- NSO Group faces legal action in Washington over allegations that its software has been used to hack government officials and dissidents.
- A mysterious fake image file, accidentally left behind by the spyware, tipped off security researchers.
- The discovery amounted to a hacking blueprint and led Apple Inc to notify thousands of other victims of state-sponsored hacking around the world.
WASHINGTON: A single activist helped turn the tide against NSO Group, one of the world’s most advanced spyware companies, which now faces a cascade of legal action and criticism in Washington over new allegations that its software has been used to target government officials and dissidents around the world.
It all started with a software problem on her iPhone.
An unusual flaw in NSO’s spyware allowed Saudi women’s rights activist Loujain al-Hathloul and privacy researchers to uncover a wealth of evidence pointing to the Israeli spyware maker as having helped hack her iPhone, according to six people involved in the incident. A mysterious fake image file on her phone, accidentally left behind by the spyware, tipped off security researchers.
The discovery on al-Hathloul’s phone last year sparked a storm of legal and government action that has placed the NSO on the defensive. How the hack was initially discovered is reported here for the first time.
Al-Hathloul, one of Saudi Arabia’s most prominent activists, is known for helping lead the campaign to end the ban on women driving in Saudi Arabia. She was released in February 2021 after nearly three years in prison on charges of harming national security.
Shortly after her release from prison, the activist received an email from Google warning her that state-backed hackers had attempted to break into her Gmail account. Fearing that her iPhone had also been hacked, al-Hathloul contacted the Canadian privacy rights group Citizen Lab and asked it to examine her device for evidence, three people close to al-Hathloul told Reuters.
After six months of digging through her iPhone records, Citizen Lab researcher Bill Marczak made what he described as an unprecedented discovery: a malfunction in the surveillance software implanted on her phone had left a copy of the malicious image file behind instead of deleting itself after stealing its target’s messages.
He said the finding, computer code left behind by the attack, provided direct evidence that NSO built the spy tool.
“It was a game changer,” Marczak said. “We caught something that the company thought was out of reach.”
The discovery amounted to a hacking blueprint and prompted Apple Inc to notify thousands of other victims of state-sponsored hacking around the world, according to four people with direct knowledge of the incident.
The find by Citizen Lab and al-Hathloul formed the basis for Apple’s November 2021 lawsuit against NSO and also reverberated in Washington, where US officials learned that NSO’s cyber weapon had been used to spy on US diplomats.
In recent years, the spyware industry has seen explosive growth as governments around the world buy phone hacking software that enables the kind of digital surveillance once reserved for just a few elite intelligence agencies.
Over the past year, a series of revelations from journalists and activists, including the international journalism partnership Pegasus Project, has linked the spyware industry to human rights abuses, leading to more critical scrutiny of NSO and its peers.
But security researchers say al-Hathloul’s discovery was the first to provide a blueprint for a powerful new form of cyber-espionage, a hacking tool that penetrates devices without any user interaction, and provided the most concrete evidence yet of the weapon’s reach.
In a statement, an NSO spokesperson said the company does not use the hacking tools it sells — “government, law enforcement and intelligence agencies do.” The spokesperson did not answer questions about whether its software was used to attack al-Hathloul or other activists.
But the spokesperson said the organizations making these claims were “political opponents of cyber intelligence” and suggested some of the allegations were “contractually and technologically impossible”. The spokesperson declined to provide details, citing confidentiality agreements with customers.
Without going into details, the company said it had an established procedure to investigate alleged misuse of its products and cut off customers over human rights issues.
Discovering the blueprint
Al-Hathloul had good reason to be suspicious – it wasn’t the first time she had been watched.
A 2019 Reuters investigation revealed that in 2017 she was targeted by a team of US mercenaries who were monitoring dissidents on behalf of the United Arab Emirates as part of a secret program called Project Raven, which categorized her as a “national security threat” and hacked her iPhone.
She was arrested and imprisoned in Saudi Arabia for nearly three years, where her family says she was tortured and interrogated using information stolen from her device. Al-Hathloul was released in February 2021 and is currently banned from leaving the country.
Reuters has no evidence that NSO was involved in that earlier hack.
Al-Hathloul’s experience with surveillance and captivity made her determined to gather evidence that could be used against those wielding these tools, her sister Lina al-Hathloul said. “She feels she has a responsibility to continue this fight because she knows she can change things.”
The type of spyware that Citizen Lab discovered on al-Hathloul’s iPhone is known as a “zero click,” meaning the user can be infected without ever clicking a malicious link.
Zero-click malware usually removes itself after infecting a device, leaving researchers and tech companies with no sample of the weapon to study. That can make collecting hard evidence of iPhone hacks nearly impossible, security researchers say.
But this time it was different.
The software flaw left a copy of the spyware on al-Hathloul’s iPhone, giving Marczak and his team a virtual blueprint of the attack and evidence of who had built it.
“Here we had the shell casing from the crime scene,” he said.
Marczak and his team found that the spyware worked in part by sending photo files to al-Hathloul via an invisible text message.
The image files tricked the iPhone into granting access to its entire memory, bypassing its security protections and allowing the installation of spyware that would steal the user’s messages.
The Citizen Lab discovery provided solid evidence that the cyberweapon was built by NSO, said Marczak, whose analysis was confirmed by researchers from Amnesty International and Apple, according to three people with direct knowledge of the situation.
The spyware found on al-Hathloul’s device contained code showing that it communicated with servers Citizen Lab had previously identified as controlled by NSO, Marczak said. Citizen Lab named this new iPhone hacking method “ForcedEntry”. The researchers delivered the sample to Apple last September.
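The two pieces of evidence described above, a leftover attachment that is not what its name claims and code that points at previously attributed servers, are the kind of artifact an analyst looks for when triaging files recovered from a phone. The script below is an added example, not code from Reuters, Citizen Lab or Apple: it checks each recovered attachment's extension against the file's magic bytes and scans its raw bytes for domains on an indicator list. The sample files, the magic-number table and the domain list are constructed for illustration (the domains are hypothetical names, not real NSO infrastructure), and nothing here reproduces the actual ForcedEntry payload.

```python
"""
Added example: triage of attachments recovered from a phone backup.
Flags (1) files whose extension claims an image format but whose leading
bytes do not match that format's magic number, and (2) files whose raw
bytes contain a domain on a known-bad list. All inputs are constructed.
"""
from __future__ import annotations

import re

# Magic numbers for image formats a messaging client commonly accepts.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Constructed indicator list. A real one would come from the analyst's own
# prior attribution work; these are hypothetical names, not real infrastructure.
KNOWN_BAD_DOMAINS = {"example-c2.test", "cdn.example-c2.test"}

# Loose domain pattern: one or more labels, each followed by a dot, then a TLD.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def magic_mismatch(name: str, data: bytes) -> bool:
    """True if the name claims a known image type but the bytes disagree."""
    ext = extension_of(name)
    if ext not in MAGIC:
        return False  # unknown extension: nothing to compare against
    return not any(data.startswith(m) for m in MAGIC[ext])


def suspicious_domains(data: bytes) -> set[str]:
    """Domains present in the raw bytes that are on the known-bad list."""
    found = {
        m.group(0).decode("ascii", "replace").lower()
        for m in DOMAIN_RE.finditer(data)
    }
    return found & KNOWN_BAD_DOMAINS


def triage(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Return (filename, reason) findings for every file that trips a check."""
    findings: list[tuple[str, str]] = []
    for name, data in files.items():
        if magic_mismatch(name, data):
            findings.append((name, "extension/magic mismatch"))
        for domain in sorted(suspicious_domains(data)):
            findings.append((name, f"references known-bad domain {domain}"))
    return findings


# Constructed sample inventory: two benign images, one file that claims to be
# a GIF but carries a different header, and one PNG embedding a listed domain.
SAMPLE_FILES = {
    "IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "sticker.gif": b"GIF89a" + b"\x00" * 16,
    "attachment.gif": b"%PDF-1.7\n...",
    "leftover.png": b"\x89PNG\r\n\x1a\n" + b"...https://cdn.example-c2.test/x...",
}

if __name__ == "__main__":
    for name, why in triage(SAMPLE_FILES):
        print(f"{name}: {why}")
```

A mismatch between a file's declared type and its contents is a cheap first filter, not proof of compromise; the value of the leftover sample in the article was that it could then be analysed in full and tied to infrastructure the researchers had already attributed.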
With a blueprint of the attack in hand, Apple was able to fix the critical vulnerability and to notify thousands of other iPhone users who had been targeted by NSO software, warning them that they had been targeted “by state-sponsored attackers”.
It was the first time that Apple took this step.
While Apple determined that the vast majority had been targeted by the NSO tool, security researchers also discovered spy software from a second Israeli vendor, QuaDream, that exploited the same iPhone vulnerability, Reuters reported earlier this month. QuaDream has not responded to repeated requests for comment.
The victims ranged from dissidents critical of the Thai government to human rights activists in El Salvador.
Citing the findings from al-Hathloul’s phone, Apple sued NSO in federal court in November, alleging the spyware maker had violated U.S. laws by building products designed “to target, attack, and harm Apple users, Apple products, and Apple.” Apple credited Citizen Lab for providing “technical information” used as evidence in the lawsuit, but did not reveal that it was originally obtained from al-Hathloul’s iPhone.
NSO said its tools have helped law enforcement and saved “thousands of lives.” The company said some allegations attributed to NSO software were not credible, but declined to comment on specific claims citing confidentiality agreements with its customers.
Among those Apple warned were at least nine US State Department employees in Uganda who had been targeted by NSO software, according to people familiar with the matter, sparking a new wave of criticism of the company in Washington.
In November, the US Department of Commerce added NSO to its trade blacklist, restricting US companies from selling products to the Israeli firm and threatening its supply chain.
The Commerce Department said the move was based on evidence that the NSO’s spyware was being used to target “journalists, businessmen, activists, academics and embassy employees.”
In December, Democratic Senator Ron Wyden and 17 other lawmakers called on the Treasury Department to punish the NSO Group and three other foreign surveillance companies they say have helped authoritarian governments commit human rights abuses.
“When the public saw US government figures being hacked, the needle was clearly in motion,” Wyden told Reuters in an interview, referring to the targeting of US officials in Uganda.
Loujain’s sister Lina al-Hathloul said the financial blows to NSO may be the only thing deterring the spyware industry. “It hit them where it hurts,” she said.