Table of Contents
  • Home
  • /
  • Blog
  • /
  • Secret Spy Software Used by Intelligence Agencies Around the World
November 17, 2023

Secret Spy Software Used by Intelligence Agencies Around the World

Spy Software Used By Intelligence Agencies Around The World

How does one come to know of the mass surveillance projects and secret spy software used by intelligence agencies from around the world? Most of the western software mentioned here was leaked by Edward Snowden, who exposed that the (Five Eye) US, Australia, Canada, New Zealand, and the United Kingdom were all involved in a collaborative network that intercepted communications between individuals around the world, and even on native soil.

Specialized groups or think tanks that identify and track state actors over the years have identified shady organizations and groups believed to be associated with certain Governments. Additionally, in some countries, right-to-information requests have yielded some information. Apart from rare exceptions where a government declares that certain technologies are being used, most of the time, it is never accepted that specific software has been implemented. The extent to which it was used is typically downplayed. In case a country falls victim to an attack or is breached somehow. Such instances are also not likely to be reported or accepted.

At times, such spy software(s) have been discovered after botched attempts to install them. Note that, for the most part, these names are the codenames, or what are officially known as cover names of the software. Some publications to keep track of such surveillance campaigns and programs include The Intercept, Homeland Security Today, and The Guardian. Another source of information is blogged by cybersecurity firms such as Symantec and Kaspersky.

Lets throw some light on popular mass surveillance projects and secret spy software used by intelligence agencies to intercept communications between individuals around the world and even on native soil.


These are the software that all work on the same basic principle. The physical infrastructure where most of the internet traffic in the world is funneled is tapped into. These may include national exchanges, international gateways, or fiber optic backbones. A simple way to understand this is that the signals are intercepted, and there are keyword-based searches for certain words and phrases, such as bomb or attack. The monitoring is continuous and in real-time.

#1. RAMPART-A & XKeyscore

RAMPART-A is a US system disclosed by Snowden that began way back in 1992 when the fiber-optic infrastructure was being set up around the world. The global congestion points of fiber-optic traffic are tapped into, with agreements signed between participating nations. All kinds of communication are tapped by this system, including fax, VOIP calls, and instant messages. RAMPART-A works in tandem with an XKeyscore, a program that can figure out the surfing habits of individual users and create a profile known as a fingerprint. After that, just based on surfing habits alone, a particular tagged user can be tracked in meat space and cyberspace. These profiles allow agencies to bypass attempts to anonymize internet use.

#2. Tempora & PRISM

Tempora is a system used by the UK government which is similar to both RAMPART-A and XKeyscore. Perhaps, the most well-known mass surveillance software is PRISM. According to a leaked slideshow by Snowden, there are a number of big tech companies participating in the system, including Yahoo!, Google, Microsoft, Facebook, and Apple. The system exploits the fact that most of the internet traffic passes through America, as the traffic has the tendency to use the cheapest available route rather than the most direct route. Most of the actual hardware for the internet is also located in the US. PRISM can apparently be used to intercept emails, voice chats, file transfers, and social networking details.


India too has a system in place called NETRA (Network Traffic Analysis). That is the actual name of the system, and it has been publicly disclosed and discussed as well. The system is capable enough to monitor all kinds of things, including status messages, video calls, tweets, and shared images. Initially, the system was used by RAW, but it is now used by domestic security agencies as well.


The Russian version, called STORM, began by being implemented on telecom infrastructure in the early 90s. The same system has evolved and is now used to intercept internet traffic as well by tapping into the infrastructure of internet service providers. Unlike implementations by other countries, the same system can be used for targeted individual surveillance as well.

Many other countries have similar systems in place, and in some countries, mass surveillance is simply not covert. Here you can see the list of government mass surveillance projects.


Pegasus is a software developed by an Israeli cyberweapons community known as the NSO group. The software uses undisclosed vulnerabilities to compromise the smartphones of targeted individuals. The software can be installed on the devices of users through just a text message or a WhatsApp forward, without the need for any further interaction. Once compromised, all the information on the device can be tapped, including instant messages, calls, and passwords. The data from the microphone or the camera can also be obtained. The NSO group officially claims that the software is available only to authorized government agencies. Cellebrite, an Israeli company, has not revealed the full extent of its association with the NSO group, but there have been some employees moving between the two organizations, and both have been known to use similar exploits in their tools. There are some indications that it was Cellebrite that unlocked Syed Rizwan Farooks iPhone for the FBI, a terrorist who was involved in the 2015 terrorist attack in California. The FBI was fighting Apple in court over unlocking that phone. Software with many technical similarities to Pegasus was used to compromise Jeff Bezos smartphone. In the wake of the novel Coronavirus outbreak, Cellebrite is approaching governments with methods to find out the information needed for contact tracing. Without the cooperation of the users, according to a Reuters report.

#6. VAULT 7

The most exciting and recent information on spy tools appeared on WikiLeaks over a series of disclosures collectively known as the Vault 7 Leaks. All the spy software used by intelligence agencies listed in the Vault 7 leaks was used between 2013 to 2016.

At times, the CIA actually repurposed the tools used by cybercriminals for their own use, which provided the additional function of hiding the origin and use of the spyware if it was to be discovered. These are a collection of incredibly ingenious and specific software that is used on targeted individuals.


Sonic Serewdriver is software that allows an Apple computer to be persistently compromised by installing malware on the firmware. Even if the firmware is password-protected, the malware is stored in the Thunderbolt to Ethernet adapter during boot time.


Brutal Kangaroo is a tool that allows snooping on single air-gapped machines or air-gapped networks. The attack works by first compromising an appliance plugged into the internet. When a USB device is used on this machine, the software jumps onto the drive. Then, when the USB device is used on a machine on an air-gapped network, the malicious software begins its snooping and begins to store data back on the USB drive. When the drive is connected back to a machine linked to the internet, the data is beamed to the agent.


CherryBlossom is a tool that allows wireless routers to be compromised, which means that all the data passing through the router is also compromised. The tool allows loading exploits to execute a variety of man-in-the-middle attacks. Operators can control, monitor, and even change the data being transmitted from the router or access point to a machine or device. The attack could be used in public Wi-Fi hotspots, or in hotels, or airports.


Dumbo is a tool that can be used to compromise webcams or security cams. The related processes to recording videos can be interrupted or stopped. Any recorded footage can also be corrupted. The software is loaded through a pen drive and can be used to mask the physical movements of operatives through an area.


The Marble Framework is an obfuscation tool that prevents any forensic investigators from associating malware on a compromised machine with the CIA. A devious approach by the software was to first use text in a foreign language, such as Chinese or Farsi, then obfuscate that language. Investigators would believe that the software was attempting to cover up the use of language and end up making the wrong conclusion.


While all of these might seem really scary, spy software used by intelligence agencies is pretty advanced and not available to the average script kiddie. Only those who may be the individual targets of attacks have to worry about these tools or similar ones.

Thanks for reading this article. If you find this article interesting, please visit our site to read more such interesting articles.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription