{
	"id": "cd73eb87-8d98-46ee-9ba8-d45d8a04cf45",
	"created_at": "2026-04-06T00:13:12.080071Z",
	"updated_at": "2026-04-10T03:29:11.747867Z",
	"deleted_at": null,
	"sha1_hash": "084c32ab4dc9b73916613628dd407c037c7c968f",
	"title": "Running in Circles: Uncovering the Clients of Cyberespionage Firm Circles - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1708956,
	"plain_text": "Running in Circles: Uncovering the Clients of Cyberespionage\r\nFirm Circles - The Citizen Lab\r\nArchived: 2026-04-05 15:00:11 UTC\r\nSummary \u0026 Key Findings\r\nCircles is a surveillance firm that reportedly exploits weaknesses in the global mobile phone system to\r\nsnoop on calls, texts, and the location of phones around the globe. Circles is affiliated with NSO Group,\r\nwhich develops the oft-abused Pegasus spyware.\r\nCircles, whose products work without hacking the phone itself, says they sell only to nation-states.\r\nAccording to leaked documents, Circles customers can purchase a system that they connect to their local\r\ntelecommunications companies’ infrastructure, or can use a separate system called the “Circles Cloud,”\r\nwhich interconnects with telecommunications companies around the world.\r\nAccording to the U.S. Department of Homeland Security, all U.S. wireless networks are vulnerable to the\r\ntypes of weaknesses reportedly exploited by Circles. A majority of networks around the globe are similarly\r\nvulnerable.\r\nUsing Internet scanning, we found a unique signature associated with the hostnames of Check Point\r\nfirewalls used in Circles deployments. This scanning enabled us to identify Circles deployments in at least\r\n25 countries.\r\nWe determine that the governments of the following countries are likely Circles customers: Australia,\r\nBelgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala,\r\nHonduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the\r\nUnited Arab Emirates (UAE), Vietnam, Zambia, and Zimbabwe.\r\nSome of the specific government branches we identify with varying degrees of confidence as being Circles\r\ncustomers have a history of leveraging digital technology for human rights abuses. 
In a few specific cases, we were able to attribute the deployment to a particular customer, such as the Internal Security Operations Command (ISOC) of the Royal Thai Army, which has allegedly tortured detainees.\r\n1. Background\r\nThe public discussion around surveillance and tracking largely focuses on well-known technical means, such as targeted hacking and network interception. However, other forms of surveillance are regularly and extensively used by governments and third parties to engage in cross-border surveillance and monitoring.\r\nOne of the widest-used—but least appreciated—is the leveraging of weaknesses in the global mobile telecommunications infrastructure to monitor and intercept phone calls and traffic.\r\nWhile well-resourced governments have long had the ability to conduct such activity, in recent years companies have emerged to sell these capabilities. For example, the Guardian reported in March 2020 that Saudi Arabia appeared to be “exploiting weaknesses in the global mobile telecommunications network to track citizens as they travel around the US.” Other investigative reports indicated that journalists, dissidents, and opposition politicians in Nigeria and Guatemala were similarly targeted.\r\nhttps://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/\r\nPage 1 of 23\r\nAbuse of the global telephone system for tracking and monitoring is believed to be widespread; however, it is difficult to investigate. When a device is tracked—or messages intercepted—there are not necessarily any traces on the target’s device for researchers or investigators to find. Meanwhile, cellular carriers have many technical difficulties identifying and blocking abuses of their infrastructure.\r\nSS7 Attacks\r\nSignaling System 7 (SS7) is a protocol suite developed in 1975 for exchanging information and routing phone calls between different wireline telecommunications companies. 
At the time of SS7’s development, the global phone network consisted of a small club of monopolistic telecommunications operators. Because these companies generally trusted each other, SS7 designers saw no pressing need to include authentication or access control. However, the advent of telecommunications deregulation and mobile technology soon began to challenge the assumption of trust. Even so, SS7 endured, thanks to a desire to maintain interoperability with older equipment.\r\nBecause of SS7’s lack of authentication, any attacker that interconnects with the SS7 network (such as an intelligence agency, a cybercriminal purchasing SS7 access, or a surveillance firm running a fake phone company) can send commands to a subscriber’s “home network” falsely indicating that the subscriber is roaming. These commands allow the attacker to track the victim’s location, and intercept voice calls and SMS text messages. Such capabilities could also be used to intercept codes used for two-factor authentication sent via SMS. It is challenging and expensive for telecommunications operators to distinguish malicious traffic from benign behavior, making these attacks tricky to block.\r\nToday, SS7 is predominantly used in 2G and 3G mobile networks (4G networks use the newer Diameter protocol). One of SS7’s key functions in these networks is handling roaming, where a subscriber to a “home network” can connect to a different “visited network,” such as when traveling internationally. In this situation, SS7 is used to handle forwarding of phone calls and SMS text messages to the “visited network.” Although 4G’s Diameter protocol includes features for authentication and access control, these are optional. Additionally, the need for Diameter networks to interconnect with SS7 networks also introduces security issues. 
There is widespread concern that 5G technology and other advances will inherit the risks of these older systems.\r\nCircles\r\nWhile companies selling exploitation of the global cellular system tend to operate in secrecy, one company has emerged as a known player: Circles. The company was reportedly founded in 2008, acquired in 2014 by Francisco Partners, and then merged with NSO Group. Circles is known for selling systems to exploit SS7 vulnerabilities, and claims to sell this technology exclusively to nation-states.\r\nUnlike NSO Group’s Pegasus spyware, the SS7 mechanism by which Circles’ product reportedly operates does not have an obvious signature on a target’s phone, such as the telltale targeting SMS bearing a malicious link that is sometimes present on a phone targeted with Pegasus.\r\nMost investigation of Circles has relied on inside sources and open source intelligence, rather than technical analysis. For example, a 2016 investigation by Nigerian newspaper Premium Times reported that two state governors in Nigeria acquired Circles systems and used them to spy on political opponents. In one case, the system was installed at the residence of a governor. Our scanning found two Circles systems in Nigeria (Section 4).\r\nDocuments filed as part of a lawsuit against NSO Group in Israel purport to show emails exchanged between Circles and several customers in the UAE. Most famously, the documents show Circles sending targets’ locations and phone records (Call Detail Records or CDRs) to the UAE Supreme Council on National Security (SCNS), apparently as part of a product demonstration. The emails also indicate that intercepting phone calls of a foreign target has a higher chance of success when the target is roaming.\r\nThe same documents explain some facets of how the Circles system operated. 
