Several months ago, leaks revealed that Israel-based NSO Group’s Pegasus spyware was exploiting a zero-day, zero-click vulnerability that essentially gave it unfettered access to all Apple devices. Along with parent company OSY Technologies, the group is now facing a lawsuit from the tech giant in the Northern District of California.
Apple is suing the Pegasus spyware provider for “concerted efforts in 2021 to target and attack Apple customers” and surveilling their United States customers across international borders. Some new pieces of information about NSO Group’s involvement have emerged from the lawsuit, with Apple accusing the group of directly consulting with clients about attacks and even creating some 100 fake Apple ID accounts to help facilitate them.
Apple accusations paint NSO group as active participant in attacks
The discussion around NSO Group and the Pegasus spyware has thus far focused on its selection and screening of clients. The group claims that it only provides its tools to legitimate law enforcement agencies using it for matters such as investigations into terrorism and sex trafficking. However, recent leaks reveal that the group provided Pegasus spyware to a broad range of authoritarian regimes. A number of different countries were found to be using it to track journalists, activists and political dissidents.
While there have been widespread concerns about who NSO Group sells to, there was not a general expectation that the firm was actually collaborating actively with these entities on their attacks. The new accusations from Apple have complicated that picture.
Apple’s court filing claims that NSO Group created over 100 fake Apple ID credentials for the purposes of facilitating attacks on users. These accounts were apparently the ones used to deliver malicious messages to target phones. It also alleges that NSO Group acts as an active consultant to clients on carrying out their specific attacks, something the group has previously claimed it does not do.
Apple is seeking an unspecified amount of damages, but has already pledged to donate $10 million to cybersurveillance research groups, along with whatever it might receive in the suit. One of those groups is Citizen Lab, the University of Toronto-based group that first discovered the Pegasus spyware attacks. Apple is also seeking a permanent ban on NSO Group, by way of a court injunction, that would remove it entirely from Apple's hardware and software ecosystem.
Pegasus spyware under attack on multiple fronts
In early November, NSO Group was added to the Entity List by the US Commerce Department. The list covers entities engaged in activities contrary to US national security or foreign policy interests and prevents US businesses from transacting with them. This makes it difficult for the group to buy basic hardware from US providers, which must seek special permission from the government before being allowed to sell to it.
The group is also facing other private lawsuits over the Pegasus spyware. Microsoft, Cisco, Facebook parent Meta Platforms, and Google parent Alphabet have all taken it to court on similar charges of circumventing platform security and targeting users.
Apple’s aggressive campaign against NSO Group stems from the fact that the Pegasus spyware was found to compromise even the most recent versions of iOS earlier this year, and that it was a “no-click” attack exploiting iMessage that could provide total access to the device without even requiring the user to open the malicious message. Apple issued a patch that closed up the flaw in September with the release of iOS 14.8, and says that the Pegasus spyware has yet to be observed compromising any devices running the recently released iOS 15.
NSO Group is refraining from public comment on the matter, something it promised to do after the “Pegasus Project” was published in July. The group has claimed that news organizations are falsely accusing it and refused to respond to further media inquiries.
The purpose of the lawsuits from Apple and the other tech giants may not be to force NSO Group to change its ways, but to push it out of business by making the Pegasus spyware an unprofitable venture through fines, legal decisions and sanctions. Various news outlets have reported that NSO Group is already beginning to struggle financially due to the US blacklist, and that employee morale is low, with the company's new CEO resigning after only one full week on the job. Credit agency Moody's also recently downgraded the company, suggesting that it may default on the hundreds of millions of dollars in debt it is holding. While the Pegasus spyware can reportedly compromise Android phones in a similar way, losing access to the Apple ecosystem would be a major blow, given that high-level backdoors of this nature are much more rarely seen on iOS devices.