Mollitiam Industries is the Newest Cyberweapons Arms Manufacturer

Wired is reporting on a company called Mollitiam Industries:

Marketing materials left exposed online by a third-party claim Mollitiam’s interception products, dubbed “Invisible Man” and “Night Crawler,” are capable of remotely accessing a target’s files, location, and covertly turning on a device’s camera and microphone. Its spyware is also said to be equipped with a keylogger, which means every keystroke made on an infected device — including passwords, search queries and messages sent via encrypted messaging apps — can be tracked and monitored.

To evade detection, the malware makes use of the company’s so-called “invisible low stealth technology” and its Android product is advertised as having “low data and battery consumption” to prevent people from suspecting their phone or tablet has been infected. Mollitiam is also currently marketing a tool that it claims enables “mass surveillance of digital profiles and identities” across social media and the dark web.

Posted on June 23, 2021 at 6:01 AM26 Comments

Comments

Clive Robinson June 23, 2021 7:26 AM

@ Bruce,

Mollitiam Industries is the Newest Cyberweapons…

Perhaps it’s time to start collecting a list of them.

And perhaps as importantly “the names” behind them.

Obviously they assume they can do what they want, so why not return the favour?

So a very fast bit of OSInt via the first page of a search gives,

“Already well-established in the Spanish-speaking world, the Spanish cyberintelligence startup will make its bow at ISS World in Dubai next week”

Dunn&Bradstreet indicate they are in “TOLEDO”. But…

https://www.crunchbase.com/organization/mollitiam-industries

Says Madrid, and Venture Capital funded. This site agrees and adds a couple of names as the funders,

https://www.alleywatch.com/profile/mollitiam-industries/

And this one gives an address abd partial phone number,

https://pitchbook.com/profiles/company/462012-40

So it is Toledo in Madrid Spain, but it’s not just “Venture Funding”, RT[1] have an article saying they are in part funded by EU Regional Development funding,

https://www.rt.com/news/526616-eu-funded-mollitiam-surveillance-tools/

So in all probability they are being “boosted on the public dime” to make a couple of VC sharks more cash. Thus their products could be more “air-ware” than anything else.

But you will find this,

“Mollitiam Industries, a service provider to Spain’s national intelligence centre CNI and joint cyberspcae command, Mando Conjunto de Ciberdefensa (MCCD), produces spyware adapted to Windows, MacOS and Android operating systems.”

And,

“Launched in 2018, the startup Mollitiam Industries is the jointly-owned cyber-offensive unit of the engineering consultancy In-Nova and the cyber-security firm StackOverflow Ltd. (which is not related to the US website of the same name).”

And this fun titbit,

“Vicente Furio Villaseca, VP Sales, Mollitiam Industries Antonio Ramos, Founder and COO, Mollitiam Industries This webinar is free and intended only for Law Enforcement, the government intelligence community and other government agencies. You must register with your government or corporate issued email address.”

So they are not exactly picky when it comes to who they talk to, thus probably not who they sell to either.

And linked in is “ever helpfull” even ib just search engines,

“Enrique L. MOLLITIAM INDUSTRIES. Universidad Politecnica de Madrid. Report this profile Experience Jefe de equipo MOLLITIAM INDUSTRIES Sep 2018 – Present 2 years 10 months. Research Collaborator Isdefe – UAH Research Chair Sep 2017 – Jul 2018 11 months. Alcalá de Henares y alrededores, España …”

The “Universidad Politécnica de Madrid” has a telecommunications engineering department it’s quite proud of “Escuela Técnica Superior de Ingenieros de Telecomunicación”(ETSIT). If you know where to look you can find the names of Faculty staff and student Members and what their research / thesis / studies are or were. So this might well give you one of the lead technical staff as they have been at the company since it started up…

Not so helpfull but usefull for “social engineering”,

“Gonzalo García – Belenguer – Head of Sales, EMEA MOLLITIAM INDUSTRIES. IE Business. Report this profile About Executive MBA – IE Business School, with demonstrated history of working in the international affairs industry.”

And that was all from just the first search page on “Mollitiam Industries”.

It also showed two other,”Mollitiam” companies that I assume are totaly unrelated one deals with Human Resources related stuff, the other with I assume “Medical can-i-bis”.

