ToI investigates

This capability 'should send a chill down your spine'

Terrifying cyber weapon ‘against which there’s no defense’: Experts on NSO’s spyware

The embattled company’s tech exploits are ‘pretty incredible’ and ‘pretty terrifying,’ say security analysts; users are ‘passive, don’t have to click on anything, have no control’

Ricky Ben-David

Ricky Ben-David is a Times of Israel editor and reporter

An Israeli woman uses her phone in front of a building in Herzliya that housed the NSO Group intelligence firm, August 28, 2016. (Jack Guez/AFP/File)

NSO’s “clever” spyware technology offers a cyber weapon “against which there is no defense” and amounts to “great work, from an engineering perspective,” cybersecurity experts and researchers said this week.

The Israeli company’s flagship spyware, Pegasus, is considered one of the most powerful cyber-surveillance tools available on the market, giving operators the ability to effectively take full control of a target’s phone, download all data from the device, or activate its camera or microphone without the user knowing. The company has once again been making headlines in recent weeks as revelations about the reach of its technology, and the consequences, keep piling up.

In a deep technical dive into how the spyware works, cybersecurity researchers Ian Beer and Samuel Groß said NSO developed capabilities that use “one of the most technically sophisticated exploits we’ve ever seen,” and would have previously thought these would “be accessible to only a handful of nation states.”

Beer and Groß are cybersecurity experts at Google Project Zero, the company’s team of security analysts tasked with finding zero-day vulnerabilities, potential breach points in software that may be unknown to the developers and for which a patch has not yet been developed. These security flaws can be exploited by hackers in a cyberattack.

Their analysis specifically covered NSO’s capabilities against iPhones, for which Apple has filed a lawsuit against the Herzliya-based company. But NSO has similar zero-click capabilities that can also target Android devices, the researchers said.

NSO was offering clients “zero-click exploitation technology” where targets, even very technically savvy ones, are completely unaware they are being targeted, said Beer and Groß. It is essentially a cyber “weapon against which there is no defense,” they added.

“In the zero-click scenario, no user interaction is required, meaning that the attacker doesn’t need to send phishing messages; the exploit just works silently in the background,” Beer and Groß wrote.

The breach begins the moment a target receives a text message, whether they see it or not, in an exploit Beer and Groß called “pretty incredible, and at the same time, pretty terrifying.”

A logo adorns a wall on a branch of the Israeli NSO Group company, near the southern Israeli town of Sapir, on August 24, 2021. (AP/Sebastian Scheiner)

In a zero-click exploit, “the user is totally passive, they don’t have to click on anything, they have no control,” said Gili Moller, the General Manager in Israel of Swiss-headquartered cybersecurity multinational Acronis. The cyber protection company recently opened an innovation center in Israel, where the local industry was one of the top three leading sectors for global investments this year.

Moller told The Times of Israel this week that the exploit, as NSO had designed it, was “great work, from an engineering perspective.” The flaw related to how Apple parsed (or processed) GIF images — the small animated images popular on social media and in meme culture — sent and received over iMessage, the native messaging platform in iPhones.

Except NSO used a “fake GIF” exploit, disguising a PDF as a GIF file and injecting it with code to execute the breach on the target’s phone.

Developers at Apple had basically reused code for parsing PDFs first written by Xerox, a practice that is very common, said Moller. NSO’s spyware was able to “hide a code on the pixel level so that when the text message is received, a code is activated and it’s game over in a way.”
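The masquerade Moller describes, a PDF carried under a GIF name, is something a mail gateway or endpoint scanner can flag before any image parser runs. The following is an added example, not code from the article or from any of the companies it mentions; the signatures, filenames and sample bytes are constructed for illustration and contain no exploit content.

```python
"""Flag attachments whose extension claims one format while the bytes say another."""
from typing import Optional

# Leading byte signatures ("magic numbers") for the two formats the article
# contrasts, plus two common image types so ordinary renames are classified too.
MAGIC_SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

EXTENSION_FORMATS = {"gif": "gif", "pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the format implied by the first bytes, or None if unrecognised."""
    for magic, fmt in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return None


def declared_format(filename: str) -> Optional[str]:
    """Return the format the file name claims via its extension, or None."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_FORMATS.get(ext)


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed format with the sniffed one.
    verdict: 'ok' (they agree), 'mismatch' (a disguised file), 'unknown' (cannot decide)."""
    claimed, actual = declared_format(filename), sniff_format(data)
    if actual is None or claimed is None:
        verdict = "unknown"
    elif claimed == actual:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"file": filename, "claimed": claimed, "actual": actual, "verdict": verdict}


# Constructed samples: a minimal real GIF header, and a minimal PDF header
# renamed to .gif, the shape of the disguise the article describes.
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
SAMPLE_FAKE_GIF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for name, blob in [("cat.gif", SAMPLE_GIF), ("cat.gif", SAMPLE_FAKE_GIF)]:
        print(check_attachment(name, blob))
```

Routing files by their sniffed type rather than their extension, and quarantining mismatches, turns this check into a control; it catches the disguise, not the parser flaw itself.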

“It’s a bit like science fiction. The target did nothing, all they did was receive a message, and the attacker gains full control,” explained Moller.

Finding such vulnerabilities is very difficult, and involves long, hard work, he added.

The exploit, said security consultant Gabriel Avner, was a “clever, well-done attack” that “undermines what precautions people can take.”

“Security experts have been saying for ages, ‘don’t click on suspicious links’ even from people you may know, but along came NSO” with a zero-click exploit, Avner told The Times of Israel.

The Israeli company had previously used one-click exploits, where targets had to actively click on a link as part of a phishing attack, to activate Pegasus’ powerful spyware and control functions on a phone.

John Scott-Railton, a senior researcher at Citizen Lab, a cybersecurity watchdog organization in Toronto, wrote on Twitter this week that the Google analysis showed just how “enormously sophisticated” and “dangerous” the spyware was.

“This kind of capability was previously only seen with top-tier cyber powers. Should send a chill down your spine,” he wrote.

A torrent of criticism

Citizen Lab has been running investigations on NSO and other cyber-surveillance firms for several years, tracking some of their technologies across the world.

This summer, Citizen Lab and Amnesty International unveiled an in-depth probe that found that the firm’s software had been used by many countries with poor human rights records to hack the phones of thousands of human rights activists, journalists, and politicians from Saudi Arabia to Mexico.

The ‘Digital Violence: How the NSO Group Enables State Terror’ platform that details the operations of Israeli company NSO Group, as part of an investigation in July 2021 by Amnesty International and Citizen Lab. (Courtesy)

NSO has been facing a torrent of international criticism over the allegations. The issue became a diplomatic concern with numerous Israeli allies, like France, who demanded answers after reports revealed the software was being used within their countries.

In early November, the US Department of Commerce blacklisted NSO, restricting the firm’s ties with American companies over allegations that it “enabled foreign governments to conduct transnational repression.” The US also blacklisted a second Israeli company, Candiru.

The move is said to have played a role in finally pushing Israel to dramatically scale back the number of countries to which local companies can sell cyber technologies and impose new restrictions on the export of cyber warfare tools. The Israeli Defense Ministry must authorize the sale of spyware firms’ products abroad.

In the meantime, the accusations have kept coming. Just this week, the Washington Post reported that NSO’s Pegasus spyware was placed on the cellphone of the wife of journalist Jamal Khashoggi months before he was murdered in the Saudi consulate in Istanbul in 2018. This development was immediately preceded by reports that the spyware also targeted Polish opposition politicians and an Indian activist.

The Israeli company has repeatedly denied that its spyware was used to target Khashoggi or those close to him, and has insisted its products were meant only to assist countries in fighting serious crime and terrorism. However, due to the broad definitions some of its client countries use for these offenses, the software appears to have been used against a broad range of figures.

People hold posters of slain Saudi journalist Jamal Khashoggi, near the Saudi Arabia consulate in Istanbul, marking the two-year anniversary of his death, Oct. 2, 2020 (AP Photo/Emrah Gurel)

The ensuing fallout has greatly affected the company, which was at risk of defaulting on about $500 million of debt and had its credit rating take a dramatic hit, leading to issues of solvency within the company.

NSO was now said to be considering shutting down its Pegasus operation and selling the entire company to an American investment fund, Bloomberg reported last week, citing officials involved in the talks.

Not just NSO

Tim Willis, head of Project Zero at Google, said that there were “many companies that provide similar exploitation capabilities and services,” and that “taking action against one company (NSO), while noble and fosters a discussion, doesn’t address the root of this problem.”

“The takeaway here isn’t ‘NSO exceptionalism’. It’s just that NSO was caught this time and we get a peek at how they are attacking iOS/iMessage,” wrote Willis on Twitter, adding that “we need to keep making 0-day incrementally harder for attackers.”

Moller, of Acronis, reiterated that NSO was indeed not the only company with such offensive cyber-surveillance capabilities, but there was a “snowball effect on NSO.”

Citizen Lab revealed last week in a new investigation that another Israeli company, Cytrox, also developed commercial spyware that was recently found on an iPhone belonging to an Egyptian dissident. Cytrox’s Predator software targeted Apple’s iOS operating system using single-click links sent via WhatsApp (owned by Facebook/Meta), according to the organization’s research. Facebook sued NSO Group in 2019 for allegedly hacking its WhatsApp messenger app.

Illustrative: WhatsApp on an iPhone, Nov. 15, 2018. (AP/Martin Meissner)

But the bigger discovery, in a joint Citizen Lab probe with Facebook/Meta, was that Cytrox has customers in countries beyond Egypt, including Armenia, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

Meta announced last Thursday a flurry of takedowns of accounts affiliated with seven surveillance-for-hire firms — including Cytrox and four other Israeli companies — and notified about 50,000 people in more than 100 countries including journalists, dissidents and clergy who may have been targeted by them. It said it deleted about 300 Facebook and Instagram accounts linked to Cytrox, which appears to operate out of North Macedonia.

Citizen Lab researcher Bill Marzak told the Associated Press that the Cytrox malware appears to pull the same tricks as NSO Group’s Pegasus product — in particular, turning a smartphone into an eavesdropping device and siphoning out its vital data. One captured module records all sides of a live conversation, he said.

Cytrox was part of a shadowy alliance of surveillance tech companies known as Intellexa that was formed to compete with NSO Group. Founded in 2019 by a former Israeli military officer and entrepreneur named Tal Dilian, Intellexa includes companies that have run afoul of authorities in various countries for alleged abuses.

On its website, Intellexa has described itself as “EU-based and regulated, with six sites and R&D labs throughout Europe,” but lists no address. Its web page is vague about its offerings, although as recently as October it said that in addition to “covert mass collection” it provides systems “to access target devices and networks” via Wi-Fi and wireless networks. Intellexa said its tools are used by law enforcement and intelligence agencies against terrorists and crimes including financial fraud.

Cyber defense

On an individual level, most people “don’t have to worry about zero-click exploits,” said Avner, the security consultant. They just need to “practice better [cyber] hygiene, like closely checking URLs, and using second channels of communications” to verify any suspicious-sounding messages from people we may know, he added.

“Most cyber attacks can be prevented with two-factor authentication,” or 2fa, Avner said, a method that adds an extra layer of protection to ensure the security of online accounts beyond a username and password.

If a security agency “wants to get into your phone, it’ll likely get in,” said Moller. “There’s no such thing as 100% protection.”

But cyberattacks are not a predetermined fate, said Moller. Companies and organizations can protect themselves by deploying cybersecurity services that reduce their attack surfaces, the number of all possible points where an unauthorized user can gain access, testing their systems, and educating their workforces against social engineering, Moller explained.

Social engineering is a manipulation technique, used by cyber intelligence and cyber surveillance companies, to trick people into divulging private or confidential information or making security-related mistakes.

“Individuals and businesses can prevent the majority of potentially disastrous hacks,” said Moller. “By being aware of the risks and adopting a ‘defense in depth’ approach. For example, maintaining a preventative measure protocol, like regularly upgrading software with the latest and greatest version of the software, using two-factor authentication (2fa), not reusing passwords etc. Businesses can outsource these components and use patch management solutions (like the ones Acronis provides).”

“In addition, as post-breach actions (or in suspicion of a breach), there are services that enable extracting forensic information from the device (like a smartphone) to see whether it was hacked.”

For individuals, protection should come from governments and regulators, Moller argued.

“Just like we have the police, and the military, and the Shabak [Israel’s internal security service], there need to be cyber defenders. Authorities need to take responsibility and provide more oversight into companies’ practices,” he concluded.

Agencies and TOI staff contributed to this report.