The SCNS was set to receive two separate systems: a standalone system that could be used for local interceptions and a separate system connected to the “Circles Cloud” (an entity with roaming agreements around the world) that could be used for interceptions outside of the UAE if desired.\r\nCircles System Component | Function\r\nOffline, on-premises deployment | Within-country targeting\r\nCircles Cloud | Global targeting \u0026 interception\r\nTable 1\r\nIn 2015, IntelligenceOnline suggested that Circles started a bogus phone company called “Circles Bulgaria” to facilitate interceptions around the world. More recently, a 2020 report by Forensic News raised questions as to the true business of FloLive, purportedly an “IoT connectivity” company. Forensic News found that FloLive appeared to be closely associated with Circles, and suggested that the company might be a “front for the hackers and private spies behind Circles.”\r\nThere is also limited information about how the Circles system integrates with NSO Group’s flagship Pegasus spyware, though a former NSO Group employee told Motherboard that Pegasus had an “awful integration with Circles,” and that Circles had “exaggerated their system’s abilities.”\r\n2. Fingerprinting \u0026 Scanning for Circles\r\nWhile searching Shodan, we observed interesting results in AS200068, a block of IP addresses registered to Circles Bulgaria (Figure 2). These results show hostnames of firewalls manufactured by Check Point, as well as the hostnames of the firewalls’ SmartCenter instance. SmartCenter can be used to centrally manage multiple Check Point firewalls [1].\r\nThe SmartCenter hostnames in the Circles-registered AS200068 contain the domain name tracksystem.info. 
It seems clear that tracksystem.info is associated with Circles, as leaked documents show Circles employees communicating from @tracksystem.info email addresses. Additionally, per RiskIQ, 17 of the 37 IP addresses pointed to by tracksystem.info or its subdomains are in AS200068 as well as AS60097, also registered to Circles Bulgaria.\r\nWe searched for Check Point firewalls whose SmartCenter hostname contained tracksystem.info on Shodan, Censys, Fofa, and on Rapid7’s historical sonar-ssl dataset. We also searched for IPs that returned peculiar “random” TLS certificates [2] matching the following regular expression, as we saw these certificates returned by Check Point firewalls with tracksystem.info in their SmartCenter hostnames:\r\n/^C=[a-zA-Z0-9]{2}, ST=[a-zA-Z0-9]{3}, L=[a-zA-Z0-9]{3}, O=[a-zA-Z0-9]{4}, OU=[a-zA-Z0-9]{5}, CN=localhost$/\r\nOverall, we identified 252 IP addresses in 50 ASNs matching our fingerprints. Many had a “Firewall Host” field seemingly indicating that the systems were client systems, e.g., client-circles-thailand-nsb-node-2, though some used the word telco in place of client, and some had a generic name rather than a client name, e.g., cf-00-182-1. In cases where we identified Circles’ Check Point firewalls on a Transit/Access ISP (i.e., a non-datacenter ISP), we assumed that some agency of that country’s government was a customer of Circles.\r\nSome of the clients that we identified have two-word nicknames, where the first word is a car brand that almost always shares the same first letter as the country or state of the apparent customer. 
For example, Circles firewalls whose IPs geolocate to Mexico are named “Mercedes,” those that geolocate to Thailand are named “Toyota,” those that geolocate to Abu Dhabi are named “Aston,” and those that geolocate to Dubai are named “Dutton.”\r\nThe use of car brands to refer to clients was first reported by Haaretz, though the report indicated that this was an NSO Group practice, as opposed to Circles. Haaretz reported the following codenames: Saudi Arabia is “Subaru,” Bahrain is “BMW,” and Jordan is “Jaguar.” Our scans did not reveal any Check Point firewalls linked to Circles with the names Subaru or Jaguar, though we did identify firewalls with the name “BMW” located in Belgium.\r\n3. A Global List of Circles Deployments\r\nFrom the 252 IP addresses we detected in 50 ASNs, we identified 25 governments that are likely to be Circles customers. We also identified 17 specific government branches that appear to be Circles customers, based on WHOIS, passive DNS, and historical scanning data from Check Point firewall IPs or their neighbours.\r\nAustralia, Belgium, Botswana (Directorate of Intelligence and Security Services), Chile (Investigations Police), Denmark (Army Command), Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala (General Directorate of Civil Intelligence), Honduras (National Directorate of Investigation and Intelligence), Indonesia, Israel, Kenya, Malaysia, Mexico (Mexican Navy; State of Durango), Morocco (Ministry of Interior), Nigeria (Defence Intelligence Agency), Peru (National Intelligence Directorate), Serbia (Security Information Agency), Thailand (Internal Security Operations Command; Military Intelligence Battalion; Narcotics Suppression Bureau), the United Arab Emirates (Supreme Council on National Security; Dubai Government; Royal Group), Vietnam, Zambia, and Zimbabwe.\r\nWhile our analysis yielded country results with high confidence, our efforts to determine the customer identity have, 
in some cases, a lower degree of confidence.\r\nWe also found evidence of at least four systems that we were unable to connect to a particular country (Appendix A).\r\n4. Spotlight on Concerning Circles Deployments\r\nOur research identified deployments in 25 countries. In several cases, we were able to go further and identify technical elements pointing to a particular government customer with varying degrees of certainty. Troublingly, in a number of these cases, the government as a whole, or the government client in particular, has a history of misuse of surveillance technologies and human rights abuses. While several cases are highlighted here, Appendix A lists the additional deployments found by our fingerprinting.\r\nBotswana\r\nWe identified two Circles systems in Botswana: an unnamed system and a system named Bentley Bullevard that appears to be operated by Botswana’s Directorate of Intelligence and Security Service (DISS), as TLS certificates used on the Check Point firewalls were signed by a self-signed TLS certificate for “CN=sid.org.bw” which is a domain name used by the Directorate of Intelligence and Security. The DISS is sometimes referred to as the “Directorate of Intelligence and Security” (DIS).\r\nClient Name | Possible Identity | Dates Active | Firewall IPs\r\nBentley Bullevard | Directorate of Intelligence and Security Service (DISS) | 2015/6/1 – Present | 129.205.243.1 – 3; 129.205.243.60 – 62; 41.79.138.17 – 19\r\n | | 2015/6/1 – 2020/9/10 | 168.167.45.100 – 102\r\nTable 2\r\nSurveillance Abuses in Botswana\r\nThere are multiple recent reports of the abuse of surveillance equipment in Botswana to suppress reporting and public awareness of governmental corruption. 
