A single activist helped turn the tide against the NSO Group, one of the world’s most sophisticated spyware companies, now facing a cascade of legal action and scrutiny in Washington over damaging new allegations that its software was used to hack government officials and dissidents around the world.
It all started with a software glitch on your iPhone.
An unusual bug in NSO’s spyware allowed Saudi women’s rights activist Loujain al-Hathloul and privacy researchers to uncover a slew of evidence suggesting the Israeli spyware maker helped hack her iPhone, according to six people involved in the incident. . A mysterious fake image file inside your phone, left by spyware by mistake, has alerted security researchers.
The discovery on al-Hathloul’s phone last year set off a storm of legal and government action that put the NSO on the defensive. How the hack was initially discovered is reported here for the first time.
Al-Hathloul, one of Saudi Arabia’s most prominent activists, is known for helping to lead a campaign to end the ban on women drivers in Saudi Arabia. She was released from prison in February 2021 on charges of harming national security.
Shortly after her release from prison, the activist received an email from Google warning that state-backed hackers had tried to break into her Gmail account. Fearing that her iPhone had also been hacked, al-Hathloul contacted Canadian privacy rights group Citizen Lab and asked them to investigate her device for evidence, three people close to al-Hathloul told Reuters.
After six months of digging through his iPhone logs, Citizen Lab researcher Bill Marczak made what he described as an unprecedented discovery: a glitch in surveillance software implanted in his phone left a copy of the malicious image file, rather to delete himself, after stealing his target’s messages.
He said the discovery, the computer code left behind by the attack, provided direct evidence that the NSO built the spy tool.
“It was a game-changer,” Marczak said, “we took something that the company thought was unattainable.”
The discovery represented a hacking plot and prompted Apple to notify thousands of other victims of state-backed hacking around the world, according to four people with direct knowledge of the incident.
The Citizen Lab and al-Hathloul discovery provided the basis for Apple’s November 2021 lawsuit against the NSO and also had repercussions in Washington, where US officials learned that the NSO’s cyberweapon was used to spy on American diplomats.
In recent years, the spyware industry has seen explosive growth as governments around the world buy phone hacking software that enables the kind of digital surveillance that was once the preserve of only a few elite intelligence agencies.
In the past year, a series of revelations by journalists and activists, including the international journalism collaboration Pegasus Project, has linked the spyware industry to human rights violations, fueling greater scrutiny from the NSO and its peers.
But security researchers say al-Hathloul’s discovery was the first to provide a model of a powerful new form of cyberespionage, a hacking tool that penetrates devices without any user interaction, providing the most concrete evidence to date. weapon range. .
In a statement, an NSO spokesperson said the company does not operate the hacking tools it sells — “the government, law enforcement agencies and intelligence agencies do.” The spokesperson did not respond to questions about whether his software was used to target al-Hathloul or other activists.
But the spokesperson said the organizations making these claims were “political opponents of cyber intelligence” and suggested that some of the claims were “contractually and technologically impossible.” The spokesperson declined to provide details, citing client confidentiality agreements.
Without going into details, the company said it had a procedure in place to investigate alleged misuse of its products and had cut off customers over human rights concerns.
discovering the plan
Al-Hathloul had good reason to be suspicious – it wasn’t the first time she was being watched.
A 2019 Reuters investigation revealed that she was targeted in 2017 by a team of U.S. mercenaries who were keeping tabs on dissidents on behalf of the UAE under a secret program called Project Raven, which categorized her as a “threat to national security” and invaded. your iPhone. .
She was arrested and imprisoned in Saudi Arabia for nearly three years, where her family says she was tortured and interrogated using information stolen from her device. Al-Hathloul was released in February 2021 and is currently banned from leaving the country.
Reuters has no evidence that NSO was involved in this earlier hack.
Al-Hathloul’s surveillance and arrest experience made her determined to gather evidence that could be used against those wielding these tools, said her sister Lina al-Hathloul. “She feels like she has a responsibility to continue this fight because she knows she can turn things around.”
The type of spyware that Citizen Lab discovered on al-Hathloul’s iPhone is known as “zero-click,” meaning the user can be infected without ever clicking a malicious link.
Zero-click malware often deletes itself upon infecting a user, leaving researchers and tech companies without a sample of the weapon to study. That can make gathering hard evidence of iPhone hacks nearly impossible, security researchers say.
But this time it was different.
The software flaw left a copy of the spyware hidden on al-Hathloul’s iPhone, allowing Marczak and his team to obtain a virtual plan of the attack and evidence of whoever built it.
“Here we had the crime scene capsule,” he said.
Marczak and his team discovered that the spyware worked in part by sending image files to al-Hathloul via an invisible text message.
The image files tricked the iPhone into giving it access to all of its memory, bypassing security and allowing the installation of spyware that would steal a user’s messages.
The Citizen Lab discovery provided solid evidence that the cyber weapon was built by the NSO, said Marczak, whose analysis has been confirmed by researchers at Amnesty International and Apple, according to three people with direct knowledge of the situation.
The spyware found on al-Hathloul’s device contained code that showed it was communicating with Citizen Lab servers previously identified as being controlled by the NSO, Marczak said. Citizen Lab named this new iPhone hacking method as “ForcedEntry”. The researchers then provided the sample to Apple last September.
Having a plan of the attack in hand allowed Apple to patch the critical vulnerability and prompted them to notify thousands of other iPhone users who had been targeted by the NSO software, warning them that they had been targeted by “state-sponsored attackers”.
It was the first time Apple had taken this step.
While Apple determined that the vast majority were targeted by the NSO tool, security researchers also found that spy software from a second Israeli vendor QuaDream took advantage of the same vulnerability as the iPhone, Reuters reported earlier this month. QuaDream did not respond to repeated requests for comment.
Victims ranged from dissidents critical of the Thai government to human rights activists in El Salvador.
Citing findings obtained from al-Hathloul’s phone, Apple sued NSO in November in federal court alleging that the spyware maker violated US law by creating products designed “to target, attack and harm Apple users, Apple products and Apple and Apple”. Apple credited Citizen Lab with providing “technical information” used as evidence for the lawsuit, but did not reveal that it was originally obtained from al-Hathloul’s iPhone.
The NSO said its tools helped law enforcement and saved “thousands of lives”. The company said some of the claims attributed to NSO’s software were unreliable, but declined to elaborate on specific allegations citing confidentiality agreements with its customers.
Among those Apple alerted were at least nine US State Department officials in Uganda who were targeted by NSO software, according to people familiar with the matter, sparking a new wave of criticism against the company in Washington.
In November, the US Department of Commerce placed NSO on a trade blacklist, restricting US companies from selling the Israeli company’s software products, threatening its supply chain.
The Commerce Department said the action was based on evidence that the NSO spyware was used to target “journalists, business people, activists, academics and embassy officials”.
In December, Democratic Senator Ron Wyden and 17 other lawmakers urged the Treasury Department to sanction the NSO Group and three other foreign surveillance companies that they say have helped authoritarian governments commit human rights abuses.
“When the public saw that you had US government figures being hacked, that clearly changed the needle,” Wyden told Reuters in an interview, referring to the attack on US officials in Uganda.
Lina al-Hathloul, Loujain’s sister, said the financial blows to the NSO may be the only thing that can stop the spyware industry. “It hit them where it hurts,” she said.
© Thomson Reuters 2022