Italian firm accused of running Pegasus-style spyware


A small firm owned by the Italian company implicated in a recent phone-hacking scandal has been using tracking software to secretly monitor the communications of people all over the world, according to an NGO.

Tykelab, a subsidiary company of RCS based in Rome in Italy, has been spying on behalf of its clients on citizens of countries with poor human rights records and authoritarian regimes, including Libya and Iraq, a report by Lighthouse has revealed.

ADVERTISEMENT

The company advertises itself on LinkedIn as a “competent software developer and system integration company” that specializes in fraud management and security assessment.

Other countries targeted by Tykelab include Nicaragua, Malaysia, Mali, and Costa Rica, according to Lighthouse. Nor has the EU itself escaped surveillance, with citizens of Greece, Portugal, and even Italy itself tracked by Tykelab via dozens of unsecured phone networks in the Pacific.

This security loophole has gone unpatched in the eight years since it was discovered, a gift to government and private agencies wishing to conduct surveillance. Lighthouse blames this on the telecoms industry practice of leasing network access points to parties who can then use it for spying. Mobile phone regulator the GSMA claims the industry is powerless to effectively detect surveillance operations being conducted in this manner on networks.

The Tykelab revelation is reminiscent of the recent imbroglios involving its parent firm RCS Labs, which was found to be spying on citizens of Italy and Kazakhstan in May, and Israeli company NSO Group, whose Pegasus software has been deployed in recent years against journalists, lawyers and human rights activists.

Lighthouse’s investigation revealed that spyware used and marketed by Tykelab includes Ubiqo, which can “track the movements of almost anybody who carries a mobile phone, whether they are blocks away or on another continent.” Tykelab also offers follow-up analysis services, said Lighthouse.

“Our findings originated with two confidential sources in the telecom industry,” said Lighthouse. “They had both independently been tracking significant volumes of suspicious traffic sent through a group of phone networks – much of it ostensibly from islands in the South Pacific. Through technical and other data they determined, independently from each other, that this traffic originated in Italy with a company called Tykelab.”

Tykelab’s website claims misleadingly to be “an innocuous telecom services provider” but according to Lighthouse sources “its traffic had no legitimate purpose other than surveillance.”

Like father, like son

ADVERTISEMENT

Tykelab’s parent company RCS is itself no stranger to spyware controversy. Described by Lighthouse as “an Italian company with a long history of interception activities both in Italy and abroad,” it was outed in December by Cy4Gate, which made the disclosure to shareholders after it acquired Aurora Group, of which RCS is part.

Its surveillance products include Hermit, a phone-hacking tool that once installed on a device can be used to record calls and remotely access messages, call logs, contacts, photos, and other sensitive data. The spyware was recently uncovered by a parallel investigation conducted by cybersecurity analysts at Google and Lookout, along with fake web pages masquerading as Apple and Facebook to lure target persons into downloading it.

The findings come at an awkward moment for the EU, which is holding parliamentary hearings into NSO’s use of Pegasus, in the wake of a wave of hacking scandals that have seen politicians and journalists increasingly targeted by spyware.

“Our investigation has thrown the spotlight on the EU itself and Europe’s role in the high-risk proliferation of commercial surveillance technology,” said Lighthouse. “Our findings show Tykelab’s surveillance traffic reaching all over the world – the Italian company’s systems have been targeting people in Libya, Costa Rica, Nicaragua, Pakistan, Malaysia, Iraq and Mali, to give only a few specific examples, as well as in Greece, Macedonia, Portugal and Italy.”

It added: “MEPs, security specialists and privacy experts, looking at our findings, expressed deep concern at the risks associated with the untransparent trade in powerful spy tech, and questioned whether EU member states were doing enough to regulate it.”

The European Parliament’s rapporteur for surveillance technology export controls, Markéta Gregorová, told Lighthouse: “Commercial cyber-surveillance secretly sold to anyone willing to pay is a global security risk for all of us inside and outside the European Union. This service gets human right activists and journalists tortured and killed.”

Cybernews reached out to Tykelabs for comment, but when we contacted the company via the email address specified, we received an automated response saying it did not exist.