In 2014, it was reported that the DISS participated in using surveillance and jamming technology developed by Elbit Systems to conduct “electronic warfare” against the media. In addition, the DISS has reportedly engaged in attempts to compromise the privacy of relationships between sources and reporters.\r\nChile\r\nOur scanning identified what appeared to be a single Circles system in Chile, codename Cadillac Polaris. The system appears to be operated by the Investigations Police of Chile (PDI), as the Check Point firewalls identify the client as “Chile PDI.” The PDI is Chile’s main law enforcement agency. The Chile PDI was also a customer of Hacking Team’s Remote Control System (RCS) spyware, although they claimed that the spyware was only used for prosecuting crimes with prior judicial authorization.\r\nClient Name | Possible Identity | Dates Active | Firewall IPs\r\nCadillac Polaris | Investigations Police of Chile (PDI) | 2015/9/12 – Present | 186.103.207.10 – 12\r\nTable 3\r\nSurveillance Abuses in Chile\r\nBetween 2017 and 2018, Chile’s other major national police agency, the Carabineros, reportedly illegally intercepted the calls, WhatsApp chats, and Telegram messages of multiple journalists. Chilean police also intercepted the communications of Indigenous Mapuche leaders and cited intercepted chats to justify the arrests. However, officials were later prosecuted for planting false evidence on the leaders’ phones.\r\nGuatemala\r\nWe identified a single Circles system in Guatemala, Ginetta Galileo. 
The system appears to have been operated by the General Directorate of Civil Intelligence (DIGICI), as public WHOIS information records that the firewall IPs are registered to “Dirección General de Inteligencia Civil.”\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\nGinetta Galileo | General Directorate of Civil Intelligence (DIGICI) | 2015/6/1 – 2016/5/2 | 190.111.27.165 – 167\r\nTable 4\r\nSurveillance Abuses in Guatemala\r\nA 2018 investigation by Guatemalan newspaper Nuestro Diario found that an Israeli arms dealer sold a variety of spy tools, including NSO Group’s Pegasus spyware and a Circles system, to a secret unit within DIGICI. The unit reportedly used the equipment to conduct illegal surveillance against journalists, businesspeople, and political opponents of the government. The surveillance arose amidst extreme physical threat to members of civil society. A recent report identified over 900 attacks between 2017 and 2018 in Guatemala, originating from both government and non-state actors.\r\nMexico\r\nWe identified what appear to be ten Circles systems in Mexico. One system, Mercedes Ventura, appears to have been used by the Mexican Navy (SEMAR). All firewall IPs for the Mercedes Ventura system were in /24s with multiple other IP addresses that are pointed to by domain names and return valid TLS certificates for semar.gob.mx and other websites linked to the Mexican Navy. 
An unnamed system appears to have been used by the State of Durango, as one of its firewall IPs was also pointed to by dozens of subdomains of durango.gob.mx. Additional details about the Mexico Circles systems are in Appendix A.\r\nReporting has previously connected the Mexican government to the purchase of other SS7 surveillance equipment, such as ULIN made by Ability, as well as a system codenamed SkyLock sold by Verint Systems Inc.\r\nSurveillance Abuses in Mexico\r\nMexico has an extensive history of surveillance abuses. Notably, our prior research has shown that entities within Mexico’s government serially abused NSO Group’s Pegasus spyware to target over 25 reporters, human rights defenders, and the families of individuals killed and disappeared by cartels. The pattern of abuses extends to other forms of digital surveillance.\r\nHuman rights organizations have documented that Mexico’s Navy has been responsible for civilian casualties in conflicts and human rights violations, including illegal detention, kidnapping, torture, and sexual torture. Mexico’s National Human Rights Commission recently confirmed this pattern in a recommendation.\r\nMorocco\r\nOur scanning identified what appeared to be a single Circles system in Morocco. The Morocco client’s IPs are in the same /27 as several websites of the Bureau central d’investigation judiciaire (BCIJ), and are in the same /26 as the website of the Moroccan Auxiliary Forces (FA). Both the FA and BCIJ are under the auspices of Morocco’s Ministry of Interior. 
