(Bloomberg) -- The co-founder of a company that has been trusted by technology giants including Google and Twitter to deliver sensitive passwords to millions of their customers also operated a service that ultimately helped governments secretly surveil and track mobile phones, according to former employees and clients.
Since it started in 2013, Mitto AG has established itself as a provider of automated text messages for such things as sales promotions, appointment reminders and security codes needed to log in to online accounts, telling customers that text messages are more likely to be read and engaged with than emails as part of their marketing efforts.
Mitto, a closely held company with headquarters in Zug, Switzerland, has grown its business by establishing relationships with telecom operators in more than 100 countries. It has brokered deals that gave it the ability to deliver text messages to billions of phones in most corners of the world, including countries that are otherwise difficult for Western companies to penetrate, such as Iran and Afghanistan. Mitto has attracted major technology giants as customers, including Google, Twitter, WhatsApp, Microsoft’s LinkedIn and messaging app Telegram, in addition to China’s TikTok, Tencent and Alibaba, according to Mitto documents and former employees.
But a Bloomberg News investigation, carried out in collaboration with the London-based Bureau of Investigative Journalism, indicates that the company’s co-founder and chief operating officer, Ilja Gorelik, was also providing another service: selling access to Mitto’s networks to secretly locate people via their mobile phones.
That Mitto’s networks were also being used for surveillance work wasn’t shared with the company’s technology clients or the mobile operators Mitto works with to spread its text messages and other communications, according to four former Mitto employees. The existence of the alternate service was known only to a small number of people within the company, these people said. Gorelik sold the service to surveillance-technology companies which in turn contracted with government agencies, according to the employees.
Responding to Bloomberg’s questions, Mitto issued a statement saying that the company had no involvement in a surveillance business and had launched an internal investigation “to determine if our technology and business has been compromised.” Mitto would “take corrective action if necessary,” according to Mitto.
“We are shocked by the assertions against Ilja Gorelik and our company,” according to the company. “To be clear, Mitto does not, has not, and will not organize and operate a separate business, division or entity that provides surveillance companies access to telecom infrastructure to secretly locate people via their mobile phones, or other illegal acts. Mitto also does not condone, support and enable the exploitation of telecom networks with whom the company partners with to deliver service to its global customers.”
Gorelik didn’t respond to requests for comment. A Mitto representative declined to comment on Gorelik’s current role with the company.
Two former employees of a company that provides intelligence-gathering technology to government organizations and law enforcement said staff at the company had worked with Gorelik to install custom software at Mitto that their company’s customers could use to track the locations of mobile phones and, in some cases, obtain call logs for specific people. During the time the former employees say they engaged in the work, there was virtually no oversight of alleged surveillance carried out using Mitto’s systems, creating potential opportunities for misuse, they said.
In at least one instance, a phone number associated with a senior U.S. State Department official was targeted in 2019 for surveillance through the use of Mitto’s systems, according to a cybersecurity analyst familiar with the incident and documents reviewed by Bloomberg News. The analyst requested anonymity because of a confidentiality agreement. It’s not clear who was behind efforts to target the official, who wasn’t identified by the documents or the analyst.
Marietje Schaake, international policy director at Stanford University’s Cyber Policy Center, said the revelations were “troubling” and highlighted a “huge problem.”
“The biggest technology companies that provide critical services are blindly trusting players in this ecosystem who cannot be trusted,” said Schaake, after being told about Bloomberg’s and the Bureau’s reporting. “It’s dangerous for human rights. It’s dangerous for trust in an information society. And it’s dangerous for trust in companies.”
U.S. Senator Ron Wyden, a Democrat from Oregon and a member of the Senate intelligence committee, said in a statement to Bloomberg News that he had previously raised the alarm about security vulnerabilities in U.S. phone networks, which he feared could be exploited to spy on government officials. “I’m very concerned that the federal government has done nothing to protect federal employees from this sophisticated surveillance threat,” Wyden said.
