Citizen Lab, the foremost security and privacy organization investigating misuse of the Pegasus spyware, has uncovered another campaign seemingly directed against non-criminal targets by a repressive government.
The organization has uncovered use of Pegasus spyware to track journalists, lawyers and activists in Jordan from 2019 to late 2021. The time window is noteworthy in that some of the incidents occurred on iPhones after Apple had sued NSO Group, patched the exploits Pegasus relied on and notified compromised users.
Pegasus spyware once again tied to suspected government espionage of domestic targets
Jordan is sometimes regarded as one of the “more free” countries in the Muslim world in terms of government authoritarianism, but it is a monarchy and negative speech about the king is tightly policed (and sometimes punished). The country has also seen protests since 2011 on a number of themes, including growing wealth inequality and government corruption, that are sometimes cracked down on.
Citizen Lab reports that four people in Jordan had Pegasus spyware placed on their phones: lawyers, political activists and journalists not known to be under investigation for any crime. There are indications that this was done by two operators believed to have ties to the Jordanian government: a group called MANSAF, active since 2018, and another referred to as BLACKIRIS, active since December 2020.
Three of the victims have opted to publicly identify themselves. Activist Ahmed Al-Neimat, a member of the social justice-oriented Hirak movement, had his phone hacked in 2021 shortly before he was arrested while posting bail for another activist. Malik Abu Orabi, a human rights lawyer, had his phone hacked via text message 21 times between 2019 and 2021. Journalist Suhair Jaradat, who focuses on women’s issues in the country, was hacked six times in 2021. The fourth victim has opted to remain anonymous but was also identified as a journalist with a focus on women’s human rights issues.
There are several points of particular note in this case. One is that Pegasus spyware was apparently used to compromise at least one of these phones after Apple began its campaign against it in late 2021. With the release of iOS 14.8 in September 2021, Apple patched the major vulnerability that Pegasus had been exploiting: a zero-click iMessage exploit that could compromise a phone simply upon receipt of a tainted message, with no interaction from the user. In late November, Apple took Pegasus spyware manufacturer NSO Group to court over unauthorized use of its services and violations of the US Computer Fraud and Abuse Act. The company also began sending warnings directly to users who had been identified as targets of the spyware.
The timing indicates that NSO Group is still not screening its clients as it has promised. The company has previously said that it would only provide Pegasus spyware to governments for legitimate law enforcement and counter-terrorism purposes, but it appears to still be failing to cut off those that abuse it to track and monitor political opposition and human rights advocates.
Are Apple phones still vulnerable to Pegasus spyware?
The Citizen Lab report does not make clear whether the zero-click iMessage vulnerability was used to compromise the phone that was hit with Pegasus spyware in 2021. There are several alternative possibilities. One is that the phone was still running a version of iOS prior to 14.8, leaving it vulnerable to the old exploit. Another is that the attackers went back to the older method of getting Pegasus spyware onto devices: sending text messages containing links to attack sites and hoping the victim clicks through. This appears to be what happened in a number of the earlier Jordan attacks. As of now there is no indication that iPhones running a current version of iOS remain vulnerable to the Pegasus zero-click exploit.
NSO Group has faced a barrage of problems from around the world since the extent of its partnership with repressive and authoritarian states was revealed by the 2020 “Pegasus Papers” investigative report, a collaboration between Amnesty International, the Guardian, the Washington Post and numerous other media outlets. Among other things, NSO Group has been banned from trade in the US, sued by Apple, reportedly considered bankruptcy and a total shutdown of the company, and is now embroiled in another legal battle with a consultancy firm that took over the group’s management in 2021 as it was being rocked by scandals. Berkeley Research Group has accused NSO’s management of withholding information about the company’s blacklisting in the US, and has itself been called “virtually non-existent” in the past year. Additionally, a whistleblower has told Washington Post reporters that someone from NSO essentially attempted to bribe a California mobile security firm with “bags of cash” in return for access to American mobile networks.