A government agency in Morocco also appears to be a client of Circles’ affiliate NSO Group, though the identity of this Moroccan agency has not been established.\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n | Ministry of Interior | 2018/3/14 – Present | 105.145.40.27 – 28\r\nTable 5\r\nSurveillance Abuses in Morocco\r\nMorocco has been connected to multiple cases of surveillance abuse over the past decade, ranging from the targeting of human rights organizations with Hacking Team’s spyware to a string of more recent cases in which NSO Group’s Pegasus spyware was used to target civil society within Morocco and abroad.\r\nNigeria\r\nOur scanning identified two Circles systems in Nigeria. One system may be operated by the same entity as one of the Nigerian customers of the FinFisher spyware that we detected in December 2014. The firewall IPs are in the same /27 as the IP address of the FinFisher C\u0026C server we detected in our 2014 scans (41.242.50.50). The other client appears to be the Nigerian Defence Intelligence Agency (DIA), as its firewall IPs are in AS37258, a block of IP addresses registered to “HQ Defence Intelligence Agency Asokoro, Nigeria, Abuja.”\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n | Nigeria Defence Intelligence Agency (DIA) | 2015/6/1 – 2017/4/25 | 196.1.133.7 – 9\r\n | Unknown FinFisher operator from December 2014 | 2015/6/1 – Present | 41.242.50.42 – 47\r\nTable 6\r\nSurveillance Abuses in Nigeria\r\nMembers of civil society in Nigeria face a wide range of digital threats. 
A recent report by Front Line Defenders concluded that Nigeria’s government “has conducted mass surveillance of citizens’ telecommunications.” The Committee to Protect Journalists (CPJ) has also reported multiple cases of the Nigerian government abusing phone surveillance.\r\nAn investigation by Nigerian newspaper Premium Times found that Nigerian governors of Bayelsa and Delta states purchased systems from Circles to spy on their political opponents. In Delta State, Premium Times reports that the system was installed at the “governor’s lodge,” and operated by employees of the Governor, rather than police. In Bayelsa State, the governor reportedly used the Circles system to spy on his opponent in an election, as well as his opponent’s wife and aides. The investigation also found that the two Circles systems were imported without the proper authorizations from Nigeria’s Office of the National Security Adviser.\r\nThailand\r\nOur scanning identified what appear to be three current clients in Thailand. The firewall IP addresses for Toyota Regency are in the same /29 as the online “War Room” of the Royal Thai Army’s Internal Security Operations Command (กองอำนวยการรักษาความมั่นคงภายใน), known as ISOC for short [3]. The firewall IP addresses for an unnamed system are in the same /29 as a wiki that displays the logo of the Military Intelligence Battalion (MIBn) (กองพันข่าวกรองทางทหาร), which appears to be a division of the Army Military Intelligence Command (หน่วยข่าวกรองทางทหาร), Thailand’s main military intelligence agency. 
The third system, Toyota Dragon, is identified by its Check Point firewalls as “Thailand NSB”, which we believe is a reference to the Narcotics Suppression Bureau.\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n | Royal Thai Army Military Intelligence Battalion (MIBn) | 2019/3/19 – Present | 110.164.191.212 – 214; 122.154.71.180 – 182\r\nToyota Regency | Royal Thai Army Internal Security Operations Command (ISOC) | 2016/7/12 – Present | 110.164.72.2 – 4\r\nToyota Dragon | Royal Thai Police Narcotics Suppression Bureau (NSB) | 2015/9/12 – Present | 203.149.46.164 – 166\r\nTable 7\r\nSurveillance Abuses in Thailand\r\nThailand has a history of leveraging a wide range of surveillance technologies to monitor and harass civil society. Previous Citizen Lab research also identified a Pegasus spyware operator active within Thailand.\r\nThe ISOC has been accused of torturing and waterboarding activists, and suing activists who allege torture at the hands of the military. Recently, disturbing reports have emerged of abductions of Thai dissidents who live outside of Thailand. In one case, three Thai dissidents living in Laos who criticized Thailand’s military disappeared, and their bodies were later discovered by a Thai fisherman. Their bodies were “disemboweled and stuffed with concrete posts” and their limbs broken. While these abductions and killings have not been conclusively attributed to the Royal Thai Army, the disappearances are reported to have happened while the leader of Thailand’s former military junta Prayut Chan-o-cha (ประยุทธ์ จันทร์โอชา) was visiting Laos. 
Chan-o-cha is the current Prime Minister of Thailand, as well as the director of ISOC.\r\nUnited Arab Emirates\r\nOur scanning identified what appear to be three active clients in the UAE: the UAE Supreme Council on National Security (SCNS) (المجلس الأعلى للأمن الوطني), the Dubai Government [4], and a client that may be linked to both Sheikh Tahnoon bin Zayed al-Nahyan’s Royal Group and former Fatah strongman Mohammed Dahlan.\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n | Royal Group | 2019/8/27 – Present | 94.206.102.68 – 70\r\nAston Andromeda | UAE Supreme Council of National Security | 2016/4/4 – Present | 213.42.167.106 – 108; 91.72.225.2 – 4\r\nDutton Dolche | Dubai Government | 2016/12/5 – Present | 151.253.54.210 – 212; 91.75.44.84 – 86\r\nTable 8\r\nRoyal Group\r\nWe found an unnamed UAE Circles system whose Check Point firewalls were in the same /25 as websites for Royal Group companies including Mauqah Technology, which famously acquired and operated Hacking Team’s RCS spyware and, in 2012, used the system to target (among others) UAE activist Ahmed Mansoor. The command and control (C\u0026C) server for that spyware briefly pointed to an IP address registered to Sheikh Tahnoon bin Zayed Al-Nahyan, the chairman of Royal Group and now the UAE’s National Security Advisor. Sheikh Tahnoon was also closely linked to ToTok, a popular chat app that was banned from the Apple and Google Play stores after the New York Times reported it was linked to UAE intelligence.\r\nA leaked 2014 invoice indicates a deal between Circles and Al Thuraya Consultancy and Researches LLC, which appears to be linked to Royal Group. 
