Resources

Spyware Group NSO’s Pegasus Targeted Up To ‘Tens of Thousands’

WhatsApp’s newly unsealed court documents have exposed the extensive reach of NSO Group’s Pegasus spyware operation, which targeted “between hundreds and tens of thousands” of devices, according to testimony from the company’s head of research and development. The Israeli surveillance firm charged government customers up to $6.8 million for one-year licenses, generating at least $31 million in revenue in 2019 alone, TechCrunch first reported.

The documents detail previously unknown hacking tools named “Hummingbird,” “Eden,” and “Heaven,” developed specifically to compromise WhatsApp users’ devices. The revelations emerge from WhatsApp’s ongoing 2019 lawsuit against NSO Group for alleged violations of U.S. anti-hacking laws.

27

NSO, Not Government Clients, Operates Its Spyware

Legal documents released in ongoing US litigation between NSO Group and WhatsApp have revealed for the first time that the Israeli cyberweapons maker — and not its government customers — is the party that “installs and extracts” information from mobile phones targeted by the company’s hacking software. The new details were contained in sworn depositions from NSO Group employees, portions of which were published for the first time on Thursday.

It comes five years after WhatsApp, the popular messaging app owned by Facebook, first announced it was filing suit against NSO. The company, which was blacklisted by the Biden administration in 2021, makes what is widely considered the world’s most sophisticated hacking software, which — according to researchers — has been used in the past in Saudi Arabia, Dubai, India, Mexico, Morocco and Rwanda. […] At the heart of the legal fight was an allegation by WhatsApp that NSO had long denied: that it was the Israeli company itself, and not its government clients around the world, who were operating the spyware. NSO has always said that its product is meant to be used to prevent serious crime and terrorism, and that clients are obligated not to abuse the spyware. It has also insisted that it does not know who its clients are targeting. […]

To make its case, WhatsApp was allowed by Judge Phyllis Hamilton to make its case, including citing depositions that have previously been redacted and out of public view. In one, an NSO employee said customers only needed to enter a phone number of the person whose information was being sought. Then, the employee said, “the rest is done automatically by the system.” In other words, the process was not operated by customers. Rather NSO alone decided to access WhatsApp’s servers when it designed (and continuously upgraded) Pegasus to target individuals’ phones.
A spokesperson for NSO, Gil Lainer, said in a statement: “NSO stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system. We are confident that these claims, like many others in the past, will be proven wrong in court, and we look forward to the opportunity to do so.”

30

NSO Group Exploited WhatsApp Zero-Day Even After Lawsuit

NSO Group Technologies Ltd. continued to develop spyware that used multiple zero-day WhatsApp exploits even after the instant messaging firm sued the Israeli surveillance firm over violation of federal and state anti-hacking laws, revealed a court filing filed by the messaging app and its parent company Meta that was published on Thursday.

Court filings reveal that NSO continued using WhatsApp servers to install Pegasus spyware on phones by calling the targeted device, even after the messaging platform detected and blocked the exploit in May 2019.

The allegations stem from a series of cyberattacks against WhatsApp users, including journalists, dissidents, and human rights advocates.

29

Spyware Scandals Are Ripping Through Europe

The ripple effects of the scandal are reaching the heart of the European Union. Over the past 13 months, it has been revealed that spyware had targeted opposition leaders, journalists, lawyers and activists in France, Spain, Hungary, Poland and even staff within the European Commission, the EU’s cabinet-style government, between 2019 and 2021. The bloc has already set up an inquiry into its own use of spyware, but even as the 38-person committee works toward producing a report for early 2023, the number of new scandals is quickly mounting up. What sets the scandal in Greece apart is the company behind the spyware that was used. Until then the surveillance software in every EU scandal could be traced back to one company, the notorious NSO Group. Yet the spyware stalking Koukakis’ phone was made by Cytrox, a company founded in the small European nation of North Macedonia and acquired in 2017 by Tal Dilian — an entrepreneur who achieved notoriety for driving a high-tech surveillance van around the island of Cyprus and showing a Forbes journalist how it could hack into passing people’s phones.

In that interview, Dilian said he had acquired Cytrox and absorbed the company into his intelligence company Intellexa, which is now thought to now be based in Greece. The arrival of Cytrox into Europe’s ongoing scandal shows the problem is bigger than just the NSO Group. The bloc has a thriving spyware industry of its own. As the NSO Group struggles with intense scrutiny and being blacklisted by the US, its less well-known European rivals are jostling to take its clients, researchers say. Over the past two months, Cytrox is not the only local company to generate headlines for hacking devices within the bloc. In June, Google discovered the Italian spyware vendor RCS Lab was targeting smartphones in Italy and Kazakhstan. Alberto Nobili, RCS’ managing director, told WIRED that the company condemns the misuse of its products but declined to comment on whether the cases cited by Google were examples of misuse. “RCS personnel are not exposed, nor participate in any activities conducted by the relevant customers,” he says. More recently, in July, spyware made by Austria’s DSIRF was detected by Microsoft hacking into law firms, banks, and consultancies in Austria, the UK, and Panama.

