NSO spyware Pegasus targeted US iPhones indirectly, despite the company forbidding customers from infecting phones with American SIMs. Devices belonging to Catalan politicians and others were also infected, with the Spanish government suspected to be responsible.
Additionally, it was discovered that a device connected to the network at 10 Downing Street – the office of British prime minister Boris Johnson – was also infected …
NSO Group makes spyware called Pegasus, which is sold to government and law enforcement agencies. The company purchases so-called zero-day vulnerabilities (ones that are unknown to Apple) from hackers, and its software is said to be capable of mounting zero-click exploits – where no user interaction is required by the target.
In particular, it’s reported that simply receiving a particular iMessage – without opening it or interacting with it in any way – can allow an iPhone to be compromised, with personal data exposed.
NSO imposes some conditions on those purchasing Pegasus, one of which is that it must never be used to hack phones with US phone numbers. It likely does this to avoid a robust response by the American government and its intelligence agencies. Pegasus has already been declared a national security risk, and its use is prohibited within the US.
Pegasus targeted US iPhones indirectly
Citizen Lab, an initiative of Canada’s University of Toronto, says that it found evidence that the powerful spyware Pegasus was used to indirectly target US phones. The approach used is known as “off-center targeting.”
Targeting friends, family members, and close associates is a common practice for some hacking operations. This technique allows an attacker to gather information about a primary target without necessarily maintaining access to that person’s device. In some cases, the primary target may also be infected, but in others this may not be feasible for various reasons.
We observed several cases of relational or “off-centre” targeting: spouses, siblings, parents, staff, or close associates of primary targets were targeted and infected with Pegasus. In some cases those individuals may also have been targeted, but forensic information was unavailable. In others, we found no evidence that a primary target was infected with Pegasus, but found targeting of their intimates.
For example, one individual targeted with Candiru had a US SIM card in their device, and resided in the US. We failed to find evidence that this individual was infected with Pegasus. This is consistent with reports that most Pegasus customers are not permitted to target US numbers. However, both of the target’s parents use phones with Spanish numbers, and were targeted on the day that the primary target flew back to Spain from the US. Neither parent is politically active or likely to have been targeted because of who they are or what they do.
In other words, texts and other messages sent by a US phone could be intercepted by hacking phones belonging to the target’s overseas family, friends, and other contacts.
British prime minister’s office successfully targeted
A piece in an upcoming edition of the The New Yorker reveals that Pegasus also successfully targeted 10 Downing Street, the office of the British prime minister.
Pegasus was used to infect a device connected to the network at 10 Downing Street, the office of Boris Johnson, the Prime Minister of the United Kingdom. A government official confirmed to me that the network was compromised, without specifying the spyware used.
“When we found the No. 10 case, my jaw dropped,” John Scott-Railton, a senior researcher at the Citizen Lab, recalled. “We suspect this included the exfiltration of data,” Bill Marczak, another senior researcher there, added.
The official told me that the National Cyber Security Centre, a branch of British intelligence, tested several phones at Downing Street, including Johnson’s. It was difficult to conduct a thorough search of phones—“It’s a bloody hard job,” the official said—and the agency was unable to locate the infected device. The nature of any data that may have been taken was never determined.
Extensive Pegasus attack against Catalans
Citizen Lab also found that at least 63 people in Catalonia had their devices attacked by Pegasus, with the Spanish government the prime suspect.
The hacking covers a spectrum of civil society in Catalonia, from academics and activists to non-governmental organisations (NGOs). Catalonia’s government and elected officials were also extensively targeted, from the highest levels of Catalan government to Members of the European Parliament, legislators, and their staff and family members. We do not conclusively attribute the targeting to a specific government, but extensive circumstantial evidence points to the Spanish government […]
With the targets’ consent, we obtained forensic artefacts from their devices that we examined for evidence of Pegasus infections. Our forensic analysis enables us to conclude with high confidence that, of the 63 people targeted with Pegasus, at least 51 individuals were infected.
It was last week reported that Apple warned senior EU officials that their iPhones had been hacked by Pegasus. The Cupertino company proactively looks for signs that iPhones have been compromised by Pegasus, and sends an alert to victims.
Note that nothing should be read into more reports of infected iPhones than Android devices: iOS makes it easier to detect when a device has been infected, so iPhones account for the majority of confirmed cases, but the number of infected Android phones is likely higher.
Author: Ben Lovejoy