak, co-founder of Apple, infamously used one such blue box to make a long distance phone call to the Vatican posing as Henry Kissinger and asking to speak to the Pope).

To solve this problem (and protect revenue) SS7 was created as a new “out-of-band” signal protocol. SS7 has remained in place ever since, principally because there’s a lot of older equipment and systems still out there that require some means to function properly. SS7 is still predominantly used in 2G and 3G mobile networks, and even later generation 4G / 5G networks are susceptible to security issues because they need to interconnect with SS7 networks to work for everyone. One of its central functions today is to handle billing and other services as subscribers roam from one network to another network when they travel internationally.

The SS7 protocol’s “authentication” (such as it is) has relied mostly on trust among a small group of insiders. But as the global telco market rapidly diversified and numerous companies of all shapes and sizes have entered into the arena, SS7 has become ripe for exploitation. Access to the SS7 network can allow a malicious actor to track virtually any target’s location, and intercept voice calls and text messages (which, incidentally, can also be used to intercept codes used for two-factor authentication sent via SMS). 

In 2017, a joint investigation undertaken by CBC News and Radio Canada, in cooperation with German security researchers, demonstrated an SS7 attack against a sitting Canadian member of parliament. With only a telephone number, the investigators were able to use SS7 vulnerabilities to track the MP’s movements and intercept his calls over two separate Canadian telco networks. 

Although high-end nation-state intelligence agencies have been quietly benefiting from SS7’s weaknesses for a long time (thanks to their cozy relationships with their national telcos), privatization and deregulation have opened the door to a whole new array of entrants into that club, including criminals and cyber-surveillance firms.

Circles

Our report focuses on one such firm, a company called “Circles,” which was reportedly founded in 2008, and is known for selling systems to government security services to exploit SS7 vulnerabilities. (The company was acquired in 2014 by private equity firm Francisco Partners, who merged it with NSO Group — another regular on the Citizen Lab’s research radar for surveillance abuses). 

Circles’ operations are difficult to investigate and track. Unlike some other types of targeted surveillance, exploiting SS7 vulnerabilities does not leave traces on a target’s device for investigators like ours to discover. Up until recently, what little was known about Circles came from leaked documents or investigating reporting on a few country clients, like Nigeria. 

Our report opens for the first time a very large window into Circles’ global customer base.

Led by Citizen Lab senior researcher, Bill Marczak, we discovered that Circles’ installations on customers premises leave a distinguishing fingerprint associated with the Check Point firewall that it employs. With that fingerprint as our starting point, we used internet scanning methods, and gathered data from various sources and feeds to identify specific country clients. 

In total, we are able to determine that 25 governments and 17 specific government agencies are likely Circles’ customers: 

Australia, Belgium, Botswana (Directorate of Intelligence and Security Services), Chile (Investigations Police), Denmark (Army Command), Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala (General Directorate of Civil Intelligence), Honduras (National Directorate of Investigation and Intelligence), Indonesia, Israel, Kenya, Malaysia, Mexico (Mexican Navy; State of Durango), Morocco (Ministry of Interior), Nigeria (Defence Intelligence Agency), Peru (National Intelligence Directorate), Serbia (Security Information Agency), Thailand (Internal Security Operations Command; Military Intelligence Battalion; Narcotics Suppression Bureau), the United Arab Emirates (Supreme Council on National Security; Dubai Government; Royal Group), Vietnam, Zambia, and Zimbabwe.

A major theme of our work on the commercial surveillance marketplace is how a lack of controls around sales of these technologies to government clients with poor human rights and a lack of public accountability leads to major human rights abuses. Several of Circles’ government clients we identify above are especially disturbing in this regard. For example:

• We determined that the Security Operations Command (ISOC) of the Royal Thai Army, a unit which has allegedly tortured detainees, is a Circles client.
• We identified a Circles’ system operated by the Investigations Police of Chile (PDI). Chilean police have a checkered history around extra-legal surveillance against journalists and political opposition. 
• We identified a single Circles system in Guatemala that appears to be operated by the General Directorate of Civil Intelligence (DIGICI). The DIGICI has used surveillance equipment to conduct illegal surveillance against journalists, businesspeople, and political opponents of the government. Guatemala is presently in the midst of large public protests against government corruption.
• We identified ten Circles’ deployments in Mexico. Citizen Lab’s prior research has shown Mexico’s government has serially abused NSO Group’s Pegasus spyware to target reporters, human rights defenders, and the families of individuals killed & disappeared by cartels.
• We identified a Circles’ installation in Nigeria that is likely operated by that country’s Defence Intelligence Agency (DIA). A recent report by Front Line Defenders concluded that Nigeria’s government “has conducted mass surveillance of citizens’ telecommunications.”
• Our scanning identified what appear to be three active clients in the UAE: the UAE Supreme Council on National Security (SCNS) (المجلس الأعلى للأمن الوطني), the Dubai Government, and a client that may be linked to both Sheikh Tahnoon bin Zayed al-Nahyan’s Royal Group and former Fatah strongman Mohammed Dahlan.

It should be emphasized that Circles’ technology can be deployed against targets both domestically and abroad. In other words, the international reach afforded by Circles’ services allows despots and autocrats to silently target political opposition who may have gone into exile in foreign jurisdictions — a continuation of disturbing trends around transnational repression the Citizen Lab’s research is closely following. Some of the government clients we identified have been suspected of organizing extraterritorial targeted killings of dissidents and political opposition figures.

Unfortunately SS7 exploits are very difficult to guard against. In our report, we urge lawmakers, industry groups, and telecommunications companies to take immediate and meaningful steps to mitigate the long-standing technical weaknesses in SS7. We also urge high risk individuals associated with any of the countries listed above to migrate away from SMS-based two factor authentication immediately for all accounts where it is possible.

Read the full report here: https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/