25 Sep, Sunday
19° C

Uncovering the Clients of Cyberespionage Firm Circles

Summary & Key Findings

  • Circles is a surveillance firm that reportedly exploits weaknesses in the global mobile phone system to snoop on calls, texts, and the location of phones around the globe. Circles is affiliated with NSO Group, which develops the oft-abused Pegasus spyware.
  • Circles, whose products work without hacking the phone itself, says they sell only to nation-states. According to leaked documents, Circles customers can purchase a system that they connect to their local telecommunications companies’ infrastructure, or can use a separate system called the “Circles Cloud,” which interconnects with telecommunications companies around the world.
  • According to the U.S. Department of Homeland Security, all U.S. wireless networks are vulnerable to the types of weaknesses reportedly exploited by Circles. A majority of networks around the globe are similarly vulnerable.
  • Using Internet scanning, we found a unique signature associated with the hostnames of Check Point firewalls used in Circles deployments. This scanning enabled us to identify Circles deployments in at least 25 countries.
  • We determine that the governments of the following countries are likely Circles customers: Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates (UAE), Vietnam, Zambia, and Zimbabwe.
  • Some of the specific government branches we identify with varying degrees of confidence as being Circles customers have a history of leveraging digital technology for human rights abuses. In a few specific cases, we were able to attribute the deployment to a particular customer, such as the Security Operations Command (ISOC) of the Royal Thai Army, which has allegedly tortured detainees.

1. Background

The public discussion around surveillance and tracking largely focuses on well known technical means, such as targeted hacking and network interception. However, other forms of surveillance are regularly and extensively used by governments and third parties to engage in cross-border surveillance and monitoring.

One of the widest-used—but least appreciated—is the leveraging of weaknesses in the global mobile telecommunications infrastructure to monitor and intercept phone calls and traffic.

While well-resourced governments have long had the ability to conduct such activity, in recent years companies have emerged to sell these capabilities. For example, the Guardian reported in March 2020 that Saudi Arabia appeared to be “exploiting weaknesses in the global mobile telecommunications network to track citizens as they travel around the US.” Other investigative reports indicated that journalists, dissidents, and opposition politicians in Nigeria and Guatemala were similarly targeted.

Abuse of the global telephone system for tracking and monitoring is believed to be widespread, however it is difficult to investigate. When a device is tracked—or messages intercepted—there are not necessarily any traces on the target’s device for researchers or investigators to find. Meanwhile, cellular carriers have many technical difficulties identifying and blocking abuses of their infrastructure.

SS7 Attacks

Signaling System 7 (SS7) is a protocol suite developed in 1975 for exchanging information and routing phone calls between different wireline telecommunications companies. At the time of SS7’s development, the global phone network consisted of a small club of monopolistic telecommunications operators. Because these companies generally trusted each other, SS7 designers saw no pressing need to include authentication or access control. However, the advent of telecommunications deregulation and mobile technology soon began to challenge the assumption of trust. Even so, SS7 endured, thanks to a desire to maintain interoperability with older equipment.

Because of SS7’s lack of authentication, any attacker that interconnects with the SS7 network (such as an intelligence agency, a cybercriminal purchasing SS7 access, or a surveillance firm running a fake phone company) can send commands to a subscriber’s “home network” falsely indicating that the subscriber is roaming. These commands allow the attacker to track the victim’s location, and intercept voice calls and SMS text messages. Such capabilities could also be used to intercept codes used for two-factor authentication sent via SMS. It is challenging and expensive for telecommunications operators to distinguish malicious traffic from benign behavior, making these attacks tricky to block.

Today, SS7 is predominantly used in 2G and 3G mobile networks (4G networks use the newer Diameter protocol). One of SS7’s key functions in these networks is handling roaming, where a subscriber to a “home network” can connect to a different “visited network,” such as when traveling internationally. In this situation, SS7 is used to handle forwarding of phone calls and SMS text messages to the “visited network.” Although 4G’s Diameter protocol includes features for authentication and access control, these are optional. Additionally, the need for Diameter networks to interconnect with SS7 networks also introduces security issues. There is widespread concern that 5G technology and other advances will inherit the risks of these older systems.


While companies selling exploitation of the global cellular system tend to operate in secrecy, one company has emerged as a known player: Circles. The company was reportedly founded in 2008acquired in 2014 by Francisco Partners, and then merged with NSO Group. Circles is known for selling systems to exploit SS7 vulnerabilities, and claims to sell this technology exclusively to nation-states.