Mitto’s partner networks have included Vodafone, Telefonica, MTN and Deutsche Telekom, according to company documents reviewed by Bloomberg. Vodafone said that its enterprise division has worked with Mitto in two countries to provide text-messaging services. A Telefonica representative said he wasn’t immediately able to confirm whether the company had a relationship with Mitto but said he was looking into the matter. MTN and Deutsche Telekom didn’t respond to requests for comment.
There’s no indication that the surveillance operation compromised any data of the tech companies that rely on Mitto to send messages. Representatives from Twitter and WhatsApp declined to comment. A spokesperson for LinkedIn, which Mitto has featured on a list of apparent clients on its website, said the company doesn't work with Mitto and declined to say whether it has in the past. Alibaba said it couldn’t immediately confirm any relationship with Mitto. Representatives from Google, Telegram, TikTok and Tencent didn't respond to requests for comment.
The investigation by Bloomberg News and the Bureau of Investigative Journalism is based on interviews with more than two dozen people, including former Mitto employees, surveillance industry insiders and cybersecurity professionals, as well as emails and documents describing the surveillance work. Nearly all of the former employees requested anonymity because they had signed confidentiality agreements or feared professional and personal retribution. Of the former employees interviewed for this story, only a handful said they knew specific details about the surveillance work.
The revelations offer another example of how governments and private contractors have allegedly exploited security weaknesses in global telecommunication systems to spy on people. There’s been a boom in technology tools that let governments hack, track and otherwise monitor people’s phones and communications, and the market for mobile phone surveillance technology has been valued as high as $12 billion. But despite the sector’s size, companies offering the tools often operate beyond public scrutiny and are subject to little regulation.
Many of the surveillance companies, such as Israel’s NSO Group, and their government clients say the technology is used to catch criminals and terrorists. But in recent years there have been numerous instances in which governments have used surveillance technology to spy on dissidents, journalists or others, according to reports by media organizations and digital rights groups.
“The private sector surveillance industry is growing fast, but it’s operating in the dark, without any accountability or transparency, and there have been real human rights implications because of that,” said Jonathon Penney, a research fellow at Citizen Lab, a research group at the University of Toronto that has repeatedly exposed alleged misuse of surveillance technology.
Mitto was co-founded in 2013 by Gorelik and Andrea Giacomini, European entrepreneurs who were bound by their interest in telecommunications. While Mitto’s headquarters are in Switzerland, most of its roughly 250 employees have been based in Germany and more recently, Serbia, according to former employees.
Gorelik began his career as an IT specialist working for IBM, before becoming a technology entrepreneur and investor, helping to create a dating app named Lovoo, according to business records.
At Mitto, he assisted in building the company’s technical infrastructure. Aspects of his behavior and management style raised concerns, according to former employees, who allege he sent emails under a pseudonym and installed spyware on their computers.
Mitto leased hundreds of “global titles” from telecom companies — unique addresses that are used to route messages, giving the Swiss company the ability to send text messages in bulk to people internationally.
In Mitto’s early days, the company’s primary business was providing marketing and advertising services. Businesses would pay Mitto to send out millions of text messages promoting products or events, according to former Mitto employees. The company also specialized in delivering security codes for its customers, sending out by text message one-time passwords and two-factor authentication codes that enable people to verify their identity when logging into or creating accounts on websites, according to former employees.
By 2017, Mitto had set up direct connections to mobile phone networks in more than 100 countries, and established partnerships with leading telecommunications companies.
Between 2017 and 2018, Gorelik started giving surveillance-technology companies access to Mitto’s networks, which were then used to locate and track people via their mobile phones, according to four former employees.
Signaling System 7
The alleged venture involved exploiting weaknesses in a telecom protocol known as SS7, or Signaling System 7, a sort of switchboard for the global telecoms industry. First developed in the 1970s, SS7 contains numerous known vulnerabilities that governments and private surveillance companies have in the past targeted to spy on phones.
A U.S. Department of Homeland Security report in 2017 noted that security holes in SS7 made it possible for an adversary to determine the physical location of mobile devices and intercept or redirect text messages and voice conversations.
