NSO Group's Sophisticated Spyware Connected to More Cases

Google: Firm's Exploit 'One of the Most Technically Sophisticated We've Seen'

The spyware of sanctioned Israeli firm NSO Group was reportedly detected on the smartphones of a high-profile legal figure representing a Polish opposition leader and a prosecutor who challenged the country's conservative government, according to a new report from The Associated Press.

The first instance, which reportedly occurred in the weeks leading up to a 2019 parliamentary election in Poland, involved lawyer Roman Giertych; the second, two years later, reportedly targeted prosecutor Ewa Wrzosek, who had launched an investigation into public health concerns around the country's 2020 presidential election, according to the AP, which cites analysis provided by the internet watchdog The Citizen Lab, based at the University of Toronto. The Citizen Lab told the AP that the "invader" was "military-grade spyware firm NSO Group."

The spyware was also reportedly detected on the phone of Hanan Elatr, the wife of journalist Jamal Khashoggi, who was killed by Saudi agents in October 2018, according to a new report from The Washington Post. An NSO Group spokesperson has firmly denied the allegation.

NSO Revelations

In July, an international consortium of journalists investigated a leak listing approximately 50,000 potential NSO spyware targets, including high-ranking officials, identified for possible surveillance by those leveraging the firm's Pegasus spyware.

In November, the U.S. Department of Commerce added the NSO Group to its Entity List for allegedly engaging in activities "contrary to the national security or foreign policy interests of the U.S." Those on the Entity List cannot purchase U.S. technologies or goods without a license provided by the Department of Commerce (see: US Commerce Department Blacklists Israeli Spyware Firms).

At the time, an NSO spokesperson told The Hill that the firm was "dismayed by the decision, given that our technologies support U.S. national security interests and policies by preventing terrorism and crime." NSO has echoed the claims in recent months, saying its software is used for legitimate law enforcement purposes.

Following the blacklisting, NSO's spyware was reportedly detected on at least nine Apple iPhones belonging to U.S. State Department officials who are located in Uganda or whose work focuses on the African nation (see: Report: NSO Group Spyware Found on State Department Phones).

Google Project Zero Findings

In a new report from Google Project Zero, a team tasked with finding zero-day vulnerabilities, researchers Ian Beer and Samuel Groß say a zero-click exploit pushing Pegasus is "one of the most technically sophisticated exploits we've ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation-states."

Beer and Groß say the iOS vulnerability they analyzed - tracked as CVE-2021-30860 - was fixed by Apple on Sept. 13.

Early on, the researchers say, targets were sent links in SMS messages, with compromise occurring upon click-through, but subsequent zero-click options meant "even very technically savvy targets who might not click a phishing link are completely unaware they are being targeted."

The researchers say NSO's FORCEDENTRY malware exploited a now-patched vulnerability in iMessage's processing of GIF files, ultimately allowing malicious PDF files to be loaded and opened. And the availability of JavaScript inside PDFs, Beer and Groß say, "made development of reliable exploits far easier."

The compromise reportedly allows actors to access audio and retrieve messages, contacts, and more. "It's pretty incredible, and at the same time, pretty terrifying," the Project Zero researchers say.

Rosa Smothers, a former CIA threat analyst and technical intelligence officer, says of the revelations, "Despite NSO Group's protestations otherwise, irrefutable forensic analysis proves their claims of ensuring the ethical use of Pegasus are exaggerated, to put it mildly."

Smothers, who is currently the senior vice president of cyber operations at the firm KnowBe4, continues: "The tool's design … indicates a level of sophistication seen in nation-state CNA capabilities."

Poland Cases

Regarding the reported breaches on devices belonging to Giertych and Wrzosek, The Citizen Lab tells the AP it "could not say who ordered the hacks," but the victims reportedly lay the blame on the nation's government.

Speaking with the newswire service, Polish state security spokesman Stanislaw Zaryn did not confirm or deny that the government was behind the hacks or had utilized NSO's offerings. The spokesman, however, told reporters that Poland obtains court orders for any surveillance and does not "use operational methods for political struggle," calling the latter claim "unjustified."

And an NSO Group spokesperson told the AP that the firm "does not operate the technology" and that it is not "privy to who the targets are and to the data collected by the customers."

Citizen Lab researchers say Giertych, who represented the country's former Prime Minister Donald Tusk, a member of the nation's largest opposition party, was hacked "at least 18 times" in a four-month span in 2019, according to the AP.

Wrzosek, a Polish prosecutor who began investigating public health concerns around national elections, was reportedly hacked six times between June and August and received an Apple alert in November notifying her of the breach.

Hanan Elatr

According to new reporting from The Washington Post, NSO's spyware was discovered on the phone of Hanan Elatr, the wife of the late journalist Jamal Khashoggi. Forensic analysis from The Citizen Lab reportedly indicates the spyware was manually installed on Elatr's phone while she was being held by United Arab Emirates authorities in April 2018.

A spokesperson for NSO Group tells ISMG, "As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi, or any of his family members, including Hanan Elatr. Publishing these false statements is defamatory and won't change the reality."

Washington Post journalist Dana Priest, who has been a part of a broader, ongoing investigation into the spyware, told PBS' "Frontline" that the UAE declined to respond to the Post's requests for comment, though they had previously denied allegations that they were an NSO customer. Priest says an attorney for NSO Group called the allegations "technically impossible" and "absolutely false."

"I think we've discovered pretty quickly that this [surveillance] world is really out of control," Priest says in an interview with Frontline. "And that it is undermining in really significant ways the U.S. and Europe's goal for democracy in other countries."

"NSO Group claims their process includes initial client vetting, an internal ethics review and then a contract which includes a stipulation that the client is obligated to provide system logs from client servers, should NSO request them," says KnowBe4's Smothers. "This, to me, is stunning. Do they expect the Saudi Mabahith or the Emirate's SIA [Signals Intelligence Agency] to simply hand over accurate system logs, fully disclosing to NSO who they've targeted?

"It's a stunning act of hubris or willful ignorance for them to think this would actually work. Given the scale of targets and proliferation of use, it was inevitable Pegasus would be discovered."

About the Author

Dan Gunderman

Former News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covered governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or CSHub.com, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as NorthJersey.com, Patch.com and CheatSheet.com.
