Apple has sued NSO Group and its parent company Q Cyber
Technologies in a U.S. federal court, seeking to hold them accountable for
illegally targeting users with its Pegasus surveillance tool,
marking yet another setback for the Israeli spyware vendor.
The Cupertino-based tech giant painted NSO Group as “notorious
hackers — amoral 21st century mercenaries who have created highly
sophisticated cyber-surveillance machinery that invites routine and
flagrant abuse.”
In addition, the lawsuit seeks to permanently prevent the
infamous hacker-for-hire company from breaking into any Apple
software, services or devices. The iPhone maker, separately, also
revealed its plans to notify
targets[1] of state-sponsored
spyware attacks and has committed $10 million, as well as any
monetary damages won as part of the lawsuit, to cybersurveillance
research groups and advocates.
To that end, the company intends to display a “Threat
Notification” after the targeted users sign into
appleid.apple[.]com, alongside sending an email and iMessage
notification to the email addresses and phone numbers associated
with the users’ Apple IDs.
“State-sponsored actors like the NSO Group spend millions of
dollars on sophisticated surveillance technologies without
effective accountability. That needs to change,” said[2]
Craig Federighi, Apple’s senior vice president of Software
Engineering, in a statement. “Apple devices are the most secure
consumer hardware on the market — but private companies developing
state-sponsored spyware have become even more dangerous.”
Typically installed by leveraging “zero-click” exploits that
infect targeted devices without any user interaction, Pegasus is
engineered as an invasive “military-grade” spyware that’s capable
of exfiltrating sensitive personal and geolocation information and
stealthily activating the phones’ cameras and microphones.
The lawsuit filed by Apple specifically concerns the FORCEDENTRY[3]
exploit in iMessage that was used to circumvent iOS security
protections and target nine Bahraini activists. The company
said[4]
the attackers created over 100 bogus Apple IDs to send malicious
data to the victims’ devices, effectively allowing NSO Group or its
clients to deliver and install Pegasus spyware without their
knowledge. Apple addressed[5]
the zero-day flaw in September.
“The abusive data was sent to the target phone through Apple’s
iMessage service, disabling logging on a targeted Apple device so
that Defendants could surreptitiously deliver the Pegasus payload
via a larger file,” Apple detailed in its filing. “That larger file
would be temporarily stored in an encrypted form unreadable to
Apple on one of Apple’s iCloud servers in the United States or
abroad for delivery to the target.”
The development comes in the aftermath of sweeping sanctions[6]
imposed by the U.S. government earlier this month against NSO Group
for developing and supplying sophisticated surveillance technology
to foreign governments that then used the spy tools to target
journalists, activists, dissidents, academics, and government
officials across the world. MIT Technology Review earlier this week
reported[7]
that the sanctions have had a “deeper impact” on the company’s
morale and its future prospects.
“NSO Group is dismayed by the decision given that our
technologies support U.S. national security interests and policies
by preventing terrorism and crime, and thus we will advocate for
this decision to be reversed,” the company previously said[8]
following the announcement.
“NSO will continue[9]
its mission of saving lives, helping governments around the world
prevent terror attacks, break up pedophilia, sex, and
drug-trafficking rings, locate missing and kidnapped children,
locate survivors trapped under collapsed buildings, and protect
airspace against disruptive penetration by dangerous drones.”
Despite repeated claims that its software is sold only to
governments and law enforcement agencies and that it has bulwarks
in place to forestall abuse, multiple instances to the contrary
have established a recurring pattern in which the spyware has been
misused by authoritarian regimes to target and infect
members of civil society, and in which its customers have included those with
poor human rights track records.
The lawsuit also mirrors a similar action taken by Meta
(formerly Facebook) in October 2019, when it took the company to court[10] for exploiting a
bug[11] in its WhatsApp
messaging app to install Pegasus, enabling the surveillance of
1,400 mobile devices belonging to diplomats, journalists, and human
rights activists. On November 8, 2021, the 9th U.S. Circuit Court
of Appeals in San Francisco rejected[12] NSO Group’s claim[13] that it was immune from
being sued because it had acted as an agent of sovereign
governments.
“The steps Apple is taking today will send a clear message: in a
free society, it is unacceptable to weaponize powerful
state-sponsored spyware against innocent users and those who seek
to make the world a better place,” Ivan Krstic, Apple’s head of
security engineering and architecture, said[14] in a tweet.
References
1. notify targets (support.apple.com)
2. said (www.apple.com)
3. FORCEDENTRY (thehackernews.com)
4. said (www.apple.com)
5. addressed (thehackernews.com)
6. sweeping sanctions (thehackernews.com)
7. reported (www.technologyreview.com)
8. said (www.nsogroup.com)
9. continue (www.nsogroup.com)
10. took the company to court (thehackernews.com)
11. bug (thenextweb.com)
12. rejected (www.reuters.com)
13. claim (www.lawfareblog.com)
14. said (twitter.com)
Read more https://thehackernews.com/2021/11/apple-sues-israels-nso-group-for-spying.html