On the morning of August 10, Ahmed Mansoor, a 46-year-old human rights activist from the United Arab Emirates, received a strange text message from a number he did not recognize on his iPhone.
“New secrets about torture of Emiratis in state prisons,” read the tantalizing message, which came accompanied by a link.
Mansoor, who had already been the victim of government hackers using commercial spyware products from FinFisher and Hacking Team, was suspicious and didn’t click on the link. Instead, he sent the message to Bill Marczak, a researcher at Citizen Lab, a digital rights watchdog at the University of Toronto’s Munk School of Global Affairs.
As it turned out, the message wasn’t what it purported to be. The link didn’t lead to any secrets, but to a sophisticated piece of malware that exploited three different unknown vulnerabilities in Apple’s iOS operating system that would have allowed the attackers to get full control of Mansoor’s iPhone, according to new joint reports released on Thursday by Citizen Lab and mobile security company Lookout.
“One of the most sophisticated pieces of cyberespionage software we’ve ever seen.”
This is the first time that anyone has uncovered such an attack in the wild. Until this month, no one had seen an attempted spyware infection leveraging three unknown bugs, or zero-days, in the iPhone. The tools and technology needed for such an attack, which is essentially a remote jailbreak of the iPhone, can be worth as much as one million dollars. After the researchers alerted Apple, the company worked quickly to fix them in an update released on Thursday.
The question is, who was behind the attack and what did they use to pull it off?
It appears that the company that provided the spyware and the zero-day exploits to the hackers targeting Mansoor is a little-known Israeli surveillance vendor called NSO Group, which Lookout’s vice president of research Mike Murray labeled as “basically a cyber arms dealer.”
The researchers at Citizen Lab and Lookout were impressed by this new, never-seen-before, type of malware.
“We realized that we were looking at something that no one had ever seen in the wild before. Literally a click on a link to jailbreak an iPhone in one step,” Murray told Motherboard. “One of the most sophisticated pieces of cyberespionage software we’ve ever seen.”
Since its founding in 2010, NSO has developed a reputation for providing sophisticated malware to governments that need to target cellphones in their investigations, although the use of its tools has never been documented before. The company claims that its products are completely stealthy, like a “ghost.” The company has been so guarded about its wares that it’s never had a website, and has rarely given interviews or any comments to the press. But some information has leaked out, including an investment for $120 million by a US-based venture capital firm in 2014 and a subsequent reported valuation of $1 billion.
NSO’s malware, which the company codenamed Pegasus, is designed to quietly infect an iPhone and be able to steal and intercept all data inside of it, as well as any communication going through it.
“It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls. It also basically backdoors every communications mechanism you have on the phone,” Murray explained. “It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram—you name it.”
Citizen Lab’s Marczak and John Scott-Railton, who caught the malware first, analyzed it with the help of Murray and his colleagues at Lookout. The researchers clicked on the link that Mansoor shared on their own guinea-pig iPhone, and infected it with Pegasus, which gave them the ability to see exactly what the malware was designed to do.
This attack on Mansoor, as well as another one Citizen Lab was able to trace back to a journalist in Mexico, shows that the well-known Hacking Team and FinFisher are not the only players in the growing business of private companies providing hacking services to governments. It also shows that those companies’ customers, which are often authoritarian governments with proven records of human rights abuses and targeting of dissidents and activists, aren’t afraid to use them, no matter the cost.
“This indicates the incredible power of the voices of journalists and activists who attract this kind of extremely expensive spyware,” Railton said.
Ultimately, this could be a sign of things to come.
“The people that we see being targeted by these texts today—dissidents, activists—these are kind of the people on the frontlines of what is to come for all of us tomorrow, these guys are sort of the canaries in the coal mine,” Marczak said. “The threats that they are facing today are threats that perhaps ordinary users will face tomorrow.”
A spokesperson for NSO declined to answer any specific questions about the report, saying in a prepared statement that “the company has no knowledge of and cannot confirm the specific cases mentioned in your inquiry.“
HOW NSO GOT CAUGHT
Earlier this year, in May, Citizen Lab revealed a new, sophisticated hacking group it dubbed Stealth Falcon. The researchers couldn’t confirm it, but they suspected Stealth Falcon had a link to the UAE government, and targeted dissidents inside and outside of the country.
As part of its research into Stealth Falcon, Citizen Lab was able to map large parts of the group’s infrastructure, including servers and domains that Stealth Falcon used to steal data and siphon it out of its victims in its hacking campaigns. But the researchers couldn’t find any actual samples of the malware the hackers used. That changed on August 10, when Mansoor sent Marczak the suspicious text message.
Once Marczak and Scott-Railton were able to look into it, they followed a convoluted online trail and realized the spyware communicated with a server, and an IP address, that they had fingerprinted in the past as being part of Stealth Falcon’s infrastructure. Then they found that a server registered to an NSO employee pointed to the same IP address.