Records obtained by Lebanese newspaper Al Akhbar from the Abu Dhabi Chamber of Commerce and records on companies.rafeeg.ae show that Al Thuraya shares a PO Box number (“PO Box 5151, Abu Dhabi”) and fax number (“8111112”) with Royal Group. Additionally, Al Thuraya’s commercial license shows “Dhahi Mohammed Hamad Al-Thumairi” as one of the company’s two partners. Al-Thumairi trained in jiu-jitsu with Sheikh Tahnoon’s adopted son Faisal Alketbi, received jiu-jitsu encouragement from Sheikh Tahnoon himself, and named his first son “Tahnoon.” Another of Sheikh Tahnoon’s jiu-jitsu mentees showed up in the ToTok case as the sole director of Breej Holding, the company listed as the app’s iOS developer.\r\nAl Thuraya has been reported to be the consultancy of Mohammed Dahlan, the former head of the Palestinian Preventive Security (الأمن الوقائي), and a former member of Fatah’s Central Committee. Dahlan was ejected from Fatah in June 2011, and subsequently fled to the UAE. Indeed, the leaked 2014 invoice shows Al Thuraya’s address as “POB 128827, Abu Dhabi, United Arab Emirates,” which is listed in WHOIS records for Dahlan’s dahlan.ps website from September 2013, and was used by Dahlan in June 2017 when he unsuccessfully sued London-based online newspaper Middle East Eye for libel. Dahlan reportedly ran an assassination program for the UAE in Yemen that targeted and killed opposition politicians. Dahlan was also reportedly involved in the recent deal that normalized relations between the UAE and Israel.\r\nUAE Supreme Council of National Security\r\nIn a leaked 2015 exchange, a UAE Supreme Council of National Security (SCNS) official, Ahmed Ali Al-Habsi, asked Circles to intercept calls for certain phone numbers, apparently as part of a product demonstration. 
We found a Circles system named Aston Andromeda whose firewall IPs were registered to the same SCNS official per public WHOIS data.\r\nThe leaked documents also detail a 2016 Circles sale to the UAE National Electronic Security Authority (NESA) (الهيئة الوطنية للأمن الإلكتروني) through DarkMatter. While NESA is a subsidiary of the SCNS per UAE law, we are not sure whether the SCNS demo and DarkMatter/NESA deals are related. After Reuters’ reporting on the NESA’s Project Raven hacking campaign, the NESA was split up into several agencies, including the Signals Intelligence Agency (جهاز استخبارات الإشارة).\r\nSurveillance Abuses in the UAE\r\nThe UAE government is a documented serial abuser of surveillance technologies to suppress dissent and persecute critical voices. Some prominent activists, like Ahmed Mansoor, an Emirati prisoner of conscience who has been imprisoned by the UAE since 2017, have been surveilled using technology from Hacking Team, Gamma Group’s FinFisher, technology developed by Project Raven, and NSO Group’s Pegasus spyware.\r\nThe UAE’s use of former U.S. National Security Agency employees to target the devices of dissidents, journalists, and political opponents is also well documented, as is the apparent use of this targeting to unmask and jail bloggers and others critical of the government. 
In some cases, the targets included Americans.\r\nZambia\r\nWe identified what appears to be a single Circles system in Zambia, operated by an unknown agency.\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n | | 2018/1/30 – 2018/2/6 | 165.56.2.13\r\nTable 9\r\nSurveillance Misuse in Zambia\r\nIn 2019, Zambia reportedly arrested a group of bloggers who ran an opposition news site with the aid of “a cyber-surveillance unit in the offices of Zambia’s telecommunications regulator,” which “pinpointed the bloggers’ locations” and was “in constant contact with police units deployed to arrest them.” While Circles’ solution allows governments to track phones, it is not clear if Zambia’s Circles system was used in this case.\r\nDiscussion\r\nCircles is part of a large and growing global surveillance industry catering to government clients. Many of the government clients who appear to have acquired and/or deployed Circles technology have a dismal record of abuses of human rights and technical surveillance capabilities. Many lack public transparency and accountability, and have minimal or no independent oversight over the activities of their security agencies.\r\nCircles: Another Industry Player Fueling the Proliferation of Unaccountable Surveillance\r\nIt is difficult to investigate and track surveillance companies like Circles that exploit flaws in the SS7 protocol. Many SS7 attacks require no engagement with targets themselves, and leave no visible artefacts on targets’ devices that may inadvertently reveal an operation. The lack of transparency from telecommunications providers about abuses also helps surveillance companies, and their customers, evade exposure, further increasing the likelihood of misuse.\r\nThe authoritarian profile of some of Circles’ apparent government clients is troubling, but not surprising. 
Over the\r\npast decade, the explosion of the global surveillance industry has fueled a massive transfer of spy technology to\r\nproblematic regimes and security services. These customers have leveraged their newly-acquired capabilities to\r\nabuse human rights and neutralize political opposition, even beyond their borders. Circles is an especially\r\nconcerning case because of their close relationship and reported integration with NSO Group, which has a\r\nnotorious record of enabling surveillance abuses.\r\nThe Expanding, Unregulated Surveillance Industry\r\nResearch by the Citizen Lab and others, including Amnesty International and Privacy International, has\r\ndemonstrated that the surveillance industry is poorly regulated and its products are prone to abuse. The “self-regulation” that companies claim to practice does not seem to have stemmed the growing tide of abuse cases. In a\r\n2019 report on the surveillance industry, the U.N. Special Rapporteur on the promotion and protection of the right\r\nto freedom of opinion and expression called for “an immediate moratorium on the global sale and transfer of\r\nprivate surveillance technology until rigorous human rights safeguards are put in place to regulate such practices\r\nand guarantee that governments and non-State actors use the tools in legitimate ways.”\r\nAs the surveillance industry continues to grow relatively unimpeded, spaces for legitimate democratic activity will\r\ncontinue to shrink. Governments’ ability to protect their citizens, as well as their own essential services and\r\nnational security, will also continue to erode. 
