Apple Files Lawsuit Against NSO Group for its Pegasus Spyware Attacks
For a brief primer, Pegasus is essentially spyware that can be silently deployed against a target and used to monitor everything on a person’s mobile device. According to the filing, the Pegasus software was first identified by researches at Citizen Lab at the University of Toronto, where it was discovered Pegasus could initiate what is known as a “zero-click exploit,” meaning it could deploy without any input from the user. The attack, which Citizen Lab named FORCEDENTRY, worked in several stages. First, the company allegedly contacted Apple’s servers in the US to identify other Apple users, then worked to confirm the target was using an iPhone. Next it sent “abusive data” to the target via iMessage, which disabled logging and allowed it to upload a bigger file, which was the payload. That bigger file was stored on iCloud servers, then delivered to the targets’ phones. One the Pegasus payload was in-place, it began communicating to a command-and-control server, whereby a person could send commands to the phones. This allowed 3rd parties to control the phones remotely, vacuuming up call logs, web browser history, contacts, and even let them turn the phone’s microphone and camera on, and send what it captured back to the nefarious server. A consortium of global journalists launched an investigation in July into this situation, dubbed the Pegasus Project, and found, “Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi.”
This seems like pretty standard spyware stuff, but what’s so remarkable about it is the zero-click aspect, as typically a user has to initiate the deployment of malware/spyware by clicking on a link sent to them, or take some kind of action. Not this time. This type of activity is only possible because NSO Group and other companies like it employ researchers who work to discover unknown vulnerabilities in popular software such as iOS, Microsoft Windows, and others, and use these gaps in security to develop software that can penetrate target devices before the developer catches on that there’s a flaw. The security holes are typically known as Zero Days, because the developer has had zero days to fix the security flaw. Companies like Apple, Microsoft, Google and others have massive cyber security teams of their own who work to find these security flaws before rogue actors do, but given the complexity of the software involved, it’s a never-ending battle against companies like NSO Group. Also, in September Apple patched the vulnerabilities that allowed Pegasus to run with its iOS 14.8 update, and in its press release the company notes, “Apple has not observed any evidence of successful remote attacks against devices running iOS 15 and later versions.”
This is not the first time NSO Group has been in the headlines. The US government blacklisted the company earlier this month, “after determining that its phone-hacking tools had been used by foreign governments to ‘maliciously target’ government officials, activists, journalists, academics and embassy workers around the world,” according to The Post. The company is also embroiled in a lawsuit with WhatsApp over claims its spyware was used to hack 1,400 users of its app. Earlier this month, the Ninth Circuit Court of Appeals rejected NSO Group’s claim that it should have “sovereign immunity” in the case.
If you’re interested in a deep-dive on the NSO Group, the podcast Darknet Diaries recently posted an episode about it, including an interview with the Citizen Lab researchers that discovered Pegasus. You can also read Apple’s full complaint right here.