The NSO Group and the WhatsApp incident

As reported in May 2019, WhatsApp identified and shortly thereafter fixed a vulnerability that allowed attackers to inject commercial spyware on to phones simply by ringing the number of a target’s device.

Last Oct 29th 2019, WhatsApp was publicly attributing the attack to NSO Group, an Israeli spyware developer that also goes by the name Q Cyber Technologies.

Citizen Lab’s Role

After the incident, Citizen Lab volunteered to help  WhatsApp identify cases where the suspected targets of this attack were  members of civil society, such as human rights defenders and  journalists.

As part of our investigation into the incident, Citizen Lab has  identified over 100 cases of abusive targeting of human rights defenders  and journalists in at least 20 countries across the globe, ranging from  Africa, Asia, Europe, the Middle East, and North America that took  place after Novalpina Capital acquired NSO Group and began an ongoing  public relations campaign to promote the narrative that the new  ownership would curb abuses.

We continue to investigate the incident, and conduct outreach with the  individuals targeted with these attacks to assist them in becoming more  secure, and to better understand the cases.

What is NSO?

NSO Group, which also goes by the name Q Cyber  Technologies, is an Israeli-based company which develops and sells  spyware technology. It is majority owned by Novalpina Capital, a  European private equity firm. For more information on NSO Group, you can  find a summary of key public reporting here.

NSO Group claims it sells its spyware strictly to government clients  only, and all of its exports are undertaken in accordance with Israeli  government export laws and oversight mechanisms. However, the number of  cases in which their technology is used to target members of civil  society continues to grow.

A Multi-Year History of Abuses

Citizen Lab—along with organizations such as R3D, Privacy  International, EFF, and Amnesty International—has closely tracked how  NSO Group’s surveillance technology has been turned against political  dissidents, lawyers, journalists, and human rights defenders. Among the  many companies Citizen Lab has tracked, NSO Group stands out in terms of the reckless abuse of its spyware by government  clients. Although the technology is marketed as a tool to assist  governments in lawful investigations into crime and terrorism, Citizen  Lab has identified dozens of cases where journalists, human rights activists and defenders, lawyers, international investigators, political opposition groups, and other members of civil society have been targeted with its spyware, called “Pegasus.”

What is Pegasus?

NSO Group / Q Cyber Technologies’ flagship spyware, which  is usually branded as Pegasus but which may have other names (including  Q Suite), is among some of the most sophisticated spyware available on  the market and can infiltrate both iOS and Android devices. To monitor a  target, a Pegasus operator uses multiple vectors and tactics,  including zero-day exploits and deception, to penetrate security  features in popular operating systems and silently install Pegasus  without the user’s knowledge or permission.

What Can Pegasus Do?

Once Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s  private data, including passwords, contact lists, calendar events, text  messages, and live voice calls from popular mobile messaging apps. The  operator can even turn on the phone’s camera and microphone to capture  activity in the phone’s vicinity, and use the GPS function to track a  target’s location and movements.

How Do Infections Happen?

The spyware can be placed on phones using multiple vectors, or means of infection. The WhatsApp exploit from May 2019 was one such vector.

Other vectors used in prior cases of NSO targeting include tricking  targets into clicking on a link using social engineering. For example,  in 2017, the wife of a murdered Mexican journalist was sent alarming text messages concerning her husband’s murder,  designed to trick her into clicking on a link and infecting her phone  with the Pegasus spyware. In 2018, a close confidant of Jamal Khashoggi was targeted in Canada with a fake package  notification, resulting in the infection of his iPhone. Citizen Lab has  tracked more than two dozen cases using similar techniques.
There are serious implications of this technology in the killing of Khashoggi.

Not all vectors are publicly known. Once the spyware is implanted, it  provides a C&C server with regular, scheduled updates designed to  avoid extensive bandwidth consumption. Pegasus is designed to be  stealthy and evade forensic analysis, avoid detection by anti-virus  software, and can be deactivated and removed by operators.

Commercial Spyware Abuse: A Global Problem

NSO Group has claimed that it has strict controls over  how its spyware is sold and used, and robust company oversight  mechanisms to prevent abuse. The new majority owner, Novalpina, has pledged to bolster these mechanisms in various ways. However, Citizen Lab  research, and the research of other groups, has consistently presented a  different and more troubling picture of abuse. Citizen Lab and others  have repeatedly raised questions to Novalpina and NSO Group about  whether their public statements about human rights compliance will make a  difference in practice, pointing to inconsistencies and contradictions  in their purported due diligence. NSO Group and Novalpina Capital have  dismissed these questions and concerns.

The WhatsApp incident, and the more than 100 cases of abusive  targeting that are associated with it, clearly verify the serious  concerns Citizen Lab and others have raised. NSO Group spyware is being  sold to government clients without appropriate controls over how it is  employed by those clients. They are, in turn, using NSO’s technology to  hack into the devices of members of civil society, including  journalists, lawyers, political opposition, and human rights  defenders—with potential lethal consequences.

We believe that remedying this problem will not be easy or simple.  It will require a coalition of stakeholders, including governments, the  private sector, and civil society to reign in what is now a “wild west”  of unmitigated abuse. As it stands, NSO Group and other spyware  companies are equipping repressive governments with powerful tools to  spy on those who hold them to account. With powerful surveillance  technology such as this roaming free, there is nowhere to hide and no  one will be safe from those who wish to cause harm. Not acting urgently  on this critical public emergency threatens liberal democracy and human  rights worldwide.

Read the full article at the original website

References:

  • Website