Terrifying cyber weapon ‘against which there’s no defense’: Experts on NSO’s spyware
The embattled company’s tech exploits are ‘pretty incredible’ and ‘pretty terrifying,’ say security analysts; users are ‘passive, don’t have to click on anything, have no control’
NSO’s “clever” spyware technology offers a cyber weapon “against which there is no defense” and amounts to “great work, from an engineering perspective,” cybersecurity experts and researchers said this week.
The Israeli company’s flagship spyware, Pegasus, is considered one of the most powerful cyber-surveillance tools available on the market, giving operators the ability to effectively take full control of a target’s phone, download all data from the device, or activate its camera or microphone without the user knowing. The company has once again been making headlines in recent weeks as revelations about the reach of its technology, and the consequences, keep piling up.
In a deep technical dive into how the spyware works, cybersecurity researchers Ian Beer and Samuel Groß said NSO had built “one of the most technically sophisticated exploits we’ve ever seen,” with capabilities they would previously have thought to “be accessible to only a handful of nation states.”
Beer and Groß are security researchers at Google Project Zero, the company’s team tasked with finding zero-day vulnerabilities: flaws in software that are unknown to the vendor and for which no patch yet exists, and which attackers can therefore exploit before defenders have any fix to deploy.
Their analysis specifically covered NSO’s capabilities against iPhones; Apple has since filed a lawsuit against the Herzliya-based company over them. But NSO has similar zero-click capabilities that can also target Android devices, the researchers said.
NSO was offering clients “zero-click exploitation technology” where targets, even very technically savvy ones, are completely unaware they are being targeted, said Beer and Groß. It is essentially a cyber “weapon against which there is no defense,” they added.
“In the zero-click scenario, no user interaction is required, meaning that the attacker doesn’t need to send phishing messages; the exploit just works silently in the background,” Beer and Groß wrote.
The breach begins the moment a target receives a text message, whether they see it or not, in an exploit Beer and Groß called “pretty incredible, and at the same time, pretty terrifying.”
In a zero-click exploit, “the user is totally passive, they don’t have to click on anything, they have no control,” said Gili Moller, the General Manager in Israel of Swiss-headquartered cybersecurity multinational Acronis. The cyber protection company recently opened an innovation center in Israel, where the local industry was one of the top three leading sectors for global investments this year.
Moller told The Times of Israel this week that the exploit, as NSO had designed it, was “great work, from an engineering perspective.” The flaw related to how iMessage, the native messaging platform on iPhones, handled GIF images (the small animated images popular on social media and in meme culture) sent and received over the service. According to the Project Zero analysis, iMessage’s GIF-handling path rendered an incoming attachment according to its actual content rather than its file extension, so a file that merely ended in .gif could be handed to Apple’s PDF parser.
NSO exploited exactly that gap with a “fake GIF”: a PDF file named with a .gif extension and crafted to trigger a memory-corruption bug (an integer overflow) in the JBIG2 image decoder inside the PDF parser when the attachment was processed, giving the attacker code execution on the target’s phone.
Developers at Apple had basically reused code for parsing PDFs first written by Xerox, a practice that is very common, said Moller. NSO’s spyware was able to “hide a code on the pixel level so that when the text message is received, a code is activated and it’s game over in a way.”
“It’s a bit like science fiction. The target did nothing, all they did was receive a message, and the attacker gains full control,” explained Moller.
Finding such vulnerabilities is very difficult, and involves long, hard work, he added.
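The core of the trick described above is that the receiving app trusted the bytes of the attachment, not its name. The following Python script is an added example written for this page; it is not code from the article, from Project Zero or from NSO. It does the check a defender would want on the receiving side: sniff the real format of an attachment from its leading bytes, compare it with what the extension claims, and flag a mismatch such as a PDF arriving as a “.gif”. The magic-byte table is deliberately minimal, the sample attachments are constructed inline (they are not real exploit files), and the extra “PDF contains a /JBIG2Decode stream” rule is a heuristic assumption for illustration, not a detection signature for any real exploit.

```python
"""Added example: sniff attachment content instead of trusting the extension.

Not from the article or Project Zero. The MAGIC table is a minimal assumed
subset of real file signatures; SAMPLES are constructed test inputs; the
JBIG2 rule is an illustrative heuristic, not a signature for a real exploit.
"""
import os
from typing import Dict, List, Optional

# Leading-byte signatures for the formats this demo cares about (assumed subset).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
EXT_ALIASES = {"jpeg": "jpg"}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unrecognised."""
    for fmt, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return fmt
    return None


def declared_format(filename: str) -> Optional[str]:
    """Return the format promised by the file extension, or None if unknown."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = EXT_ALIASES.get(ext, ext)
    return ext if ext in MAGIC else None


def check_attachment(filename: str, data: bytes) -> Dict:
    """Compare declared vs actual format and report anything that looks off.

    Unknown content is treated as suspicious here, which is the conservative
    choice for a messaging gateway; a real deployment would tune this.
    """
    actual = sniff_format(data)
    declared = declared_format(filename)
    findings: List[str] = []
    if actual is None:
        findings.append("unknown format")
    if declared is not None and actual is not None and actual != declared:
        findings.append(f"extension says {declared}, content is {actual}")
    # Heuristic assumption: a PDF carrying a JBIG2-encoded image is unusual in
    # chat traffic. The filter name appears verbatim in the PDF object dictionary.
    if actual == "pdf" and b"/JBIG2Decode" in data:
        findings.append("PDF embeds JBIG2 image stream")
    return {
        "file": filename,
        "declared": declared,
        "actual": actual,
        "suspicious": bool(findings),
        "findings": findings,
    }


# Constructed sample attachments for the demo; none of these is a real file.
SAMPLES = {
    "cat.gif": b"GIF89a" + b"\x00" * 16,
    "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    # A ".gif" whose bytes are actually a tiny PDF skeleton with a JBIG2 image object.
    "funny.gif": (b"%PDF-1.7\n1 0 obj\n<< /Type /XObject /Subtype /Image"
                  b" /Filter /JBIG2Decode >>\nstream\n\x00\x00\nendstream\nendobj\n"),
    "note.bin": b"\x00\x01\x02\x03",
}


def scan_all(samples: Dict[str, bytes] = SAMPLES) -> List[Dict]:
    """Run the check over every sample and return the reports."""
    return [check_attachment(name, blob) for name, blob in samples.items()]


if __name__ == "__main__":
    for r in scan_all():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['file']:<12} declared={r['declared']} actual={r['actual']} "
              f"{flag} {r['findings']}")
```

Running the script reports cat.gif and photo.jpeg as ok, funny.gif as suspicious on two counts (the content is a PDF although the name says GIF, and the PDF carries a JBIG2 stream), and note.bin as suspicious because nothing recognises its content. The point is the order of operations: decide what a file is from its bytes first, and only then decide whether it is allowed to reach a parser at all.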
The exploit, said security consultant Gabriel Avner, was a “clever, well-done attack” that “undermines what precautions people can take.”
“Security experts have been saying for ages, ‘don’t click on suspicious links’ even from people you may know, but along came NSO” with a zero-click exploit, Avner told The Times of Israel.
The Israeli company had previously used one-click exploits, where targets had to actively click on a link as part of a phishing attack, to activate Pegasus’ powerful spyware and control functions on a phone.
John Scott-Railton, a senior researcher at Citizen Lab, a cybersecurity watchdog organization in Toronto, wrote on Twitter this week that the Google analysis showed just how “enormously sophisticated” and “dangerous” the spyware was.
“This kind of capability was previously only seen with top-tier cyber powers. Should send a chill down your spine,” he wrote.
A torrent of criticism
Citizen Lab has been running investigations on NSO and other cyber-surveillance firms for several years, tracking some of their technologies across the world.
This summer, Citizen Lab and Amnesty International unveiled an in-depth probe that found that the firm’s software had been used by many countries with poor human rights records to hack the phones of thousands of human rights activists, journalists, and politicians from Saudi Arabia to Mexico.
NSO has been facing a torrent of international criticism over the allegations. The issue became a diplomatic concern with numerous Israeli allies, like France, who demanded answers after reports revealed the software was being used within their countries.
In early November, the US Department of Commerce blacklisted NSO, restricting the firm’s ties with American companies over allegations that it “enabled foreign governments to conduct transnational repression.” The US also blacklisted a second Israeli company, Candiru.
The move is said to have played a role in finally pushing Israel to dramatically scale back the number of countries to which local companies can sell cyber technologies and impose new restrictions on the export of cyber warfare tools. The Israeli Defense Ministry must authorize the sale of spyware firms’ products abroad.
In the meantime, the accusations have kept coming. Just this week, the Washington Post reported that NSO’s Pegasus spyware was placed on the cellphone of the wife of journalist Jamal Khashoggi months before he was murdered in the Saudi consulate in Istanbul in 2018. This development was immediately preceded by reports that the spyware also targeted Polish opposition politicians and an Indian activist.
The Israeli company has repeatedly denied that its spyware was used to target Khashoggi or those close to him, and has insisted its products were meant only to assist countries in fighting serious crime and terrorism. However, due to the broad definitions some of its client countries use for these offenses, the software appears to have been used against a broad range of figures.
The ensuing fallout has greatly affected the company, which was reported to be at risk of defaulting on about $500 million of debt and saw its credit rating take a dramatic hit, raising questions about its solvency.
NSO was now said to be considering shutting down its Pegasus operation and selling the entire company to an American investment fund, Bloomberg reported last week, citing officials involved in the talks.
Not just NSO
Tim Willis, head of Project Zero at Google, said that there were “many companies that provide similar exploitation capabilities and services,” and that “taking action against one company (NSO), while noble and fosters a discussion, doesn’t address the root of this problem.”
“The takeaway here isn’t ‘NSO exceptionalism’. It’s just that NSO was caught this time and we get a peek at how they are attacking iOS/iMessage,” wrote Willis on Twitter, adding that “we need to keep making 0-day incrementally harder for attackers.”
Moller, of Acronis, reiterated that NSO was indeed not the only company with such offensive cyber-surveillance capabilities, but there was a “snowball effect on NSO.”
Citizen Lab revealed last week in a new investigation that another Israeli company, Cytrox, also developed commercial spyware that was recently found on an iPhone belonging to an Egyptian dissident. Cytrox’s Predator software targeted Apple’s iOS operating system using single-click links sent via WhatsApp (owned by Facebook/Meta), according to the organization’s research. Facebook sued NSO Group in 2019 for allegedly exploiting its WhatsApp messaging app to deliver spyware to users’ phones.
But the bigger discovery, in a joint Citizen Lab probe with Facebook/Meta, was that Cytrox has customers in countries beyond Egypt, including Armenia, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.
Meta announced last Thursday a flurry of takedowns of accounts affiliated with seven surveillance-for-hire firms — including Cytrox and four other Israeli companies — and notified about 50,000 people in more than 100 countries including journalists, dissidents and clergy who may have been targeted by them. It said it deleted about 300 Facebook and Instagram accounts linked to Cytrox, which appears to operate out of North Macedonia.
Citizen Lab researcher Bill Marczak told the Associated Press that the Cytrox malware appears to pull the same tricks as NSO Group’s Pegasus product — in particular, turning a smartphone into an eavesdropping device and siphoning out its vital data. One captured module records all sides of a live conversation, he said.
Cytrox was part of a shadowy alliance of surveillance tech companies known as Intellexa that was formed to compete with NSO Group. Founded in 2019 by a former Israeli military officer and entrepreneur named Tal Dilian, Intellexa includes companies that have run afoul of authorities in various countries for alleged abuses.
On its website, Intellexa has described itself as “EU-based and regulated, with six sites and R&D labs throughout Europe,” but lists no address. Its web page is vague about its offerings, although as recently as October it said that in addition to “covert mass collection” it provides systems “to access target devices and networks” via Wi-Fi and wireless networks. Intellexa said its tools are used by law enforcement and intelligence agencies against terrorists and crimes including financial fraud.
Cyber defense
On an individual level, most people “don’t have to worry about zero-click exploits,” said Avner, the security consultant. They just need to “practice better [cyber] hygiene, like closely checking URLs, and using second channels of communications” to verify any suspicious-sounding messages from people we may know, he added.
“Most cyber attacks can be prevented with two-factor authentication,” or 2fa, Avner said, a method that adds an extra layer of protection to ensure the security of online accounts beyond a username and password.
If a security agency “wants to get into your phone, it’ll likely get in,” said Moller. “There’s no such thing as 100% protection.”
But cyberattacks are not a predetermined fate, said Moller. Companies and organizations can protect themselves by deploying cybersecurity services that reduce their attack surfaces, the number of all possible points where an unauthorized user can gain access, testing their systems, and educating their workforces against social engineering, Moller explained.
Social engineering is a manipulation technique, used by cyber intelligence and cyber surveillance companies, to trick people into divulging private or confidential information or making security-related mistakes.
“Individuals and businesses can prevent the majority of potentially disastrous hacks,” said Moller. “By being aware of the risks and adopting a ‘defense in depth’ approach. For example, maintaining a preventative measure protocol, like regularly upgrading software with the latest and greatest version of the software, using two-factor authentication (2fa), not reusing passwords etc. Businesses can outsource these components and use patch management solutions (like the ones Acronis provides).”
“In addition, as post-breach actions (or in suspicion of a breach), there are services that enable extracting forensic information from the device (like a smartphone) to see whether it was hacked.”
For individuals protection should come from governments and regulators, Moller argued.
“Just like we have the police, and the military, and the Shabak [Israel’s internal security service], there need to be cyber defenders. Authorities need to take responsibility and provide more oversight into companies’ practices,” he concluded.
Agencies and TOI staff contributed to this report.