Fixing this problem will require a direct focus on reforming the\r\nsurveillance industry, including, among other steps:\r\n- The enactment of more robust domestic, regional, and international legal frameworks—equipped with\r\nmeaningful transparency, enforcement, and oversight mechanisms—to control the export and import of\r\nsurveillance technology;\r\n- Mandatory due diligence obligations on surveillance companies and enforcement mechanisms with tough\r\npenalties for breaches of such obligations; and,\r\n- Legislative amendments to fix any legal and regulatory gaps such that parties harmed by surveillance\r\ntechnology can bring claims against companies for these harms.\r\nIn addition to these broader measures focused on the surveillance industry, we believe that the vulnerabilities\r\ninherent in the global telecommunications system require urgent action by governments and telecommunications\r\nproviders. The global telecommunications sector provides significant opportunity for abuse by the surveillance\r\nindustry and its customers in light of the continued failure of telecommunications operators and states to prevent\r\nsuch exploitation. In the discussion below, we set out clear actions that legislators and wireless operators must\r\ntake to prevent continued exploitation and abuse.\r\nSounding the Alarm: A Clear and Present Threat to National Security\r\nAccording to a recent study, the vast majority of telecommunications networks around the globe are vulnerable to\r\nthe kind of techniques reportedly used by Circles. As has been widely reported, the industry has sought to\r\ndownplay and conceal these risks. It is no surprise that reporting indicates that SS7 has been abused by countries\r\nlike Saudi Arabia to target individuals around the world, including in the U.S.\r\nA recent survey of E.U. 
wireless security by the European Union Agency for Cybersecurity (ENISA) concluded\r\nthat a majority of operators had security measures that could “only cover basic attacks.” Troublingly, reporting of\r\nthe scale of these threats remains difficult to achieve, as SS7 abuse is not within current reporting obligations for\r\nthe European telecommunications sector.\r\nIn addition, it is known within the industry that some countries fail to meet basic obligations of due diligence and\r\noversight with respect to their networks, enabling foreign entities access to SS7 and Diameter for the purposes of\r\nconducting global surveillance.\r\nWe believe that the historically limited public information about abuses has enabled the telecommunications\r\nindustry to further minimize the problem. There is no public reporting from most telecommunications companies\r\nabout the scale of the threats to users, the number of attacks identified and blocked, or a roadmap for addressing\r\nthese threats in the future. This state of affairs will result in predictable, preventable harm to customers across the\r\nglobe.\r\nRisks in the U.S.\r\nIn April 2017, the U.S. Department of Homeland Security (DHS) conducted a major study that concluded: “all\r\nU.S. carriers are vulnerable to these exploits, resulting in risks to national security, the economy, and the Federal\r\nGovernment’s ability to reliably execute national essential functions.” According to the DHS report, “SS7 and\r\nDiameter vulnerabilities can be exploited by criminals, terrorists, and nation-state actors/foreign intelligence\r\norganizations” and “many organizations appear to be sharing or selling expertise and services” that could be used\r\nto conduct such espionage.\r\nIn response to a 2017 letter by Senator Ron Wyden requesting information about what steps U.S. 
carriers were\r\ntaking to secure their networks, AT\u0026T acknowledged that “hundreds of carriers now have access to SS7, many of\r\nthem in unstable or unfriendly nations where credentials can be compromised…even sold on the open market for a\r\nfee.” The company went on to acknowledge that “the trust model is no longer fully reliable.”\r\nIn a 2018 letter to the Federal Communications Commission (FCC), Senator Wyden revealed that an unnamed\r\nU.S. carrier had suffered an SS7-related breach of customer information, which it reported to federal authorities.\r\nSubsequent investigative reporting revealed that the FCC had ignored expert recommendations by the DHS and\r\ninstead espoused a voluntary compliance program at the urging of the wireless industry. Additionally, the reporting\r\nfound that, although SMS messages are vulnerable to SS7 interception, the wireless industry successfully lobbied\r\nthe National Institute of Standards and Technology (NIST) to keep SMS text messages as an approved method of\r\ntwo-factor authentication in U.S. government standards.\r\nThe troubling inability of the U.S. government and telecommunications sector to address SS7 vulnerabilities is\r\nmirrored in many countries around the world.\r\nRisks in Canada\r\nIn 2017, a joint investigation undertaken by CBC News and Radio Canada, in cooperation with German security\r\nresearchers, demonstrated an SS7 attack against a sitting member of parliament, Matthew Dubé. With only a\r\ntelephone number, the investigators were able to use SS7 vulnerabilities to track Dubé’s precise movements and\r\nintercept his calls. 
The tests were conducted over both the Rogers and Bell networks.\r\nIn its 2018 annual report, Canada’s Privacy Commissioner noted the investigation, flagged SS7 security\r\nweaknesses, and called on the Canadian government and industry to work together to resolve them. In response,\r\nCanada’s signals intelligence agency, the Communications Security Establishment (CSE), said that “the security\r\nissues surrounding SS7, have been known for some time” and that it had been working with industry partners to\r\nresolve them. However, CSE also asserted that it “is unable to discuss further details of meetings with industry\r\npartners, and we cannot disclose the participation of individual, private telecommunications partners.”\r\nFor guidance, the CSE suggested the public visit a “mobile security” information page, now available on the\r\nnewly established Canada Centre for Cyber Security website in a section on “infographics.” However, the website\r\nand accompanying infographic do not mention SS7 explicitly and provide only basic advice on mobile security\r\npractices.\r\nLegislators: Do This Now\r\nGovernments across the globe should take action to protect their citizens and their own operations.\r\nTelecommunications regulatory bodies should conduct regular audits of national networks and mandate carriers to\r\nidentify, disclose, and address vulnerabilities.\r\nThe U.K. government has shown promising leadership in addressing carrier security, with recently proposed\r\nlegislation that requires carriers to secure their networks and gives Ofcom (the U.K. telecommunications\r\nregulator) the authority to ensure compliance. 
