The May 2019 WhatsApp Incident
As reported in May 2019, WhatsApp identified and shortly thereafter fixed a vulnerability that allowed attackers to inject commercial spyware on to phones simply by ringing the number of a target’s device.
On Oct 29th, WhatsApp is publicly attributing the attack to NSO Group, an Israeli spyware developer that also goes by the name Q Cyber Technologies.
What is NSO?
NSO Group, which also goes by the name Q Cyber Technologies, is an Israeli-based company which develops and sells spyware technology. It is majority owned by Novalpina Capital, a European private equity firm. For more information on NSO Group, you can find a summary of key public reporting here.
NSO Group claims it sells its spyware strictly to government clients only, and all of its exports are undertaken in accordance with Israeli government export laws and oversight mechanisms. However, the number of cases in which their technology is used to target members of civil society continues to grow.
A Multi-Year History of Abuses
Citizen Lab—along with organizations such as R3D, Privacy International, EFF, and Amnesty International—has closely tracked how NSO Group’s surveillance technology has been turned against political dissidents, lawyers, journalists, and human rights defenders. Among the many companies Citizen Lab has tracked, NSO Group stands out in terms of the reckless abuse of its spyware by government clients.
Although the technology is marketed as a tool to assist governments in lawful investigations into crime and terrorism, Citizen Lab has identified dozens of cases where journalists, human rights activists and defenders, lawyers, international investigators, political opposition groups, and other members of civil society have been targeted with its spyware, called “Pegasus.”
What is Pegasus?
NSO Group / Q Cyber Technologies’ flagship spyware, which is usually branded as Pegasus but which may have other names (including Q Suite), is among some of the most sophisticated spyware available on the market and can infiltrate both iOS and Android devices. To monitor a target, a Pegasus operator uses multiple vectors and tactics (see: ‘How Do Infections Happen?’), including zero-day exploits and deception, to penetrate security features in popular operating systems and silently install Pegasus without the user’s knowledge or permission.
What Can Pegasus Do?
Once Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity, and use the GPS function to track a target’s location and movements.
How Do Infections Happen?
Other vectors used in prior cases of NSO targeting include tricking targets into clicking on a link using social engineering. For example, in 2017, the wife of a murdered Mexican journalist was sent alarming text messages concerning her husband’s murder, designed to trick her into clicking on a link and infecting her phone with the Pegasus spyware. In 2018, a close confidant of Jamal Khashoggi was targeted in Canada with a fake package notification, resulting in the infection of his iPhone. Citizen Lab has tracked more than two dozen cases using similar techniques.
Not all vectors are publicly known. Once the spyware is implanted, it provides a C&C server with regular, scheduled updates designed to avoid extensive bandwidth consumption. Pegasus is designed to be stealthy and evade forensic analysis, avoid detection by anti-virus software, and can be deactivated and removed by operators.
Commercial Spyware Abuse: A Global Problem
NSO Group has claimed that it has strict controls over how its spyware is sold and used, and robust company oversight mechanisms to prevent abuse. The new majority owner, Novalpina, has pledged to bolster these mechanisms in various ways. However, Citizen Lab research, and the research of other groups, has consistently presented a different and more troubling picture of abuse. Citizen Lab and others have repeatedly raised questions to Novalpina and NSO Group about whether their public statements about human rights compliance will make a difference in practice, pointing to inconsistencies and contradictions in their purported due diligence. NSO Group and Novalpina Capital have dismissed these questions and concerns.
The WhatsApp incident, and the more than 100 cases of abusive targeting that are associated with it, clearly verify the serious concerns Citizen Lab and others have raised. NSO Group spyware is being sold to government clients without appropriate controls over how it is employed by those clients. They are, in turn, using NSO’s technology to hack into the devices of members of civil society, including journalists, lawyers, political opposition, and human rights defenders—with potential lethal consequences.
Citizen Lab’s Role
After the incident, Citizen Lab volunteered to help WhatsApp identify cases where the suspected targets of this attack were members of civil society, such as human rights defenders and journalists.
As part of investigation into the incident, Citizen Lab has identified over 100 cases of abusive targeting of human rights defenders and journalists in at least 20 countries across the globe, ranging from Africa, Asia, Europe, the Middle East, and North America that took place after Novalpina Capital acquired NSO Group and began an ongoing public relations campaign to promote the narrative that the new ownership would curb abuses.
They continue to investigate the incident, and conduct outreach with the individuals targeted with these attacks to assist them in becoming more secure, and to better understand the cases.
This information is originally published in The Citizen Lab website. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada