Apple is suing NSO Group, the company most known for its ability to hack iPhones using previously un-discovered Zero-Day vulnerabilities.
The opening lines of the lawsuit say it all:
"Defendants are notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse."
And Apple's head of security engineering and architecture was extremely blunt when he announced the lawsuit on Twitter. Ivan Krstic wrote:
"The steps we're taking today will send a clear message: In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place."
And he didn't stop there.
"Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”
The steps Apple is taking today will send a clear message: in a free society, it is unacceptable to weaponize powerful state-sponsored spyware against innocent users and those who seek to make the world a better place. https://t.co/3I9JqomzZu
— Ivan Krstić (@radian) November 23, 2021
NSO Group publicly denounced by privacy advocates
SecureWorld News covered the recent U.S. decision to place the NSO Group on its Entity List related to its Zero-Click, Zero-Day attacks. Being on this list effectively blocks the government or its vendors from doing business with NSO.
But other governments around the world may still turn to NSO Group to hack the iPhones of their targets. And that's why Apple is suing.
"State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change," said Craig Federighi, Apple's senior vice president of software engineering.
And as Apple revealed its lawsuit today, the privacy-focused Citizen Lab at the University of Toronto cheered the decision.
"Mercenary spyware firms like NSO Group have facilitated some of the world's worst human rights abuses and acts of transnational repression, while enriching themselves and their investors," said Ron Deibert, director of Citizen Lab. "I applaud Apple for holding them accountable for their abuses, and hope in doing so Apple will help to bring justice to all who have been victimized by NSO Group's reckless behavior."
That behavior by NSO Group, according to Citizen Lab and Apple, includes secret installation of Pegasus spyware. This NSO created spyware turned iPhones into spy devices: spying on the iPhone's owner, secretly and silently, by sharing the phone's location and sharing its messages, calls, and even audio from its speaker and video from its camera.
Apple patched the previous vulnerability that NSO Group allegedly used, and then NSO Group reportedly found another work around.
"Apple's legal complaint provides new information on NSO Group's FORCEDENTRY, an exploit for a now-patched vulnerability previously used to break into a victim's Apple device and install the latest version of NSO Group's spyware product, Pegasus.
NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices. To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim's device—allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim's knowledge."
There was a sliver of good news in today's announcement: Apple says it has not observed any NSO Group success against iOS 15 and later versions. So check your iOS for updates and suggest that your organization's employees do the same.
What Apple is asking for: NSO lawsuit details
What, specifically, is Apple asking for in its lawsuit? The document is long, but here are a few things outlined in the filing:
- "A permanent injunction restraining Defendants from accessing and using any Apple servers, devices, hardware, software, applications, or other Apple products or services"
- "A permanent injunction requiring Defendants to identify the location of any and all information obtained from any Apple users' Apple devices, hardware, software, applications, or other Apple products—and to delete all such information, and to identify any and all entities with whom Defendants shared such information"
- "A permanent injunction restraining Defendants from developing, distributing, using, and/or causing or enabling others to use any spyware, malware or other malicious devices on Apple devices, hardware, software, applications, or other Apple products or services without Apple's consent..."
- Money - including money for damages to be determined at trial, analysis of profits NSO made by hacking devices of its customers, and Apple is asking the court to take away any profits from the company."
There is much more to come on this story, and you can read Apple's legal filing here.
Cybersecurity industry reacts to Apple suing NSO Group
Jake Williams, Co-Founder and CTO at BreachQuest, explains why this lawsuit is happening now and what he thinks it could mean:
"This isn't particularly surprising considering that NSO just recently lost their legal bid for a defense of sovereign immunity. It's likely that Apple has been considering this move for some time, but was waiting for the WhatsApp case to make its way through the federal appeals court.
Obviously NSO will be able to bypass this from a technical standpoint. However, it likely gives Apple additional legal recourse if NSO continues to offer exploits and backdoors that clearly rely on access to Apple products and services for engineering and testing.
This can't be good news for NSO, which is reportedly in danger of default with over $500 million in debt, a recent leadership shakeup with their CEO, and France pulling out of a planned purchase after the U.S. sanctions."
And John Bambenek, Principal Threat Hunter at Netenrich, shared his unique view of this action:
"This is the natural consequence of the weaponization of vulnerabilities against large enterprises and their customers. In years back, these legal tools were used against security researchers until the détente of bug bounty programs was reached.
NSO Group and others are simply now on the business end of these legal tools that have existed but have been dormant for some time, and while I'm skeptical of near-monopolies, they nonetheless have access to court systems all over the world to fight back hard against these entities, and I'm glad that they are doing so."
Perhaps this will slow the spread of NSO Group's Pegasus spyware.
Citizen Lab says Pegasus has been used against journalists, activists, and leaders in many parts of the world, and it was typically effective against Apple iOS, MacOS, and WatchOS devices.
Sometimes the discovery of these vulnerabilities led to Apple's Emergency Patch.
The Apple and NSO Group battle: what it means for organizations
Cybersecurity and privacy attorney Rebecca Rakoski, Managing Partner at XPAN Law Partners, says this is a sign of what Apple is committed to and a reminder of what organizations should do.
"I think that a gate is only as good as its keeper. Apple is clearly invested in taking steps to maintain the privacy of its users. It has demonstrated this, not only in this lawsuit, but in other attempts by governmental authorities to gain access to Apple user accounts.
This only highlights the need for a strong privacy program for every organization, and that data is a true commodity. Protecting that commodity through laws and proactive corporate programs is going to be a true differentiator in the marketplace going forward."
[RELATED: Listen to our podcast episode with Rebecca Rakoski, Suing the CISO]
Cybercrime mercenary group tracked around the world
There are many cyber mercenary groups at work in the world. Trend Micro Senior Threat Researcher Feike Hacquebord tracked one of them for more than a year. Persistence then met with a crack in the group's operational security. Listen to the SecureWorld News conversation with him here: