A single activist helped turn the tide against NSO Group, one of the world’s most sophisticated spyware companies, which is now facing a cascade of lawsuits and scrutiny in Washington over damaging new allegations that its software was used to hack government officials and dissidents around the world.
It all started with a software glitch on her iPhone.
An unusual bug in NSO spyware allowed Saudi women’s rights activist Loujain al-Hathloul and privacy researchers to discover a wealth of evidence that the Israeli spyware maker had helped hack her iPhone, according to six people involved in the incident. A mysterious fake image file on her phone, left behind by the spyware by mistake, alerted security researchers.
The discovery on al-Hathloul’s phone last year sparked a flurry of legal and government action that put NSO on the defensive. How the hack was originally uncovered is reported here for the first time.
Al-Hathloul, one of Saudi Arabia’s most prominent activists, is known for helping to lead the campaign to end Saudi Arabia’s ban on women driving. She was released from prison in February 2021, having been jailed on charges of damaging national security.
Shortly after her release from prison, the activist received an email from Google warning her that state-backed hackers were trying to break into her Gmail account. Fearing that her iPhone had also been hacked, al-Hathloul contacted Canadian privacy rights group Citizen Lab and asked them to check her device for evidence, three people close to al-Hathloul told Reuters.
After six months of digging through her iPhone records, Citizen Lab researcher Bill Marczak made what he called an unprecedented discovery: a glitch in the surveillance software implanted on her phone had left a copy of the malicious image file on the device, rather than deleting it after stealing the target’s messages.
He said the find, the computer code left over from the attack, provided direct evidence that NSO had built the spy tool.
“It was a game changer,” Marczak said. “We caught what the company thought was elusive.”
The discovery amounted to a blueprint of the hacking method and prompted Apple to notify thousands of other victims of state-backed hacking around the world, according to four people with direct knowledge of the incident.
The finding by Citizen Lab and al-Hathloul was the basis for Apple’s November 2021 lawsuit against NSO, and it also caused a stir in Washington, where US officials learned that NSO’s cyberweapons had been used to spy on American diplomats.
The spyware industry has exploded in recent years as governments around the world buy phone hacking software that enables digital surveillance once reserved for a few elite intelligence agencies.
Over the past year, a number of revelations by journalists and activists, including the international journalism collaboration Pegasus Project, have linked the spyware industry to human rights violations, leading to more scrutiny of the NSO and its peers.
But security researchers say al-Hathloul’s discovery was the first to provide the blueprint for a powerful new form of cyber-espionage, a hacking tool that infiltrates devices without any user interaction, and the most concrete evidence to date of the weapon’s reach.
An NSO spokesperson said in a statement that the company does not operate the hacking tools it sells — “the government, law enforcement and intelligence agencies do.” The spokesperson did not respond to questions about whether its software was used to attack al-Hathloul or other activists.
But the spokesperson said the organizations making the claims were “political opponents of cyber intelligence” and suggested that some of the claims were “contractually and technologically impossible.” The representative declined to provide details, citing confidentiality agreements with clients.
Without going into detail, the company said it has an established procedure for investigating alleged misuse of its products and has cut off customers over human rights concerns.
Al-Hathloul had good reason to be suspicious: this was not the first time she had been spied on.
A 2019 Reuters investigation revealed that in 2017 she was targeted by a group of American mercenary hackers who were tracking dissidents on behalf of the United Arab Emirates in a secret program called Project Raven, which classified her as a “national security threat” and hacked into her iPhone.
She was arrested and imprisoned in Saudi Arabia for almost three years, where, according to her family, she was tortured and interrogated using information stolen from her device. Al-Hathloul was released in February 2021 and is currently barred from leaving the country.
Reuters has no evidence that the NSO was involved in this earlier hack.
According to her sister Lina al-Hathloul, the experience of surveillance and imprisonment led al-Hathloul to gather evidence that could be used against those who wield these tools. “She feels she has a responsibility to continue this fight because she knows she can make a difference.”
The type of spyware Citizen Lab found on al-Hathloul’s iPhone is known as “zero-click”: it can infect a device without the user ever clicking on a malicious link.
Zero-click malware typically deletes itself after infecting a user, leaving researchers and tech companies without a sample of the weapon to study. That can make it nearly impossible to gather hard evidence that an iPhone has been hacked, security researchers say.
But this time it was different.
A software glitch left a copy of the spyware hidden on al-Hathloul’s iPhone, allowing Marczak and his team to obtain a virtual blueprint of the attack and proof of who orchestrated it.
“Here we had a shell casing from the crime scene,” he said.
Marczak and his team found that the spyware worked in part by sending image files to al-Hathloul via an invisible text message.
The image files tricked the iPhone into giving access to its entire memory, bypassing its security protections and allowing spyware to be installed that could steal the user’s messages.
The Citizen Lab discovery provided strong evidence that the cyberweapon was built by NSO, said Marczak, whose analysis was confirmed by researchers from Amnesty International and Apple, according to three people with direct knowledge of the situation.
According to Marczak, the spyware found on al-Hathloul’s device contained code showing it was communicating with servers that Citizen Lab had previously identified as being controlled by NSO. Citizen Lab named this new iPhone hacking method “ForcedEntry”. The researchers provided the sample to Apple last September.
Having the blueprint of the attack allowed Apple to fix the critical vulnerability and prompted it to notify thousands of other iPhone users who had been targeted with NSO software, warning them that they were being targeted by “government-sponsored attackers.”
It was the first time Apple took this step.
While Apple determined that the vast majority of those notified had been attacked with the NSO tool, security researchers also found that spyware from a second Israeli vendor, QuaDream, exploited the same iPhone vulnerability, Reuters reported earlier this month. QuaDream did not respond to repeated requests for comment.
The victims ranged from dissidents critical of the Thai government to human rights activists in El Salvador.
Citing findings from al-Hathloul’s phone, Apple filed a lawsuit against NSO in federal court in November, alleging that the spyware maker violated U.S. laws by creating products designed “to target, attack, and harm Apple users, Apple products, and Apple”. Apple credited Citizen Lab with providing the “technical information” used as evidence in the lawsuit, but did not say it was originally obtained from al-Hathloul’s iPhone.
NSO said its tools have helped law enforcement and saved “thousands of lives”. The company said some of the allegations attributed to NSO software were not credible, but declined to elaborate on specific claims, citing confidentiality agreements with its customers.
Among those alerted by Apple were at least nine US State Department employees in Uganda who, according to people familiar with the matter, were attacked with NSO software, sparking renewed criticism of the company in Washington.
In November, the US Department of Commerce placed NSO on a trade blacklist, restricting US companies from selling software products to the Israeli firm and jeopardizing its supply chain.
The Commerce Department said the action was based on evidence that NSO spyware was being used to target “journalists, businessmen, activists, academics and embassy officials.”
In December, Democratic Senator Ron Wyden and 17 other lawmakers called on the Treasury Department to impose sanctions on NSO Group and three other foreign surveillance companies that they say helped authoritarian governments commit human rights abuses.
“When the public saw that you had US government officials hacked, it clearly got off the ground,” Wyden said in an interview with Reuters, referring to the attacks on US officials in Uganda.
Lina al-Hathloul, Loujain’s sister, said that financial blows to NSO may be the only thing that can rein in the spyware industry. “They hit where it hurts the most,” she said.
© Thomson Reuters 2022