While there are newer telecom protocols available, mobile network operators continue to use SS7-based technologies despite security concerns, in part because it is costly and complex to replace, according to Tobias Engel, a researcher who specializes in mobile phone network security. Mobile phone network operators can use firewalls to identify and block surveillance attempts that exploit SS7 security weaknesses, but those systems need to be regularly updated and tested to be effective, he said.
Mitto’s deals with telecommunications companies, according to former employees, provided the company with SS7 access, which Mitto could use to route text messages in bulk across the world’s mobile networks.
But in that process, “there’s a lack of audit and a lack of accountability” that opens up the possibility for SS7 access to be exploited for surveillance purposes, according to Pat Walshe, a privacy expert with more than two decades of experience in the telecommunications industry.
The four former Mitto employees familiar with Gorelik’s alleged activities said he provided surveillance services to multiple companies. Gorelik also told some colleagues that he had connections to a national spy agency in the Middle East and was helping that country’s defense ministry track people’s locations, according to the former employees. Bloomberg isn’t naming the country at the behest of a Mitto representative, who said it could endanger its employees.
Four former employees of Cyprus-based firm TRG Research and Development said Mitto’s network was used by their company to provide surveillance services to customers from 2019 to 2021. The employees requested anonymity due to confidentiality agreements.
‘Data Fusion Engines’
TRG provides a software platform to governments and law enforcement agencies, called Intellectus, that uses third-party applications to provide information requested by government agencies. TRG on its website says its mission is to “help our customers in the fight against crime and terror,” providing them with “conclusions based on our data collection and data fusion engines.”
Two of the former TRG employees said staff at the company had worked directly with Gorelik, using Mitto’s access to global mobile phone networks to obtain location data on targeted mobile phones and, in some cases, call logs showing who particular people were contacting and when. The other two former employees said they knew TRG had utilized Mitto’s network but didn’t confirm whether Gorelik had any personal involvement.
A TRG spokesperson denied the allegations and said the company has never had a “commercial relationship” with Mitto and hasn’t worked with Gorelik. “If anyone within TRG or Mitto has had such relationships, it is a personal relationship and is not related to TRG,” the spokesperson said. A Mitto representative declined to comment on the company’s alleged relationship with TRG.
Intellectus is operated solely by customers, the spokesperson said.
Government customers sign an end-user statement verifying the technology is used in according with their national laws and verifying there is no abuse of the system, the TRG spokesperson said. “TRG has an internal legal & compliance department which conducts thorough due-diligence checks for each and every end user,” the spokesperson said. “Automated algorithms in Intellectus may detect any misuse in regards to usage of the system, which subsequently block access of the respective user(s).”
Recent publicly posted job advertisements for roles at TRG have sought people with expertise in telecommunications signaling protocols such as SS7, as well as knowledge of “lawful interception,” an industry term understood to mean surveillance of communications. Images on TRG’s website show the Intellectus system can be used to track people’s locations, monitor their call and text-message records and identify their connections on Facebook.
The TRG spokesperson said the company doesn’t have spying or signaling abilities. “The personnel we hire are part of the TRG roadmap for providing the fusion solution to fight crime and terror,” the spokesperson said. “Such a solution requires many different vertical know-how in order to be a market leader.”
The four former TRG employees said that their work with Mitto’s network was carried out by them in their capacity as TRG employees and that the some of the company’s senior executives knew about it.
Gorelik had personally installed custom TRG software within Mitto’s computer networks, two of the former TRG employees alleged. They said that TRG’s software had established what’s called a “signaling connection” between Mitto and specific mobile network operators. Such connections are intended to be used for legitimate purposes including routing calls or messages to phones.
However, TRG’s software could be used to spy on targeted phones for government customers, according to the four former TRG employees. TRG’s software could send requests to mobile phone networks that could trick them into sending back a trove of data, according to the former TRG employees.
The full roster of customers for the surveillance business isn’t known, and Bloomberg wasn’t able to verify several companies that were identified by the former Mitto employees and several people working in the surveillance industry as purchasing the service.
Other surveillance firms have allegedly sold capabilities that exploit vulnerabilities in SS7 protocols to government customers, including the Israeli firm Rayzone and Bulgaria-based Circles, according to previous reports from the Bureau of Investigative Journalism and Citizen Lab.
