Russian authorities used Cellebrite phone-cracking technology to break into a device belonging to a prominent domestic human rights activist they arrested and imprisoned, despite the company canceling its contract with the Russian government, according to a report published Thursday.

The University of Toronto’s Citizen Lab reached its conclusions after analyzing a phone belonging to Andrey Pivovarov and examining court documents he provided confirming the usage of Cellebrite’s UFED product.

Pivovarov was arrested in March 2021, sentenced in 2022 and released in 2024 as part of a prisoner exchange. Citizen Lab found evidence that authorities accessed his phone around June 2021 while the phone was in Russian government hands.

Investigators also said it appears Russian authorities might have used information it got from Pivoarov’s phone to surveil other regime opponents, combining information in the court documents with the later targeting of fellow dissident Anastasiya Burakova in a hacking campaign linked to Russia’s Federal Security Service (FSB).

“The historic architecture of Cellebrite forensic systems means that much of the functionality in the UFED product has continued to operate long after updates cease,” Citizen Lab said in its report. “Furthermore, Cellebrite systems have historically featured an offline mode. Consequently, the way Cellebrite’s technology was designed appeared to make it difficult for the company to meaningfully cut off problematic customers.

“While Cellebrite has argued that its cancellations in Russia … went beyond what was legally required, this investigation contributes evidence that the contract cancellation did not immediately block Russia from leveraging Cellebrite’s tools for political persecution,” it continued.

Cellebrite provided a response to Citizen Lab’s report, saying that Cellebrite’s technology would be ineffective in Russia today.

“Any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorized,” Cellebrite spokesperson Victor Cooper told CyberScoop, echoing the Citizen Lab response. “The Cellebrite hardware previously sold, prior to March 2021, would now be incompatible with modern devices and would operate without our technical support, our consent or any legal sanction from Cellebrite. Rapid technology advances render legacy digital forensic hardware and software ineffective within a short period of time. Russia remains permanently on our restricted-customer list.”

The Russian Embassy in Washington, D.C. did not immediately respond to a request for comment.

The post Russia uses Cellebrite to break into human rights activist’s phone, even after cancellation of contract appeared first on CyberScoop.

Meta said Monday that it caught a spearphishing campaign linked to spyware maker NSO Group despite a court injunction, prompting the tech giant to file a contempt-of-court complaint.

The company won a civil case last year against NSO Group barring it from targeting WhatsApp users and securing $168 million in damages, although NSO Group has been appealing the ruling.

But Meta says NSO Group, makers of the Pegasus spyware, isn’t honoring the permanent injunction.

“We successfully disrupted NSO-linked social engineering attempts, after investigating user reports,” it said in a blog post. “They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO. We also caught them creating test accounts and groups on WhatsApp, which we took down.”

Meta said the campaign resembled spyware infections that hit journalists and activists in Jordan from 2019 to 2023.

NSO Group didn’t respond to requests for comment about Meta’s accusations.

One top researcher who tracks spyware said NSO Group’s actions are an argument for keeping them on the U.S. sanctions “entity” list that the company has fought to be removed from since its designation in 2021.

“NSO’s own actions make the strongest argument for why they should stay on the Entity list,” John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, wrote on social media. “And reaffirm that the decision to put them there was the right one.”

Meta made the same argument.

“When a malicious company on the US government’s Entity List continues to defy US courts, existing restrictions must remain firmly in place,” it said in its blog post. “Easing them would undermine US national security and put American companies and billions of people worldwide who depend on secure communications at risk.”

Lawmakers have sought information on the federal government’s prospective use of NSO Group tech and other kinds of spyware, despite a blacklist, given close ties between the company’s new executive chairman and President Donald Trump.

The post Meta accuses NSO Group of defying spyware injunction, files contempt of court complaint appeared first on CyberScoop.

Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”

The two unknown parties behind the campaigns mimicked the identities of mobile phone operators with customized surveillance tools, and manipulated signaling protocols and steered traffic through network pathways to hide, according to research from the University of Toronto’s Citizen Lab.

“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.

“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”

The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing Island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.

They shifted between SS7 and Diameter protocols, the signalling protocols known for 3G and 4G/most of 5G, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission in 2024 opened a probe into both its vulnerabilities and SS7’s, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Information Security Agency report about telecommunications vulnerabilities rooted in both protocols.

But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.

“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”

One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, wrote back that it didn’t recognize the hostnames referenced in the report as 019 Mobile’s network nodes, and couldn’t attribute the signaling activity it represents to 019 Mobile-operated infrastructure.

Another operator, Sure, said it has taken preventative measures to defend against misuse.

“Sure acknowledges that digital services can be misused, which is why we take a number of
steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”

019 Mobile and a third operator, Tango Networks UK, didn’t respond to requests for comment from CyberScoop. The Citizen Lab report afforded some grace to the operators.

“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”

Updated 4/24/26: to include quote from Alistair Beak.

The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.