Unlike NSO Group’s Pegasus spyware, the SS7 mechanism by which Circles’ product reportedly operates does not have an obvious signature on a target’s phone, such as the telltale targeting SMS bearing a malicious link that is sometimes present on a phone targeted with Pegasus.

Most investigation of Circles has relied on inside sources and open source intelligence, rather than technical analysis. For example, a 2016 investigation by Nigerian newspaper Premium Times reported that two state governors in Nigeria acquired Circles systems and used them to spy on political opponents. In one case, the system was installed at the residence of a governor. Our scanning found two Circles systems in Nigeria (Section 4).

Documents filed as part of a lawsuit against NSO Group in Israel purport to show emails exchanged between Circles and several customers in the UAE. Most famously, the documents show Circles sending targets’ locations and phone records (Call Detail Records or CDRs) to the UAE Supreme Council on National Security (SCNS), apparently as part of a product demonstration. The emails also indicate that intercepting phone calls of a foreign target has a higher chance of success when the target is roaming.

In 2015, IntelligenceOnline suggested that Circles started a bogus phone company called “Circles Bulgaria” to facilitate interceptions around the world. More recently, a 2020 report by Forensic News raised questions as to the true business of FloLive, purportedly an “IoT connectivity” company. Forensic News found that FloLive appeared to be closely associated with Circles, and suggested that the company might be a “front for the hackers and private spies behind Circles.”

There is also limited information about how the Circles system integrates with NSO Group’s flagship Pegasus spyware, though a former NSO Group employee told Motherboard that Pegasus had an “awful integration with Circles,” and that Circles had “exaggerated their system’s abilities.”

2. Fingerprinting & Scanning for Circles

While searching Shodan, we observed interesting results in AS200068, a block of IP addresses registered to Circles Bulgaria (Figure 2). These results show hostnames of firewalls manufactured by Check Point, as well as the hostnames of the firewalls’ SmartCenter instance. SmartCenter can be used to centrally manage multiple Check Point firewalls.

The SmartCenter hostnames in the Circles-registered AS200068 contain the domain name It seems clear that is associated with Circles, as leaked documents show Circles employees communicating from email addresses. Additionally, per RiskIQ, 17 of the 37 IP addresses pointed to by or its subdomains are in AS200068 as well as AS60097, also registered to Circles Bulgaria.

We searched for Check Point firewalls whose SmartCenter hostname contained on ShodanCensysFofa, and on Rapid7’s historical sonar-ssl dataset. We also searched for IPs that returned peculiar “random” TLS certificates matching the following regular expression, as we saw these certificates returned by Check Point firewalls with in their SmartCenter hostnames:/^C=[a-zA-Z0-9]{2}, ST=[a-zA-Z0-9]{3}, L=[a-zA-Z0-9]{3}, O=[a-zA-Z0-9]{4}, OU=[a-zA-Z0-9]{5}, CN=localhost$/

Overall, we identified 252 IP addresses in 50 ASNs matching our fingerprints. Many had a “Firewall Host” field seemingly indicating that the systems were client systems, e.g., client-circles-thailand-nsb-node-2, though some used the word telco in place of client, and some had a generic name rather than a client name, e.g., cf-00-182-1. In cases where we identified Circles’ Check Point firewalls on a Transit/Access ISP (i.e., a non-datacenter ISP), we assumed that some agency of that country’s government was a customer of Circles.

Some of the clients that we identified have two-word nicknames, where the first word is a car brand that almost always shares the same first letter as the country or state of the apparent customer. For example, Circles firewalls whose IPs geolocate to Mexico are named “Mercedes,” those that geolocate to Thailand are named “Toyota,” those that geolocate to Abu Dhabi are named “Aston,” and those that geolocate to Dubai are named “Dutton.”

The use of car brands to refer to clients was first reported by Haaretz, though the report indicated that this was an NSO Group practice, as opposed to Circles. Haaretz reported the following codenames: Saudi Arabia is “Subaru,” Bahrain is “BMW,” and Jordan is “Jaguar.” Our scans did not reveal any Check Point firewalls linked to Circles with the names Subaru or Jaguar, though we did identify firewalls with the name “BMW” located in Belgium.

3. A Global List of Circles Deployments

From the 252 IP addresses we detected in 50 ASNs, we identified 25 governments that are likely to be Circles customers. We also identified 17 specific government branches that appear to be Circles customers, based on WHOIS, passive DNS, and historical scanning data from Check Point firewall IPs or their neighbours.

While our analysis yielded country results with high confidence, our efforts to determine the customer identity have, in some cases, a lower degree of confidence.

We also found evidence of at least four systems that we were unable to connect to a particular country (Appendix A).