255

Pegasus Spyware Used Against Thailand’s Pro-Democracy Movement

NSO Group’s Pegasus spyware was used to target Thai pro-democracy protesters and leaders calling for reforms to the monarchy. “We forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus spyware,” reports Citizen Lab. “The observed infections took place between October 2020 and November 2021.” Here’s an excerpt from the report:
Introduction: Surveillance & Repression in Thailand: The Kingdom of Thailand is a constitutional monarchy with a parliamentary-style government divided into executive, legislative, and judiciary branches. The country has been beset by intense political conflict since 2005, during the government of former Prime Minister Thaksin Shinawatra. Corruption allegations against the regime culminated in a military coup on September 19, 2006 that ousted Thaksin. The military launched another coup on May 22, 2014 and seized power following mass protests against the civilian government led by Thaksin’s sister, Yingluck Shinawatra. The junta claimed that the 2014 coup was needed to restore order and called itself the National Council for Peace and Order (NCPO).

Findings: Pegasus Infections in Thailand: On November 23, 2021, Apple began sending notifications to iPhone users targeted by state-backed attacks with mercenary spyware. The recipients included individuals that Apple believes were targeted with NSO Group’s FORCEDENTRY exploit. Many Thai civil society members received this warning. Shortly thereafter, multiple recipients of the notification made contact with the Citizen Lab and regional groups. In collaboration with Thai organizations iLaw and DigitalReach, forensic evidence was obtained from notification recipients, and other suspected victims, who consented to participate in a research study with the Citizen Lab. We then performed a technical analysis of forensic artifacts to determine whether these individuals were infected with Pegasus or other spyware. Victims publicly named in this report consented to be identified as such, while others chose to remain anonymous, or have their cases described with limited detail.

Civil Society Pegasus Infections: We have identified at least 30 Pegasus victims among key civil society groups in Thailand, including activists, academics, lawyers, and NGO workers. The infections occurred from October 2020 to November 2021, coinciding with a period of widespread pro-democracy protests, and predominantly targeted key figures in the pro-democracy movement. In numerous cases, multiple members of movements or organizations were infected. Many of the victims included in this report have been repeatedly detained, arrested, and imprisoned for their political activities or criticism of the government. Many of the victims have also been the subject of lese-majeste prosecutions by the Thai government. While many of the infections were detected on the devices of prominent figures, hacking was also observed against individuals who are not publicly involved in the protests. Speculatively, this may reflect the attackers’ intent to uncover details about how opposition movements were organized, and may have been prompted by specific financial transactions that would have been known to Thai financial institutions and the government, but not the public.

274

EU Found Evidence Employee Phones Compromised With Spyware

In a July 25 letter sent to European lawmaker Sophie in ‘t Veld, EU Justice Commissioner Didier Reynders said iPhone maker Apple had told him in 2021 that his iPhone had possibly been hacked using Pegasus, a tool developed and sold to government clients by Israeli surveillance firm NSO Group. The warning from Apple triggered the inspection of Reynders’ personal and professional devices as well as other phones used by European Commission employees, the letter said. Though the investigation did not find conclusive proof that Reynders’ or EU staff phones were hacked, investigators discovered “indicators of compromise” â” a term used by security researchers to describe that evidence exists showing a hack occurred.

257

Edward Snowden Calls For Spyware Trade Ban Amid Pegasus Revelations

Snowden, who in 2013 blew the whistle on the secret mass surveillance programs of the US National Security Agency, described for-profit malware developers as “an industry that should not exist.” He made the comments in an interview with the Guardian after the first revelations from the Pegasus project, a journalistic investigation by a consortium of international media organizations into the NSO Group and its clients. […] Snowden said the consortium’s findings illustrated how commercial malware had made it possible for repressive regimes to place vastly more people under the most invasive types of surveillance. For traditional police operations to plant bugs or wiretap a suspect’s phone, law enforcement would need to “break into somebody’s house, or go to their car, or go to their office, and we’d like to think they’ll probably get a warrant,” he said. But commercial spyware made it cost-efficient for targeted surveillance against vastly more people. “If they can do the same thing from a distance, with little cost and no risk, they begin to do it all the time, against everyone who’s even marginally of interest,” he said. “If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.”