The newly proposed powers granted to Ofcom include the ability to\r\nconduct audits and to compel the production of records and other information related to a carrier’s security efforts.\r\nThe proposed law would also, for the first time, require carriers to disclose compromises to their customers and\r\nprovide for fines in some cases.\r\nThe European Union has also taken note of telecommunication network vulnerabilities and made recent\r\nrecommendations that encourage EU nations to conduct regular analyses of the threat landscape, adopt minimum\r\nsecurity standards, and require incident reporting. We also note that Nordic regulators have undertaken efforts to\r\nestablish best practices for protecting their infrastructure from SS7 attacks.\r\nIn contrast, the U.S. FCC has shown no will to compel carriers to report incidents or undertake serious security\r\nimprovements. Given the rapid proliferation of SS7 and Diameter exploitation technologies both to states and\r\nnon-state actors, it seems likely that without urgent action, U.S. consumers and government operations will be\r\ntargeted by an increasingly wide range of potential threats.\r\nWireless Carriers: Do This Now\r\nWe urgently recommend that telecommunication companies examine SS7 and Diameter traffic originating from\r\nproviders in countries where we have identified a Circles deployment for patterns of abuse. The SS7 and Diameter\r\nexploitation marketplace, as well as the wireless threat landscape, are constantly evolving. The recommendations\r\nprovided by the DHS are highly relevant: every major wireless carrier should receive an independent SS7 and\r\nDiameter audit every 12-18 months, and should address any identified vulnerabilities. ENISA also provides a\r\nrange of security recommendations for carriers.\r\nWe are aware that some providers, such as a number of U.S. 
companies, are experimenting with SS7 firewalls,\r\nwhich show promise in reducing some types of attacks. We urge providers to publicly disclose their roadmaps for\r\naddressing SS7 and Diameter vulnerabilities, and believe that information about SS7 threats should be included in\r\ntelco companies’ transparency reporting going forward.\r\nSounding the Alarm: Recommendations for High Risk Users\r\nWhether you are a journalist, human rights defender, or government employee, telecommunication network\r\nvulnerabilities may make it possible for adversaries to intercept your verification SMSes and compromise your\r\naccounts. If you believe you face threats because of who you are or what you do from any of the countries\r\nmentioned in this report, or even a country not listed above, we urge you to migrate away from SMS-based two-factor\r\nauthentication immediately for all accounts where it is possible. Directions on how to use a security key for\r\nsome of your accounts are here.\r\nIn addition, for accounts on popular apps such as Signal, WhatsApp and Telegram, we urge you to immediately\r\nenable a security PIN or password for your account.\r\nDirections for Signal\r\nDirections for WhatsApp\r\nDirections for Telegram\r\nAcknowledgements\r\nThanks to Rapid7 and Censys for providing research access to their data feeds.\r\nBill Marczak’s work on this report was supported, in part, by the International Computer Science Institute and the\r\nCenter for Long-Term Cyber Security at the University of California, Berkeley.\r\nThe authors would like to thank Jeffrey Knockel for peer review and Stephanie Tran for research assistance.\r\nSpecial thanks to several other reviewers who wish to remain anonymous as well as TNG.\r\nFinancial support for this research has been provided by the John D. and Catherine T. 
MacArthur Foundation, the\r\nFord Foundation, the Hewlett Foundation, Open Societies Foundation, the Oak Foundation, and Sigrid Rausing\r\nTrust.\r\nAppendix A: Circles Deployments, Continued\r\nAustralia\r\nWe identified a single Circles system in Australia. We cannot verify the identity of the operator. The system’s\r\nCheck Point firewall was also reachable through an IP address in a Malaysian datacenter (EstNOC Malaysia),\r\nwhich appears to be forwarding traffic onwards to the Australian IPs. The Australian IPs, on Optus and TPG,\r\ngeolocate to Australia’s capital Canberra, per MaxMind.\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n(unnamed) | | 2018/10/30 – Present | 220.101.113.194 – 196, 27.33.222.130 – 132, 220.245.33.62, 103.230.142.4\r\ntable 10\r\nBelgium\r\nClient Name | Possible Identity | Dates Active | Firewall IPs\r\nBMW Bagel | | 2017/2/25 – Present | 81.246.73.98 – 100, 84.199.16.226 – 228\r\ntable 11\r\nDenmark\r\nWe identified a single client in Denmark, Dodge Diamondback, which appears to be the Danish Army Command\r\n(Hærkommandoen). The firewall IPs for the system are in a range of IP addresses named “BSC-HOK-NET,” and\r\nWHOIS data shows an associated phone number (+45 9710 1550) that a Google search reveals is linked with the\r\nDanish Army. 
We believe that “HOK” is a reference to the Danish “Army Operational Command,” which was\r\nrestructured in 2014 and is now apparently known as the Danish “Army Command.”\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\nDodge Diamondback | Army Command (Hærkommandoen) | 2015/6/1 – 2020/4/30 | 80.63.69.243 – 245\r\ntable 12\r\nEcuador\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\nExcalibur Cosmos | | 2015/6/1 – 2019/9/17 | 181.113.61.242 – 244\r\n(unnamed) | | 2015/6/1 – 2017/2/13 | 181.211.37.50 – 52, 181.39.50.66 – 68\r\ntable 13\r\nEl Salvador\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\nEvoque Lempa | | 2017/2/13 – Present | 201.247.172.155 – 157\r\ntable 14\r\nEstonia\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n(unnamed) | | 2018/10/30 – Present | 193.40.226.194 – 196, 193.40.226.66 – 68\r\ntable 15\r\nEquatorial Guinea\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n(unnamed) | | 2013/10/30 – Present | 193.251.153.1 – 3\r\ntable 16\r\nHonduras\r\nWe identified two Circles systems in Honduras. 