[1] Yes I know, who RT is, but generally they do “white propaganda” and I’ve not yet found a technology article where I could not verify the details elsewhere.

Clive Robinson June 23, 2021 8:15 AM

@ All,

They might be in Spain but they are in effect US led through a UK company,

https://find-and-update.company-information.service.gov.uk/company/08054620/officers

Who maybe using,

https://innova.co.uk/innova-capital/

As the “boosters”.

Esspecially curious about the US directors of the UK company, I have a feeling they will lead to the East of the Mediterranean, possibly to a number of other undesirable companies if not Government/Mil agencies. The name and birth year match with,

https://en.m.wikipedia.org/wiki/Joel_Spolsky

Which has a photo of him standing in the London office…

I guess his book sales etc will take a significant knock when this gets out… Not sure why Wired did not find it and chase up on it.

He also appears to be “involved” with “RelSci” (Relationship Science)

https://relationshipscience.com/person/avram-joel-spolsky-3816658

Not sure if that is because he’s prominent and wealthy or he’s signed up in some way. RelSci claim to have verified information on 10million “movers and shakers” abd 1.8million organisations.

Very interestingly, the second director of the London Company resigned three years ago, Why? Might be a pertinent question when you realise that is about the time this Spanish company was setup.

I’ll stop digging at this point and let others have a sniff around.

Martin June 23, 2021 10:19 AM

Story in Motherboard:

Executives from French companies Amesys and Nexa Technologies have been indicted after their company’s surveillance technology was used by authoritarian governments in Libya and Egypt to target activists. They were even charged with complicity in acts of torture.

echo June 23, 2021 6:24 PM

I tend to dissent from this blogs premise quite strongly. I don’t believe “boys toys” or media driven populism are the biggest security threats nor necessarily relevant. I believe the biggest threat is a failure of science and the law at a strategic level. Some of that is by design at governance level. It’s where most of the dictators and wannabe dicators get their hacks in. Human rights are almost always the first to go. The mechanims enabling abuse always the last to be examined.

The French have shown willingness in prosecuting a former French president and now French business executives too?

Now this document and its history is quite interesting. It’s also interesting to consider who associates with who and what tools and forms of tools they develop to facilitate oppression and evade scrutiny of the law.

https://en.wikipedia.org/wiki/Declaration_of_the_Rights_of_Man_and_of_the_Citizen

JonKnowsNothing June 23, 2021 8:45 PM

@echo

re: I believe the biggest threat is a failure of science and the law at a strategic level… The French have shown willingness in prosecuting …

Perhaps you have not spent enough time reading lots of history. Human Rights, Citizen Rights, Laws and Definitions, Governments, Legal Systems, even borders change quite often.

The only monolithic aspect is one’s personal lifetime. Within a framework of 30-80+ years, things may appear to move glacially. Then something somewhere snaps, it can be anything, change in the flow of a river, loss of crops and reduced harvests and all the myriad encounters people have with the climate and other people, and of course problems of culture, language and expectations.

Change may seem to be slow but then it can be fast, so fast it happens before you are even aware what took place. It is the unexpected part of change that defies quantifying. And that is precisely what makes change possible.

tl;dr

Some years ago on a TV Antique Valuation program a person had a small box about the size of a modern cigarette pack. Inside the box was a set of sticks with number along the sides. They tipped the sticks out on the table and you could see they all had different numbers along each side.

The Antique’s Specialist said they were Victorian Children’s School Math Counting Sticks. By lining up the numbers on the sticks you could do basic maths.

Now you cannot even line up sticks when the battery runs down.

Adios June 23, 2021 9:34 PM

Speaking of Spain and Android spyware, John McAfee died today in a Spanish prison. For the last month he Tweeted constantly about malicious insiders – engineers and spies working at Google, Microsoft, Apple and Facebook that were embedding spyware and backdoors for foreign nations. https://twitter.com/officialmcafee/status/1400482858741948424

These tools are installed on every corporate computer or their apps on employee’s devices – both of which have the ability to hoover up all of your data, including login and passwords. Is this the source of compromised credentials resulting in a rash of high profile ransomware attacks?