Moreover, inside the actual malware, its developers left a revealing string of code: “PegasusProtocol,” an apparent reference to NSO’s spyware codename, Pegasus. The researchers were able to find yet more domains associated with NSO or its customers’ infrastructure, noting that “alarmingly“ some of them appeared designed to impersonate humanitarian organizations like the Red Cross, and news media organizations.
For the first time, the researchers were able to finally have a real glimpse into the features of the company’s malware. Since its founding in 2010, NSO has gained an almost-legendary aura, with unconfirmed rumors about its powers, while remaining essentially unknown to the general public. Its executives have rarely spoken to the press, and the few articles written about the company are full of vague descriptions and unconfirmed rumors.
“We’re a complete ghost,” NSO co-founder Omri Lavie told Defense News, a military trade publication, in 2013.
“We’re a complete ghost.”
A short profile in 2014, published in The Wall Street Journal, reported that NSO had peddled its product to the Mexican government, and got the interest of even the CIA. Its spyware, according to the article, was sold all over the world.
Now that its spyware has been exposed, and its zero-days have been burned, NSO perhaps can’t claim to be a ghost anymore, although the company could very well have other zero-days and tools up its sleeves. That’s why the researchers don’t expect their reports, and Apple’s patch, to hit the brakes on the activities of NSO for long.
“We’re not going to put NSO out of business by patching these vulnerabilities,” Murray said.
Moreover, the malware is programmed with settings that go all the way back to iOS 7, which indicates that NSO has likely been able to hack iPhone devices since the iPhone 5.
NSO’s spokesperson Zamir Dahbash said in a statement that the company’s “mission is to help make the world a safer place by providing authorized governments with technology that helps them combat terror and crime.“
“The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations. Moreover, the company does NOT operate any of its systems; it is strictly a technology company,“ the statement read. “The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner. Specifically, the products may only be used for the prevention and investigation of crimes.“
The researchers at Citizen Lab and Lookout reached out to Apple as soon as they found out about the zero-days, which they dubbed Trident. It took about 10 days for Apple to develop and release a patch. The patch is now live as part of the iOS 9.3.5 update, which every iPhone user should download and install as soon as possible.
”We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5,” an Apple spokesperson said in a statement, declining to provide more comments.
Dan Guido, the CEO of cybersecurity firm Trail Of Bits, which does a lot of work with Apple systems, said that these attacks, while rarely seen in the open, are to be expected. Ultimately, despite the three zero-days caught in the wild, Guido still believes the iPhone is a much safer choice than Android, for example.
“Apple has raised the cost of exploiting their devices higher than any other vendor out there. But this highlights the need for better compromise detection for iOS,” Guido said, adding that in any case, “iOS is still the single most secure consumer device available.”
“The problem is that it takes a paranoid mentality and friends at Citizen Lab to identify whether you have malware,” he added.
The researchers haven’t been able to find any other samples of Pegasus spyware yet. But while searching for similar links and domains to the ones associated with the attack on Mansoor and the infrastructure of a hacking group they dubbed Stealth Falcon, they were able to find a tweet that appears to target unknown victims in Kenya, as well as an attack on Mexican investigative journalist Rafael Cabrera.
Me han llegado estos dos supuestos mensajes de UnoTV desde este número: (55) 6106 7277. No es gracioso pic.twitter.com/JXZbXQAzOv
— Rafael Cabrera (@raflescabrera) August 30, 2015
“It’s clear that they wanted me to click,” Cabrera told Motherboard. “You could even say they were desperate.”
Cabrera didn’t want to speculate as to who the hackers really were, saying it could be the government, or someone else. Mexico is among the suspected customers of NSO, but it’s unclear if a police or intelligence agency there are actually using the company’s malware. Mexico was also the largest customer of Hacking Team in the world, and some of its agencies allegedly used the spyware to target journalists and dissidents, rather than criminals.
In the end, Cabrera and Mansoor did not get hacked, as they were savvy enough not to fall for the hackers’ tricks. In a way, they got lucky. By having been targeted before with government hacking attempts, they were more vigilant than usual.
But their stories, as Marczak said, might just be yet another warning of things to come. If governments want hacking tools and have deep pockets to pay for them, companies like Hacking Team and NSO will continue to provide them. In the past, Citizen Lab has documented several attacks against dissidents, journalists, and human rights workers by governments worldwide using spyware similar to the one NSO produces. And despite publicizing and warning about these attacks, the malware hunters at Citizen Lab keep finding new attacks, sometimes performed by the same governments, and even against the same targets.
“The incentives just aren’t there for these companies like NSO to keep these tools out of the hands of serial abusers like the UAE,” Marczak said.
This is also the first sign of the rise of a new superpower in the spyware industry. NSO has potential to grow after the damaging—yet not deadly—hacks on FinFisher and Hacking Team, which are still the most well-known, and notorious, spy tech vendors today.
And all of these revelations would have remained in the shadows if Mansoor had clicked on that link he got on August 10.