Part of the problem arose from the fact that different people’s mobile phones were functionally identical to one another, he said. “When we’re talking about something like an iPhone, they’re all running the same software around the world. So if they find a way to hack one iPhone, they’ve found a way to hack all of them.” He compared companies commercializing vulnerabilities in widely used mobile phone models to an industry of “infectioneers” deliberately trying to develop new strains of disease. “It’s like an industry where the only thing they did was create custom variants of Covid to dodge vaccines,” he said. “Their only products are infection vectors. They’re not security products. They’re not providing any kind of protection, any kind of prophylactic. They don’t make vaccines — the only thing they sell is the virus.”

Snowden said commercial malware such as Pegasus was so powerful that ordinary people could in effect do nothing to stop it. Asked how people could protect themselves, he said: “What can people do to protect themselves from nuclear weapons? “There are certain industries, certain sectors, from which there is no protection, and that’s why we try to limit the proliferation of these technologies. We don’t allow a commercial market in nuclear weapons.” He said the only viable solution to the threat of commercial malware was an international moratorium on its sale. “What the Pegasus project reveals is the NSO Group is really representative of a new malware market, where this is a for-profit business,” he said. “The only reason NSO is doing this is not to save the world, it’s to make money.” He said a global ban on the trade in infection vectors would prevent commercial abuse of vulnerabilities in mobile phones, while still allowing researchers to identify and fix them. “The solution here for ordinary people is to work collectively. This is not a problem that we want to try and solve individually, because it’s you versus a billion dollar company,” he said. “If you want to protect yourself you have to change the game, and the way we do that is by ending this trade.”

456

Despite the Hype, iPhone Security No Match For NSO Spyware

The text delivered last month to the iPhone 11 of Claude Mangin, the French wife of a political activist jailed in Morocco, made no sound. It produced no image. It offered no warning of any kind as an iMessage from somebody she didn’t know delivered malware directly onto her phone — and past Apple’s security systems. Once inside, the spyware, produced by Israel’s NSO Group and licensed to one of its government clients, went to work, according to a forensic examination of her device by Amnesty International’s Security Lab. It found that between October and June, her phone was hacked multiple times with Pegasus, NSO’s signature surveillance tool, during a time when she was in France. The examination was unable to reveal what was collected. But the potential was vast: Pegasus can collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings and browsing histories, according to security researchers and NSO marketing materials.

The spyware can activate cameras or microphones to capture fresh images and recordings. It can listen to calls and voice mails. It can collect location logs of where a user has been and also determine where that user is now, along with data indicating whether the person is stationary or, if moving, in which direction. And all of this can happen without a user even touching her phone or knowing she has received a mysterious message from an unfamiliar person — in Mangin’s case, a Gmail user going by the name “linakeller2203.” These kinds of “zero-click” attacks, as they are called within the surveillance industry, can work on even the newest generations of iPhones, after years of effort in which Apple attempted to close the door against unauthorized surveillance — and built marketing campaigns on assertions that it offers better privacy and security than rivals.

[…] Researchers have documented iPhone infections with Pegasus dozens of times in recent years, challenging Apple’s reputation for superior security when compared with its leading rivals, which run Android operating systems by Google. The months-long investigation by The Post and its partners found more evidence to fuel that debate. Amnesty’s Security Lab examined 67 smartphones whose numbers were on the Forbidden Stories list and found forensic evidence of Pegasus infections or attempts at infections in 37. Of those, 34 were iPhones — 23 that showed signs of a successful Pegasus infection and 11 that showed signs of attempted infection.

457

With Israel’s Encouragement, NSO Sold Spyware to UAE and Other Gulf States

The Israeli spyware firm has signed contracts with Bahrain, Oman and Saudi Arabia. Despite its claims, NSO exercises little control over use of its software, which dictatorships can use to monitor dissidents.

The Israeli firm NSO Group Technologies, whose software is used to hack into cellphones, has in the past few years sold its Pegasus spyware for hundreds of millions of dollars to the United Arab Emirates and other Persian Gulf States, where it has been used to monitor anti-regime activists, with the encouragement and the official mediation of the Israeli government.

NSO is one of the most active Israeli companies in the Gulf, and its Pegasus 3 software permits law enforcement authorities to hack into cellphones, copy their contents and sometimes even to control their camera and audio recording capabilities. The company’s vulnerability researchers work to identify security threats and can hack into mobile devices independently (without the aid of an unsuspecting user, who, for example, clicks on a link).

551