Are any Tech Thought Leaders brave enough to admit malicious insiders are the greatest threat Cybersecurity and nothing can detect them? The only way to prevent this is to not hire them. We first need to admit this is happening and then agree that it is unacceptable. There are solutions provided there is will.

I wonder why he was in Spain? He’s been very vocal about Android’s vulnerabilities for many years. https://www.androidcentral.com/john-mcafee-interview-highlights

I agree with him that corporate IT (and cybersecurity) is rash with fakes. John spoke about how malicious insiders are often charismatic and I think that’s a major clue. The most talented geeks are neurodivergent – definitely not smooth operators.

His Tweets over the past year are pretty disturbing. A lot of food for thought.

Clive Robinson June 23, 2021 11:25 PM

@ Weather,

Maltego[1], was not necessary, just the first page of a DuckDuckGo search for most of it, then as one of the refrences was to a UK limited company a quick search on the UK Conpanies house which showed the two directors full names and year of birth.

Sometimes OSInt is very simple and can not in any way be described as “Open Search that anybody can make”.

Which as I indicated,

“Why did Wired not do so?”

Is it just “Joel Spolsky” and his IT Industry “star status” who got his start at Microsoft developing Basic for Excell[2], and went on to write books and found the code cutters short cut “Stack Overflow” so many use?

Or some other reason…

[1] https://en.m.wikipedia.org/wiki/Maltego

[2] I’m told, but can not verify it’s Joel Spolsky’s code that ended up in Word, and was then used by an “unknown” Microsoft person to release the first proof of concept of a “Macro-virus” on a Microsoft Tech Update CD. If anyone knows more of the details, I’m sure many would be interested from a historical perspective.

echo June 24, 2021 12:32 AM

@JonKNowsNothing

Perhaps you have not spent enough time reading lots of history. Human Rights, Citizen Rights, Laws and Definitions, Governments, Legal Systems, even borders change quite often.

The only monolithic aspect is one’s personal lifetime. Within a framework of 30-80+ years, things may appear to move glacially. Then something somewhere snaps, it can be anything, change in the flow of a river, loss of crops and reduced harvests and all the myriad encounters people have with the climate and other people, and of course problems of culture, language and expectations.

Change may seem to be slow but then it can be fast, so fast it happens before you are even aware what took place. It is the unexpected part of change that defies quantifying. And that is precisely what makes change possible.

I have a fair idea of this and quite aware of it. I’m also aware of lots of microscopic details within my sphere of interest. The big problem is dealing with people with job titles who don’t know their own material or history of things which is, itself, the cause of a lot of problems. And, yes, the same people try to beat me around the head with it from their own extremely narrow professional viewpoint which leaves all this stuff out. In fact I’ve just been having a discussion elsewhere before checking on this blog and reading your comment on exactly this kind of material.

I made the point about the lack of focus on strategic issues at the governance level and left it to the reader to reflect very simply because a lot of issues people call “political” have a lot of very precise reasons for why they happen and that the complexity of the number of domains involved is too much to discuss and more a question of “backwards rationalising” and “look and feel”. This is something missed on this blog as the topic of discussion is usually the technochratic reducable to mathematics. The role of conceit, hubrice, ignorance, blind spots, reactivity, and yes feelings is underestimated as much as the subconcious and expression or heuristics and perception. A security blog of all places should know that things are not always what they seem and sources are not always capable of being determined, and so it is with the mind hence purpose and intent which can to a degree be determined and not always then.

I would rpattle on but I’m tired so will just end this here.

Weather June 24, 2021 1:05 AM

@clive
My story isn’t that great, about Microsoft ,DNS,iis,logs,kernel or had bugs, but I gave that up plus the five energy shots a day, I’m aculate thinking about starting a technical job fixing computer, I have to get to grapes with new systems but.. If zero day intive paid I would be in a different group.
Anyway I would like to buy you a beer, but I doubt our lines will cross .
And lay off echo.

Clive Robinson June 24, 2021 1:17 AM

@ Weather, ALL,

Remind me to “copy read”…

In my above I said,

“Sometimes OSInt is very simple and can not in any way be described as “Open Search that anybody can make”.”

I left the word “not” out before “Open”.

