A Hermit Out of Its Shell

Tech 2 (718B) October 5, 2022 4:00 pm - 5:00 pm


Christoph Hebeisen
Paul Shunk

We have discovered a family of targeted surveillance malware for mobile devices that is used by the government of Kazakhstan and by Italian law-enforcement authorities, and that was previously deployed against the Kurdish minority in the conflict-plagued northeastern Syrian region of Rojava.

The malware, which we named Hermit, is connected to the Italy-based surveillance tech vendor RCS Lab S.p.A. and a related company called Tykelab Srl. Using a combination of malware reverse engineering, threat intelligence investigations and OSINT, we discovered Hermit being used in Kazakhstan following protests earlier this year, which were violently suppressed by the Kazakh government with the help of Russian armed forces. We also uncovered past business dealings of RCS Lab with other surveillance vendors.

RCS Lab operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, the creator of FinFisher. Collectively branded as “lawful intercept” companies, they claim to sell only to customers that have legitimate reasons to use spyware, such as intelligence and law-enforcement agencies. In reality, these companies operate in a gray market where they sell malware as a service to governments for surveillance purposes, including regimes with questionable human rights records. These products have been mired in controversy, as many have been discovered to target journalists, human rights defenders, politicians and business leaders.

This session will explore the discovery of the Hermit malware, its capabilities and methods, and the OSINT research that led to its attribution to RCS Lab and Tykelab.