4. Spotlight on Concerning Circles Deployments

Our research identified deployments in 25 countries. In several cases, we were able to go further and identify technical elements pointing to a particular government customer with varying degrees of certainty. Troublingly, in a number of these cases, the government as a whole, or the government client in particular, have a history of misuse of surveillance technologies and human rights abuses. While several cases are highlighted here, Appendix A lists the additional deployments found by our fingerprinting.


We identified two Circles systems in Botswana: an unnamed system and a system named Bentley Bullevard that appears to be operated by Botswana’s Directorate of Intelligence and Security Service (DISS), as TLS certificates used on the Check Point firewalls were signed by a self-signed TLS certificate for “” which is a domain name used by the Directorate of Intelligence and Security. The DISS is sometimes referred to as the “Directorate of Intelligence and Security” (DIS).

Surveillance Abuses in Botswana

There are multiple recent reports of the abuse of surveillance equipment in Botswana to suppress reporting and public awareness of governmental corruption. In 2014, it was reported that the DISS participated in using surveillance and jamming technology developed by Elbit Systems to conduct “electronic warfare” against the media. In addition, the DISS has reportedly engaged in attempts to compromise the privacy of relationships between sources and reporters.


Our scanning identified what appeared to be a single Circles system in Chile, codename Cadillac Polaris. The system appears to be operated by the Investigations Police of Chile (PDI), as the Check Point firewalls identify the client as “Chile PDI.” The PDI is Chile’s main law enforcement agency. The Chile PDI was also a customer of Hacking Team’s Remote Control System (RCS) spyware, although they claimed that the spyware was only used for prosecuting crimes with prior judicial authorization.

Surveillance Abuses in Chile

Between 2017 and 2018, Chile’s other major national police agency, the Carabineros, reportedly illegally intercepted the calls, WhatsApp chats, and Telegram messages of multiple journalists. Chilean police also intercepted the communications of Indigenous Mapuche leaders and cited intercepted chats to justify the arrests. However, officials were later prosecuted for planting false evidence on the leaders’ phones.


We identified a single Circles system in Guatemala, Ginetta Galileo. The system appears to have been operated by the General Directorate of Civil Intelligence (DIGICI), as public WHOIS information records that the firewall IPs are registered to “Dirección General de Inteligencia Civil.”

Surveillance Abuses in Guatemala

A 2018 investigation by Guatemalan newspaper Nuestro Diario found that an Israeli arms dealer sold a variety of spy tools, including NSO Group’s Pegasus spyware and a Circles system, to a secret unit within DIGICI. The unit reportedly used the equipment to conduct illegal surveillance against journalists, businesspeople, and political opponents of the government. The surveillance arose amidst extreme physical threat to members of civil society. A recent report identified over 900 attacks between 2017-2018 in Guatemala, originating from both government and non-state actors.


We identified what appear to be ten Circles systems in Mexico. One system, Mercedes Ventura, appears to have been used by the Mexican Navy (SEMAR). All firewall IPs for the Mercedes Ventura system were in /24s with multiple other IP addresses that are pointed to by domain names and return valid TLS certificates for and other websites linked to the Mexican Navy. An unnamed system appears to have been used by the State of Durango, as one of its firewall IPs was also pointed to by dozens of subdomains of Additional details about the Mexico Circles systems are in Appendix A.

Reporting has previously connected the Mexican government to the purchase of other SS7 surveillance equipment, such as ULIN made by Ability, as well as a system codenamed SkyLock sold by Verint Systems Inc.

Surveillance Abuses in Mexico

Mexico has an extensive history of surveillance abuses. Notably, our prior research has shown that entities within Mexico’s government serially abused NSO Group’s Pegasus spyware to target over 25 reporters, human rights defenders, and the families of individuals killed and disappeared by cartels. The pattern of abuses extends to other forms of digital surveillance.

Human rights organizations have documented that Mexico’s Navy has been responsible for civilian casualties in conflicts and human rights violations, including illegal detention, kidnapping, torture, and sexual torture. Mexico’s National Human Rights Commission recently confirmed this pattern in a recommendation.


Our scanning identified what appeared to be a single Circles system in Morocco. The Morocco client’s IPs are in the same /27 as several websites of the Bureau central d’investigation judiciaire (BCIJ), and are in the same /26 as the website of the Moroccan Auxiliary Forces (FA). Both the FA and BCIJ are under the auspices of Morocco’s Ministry of Interior. A government agency in Morocco also appears to be a client of Circles’ affiliate NSO Group, though the identity of this Moroccan agency has not been established.

Read the full article Source – Citizenlab

Post a Comment