A single activist helped turn the tide against NSO Group, one of the world’s most sophisticated spyware companies, which is now facing a barrage of legal action and scrutiny in Washington as a result of damaging new allegations that its software was used to hack government officials and dissidents all over the world.
It all started with a bug in her iPhone’s software.
According to six people engaged in the event, a unique flaw in NSO’s spyware allowed Saudi women’s rights activist Loujain al-Hathloul and privacy researchers to unearth a plethora of evidence suggesting the Israeli spyware company had helped hack her iPhone. Security researchers were alerted by a weird phony image file left behind by the spyware on her phone.
Last year’s discovery on al- Hathloul’s phone sparked a barrage of legal and government action, putting NSO on the defensive. For the first time, the method through which the hack was discovered is detailed.
One of Saudi Arabia’s most notable campaigners, Al-Hathloul, is known for leading a campaign to overturn the country’s prohibition on women driving. In February 2021, she was released from prison on allegations of endangering national security.
The activist received an email from Google shortly after her release from prison, informing her that state-sponsored hackers had attempted to break into her Gmail account. Al-Hathloul called the Canadian privacy rights group Citizen Lab, fearful that her iPhone had also been hacked, and urged them to investigate her device for proof, according to three people close to al-Hathloul.
After six months of sifting through her iPhone data, Citizen Lab researcher Bill Marczak uncovered a “unique” discovery: after stealing the communications of its target, the surveillance program placed on her phone had left a duplicate of the malicious picture file rather than erasing it.
According to him, the discovery of computer code left behind by the hack gave direct evidence that NSO created the spying tool.
“It was a game-changer,” Marczak remarked. “We caught something the company thought was impossible to catch.”
According to four people with direct knowledge of the incident, the revelation amounted to a hacker blueprint, prompting Apple Inc to warn thousands of additional state-backed hacking victims throughout the world.
The findings of Citizen Lab and al-Hathloul were the basis for Apple’s lawsuit against NSO in November 2021, and they echoed in Washington, where US officials learned that NSO’s cyberweapon was used to eavesdrop on American diplomats.
The spyware market has seen tremendous expansion in recent years as governments throughout the world purchase phone hacking software that enables the kind of digital surveillance that was previously only available to a few elite intelligence services.
A succession of discoveries by journalists and activists, including the international media cooperation Pegasus Project, have linked the spyware sector to human rights breaches over the last year, prompting increased scrutiny of NSO and its competitors.
However, security experts claim that the al-Hathloul discovery was the first to reveal a blueprint for a powerful new kind of cyberespionage, a hacking tool that enters devices without requiring human involvement, providing the most concrete evidence of the weapon’s scope.
An NSO spokeswoman said in a statement that the business does not operate the hacking tools it offers, instead of relying on “government, law enforcement, and intelligence organizations.” When asked if their software was used to target al-Hathloul or other activists, the representative declined to comment.
The organizations making those claims, however, are “political opponents of cyber intelligence,” according to the spokesperson, who also argues that some of the allegations are “contractually and technologically unfeasible.” Client confidentiality restrictions were cited as a reason for the spokesperson’s refusal to share specifics.
Without going into detail, the company stated that it had a mechanism in place to evaluate alleged product misuse and that it had cut off clients due to human rights concerns.
THE BLUEPRINT’S DECLARATION
It wasn’t the first time Al-Hathloul had been monitored, so she had reason to be cautious.
According to a 2019 reporters investigation, she was targeted in 2017 by a group of American mercenaries who surveilled dissidents on behalf of the United Arab Emirates under a secret program known as Project Raven, which classified her as a “national security threat” and hacked into her iPhone.
She was detained and imprisoned in Saudi Arabia for nearly three years, according to her relatives, where she was tortured and interrogated using information seized from her phone. Al-Hathloul was freed in February 2021, although he is still barred from leaving the country.
According to reporters, there is no evidence that NSO was engaged in the previous breach.
According to her sister Lina al-Hathloul, al-experience Hathloul’s with monitoring and jail made her resolve to acquire evidence that may be used against those who utilize these technologies. “She believes she owes it to herself to keep fighting because she thinks she can make a difference.”
Citizen Lab discovered “zero-click” spyware on al-iPhone, Hathloul’s which means the user can be infected without ever clicking on a malicious link.
When zero-click malware infects a user, it frequently deletes itself, leaving researchers and tech corporations with no sample of the weapon to investigate. According to security experts, this makes acquiring hard evidence of iPhone intrusions very impossible.
This time, however, things were different.
Because of a software flaw, a copy of the spyware was left on al-iPhone, Hathloul’s allowing Marczak and his team to have a virtual blueprint of the attack and proof of who was behind it.
“We have the bullet casing from the crime site right here,” he explained.
The spyware, according to Marczak and his team, worked in part by delivering photo files to al-Hathloul via an undetectable text message.
The picture files fooled the iPhone into giving them full access to its memory, circumventing security, and allowing malware to harvest a user’s communications to be installed.
According to three sources with firsthand knowledge of the matter, the Citizen Lab discovery presented convincing evidence that the cyberweapon was produced by NSO, according to Marczak, whose analysis was corroborated by experts from Amnesty International and Apple.
According to Marczak, the spyware found on al-device Hathloul’s had code that indicated it was connecting with servers previously identified by Citizen Lab as being owned by NSO. This new iPhone hacking approach has been dubbed “ForcedEntry” by Citizen Lab. Last September, the researchers delivered the sample to Apple.
With the attack plan in hand, Apple was able to patch the significant flaw and tell thousands of other iPhone owners who had been targeted by NSO software that they had been targeted by “state-sponsored attackers.”
This was the first time Apple has done so.
While Apple confirmed that NSO’s malware was responsible for the vast majority of the attacks, security experts also revealed that espionage software from a second Israeli vendor, QuaDream, exploited the same iPhone weakness, according to Reuters earlier this month. QuaDream has not responded to demands for comment on multiple occasions.
Dissidents critical of Thailand’s government to human rights campaigners in El Salvador were among the victims.
Apple sued NSO in federal court in November, citing evidence obtained from al-phone, Hathloul’s alleging that the spyware maker had broken US laws by creating products designed “to target, attack, and harm Apple users, Apple products, and Apple.” Apple credited Citizen Lab with providing “technical information” that was used as evidence in the lawsuit but did not say if it came from al-iPhone. Hathloul’s
The National Security Organization claims that its technologies have aided law enforcement and saved “thousands of lives.” Some of the charges attributed to NSO software were not credible, according to the business, but it declined to comment on particular claims due to confidentiality agreements with its clients.
According to those familiar with the situation, Apple informed at least nine US State Department employees in Uganda who were targeted with NSO malware, prompting a new round of outrage against the corporation in Washington.
NSO was placed on a trade blacklist by the US Commerce Department in November, preventing American companies from selling the Israeli firm’s software and jeopardizing its supply chain.
The action was based on evidence that NSO’s spyware was used to target “journalists, businesses, activists, academics, and embassy staff,” according to the Commerce Department.
Senator Ron Wyden of Oregon and 17 other Democrats asked the Treasury Department in December to blacklist NSO Group and three other foreign monitoring firms for allegedly assisting authoritarian governments in human rights violations.
In an interview with reporters, Wyden said, “When the public saw you had U.S. government people getting hacked, that quite clearly pushed the needle.” He was alluding to the targeting of US officials in Uganda.
Loujain’s sister, Lina al-Hathloul, believes the financial blows to NSO may be the only thing that will dissuade the spyware industry. “It touched them right where they were hurting,” she explained.
