Did a U.S. defense contractor help create the next generation of spyware weapons?

The Washington Post relates a fascinating little cloak-and-dagger story that ends with a heck of a punchline: a U.S. defense contractor was apparently working with foreign companies that create spyware and virus programs to develop new tools for spying on people, potentially both foreign and domestic.

CloudShield Technologies, a California defense contractor, dispatched a senior engineer to Munich in the early fall of 2009. His instructions were unusually opaque.

As he boarded the flight, the engineer told confidants later, he knew only that he should visit a German national who awaited him with an off-the-books assignment. There would be no written contract, and on no account was the engineer to send reports back to CloudShield headquarters.

His contact, Martin J. Muench, turned out to be a former developer of computer security tools who had long since turned to the darkest side of their profession. Gamma Group, the British conglomerate for which Muench was a managing director, built and sold systems to break into computers, seize control clandestinely, and then copy files, listen to Skype calls, record every keystroke and switch on Web cameras and microphones at will.

According to accounts the engineer gave later and contemporary records obtained by The Washington Post, he soon fell into a shadowy world of lucrative spyware tools for sale to foreign security services, some of them with records of human rights abuse.

The American engineer’s job involved helping adapt these “digital weapons” to run on his company’s highly specialized equipment… which was primarily sold to the Pentagon. After a year or so, CloudShield ended its partnership with the malware companies without ever marketing any of the hardware it had designed. Although the Post article doesn’t get into the details of this hardware, the most charitable explanation would be that CloudShield wanted to apply the expertise gained from working with the malware creators defensively, making the products it sold to the U.S. military harder to compromise.

But the rest of the article makes it sound like the fruits of this cooperation were entirely offensive in nature. The virus vendors ended up with “a new generation of ‘network injection devices’” which “harness malicious software to specialized equipment attached directly to the central switching points of a foreign government’s national Internet grid.”

In other words, simply by viewing unencrypted data into which this next-gen malware has been injected, a computer can be infected with Trojan-horse viruses that allow the data flowing across the Internet to be monitored, or even subtly altered. What sort of “unencrypted files” could be infected? One of the examples given is YouTube videos: you watch an infected video, you get the virus. Holy cow. (Morgan Marquis-Boire of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, author of the report that prompted the Washington Post to conduct its own investigation, alerted companies like Google and Microsoft, which have spent the past month fixing the vulnerabilities that allowed these “injection systems” to operate. They evidently are not yet 100 percent finished with this process.)

This is all very similar to some of the spyware tools used by the NSA, as revealed by Edward Snowden’s document leaks. It doesn’t seem as if the NSA benefited from the work CloudShield Technologies did with foreign spyware creators; rather, their work put viral tools on par with the NSA’s best digital weapons into the hands of some shady customers, including a few authoritarian governments and hacker groups. WikiLeaks is one of the Gamma Group’s customers, for example. The companies involved, including CloudShield and Gamma Group’s rival Hacking Team, insist their products are used only for “lawful intercepts” – not just espionage, but law-enforcement activities against pedophiles, kidnappers, etc. – and are not sold to blacklisted entities.

The engineer who leaked his story to Marquis-Boire (or at least, the man widely suspected of being that engineer) also said he doesn’t think any aspect of the project was illegal. But it certainly is hair-raising, and it has been cited as part of the argument for “the death of clear text” – i.e. the encryption of all Internet communications, including the seemingly innocuous business of watching cat videos. The Internet began as a wild frontier, then became a place of glorious creative anarchy… and now it’s starting to look like a dystopia ruled by electronic warlords and digital gangs, in which every traveler must wear heavy armor.