29th Aug 2022
By Crofton Black, Gabriel Geiger, Riccardo Coluccini
The European Union has begun to wake up to the threat posed by an out-of-control surveillance industry, with Israel’s notorious NSO Group and its Pegasus spyware in its crosshairs.
As European Parliament hearings into hacking scandals resume this week, an investigation led by collaborative newsroom Lighthouse Reports alongside EUobserver, Der Spiegel, Domani and Irpimedia reveals the unreported scale of operations at a shady European surveillance outfit, whose tools are in use all over the world, including in countries with a recent history of corruption and human rights violations.
Tykelab, a little-known company based in Italy, and its owner RCS Lab are quietly selling powerful surveillance tech inside and outside the EU, boasting that it can “track the movements of almost anybody who carries a mobile phone, whether they are blocks away or on another continent”.
The new investigation, based on confidential telecom data and industry sources, found the companies employing a range of tracking and hacking tools — including surreptitious phone network attacks and sophisticated spyware which gives full remote access to a mobile device — against targets in southeast Asia, Africa and Latin America, as well as inside Europe.
MEPs, telecom specialists and privacy experts have reacted with dismay to the revelations, describing them as a danger to rights and security, and calling on governments and industry to do more to regulate Europe’s spy firms.
“This is a story of a large spyware vendor abusing the rule of law, this time based within Europe,” MEP Sophie in ’t Veld said. “It is high time that the entire spyware industry within the EU, which acts in a sort of twilight zone of legality, is regulated and sees the light of day. Limits have to be set, otherwise our democracy is broken.”
Edin Omanovic, advocacy director of the NGO Privacy International, said: “The threat posed by the mercenary spyware industry must now be clear to Brussels and European capitals: they need to take decisive action to protect networks, stop this trade and sanction companies complicit in abuses, as the US has already done.”
The new findings add to a wave of revelations about the activities of the spy industry.
Last year a consortium of reporters detailed how a powerful hacking tool called Pegasus had been widely used against journalists, human rights defenders and politicians.
More recently, similar software was found to have been used against a journalist and a politician in Greece.
Over the summer, an EU parliamentary committee heard evidence from civil society experts and grilled a top representative of Israel’s NSO Group, which builds Pegasus.
But the activities of Tykelab are set to throw the spotlight on Europe’s own role in the growing scandal.
Confidential data from multiple industry sources, seen by this investigation, shows how the Italian company, which poses as an innocuous telecom services provider, has been quietly exploiting vulnerabilities in phone networks around the world on behalf of its customers.
Security specialists — who spoke to Lighthouse Reports on condition of anonymity because of the sensitivity of the topic — described how they had witnessed Tykelab carrying out phone surveillance on a grand scale.
The company has subleased dozens of signalling network addresses (known as “global titles” in the telecom industry: the numbers that identify a node on the international SS7 network and that other operators use to decide whether to answer its requests) from legitimate telecom operators around the world, and has been using them to probe weaknesses in countries’ networks and to secretly exfiltrate personal data, notably the locations of people using those networks.
The company has been spotted carrying out surveillance activities in countries including Libya, Nicaragua, Malaysia and Pakistan — as well as in Italy itself and elsewhere in the EU.
“They are becoming more and more active,” one expert with access to confidential telecom data, who has been tracking Tykelab’s activities across several phone networks for months, commented. “Since the start of this year, they’ve been increasing the number of attacks, and now it’s constant.”
Tykelab is part of a growing Italian surveillance conglomerate, RCS Lab, which has offshoots in France, Germany and Spain — as well as another little-publicised branch in Italy, Azienda Informatica Italiana.
The group has recently been purchased by another Italian security company, Cy4Gate.
Tykelab is based in Rome, tucked away on the second floor of a nondescript office block. But security specialists took notice last year when they saw that the company was routing large quantities of suspicious-looking traffic through a group of phone networks based 15,000 km away in the South Pacific.
This was one of a series of red flags.
Confidential data shows how, on a single day this year, Tykelab used one phone operator, on a remote archipelago east of Australia, to send thousands of suspicious queries into Malaysia. When the receiving network is unprotected or poorly protected, such queries are answered with the current location of the phone user they ask about.
No trace of activity exists on the phone itself, and there is little an individual user can do to prevent the attack.
More data shows how, over a 10-day period in June, the company used 11 different global titles from islands in the Pacific to target people in Costa Rica, Nicaragua, Libya and Pakistan, in Iraq, Mali, Macedonia, Greece and Portugal, and in Italy itself.
“We see them probing networks — persistently and systematically checking for ways to bypass protections — and we also see them carrying out more blatant and targeted tracking of individuals,” the analyst who compiled this set of data said.
“While most of these attacks aim at forcing location disclosure, in Libya we saw activities consistent with attempts to intercept calls or SMS messages,” he added.
The analyst described how, in addition to more obvious instances of surveillance traffic, the company appeared also to be exploring weaknesses in global phone networks more broadly.
A map of the company’s activity showed how over just two days in June the company probed networks in almost every country in the world.
“This bears the hallmarks of a major scanning operation designed to figure out which networks worldwide are least well defended,” the analyst commented.
Jean Gottschalk from the US-based mobile security consultancy Telecom Defense, who reviewed the findings, described the data as “clearly unwanted traffic”.
“The specific messages that were observed are typically sent by geolocation platforms whose goal is to track movements of high value targets,” he said.
Since the early 2010s, it has been public knowledge that the antiquated SS7 signalling system, the glue that holds global mobile networks together by letting operators set up calls, route text messages and find out where their customers are when they roam, can be exploited for surveillance purposes. Any party with a global title on the interconnect can send the same lookup messages operators send each other, and a network that does not check who is asking will answer.
A crop of specialist firms emerged, offering to perform such exploits for government clients. Some phone operators have deployed signalling firewalls that filter or verify incoming SS7 messages to counter surveillance threats to their customers. But in general the industry sees the problem as difficult and expensive to fix.
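The probing pattern described above (leased global titles in one part of the world firing location lookups into networks thousands of kilometres away, and two-day sweeps across almost every country) is something a receiving operator can triage from its own signalling records. The following is an added example written for this page; it is not code from the investigation, from Tykelab, RCS Lab or any operator. It assumes a constructed record format (timestamp, calling and called global title, MAP operation name), a tiny E.164 prefix table, and invented global titles and counts. It flags three things an interconnect monitoring team would look for: a MAP operation that has no business arriving from a foreign network, a burst of location-revealing queries from one foreign global title into one country, and one global title touching many destination countries inside a short window.

```python
"""Heuristic triage of SS7/MAP signalling records for location-tracking abuse.

Added example, not code from the article or from any company it names. The record
format, the global titles, the prefix table and the thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# MAP operations (3GPP TS 29.002) whose answer reveals where a subscriber is:
# the serving MSC/VLR, and in some cases the cell or location area.
LOCATION_OPS = {
    "anyTimeInterrogation",   # asks the home HLR directly for location and state
    "provideSubscriberInfo",  # asks the serving VLR/MSC for cell-level location
    "sendRoutingInfoForSM",   # SMS routing lookup: reveals serving MSC and IMSI
}

# Operations with no legitimate reason to arrive from a foreign network.
# This follows the idea behind GSMA FS.11 "category 1" messages; the set here is
# a partial one chosen for the example, not a reproduction of the standard.
NEVER_FROM_ABROAD = {"anyTimeInterrogation", "sendIMSI"}

# Country from the leading E.164 digits of a global title. Constructed table that
# covers only the sample below; real code would use a full numbering-plan database.
E164_PREFIXES = {"39": "IT", "60": "MY", "218": "LY", "505": "NI", "92": "PK", "685": "WS"}


def gt_country(gt: str) -> str:
    """Return the country code for a global title, or '??' if the prefix is unknown."""
    for length in (3, 2, 1):
        country = E164_PREFIXES.get(gt[:length])
        if country:
            return country
    return "??"


def parse_record(line: str) -> dict:
    """Parse one constructed record: '<ISO-8601 time>Z key=value key=value ...'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def analyse(lines, window=timedelta(minutes=10), rate_threshold=20, scan_threshold=4):
    """Return findings as (kind, calling_gt, detail) tuples in time order.

    kind: 'cat1' - never-from-abroad operation received from a foreign GT
          'rate' - >= rate_threshold location queries from one foreign GT into one
                   country within `window`
          'scan' - one GT reached >= scan_threshold destination countries in `window`
    """
    recs = sorted((parse_record(ln) for ln in lines if ln.strip()), key=lambda r: r["ts"])
    findings = []
    per_gt_country = defaultdict(list)  # (calling GT, dest country) -> timestamps
    per_gt_dests = defaultdict(list)    # calling GT -> (timestamp, dest country)
    rate_flagged, scan_flagged = set(), set()

    for r in recs:
        src, dst, op = r["cgGT"], r["cdGT"], r["op"]
        src_c, dst_c = gt_country(src), gt_country(dst)
        foreign = src_c != dst_c

        if foreign and op in NEVER_FROM_ABROAD:
            findings.append(("cat1", src, f"{op} into {dst_c} from {src_c}"))

        if foreign and op in LOCATION_OPS:
            key = (src, dst_c)
            bucket = per_gt_country[key]
            bucket.append(r["ts"])
            while bucket and r["ts"] - bucket[0] > window:   # sliding window
                bucket.pop(0)
            if len(bucket) >= rate_threshold and key not in rate_flagged:
                rate_flagged.add(key)
                findings.append(("rate", src, f"{len(bucket)} location queries into {dst_c} within {window}"))

        seen = per_gt_dests[src]
        seen.append((r["ts"], dst_c))
        while seen and r["ts"] - seen[0][0] > window:
            seen.pop(0)
        distinct = {c for _, c in seen}
        if len(distinct) >= scan_threshold and src not in scan_flagged:
            scan_flagged.add(src)
            findings.append(("scan", src, f"{len(distinct)} destination countries within {window}"))
    return findings


def sample_records():
    """Constructed signalling records (invented traffic, invented global titles)."""
    base = datetime(2022, 6, 14, 9, 0, 0)
    stamp = lambda secs: (base + timedelta(seconds=secs)).isoformat() + "Z"
    lines = []
    # 25 location queries from one Pacific-prefix GT into Malaysian subscribers
    for i in range(25):
        lines.append(f"{stamp(i * 5)} cgGT=685700001 cdGT=60123400{i:03d} op=provideSubscriberInfo")
    # a direct HLR interrogation into Libya from the same GT
    lines.append(f"{stamp(180)} cgGT=685700001 cdGT=218910000001 op=anyTimeInterrogation")
    # a second GT sweeping four countries with SMS routing lookups in under a minute
    for n, dst in enumerate(["60123400900", "218910000002", "505880000001", "92300000001"]):
        lines.append(f"{stamp(240 + n * 10)} cgGT=685700002 cdGT={dst} op=sendRoutingInfoForSM")
    # ordinary intra-network traffic (Italian HLR asking an Italian VLR): not flagged
    lines.append(f"{stamp(300)} cgGT=39335000001 cdGT=39335000002 op=provideSubscriberInfo")
    return lines


if __name__ == "__main__":
    for kind, gt, detail in analyse(sample_records()):
        print(f"{kind:5} {gt:12} {detail}")
```

Which operations an operator blocks outright and which it only correlates (the FS.11 category scheme) depends on its roaming agreements, so the sets and thresholds above are starting points rather than policy. The harder problem, which the heuristics cannot solve, is that the only identity a receiving network sees is the global title, and a leased title looks exactly like its lawful owner.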
Behind the scenes, however, telecom professionals have started raising the alarm about Tykelab’s activities.
A confidential report for a private industry forum attributed over 27,000 network attacks to Tykelab in parts of Africa, south east Asia and Europe in the first half of 2022.
And in Canada, according to an email obtained by Lighthouse Reports, the government’s Canadian Centre for Cyber Security (CCCS) recently identified several of Tykelab’s global titles as “high risk due to malicious usage”.
The CCCS’s finding resulted in a call to cut off a small portion of Tykelab’s access to global phone networks. But Pat Walshe, former director of privacy at the mobile phone trade association GSMA, said that more needed to be done.
“These revelations call for an immediate investigation by regulators and immediate action by the industry,” he said.
GSMA’s chief technology officer, Alex Sinclair, commented: “Organisations improperly using leased global titles must be stopped. The lack of transparency of the true originator of traffic has allowed some third parties to use the SS7 protocol for nefarious reasons. Unfortunately, operators cannot always identify the source and purpose of signalling messages received from anonymous third parties, making this action difficult and inconsistent.”
One of the analysts investigating Tykelab’s activities emphasised that the company was working outside accepted practices in the telecom industry.
“There’s no justification for an Italian entity using global titles from the South Pacific to send established tracking packets aimed at individuals in Libya and Nicaragua — no justification except the obvious,” he said.
Tykelab’s widespread network access has enabled its parent company, RCS Lab, to offer a sophisticated intelligence service to its clients via a package called Ubiqo.
A sales brochure describes how Ubiqo can “track the movements of almost anybody who carries a mobile phone, whether they are blocks away or on another continent” and “generate insights by processing movement patterns, meeting locations and times.”
The company has announced that it is hoping to expand its foothold in overseas markets — something that the public travails of its rival NSO Group may help it to do. It formerly acted as a foreign reseller for the defunct Hacking Team, according to emails leaked in 2015.
The new findings come alongside other reports of RCS Lab’s hacking technology.
In June, cyber security firm Lookout and Google’s Threat Analysis Group fingerprinted Tykelab and RCS Lab as responsible for a previously unknown surveillance tool, called Hermit, initially found to be active in Italy and Kazakhstan.
Lookout has also just identified another instance of hacking by Hermit in the EU — this time in Romania.
Users are tricked into downloading Hermit after receiving links ostensibly from their phone companies or other service providers. Once installed, Hermit can surreptitiously record audio in the room as well as access contacts, photos, messages, calendar events and stored files.
Lookout’s Threat Intelligence Researcher, Justin Albrecht, said that although Hermit’s method of installation was less sophisticated than that of Pegasus, its capabilities were similar.
“Pegasus and Hermit are both powerful surveillance tools,” he said. “Practically all communications and personal data on a device infected by either malware would be exposed to the entity conducting the surveillance.”
Hermit needs a phone user to open a malicious link and install the app it delivers for it to compromise a device.
Both Google and Lookout published lists of web addresses which were used to lure targeted users to unwittingly download the software. They included domains masquerading as Apple and Facebook, as well as Italian telecom providers such as Wind, TIM, Kena, Iliad and Ho Mobile.
Further analysis by Lighthouse Reports, using the internet domain database WhoIsXML, has unearthed an additional spoof domain for Vodafone. This analysis shows that RCS Lab purchased some of these fake domains as early as 2015, while others were bought in March this year, indicating years of potential hacking operations by the company.
Tykelab’s sibling company, Azienda Informatica Italiana, is described in corporate documentation as the company in the RCS Lab group “focused on research and development services in support of the Spyware unit”.
Social media profiles of current and former employees show that they build interception software for iPhone and Android devices.
One manager noted that in recent years he had focused on making the company’s product easier to sell abroad, and that as a result the system was sold in Italy “and in several foreign countries.”
A spokesman for RCS Lab told Lighthouse Reports by email that the company’s “products and services are provided to law enforcement agencies to support the prevention and investigation of serious crimes such as acts of terrorism, drug trafficking, organised crime, child abuse, corruption, etc.
“RCS Lab exports its products in compliance with both national and European rules and regulations. Any sales or implementation of products is performed only after receiving an official authorisation from the competent national authorities.
“The products supplied to customers are installed at their facilities, and RCS Lab personnel are not permitted under any circumstances to carry out operational activities in support of the customer or to have access to the processed data. Due to binding confidentiality agreements, RCS Lab cannot disclose any details about its customers.
“The Cy4gate Group, of which RCS Lab is a member, adheres to the UN Global Compact and therefore condemns all forms of human rights violations. RCS Lab’s products are provided with a clear, specific, and exclusive purpose: to support law enforcement agencies in the prevention and suppression of heinous crimes.”
Continued foreign expansion is a major plank of the strategy for the new Cy4Gate — RCS Lab conglomerate.
The two companies have “commercial relations with governments concentrated in the Gulf, Central Asia and Latin America,” according to shareholder disclosures, with executives planning “a greater diversification of clientele through expansion of the corporate segment and strengthening our position abroad.”
But such overseas growth is likely to be controversial for the Italian group, and put RCS Lab and its new owners under further scrutiny.
“Commercial cyber-surveillance secretly sold to anyone willing to pay is a global security risk for all of us inside and outside the European Union,” said Markéta Gregorová, the European Parliament’s rapporteur for surveillance technology export controls. “This service gets human right activists and journalists tortured and killed.”
Crofton Black, Gabriel Geiger and Riccardo Coluccini are journalists with the Amsterdam-based investigative journalism collective Lighthouse Reports.
This investigation by Lighthouse Reports is being jointly published with Der Spiegel, Domani and Irpimedia.