My point being if you use anything other than the simplest of tools some idiot –read prosecution psycho– will claim you have some dark evil ju-ju powers or some such and should be burnt at the stake or modern equivalent to progress their political career.

But… It also demonstrates why there is too much information up on the Internet…

Speaking of which, anyone else remember the shocking behaviour of one of those “drunken” lawyers who were filing all those stupid court cases after the US election? And more importantly how a couple of people on this blog apparently only using first pages of Google searches not only identified one of them by their real name, but who her relatives were, her probable GOP political plans, phone numbers and most supprising, a video on the Internet of the inside of her house from a real-estate site… Which was confirmed because of a photo she was in of her and one of the other lawyer “friends” –who was also trolling the courts– swilling large glasses of cheap plonk in her kitchen…

If you were to right that up in a political intrigue novel or similar no one would think it credible, yet as I’ve found it’s almost trivial.

Which if you think about it is a real problem for society as it’s a fundemental but unconscious disconnect from reality that is going to hurt people badly…

Weather June 24, 2021 2:11 AM

@clive
Yes I know sha256 exploit will be bad, its why I’m trying to send it to the devil, ahay they don’t do everything bd.

name.withheld.for.obvious.reasons June 24, 2021 3:01 AM

How about a judicial system that cannot be held accountable for creating an environment where cyber weapons, such as drones, are a means to deliver summary judgements that have yet to see a day in court. But, more importantly; how technological systems create a systematized approach to state sponsored killing. Come on man…

24 JUN 2021 — The Grim Reaper, U.S. Justice Comes Knocking
When clarity can get you, well, who knows?

While researching the subject of extrajudicial law, the rabbit hole (Atlantic Article) pointing to SCOTUS opened up at a place I was unfamiliar with. A recent decision from the court about the death penalty, framed from a different perspective, not of a death-row inmate but of targeted individual working in Syria as a journalist. As the contrast between the two situations of capital punishment, the death-row inmate having been afforded a deliberative process, AND, Federal prison executions don’t OFTEN kill innocent bystanders, if ever.

Some facts:
50 people on Federal death-row
2533 people in state prisons on death-row
3797 people killed in drone strikes (under Obama)
XXXX people killed in drone strikes (under #45, administration lacked reporting)

In the case before the court, Bilal Kareem claimed he’d repeatedly nearly been killed five times under conditions similar to other drone strikes. In reporting, as a journalist his contacts and sources were often individuals adjacent or associated with al-Qaeda where he often used a cellphone to make contact.

Kareem’s Five Questions (No, three sir!)
1. had any determination reached by the government call for his death;
2. if yes, did the government attempt to kill him;
3. how was any summary judgement reached;
4. what facts formed the basis for such a judgement
5. and was he still targeted for death.

The court refused on every corner of the case; a lack of standing; non-justiciable political questions; and state secrets. So, has this U.S. citizen been placed on extrajudicial kill list? The answer citizen, their is no due process accountability.

The U.S. Court of Appeals, DC, sided with the government citing that Kareem had failed to produce enough evidence that the five aerial bombings he was involved in were actual U.S. drone strikes. But the bright light in this situation, no one knows the number of executions or innocents who died in the past 4 years in drone attacks.

echo June 24, 2021 1:00 PM

@name.withheld.for.obvious.reasons

The court refused on every corner of the case; a lack of standing; non-justiciable political questions; and state secrets. So, has this U.S. citizen been placed on extrajudicial kill list? The answer citizen, their is no due process accountability.

The U.S. Court of Appeals, DC, sided with the government citing that Kareem had failed to produce enough evidence that the five aerial bombings he was involved in were actual U.S. drone strikes. But the bright light in this situation, no one knows the number of executions or innocents who died in the past 4 years in drone attacks.

The US has a fundamental disregard for human rights. I can think of mechanisms which may be available in theory the court could use but they don’t seem interested in even this question.

There is also the thought that they have assessed this individual as a legitimate risk and therefore a target or may simply be used them as a beacon to target their drones. Doubtless some legal hoops would have been jumped if this was the case.

Note again the lack of concern for human rights while there is a possibility abusive actions are given the unlimited legal resources and red carpet treatment.

I wonder which political appointee is bikeshedding.

