Skip to content
Israeli-based NSO Group is being criticised in a report that alleges that the company’s controversial Pegasus malware is being used to target activists, journalists, business executives & politicians on a widespread level, using a variety of exploits — including a zero-click zero-day in iOS.
This secretive Israeli firm was allegedly storing 50,000+ mobile phone numbers for activists, journalists, business executives & politicians — possible targets of iPhone & Android hacking.
Mobile Phone Numbers
A group of journalists levelled the allegations in a report called Pegasus Project, which was published Sun. It examined leaked data from the NSO Group, which revealed more than 50,000 mobile phone numbers worldwide that the firm was storing, states the report published by the Guardian newspaper.
The report accuses NSO Group of selling its spy tool, Pegasus, to unidentified 3rd-parties, including govts., who then use it to infect the phones of dissidents & other people who may be critical of a given regime. The malware can secretly take remote control of the phone to monitor activity, enabling “customers” to even read encrypted messages of their targets sent via Signal & Telegram.
Media Organisations
“The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016,” according to the Guardian report.
The Guardian, along with 16 additional media organisations, concluded that the NSO Group’s Pegasus malware is in widespread use & used to target more than just criminals & terrorists, as the company insists are the primary & only targets of its spyware.
In a statement issued by the NSO Group, it denies claims made in the Guardian report & those made by the Pegasus Project. It countered the report’s conclusions are based on “uncorroborated theories” that are “based on misleading interpretation of leaked data.”
Amnesty International
Amnesty International found in its report that the spyware is under active development, consistently adding zero-day exploits into the mix, including in iPhone attacks observed as recently as this month.
Those attacks have been effective against the latest version of iOS, & are “zero-click,” meaning that no user interaction or action is required to deliver an infection, according to the report.
“On the iPhone of a French human rights lawyer (CODE FRHRL2), we observed a lookup of a suspicious iMessage account unknown to the victim, followed by an HTTP request performed by the ‘com.apple.coretelephony’ process,” according to Amnesty International.
HTTP Request
“This is a component of iOS involved in all telephony-related tasks & likely among those exploited in this attack. We found traces of this HTTP request in a cache file stored on disk at /private/var/wireless/Library/Caches/com.apple.coretelephony/Cache.db, containing metadata on the request and the response. The phone sent information on the device including the model 9,1 (iPhone 7) and iOS build number 18C66 (version 14.3) to a service fronted by Amazon CloudFront, suggesting NSO Group has switched to using AWS services in recent months.
At the time of this attack, the newer iOS version 14.4 had only been released for a couple of weeks.”
The report added that zero-click attacks have been observed since May 2018; the most recent attack was observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July.
Pegasus Victims
The Paris-based Forbidden Stories and Amnesty International were initially given access to the leaked list of 50,000 phone numbers. The Pegasus Project is careful to point out that the list of phone numbers does not indicate that all of those phones were targeted with an attack.
“The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets that NSO’s govt. clients identified in advance of possible surveillance attempts,” according to the report.
Security Lab
Reporters worked with researchers at Amnesty’s Security Lab to examine 67 phones believed to be targeted with the Pegasus malware. It found that more than half (37) had “traces of Pegasus activity” on them.
Also, forensic analysis of leaked NSO Group data “suggested” the Pegasus spyware was used by Saudi Arabia & the UAE to target phones of people close to murdered Washington Post journalist Jamal Khashoggi in the months after his death.
This suggestion has been totally denied by the company.
In the Headlines
In Oct. 2019, Facebook subsidiary WhatsApp sued NSO Group for creating tools allegedly used by its clients for reading the protected WhatsApp messages of journalists & human rights workers.
NSO Group maintains that its spy tools are meant to help law enforcement fight crime & terror. It has often asserted it is not complicit in any govt.’s misuse of its technology.
Demon Tongue
Meanwhile, a separate report by Citizen Lab published last week revealed that a private company, called variously Candiru, Grindavik, Saito Tech & Taveta (and dubbed “Sourgum” by Microsoft), is selling a malware dubbed Demon Tongue that’s being used for surveillance of dissidents by repressive regimes, even though it says itself that it sells its wares exclusively to govts. to combat terror, similar to the NSO Group.
