Apple Sues Israeli Spyware Maker NSO Group Over Pegasus Attacks

In a statement, the company also praised the efforts of Citizen Lab and Amnesty “for their groundbreaking work to identify cyber surveillance abuses and help protect victims”.

New Delhi: Apple on Tuesday announced that it had filed a lawsuit against Israel’s NSO Group and its parent company to hold them accountable for what it calls the “surveillance and targeting” of Apple’s users.

The case, filed in a Northern California court, provides new information on how the NSO Group appears to have infected the devices of victims with its flagship Pegasus spyware.

“To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices,” the company said in a statement.

Apple’s move comes weeks after the United States government placed NSO Group on a federal trade blacklist. The Biden administration determined that NSO’s phone hacking tools had been used by foreign governments to “maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”

The lawsuit also comes a few months after a consortium of international media organisations — including The Wire — revealed that Pegasus had likely been abused in thousands of cases spread across ten countries.

The consortium, called the ‘Pegasus Project’, was supported by forensic analysis conducted by Amnesty International’s Security Lab, the methodology of which was peer-reviewed by the University of Toronto’s Citizen Lab.

Both organisations were praised specifically by Apple in its statement put out on Tuesday.

“Apple commends groups like the Citizen Lab and Amnesty Tech for their groundbreaking work to identify cyber surveillance abuses and help protect victims. To further strengthen efforts like these, Apple will be contributing $10 million, as well as any damages from the lawsuit, to organizations pursuing cybersurveillance research and advocacy,” the company’s statement noted.

“Apple will also support the accomplished researchers at the Citizen Lab with pro-bono technical, threat intelligence, and engineering assistance to aid their independent research mission, and where appropriate, will offer the same assistance to other organizations doing critical work in this space.”

Experts have described Pegasus as sophisticated, military-grade surveillance technology that allows the operator unlimited access to a victim’s device — everything from private conversations to even the ability to hijack a smartphone’s camera.

The NSO Group maintains that it sells this software only to “vetted” government clients across the world. In July 2021, as part of the Pegasus Project, The Wire revealed that the verified numbers of over 300 Indians were on a leaked list of potential Pegasus targets.

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering.

Exploit discovered by Citizen Lab

Apple’s legal complaint centres around the NSO Group’s ‘FORCEDENTRY’, the name for an exploit for a now-patched vulnerability previously used to break into a victim’s Apple device.

This exploit was discovered first by Citizen Lab.

“To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge. Though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks,” the company said.

“Apple is notifying the small number of users that it discovered may have been targeted by FORCEDENTRY. Any time Apple discovers activity consistent with a state-sponsored spyware attack, Apple will notify the affected users in accordance with industry best practices.”

Author: Anuj Srivas

Anuj Srivas is Business Editor at The Wire, where he writes and analyses issues at the intersection of technology and business. He can be reached at anuj@cms.thewire.in and on Twitter at @AnujSrivas.