MikeA June 24, 2021 1:03 PM

@JonKnowsNothing

I’d suspect that those “Victorian Children’s School Math Counting Sticks” were actually Napier’s Bones, an aid to computation whose use was not restricted to children (or Victorians).

A I typed this, a memory of the IBM 1620 surfaced…

Andrew Kennedy June 24, 2021 3:25 PM

Clive, you’ve demonstrated one issue with OSINT – fact that when there’s a lot of data available referencing the terms you’re interested in, it can be hard to find the particular relevant information you need. So, I did some quick searches myself, using the simplest, basic tools available (no dark magic!) and found out the correct information…

They might be in Spain but they are in effect US led through a UK company […] Esspecially curious about the US directors of the UK company, […] The name and birth year match with […] Joel_Spolsky

By which you refer to the programming Q&A site Stack Overflow, previously known as Stack Exchange, and run by Joel Spolsky.

I guess his book sales etc will take a significant knock when this gets out… Not sure why Wired did not find it and chase up on it.

The reason Wired didn’t chase it up is given in one of the quotes you listed:

Mollitiam Industries is the jointly-owned cyber-offensive unit of the engineering consultancy In-Nova and the cyber-security firm StackOverflow Ltd. (which is not related to the US website of the same name).

In fact, the Spanish connection you posited was correct; the parent company is called Stackoverflow SL, and their Website and Twitter are as follows:

Started in 2006 by the founder Antonio Ramos Varon who also studied in Madrid, at the Universidad Complutense de Madrid. His LinkedIn and the company details are here:

Looks like Ramos Varon was the producer for some Spanish hacking TV show called “Mundo Hacker” as well!

I just wanted to clear up the idea that Joel Spolsky is anything to do with this, or that Wired might be covering this up. Enjoy…

@grkvlt

Clive Robinson June 24, 2021 4:02 PM

@ Andrew Kennedy,

Look again more carefully

cyber-security firm StackOverflow Ltd

Is a “UK company” registered at the UK Companies house, and as I noted there is a photo of Joel Spolsky standing in their London Office on the Wikipedia page… So I’d say there is fair indication he is the –now sole– director of it.

So there is more there than you are thinking.

Also consider this,

“Stack Overflow” is a registered name, thus to open a Company by the same name is asking for a lot of trouble via the EU, unless there is some form of permission that Joel Spolsky has given…

Hence there are questions that Joel Spolsky might want to address…

Faustus June 24, 2021 8:09 PM

@Clive Thank you for demonstrating nice clear research on an important issue.

@echo Your approach and Clive’s can be complementary, no?

Me, I like just about every aspect of this thread.

JonKnowsNothing June 24, 2021 9:03 PM

@MikeA

re: I’d suspect that those “Victorian Children’s School Math Counting Sticks” were actually Napier’s Bones…

I looked at some images and I think that’s exactly what I saw.

I checked out Wikipedia on them and was enchanted with the whole aspect! The rotary versions both cylinders and wheels just awesome stuffs.

Old tech still rules!

I only had a slide rule… some day an Antikythera mechanism!!!

===

ht tps://en.wikipedia.org/wiki/John_Napier

John Napier of Merchiston (/ˈneɪpɪər/;[1] 1 February 1550 – 4 April 1617), nicknamed Marvellous Merchiston, was a Scottish landowner known as a mathematician, physicist, and astronomer. He was the 8th Laird of Merchiston. His Latinized name was Ioannes Neper.

John Napier is best known as the discoverer of logarithms. He also invented the so-called “Napier’s bones” and made common the use of the decimal point in arithmetic and mathematics.

ht tps://en.wikipedia.org/wiki/Napier%27s_bones

Napier’s bones is a manually-operated calculating device created by John Napier of Merchiston, Scotland for the calculation of products and quotients of numbers. The method was based on lattice multiplication, and also called ‘rabdology’, a word invented by Napier.

