Hacked Journalists: Meet the Spyware Investigators Fighting Back
For over a decade, journalists and human rights activists have faced a growing threat: sophisticated government hacking. From Ethiopia to Hungary, India to Saudi Arabia, authorities have deployed powerful spyware to compromise the phones of those holding them accountable. This surveillance isn't just digital; it often escalates to real-world intimidation, harassment, and, tragically, even murder. But a dedicated team is fighting back, offering a crucial lifeline to those targeted.
The Rise of Mercenary Spyware and the Need for Defense
The proliferation of mercenary spyware – tools like those developed by NSO Group, Intellexa, and Paragon – has dramatically increased the risk to journalists, human rights defenders, and dissidents. These tools allow governments to remotely access devices, steal data, and monitor communications with alarming ease. The scale of this problem is significant, with reports indicating a global surge in targeted attacks. This has created an urgent need for specialized support to identify and mitigate these threats.
Access Now’s Digital Security Helpline: A Frontline Resource
In response to this escalating crisis, a team of approximately a dozen digital security experts, primarily based in Costa Rica, Manila, and Tunisia, has emerged as a critical resource. Working for the New York-headquartered nonprofit Access Now, through its Digital Security Helpline, they provide essential assistance to those who suspect they’ve been hacked.
“The idea is to provide this 24/7 service to civil society and journalists so they can reach out whenever they have… a cybersecurity incident,” Hassen Selmi, who leads the incident response team at the Helpline, tells GearTech. This constant availability is vital, as attacks can happen at any time and require immediate attention.
Bill Marczak, a senior researcher at the University of Toronto’s Citizen Lab, a leading authority on spyware investigation, describes Access Now’s Helpline as a “frontline resource” for potential victims. His assessment underscores the importance of this often-overlooked support system.
Apple’s Threat Notifications and the Helpline’s Growing Role
The Helpline’s importance has been further amplified by Apple’s recent practice of sending “threat notifications” to users who may have been targeted by mercenary spyware. Recognizing the complexity of these alerts, Apple has long directed victims to Access Now’s investigators for assistance.
Selmi describes the scenario: “Having someone who could explain it to them, tell them what they should do, what they should not do, what this means… This is a big relief for them.” The notifications can be frightening and confusing, and Access Now provides the crucial guidance needed to navigate the situation.
Digital rights experts generally agree that Apple’s approach is a positive step, even if it appears to be delegating responsibility to a small nonprofit team. For Access Now, being mentioned in Apple’s notifications was “one of the biggest milestones” for the helpline, significantly increasing its visibility and caseload.
A Dramatic Increase in Cases: From 20 to 1,000 Per Year
The number of cases handled by the Helpline has skyrocketed in recent years. Selmi and his colleagues now investigate around 1,000 suspected government spyware attacks annually. Approximately half of these cases lead to full investigations, with around 5% – roughly 25 cases – resulting in confirmed spyware infections, according to Mohammed Al-Maskati, the helpline’s director.
This represents a significant increase from 2014, when Access Now investigated around 20 cases per month. Initially, the team consisted of three to four people in each time zone (Costa Rica, Manila, and Tunisia) to ensure 24/7 coverage. While the team has grown, it remains relatively small, with fewer than 15 people currently working for the helpline. The organization has expanded its presence to Europe, the Middle East, North Africa, and Sub-Saharan Africa, recognizing these regions as hotspots for spyware activity.
Several factors contribute to this increase: greater awareness of the helpline, the wider availability of government spyware, and proactive outreach to potentially targeted populations. The global reach of spyware is expanding, and Access Now is working to meet the growing demand for its services.
The Investigation Process: Triage, Analysis, and Support
When someone contacts the helpline, investigators first verify that the individual falls within their mandate – meaning they are part of civil society, not a business executive or lawmaker. They then prioritize cases based on urgency and potential risk.
The initial assessment involves gathering information about why the person believes they were targeted and the devices they own. This helps determine the type of data needed for analysis. Following a remote check of the device, investigators may request a full device backup for a more thorough examination.
“For each known kind of exploit that has been used in the last five years, we have a process on how to check that exploit,” Selmi explains. The team maintains a comprehensive understanding of known hacking techniques and can identify signs of intrusion.
“We know more or less what is normal, what is not,” Selmi adds. This expertise is crucial for distinguishing between legitimate activity and malicious intrusions.
Beyond technical analysis, Access Now handlers provide advice on mitigating the risk, such as recommending a new device or implementing other security precautions. The team recognizes that each case is unique and requires a tailored approach.
The Human Cost and the Need for Holistic Support
“It’s different from person to person, from culture to culture,” Selmi emphasizes. “I think we should do more research, get more people on board — not just technical people — to know how to deal with these kinds of victims.” The emotional and psychological impact of being targeted by spyware is significant, and Access Now is striving to provide more holistic support.
Collaboration and the CiviCERT Network
Access Now doesn’t operate in isolation. The helpline actively supports similar investigative teams in other regions, sharing documentation, knowledge, and tools. This collaboration is facilitated through CiviCERT, a global network of organizations dedicated to assisting civil society members targeted by spyware.
“No matter where they are, [victims] have people who could talk to and report to,” Selmi states. “Having these people talk their language and know their context helped a lot.” CiviCERT extends the reach of support to individuals who might otherwise be inaccessible.
Staying Ahead of the Curve: Future Challenges and Opportunities
The fight against mercenary spyware is an ongoing battle. As technology evolves, so too will the tactics of those who seek to exploit it. Access Now and its partners must continue to innovate and adapt to stay ahead of the curve. This includes investing in research, expanding the team, and strengthening collaboration with other organizations.
The increasing sophistication of spyware and the growing number of attacks demand a coordinated and comprehensive response. Organizations like Access Now are playing a vital role in protecting journalists, human rights activists, and dissidents from the dangers of government surveillance. Their work is essential for safeguarding freedom of expression and promoting a more just and equitable world.