Gorelik’s association with the surveillance industry was a closely guarded secret within Mitto, according to former employees. But one cybersecurity professional working in the telecommunications industry had suspicions.
One particular incident stood out from November 2019. A sudden flurry of signaling messages, which are commonly used to request location information about a particular phone, were targeted at the senior U.S. State Department official, according to records of telecommunication network activity seen by Bloomberg and a cybersecurity analyst who reviewed them. The analyst spoke on condition of anonymity due to a confidentiality agreement.
At least 50 of the signaling messages were sent to a U.S. phone network used by the official at a rate of one or more every second, seeking information about the person’s mobile phone and its location, the records show. The signaling messages were traced back to 15 different countries, where they had been sent through a series of unique addresses — or global titles — that were all leased by Mitto, according to the records.
On another occasion, in July 2020, Mitto’s network was linked to attempted surveillance of a person located in South East Asia, whose identity also wasn’t provided, according to the analyst. Global titles used by the company in Russia, Zambia, Madagascar and Denmark sent out a coordinated burst of signaling messages targeting the person’s phone, the records show. The messages included a command that can be deployed to surreptitiously access text messages, according to the cybersecurity analyst.
The analyst said the attempts targeting the State Department official and the person in South East Asia were flagged as malicious by security systems and blocked. Mitto’s system was detected engaging in similar activity on dozens of other occasions, according to the analyst and the records.
The data, the analyst said, made it clear that Mitto's infrastructure had been used to enable signaling attacks globally. The analyst didn’t identify which surveillance technology company, if any, was involved in the alleged incidents.
For those who say they knew about it, Gorelik’s alleged surveillance work at Mitto caused some discomfort. The company, which bills itself as the industry’s “most trusted” provider of text message services, says it offers those services “free of any potential threats and risks.”
Three of the former employees at Mitto said they quit in part because they felt the work allegedly carried out by Gorelik in the surveillance sector had posed a conflict, undermining the company’s ability to guarantee the privacy and security of messages it processed.
Some of Gorelik’s behavior had raised other concerns too, the former employees said.
For more than a year, ending at the start of 2017, Gorelik was rarely in the company’s offices and sent emails and messages under the name “Ingo Gross,” according to seven former employees. The former employees said Mitto managers told them that Gorelik couldn’t use his real name for legal reasons that were never explained.
Shortly after that, Gorelik began to spy on some colleagues, using the company’s access to telecommunication networks to sometimes check his employees’ locations, six former employees said. Gorelik was also known to sometimes question employees’ use of their work computers for non-business purposes.
It later became clear how he knew what websites they were visiting. In the summer of 2019, a group of developers at Mitto’s office in Berlin discovered that Gorelik had installed a spy tool on work computers, which would take a screenshot every two minutes. Bloomberg reviewed images showing the spy tool in operation. It is illegal for companies to install spyware on employee computers in Germany unless there is solid evidence of criminal behavior or serious breach of duty, according to Henriette Picot, a Munich-based commercial technology lawyer.
Mitto said in a statement that it “uses customary and legal techniques” to monitor such things as who is accessing its computer network and internet activity on a random basis or based on concrete suspicions.
“None of our employees has ever brought to our attention that they feared illegal spyware was being used on their company-provided workstations,” the company wrote.
Some of the employees confronted Gorelik, who explained in a staff meeting that he had deployed the spy tool due to concerns about employees leaking proprietary information, the former employees said.
Mitto later scaled down its presence in Germany and relocated to Belgrade, Serbia, according to Stefan Link, a former senior customer support engineer. He said he didn’t have knowledge of the alleged surveillance service.
Link, who worked in Berlin for the company, said that his own job was outsourced to Serbia and his contract not renewed when it expired in mid-2018. “It was leadership based on fear,” he said, citing the alleged spying on employees’ computers and Gorelik’s occasional berating of colleagues. “And you didn’t know who you could trust.”
(Ryan Gallagher is a reporter for Bloomberg News, and Crofton Black is a reporter for the Bureau of Investigative Journalism).