Using the multiplication tables embedded in the rods, multiplication can be reduced to addition operations and division to subtractions. Advanced use of the rods can extract square roots. Napier’s bones are not the same as logarithms, with which Napier’s name is also associated, but are based on dissected multiplication tables.

ht tps://en.wikipedia.org/wiki/Lattice_multiplication

Lattice multiplication, also known as the Italian method, Chinese method, Chinese lattice, gelosia multiplication,[1] sieve multiplication, shabakh, diagonally or Venetian squares, is a method of multiplication that uses a lattice to multiply two multi-digit numbers. It is mathematically identical to the more commonly used long multiplication algorithm, but it breaks the process into smaller steps, which some practitioners find easier to use.[2]

The method had already arisen by medieval times, and has been used for centuries in many different cultures.

ht tps://en.wikipedia.org/wiki/Antikythera_mechanism

The Antikythera mechanism is an ancient Greek hand-powered orrery, described as the oldest example of an analogue computer used to predict astronomical positions and eclipses decades in advance. It could also be used to track the four-year cycle of athletic games which was similar to an Olympiad, the cycle of the ancient Olympic Games.

(url fractured to prevent autorun)

Cyber Hodza June 24, 2021 9:54 PM

@Clive – thanks for dissenting the company for everyone to see.
May I be cheeky and suggest they add a customer-testimonials section to their website?
Entries may include something like :

“Very impressed by your softwares ability to conduct massive surveillance of our political opponents mobile phones , including collection of of all their correspondence, allowing us to interfere with regular democratic process and hack them to our advantage”

Andrew Kennedy June 25, 2021 10:47 AM

@clive no, sorry you’re jumping to unwarranted conclusions here. Check the Companies House data for Stack Overflow Limited, you can see its the successor entity to Stack Exchange Limied, and is fairly obviously the controlling company for the programming Q&A website https://stackoverflow.com and is nothing to do with this. The reason Joel Spolsky is pictured in front of his companies offices in London is that it’s his company. Just not a security software and services company based in Spain!

The Spanish company Stack Overflow SL however, is run by Antonio Ramos Varon as CEO, and he is also the CTO of the company in the article, Mollitiam. See this link where he is speaking at a conference https://ausape.com/revistadigital/r-59-3/firmainvitada/

Hope that clears things up for you.

@grkvlt

Andrew Kennedy June 25, 2021 10:59 AM

@clive, here’s more on the pitfalls of poor OSINT … looks like Bruce is similarly “involved” in “relsci” https://relationshipscience.com/person/bruce-schneier-3403338

It’s a database of links between individuals found by searching public records etc. Presence in it doesn’t mean anything in and of itself, in the same way that my presence in the phone book doesn’t mean I’m something to do with British Telecom 😉

@grkvlt

Clive Robinson June 25, 2021 1:44 PM

@ Andrew Kennedy

It’s a database of links between individuals found by searching public records etc.

You are obviously not reading what I’ve written and thus drawing false conclusions of your own.

So,

1, “And that was all from just the first search page on “Mollitiam Industries”.”

2, “Not sure if that is because he’s prominent and wealthy or he’s signed up in some way. RelSci claim to have verified information on 10million “movers and shakers” abd 1.8million organisations.”

So I’ve already indicated that his link to RelSci is either because,

1, “they think”
2, “he’s signed”

but either way, they claim not me that it’s

“Verified information”

You saying,

“in the same way that my presence in the phone book doesn’t mean I’m something to do with British Telecom”

Being in the,”British Telecom” “Phone Book” means two things,

1, You do have “something to do with British Telecom”.

2, You have “verified it”.

So is the opposite of what you claim with,

“Presence in it doesn’t mean anything in and of itself”

Andrew Kennedy June 25, 2021 2:18 PM

@clive, OK fair point – I read too much into what you were implying there with the “relsci” link. I guess that shows me how easy it is to draw the wrong conclusion from things on the internet, right?

I’ll leave this now, i don’t think there much else useful we can add – skstchy companies are going to be sketchy whether they are from the UK or Spain…

@grkvlt

Faustus June 25, 2021 2:44 PM

@Adios

How would you detect malicious insiders? Certainly excluding any techie with any charisma would exclude the most effective tech leaders.

However, if the mal-insiders are active (changing code), a good source management system should be able to identify the malicious, by tracking back whoever committed the backdoor code. The code could be discovered by bug bounty, desk checking, or static or dynamic analysis.

If the problem is leakage of secret material this could be addressed by a wide range of watermarking approaches that allow the source to be determined.

I think Spain is where the arrest warrants / extradition requests caught up with McAfee.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.