One unnamed system appears to have been operated by the\r\nNational Directorate of Investigation and Intelligence (DNII), as public WHOIS information records that the\r\nfirewall IPs are registered to “DNII.”\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n(unnamed) | National Directorate of Investigation and Intelligence (DNII) | 2017/6/29 – Present | 181.210.19.211 – 213\r\nHonda Thor | | 2016/7/12 – Present | 190.4.27.122 – 124\r\nHonda Honduras | | | (Circles IPs)\r\ntable 17\r\nIndonesia\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n(unnamed) | | 2018/9/11 – Present | 203.142.69.82 – 84\r\n(unnamed) | | 2018/9/4 – Present | 117.102.125.50 – 52\r\ntable 18\r\nIsrael\r\nWe identified a single system in Israel. However, this system was not labeled as a “client” system, and was instead\r\nlabeled as a “telco” system. Additionally, the name “Lexus” does not have the first letter “I” for Israel, which is\r\ninconsistent with other client naming schemes.\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\nTelco Lexus Canola | | | 82.166.142.26 – 28\r\ntable 19\r\nKenya\r\nWe identified a single system in Kenya. Though MaxMind geolocates the IP addresses to Mauritius, a traceroute\r\nindicates that the IP addresses are in Kenya. The name “Kali” appears inconsistent with other client naming\r\nschemes, as we are not aware of any automotive brand named “Kali.”\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\nTelco Kali Rainbow | | | 41.72.215.226 – 228\r\ntable 20\r\nMalaysia\r\nWe identified one Circles system in Malaysia, named Pixcell Mazda Farmer. We cannot verify the identity of the\r\noperator. 
We believe Pixcell is a reference to a Circles device, whose description in United States Federal\r\nCommunications Commission (FCC) and United States Patent and Trademark Office (USPTO) documents\r\nsuggests it is a portable IMSI catcher. While the Pixcell model that underwent the FCC approval process\r\napparently starting in October 2016 has WCDMA (3G) support, a January 2017 photograph of the Pixcell model\r\nsubmitted to the USPTO appears to indicate that WCDMA support was removed, and support for LTE (4G) was\r\nadded, based on the absence of a “WCDMA” status light, and an “LTE” status light in its place.\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\nPixcell Mazda Farmer | | 2016/9/25 – 2018/4/17 | 60.54.119.242 – 244\r\nMazda Sky | | | (Circles IPs)\r\ntable 21\r\nMexico\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n(unnamed) | | 2018/10/16 – Present | 189.240.115.18 – 20\r\nMercedes Panda | | 2015/6/1 – Present | 187.217.170.233 – 235, 189.240.245.141, 189.240.254.193 – 195, 189.240.254.202 – 204, 189.240.254.209 – 211, 189.240.254.217 – 219, 201.147.171.225 – 227, 201.147.171.233 – 235\r\nMercedes Koala | | 2015/9/12 – 2017/10/24 | 187.174.194.23 – 28\r\nMercedes Dathomir | | | (Circles IPs)\r\nMercedes Sirius | | 2015/9/12 – 2016/8/6 | 201.157.58.162 – 164\r\nMercedes Camelot | | 2015/6/1 – 2019/10/1 | 187.217.188.220 – 222, 187.217.80.162 – 164\r\nMercedes Ventura | SEMAR (Mexican Navy) | 2015/6/1 – 2017/8/15 | 187.217.108.81 – 83, 201.116.62.192 – 194\r\nMercedes Nightingale | | | (Circles IPs)\r\ncheckpoint-a | State of Durango | 2015/6/1 – 2020/4/30 | 187.141.19.195, 201.139.227.74, 201.148.31.122\r\ncp.slp.mx | | 2015/6/1 – 2017/12/5 | 187.141.246.178\r\ntable 22\r\nPeru\r\nWe identified a single Circles system in Peru, which appears to be operated by Peru’s National Intelligence\r\nDirectorate (DINI), as some of its firewall IPs were in a /27 registered to “DIRECCION NACIONAL DE\r\nINTELIGENCIA – DINI” per public Whois data. The system is named Porsche Pisco. Interestingly, DINI was\r\nreported to have a surveillance project called “Pisco” that was under development in 2015. The Associated Press\r\nreported in 2016 that one of Project Pisco’s contracts was with Israeli interception company Verint.\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\nPorsche Pisco | National Intelligence Directorate (DINI) | 2015/6/8 – 2018/2/13 | 168.121.46.82 – 83, 181.177.233.20 – 22\r\ntable 23\r\nSerbia\r\nWe identified a single Circles system in Serbia, which appears to be operated by Serbia’s Security Information\r\nAgency (BIA), which was also a customer of FinFisher.\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\nShkoda Sambu | Security Information Agency (BIA) | 2015/6/1 – 2015/7/6 | 195.178.51.242 – 243, 195.178.51.252\r\ntable 24\r\nVietnam\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\nVolvo Halogen | | 2015/10/12 – Present | 113.161.106.74 – 76\r\ntable 25\r\nZimbabwe\r\nClient Name | Possible Identity | Seen in Scan | Firewall IPs\r\n(unnamed) | | 2013/11/4 – 2014/1/6 | 196.27.103.36 – 38\r\nZagato Zeus | | 2015/9/12 – 2017/9/19 | 197.155.229.194 – 196\r\nZimbabwe Telcel | | 2018/3/27 – Present | 41.79.56.33 – 34\r\ntable 26\r\nUnknown Countries\r\nWe found names for several other Circles systems appearing in IP ranges registered to Circles. 
Because these\r\nnames were never recorded in IP ranges that might belong to Circles customers, we are unsure of their identity.\r\nThe names were: GTR Whitehippo, Icarus Shemer, Kodik Kite, and Opel Oranit.\r\nSource: https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/"
	],
	"report_names": [
		"running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3f42c8f4-2cf1-4555-abff-b19852033aec",
			"created_at": "2023-11-08T02:00:07.099084Z",
			"updated_at": "2026-04-10T02:00:03.41336Z",
			"deleted_at": null,
			"main_name": "TA499",
			"aliases": [
				"Vovan",
				"Lexus"
			],
			"source_name": "MISPGALAXY:TA499",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434392,
	"ts_updated_at": 1775791751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/084c32ab4dc9b73916613628dd407c037c7c968f.pdf",
		"text": "https://archive.orkl.eu/084c32ab4dc9b73916613628dd407c037c7c968f.txt",
		"img": "https://archive.orkl.eu/084c32ab4dc9b73916613628dd407c037c7c968f.jpg"
	}
}