Apple’s NSO Group Lawsuit Amps Up Pressure on Pegasus Spyware-Maker

Just weeks after a judge ruled that NSO Group did not have immunity in a suit brought by Facebook subsidiary WhatsApp, Apple is adding significant weight to the company’s woes.

In the wake of a zero-click zero-day exploit that was deployed against iPhone users, Apple has filed a lawsuit against NSO Group.

The complaint alleges that the maker of the infamous Pegasus mobile spyware is responsible for the illegal surveillance of Apple users. The computing giant is looking for the court to issue a permanent injunction on the Israeli company, banning it from using any Apple software, services or devices – and also an unspecified amount in monetary damages.

“In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” said Ivan Krstić, head of Apple security engineering and architecture, in an Apple statement issued Monday.

NSO Group is also facing other lawsuits – notably a complaint brought by Facebook subsidiary WhatsApp that aimed to hold NSO Group accountable for distributing Pegasus via the messaging service to at least 1,400 targets. That suit has sparked legions of amicus briefs from Cisco, Electronic Frontier Foundation (EFF), GitHub, Google, the Internet Association, LinkedIn, Microsoft and VMware, among others.

Earlier this month, a U.S. appeals court rejected NSO Group’s argument that it’s protected from the suit under sovereign immunity laws, which will allow the suit to move forward and which will make it necessary for the company to respond to discovery efforts. That verdict likely acted as a green light for Apple’s decision to file its own suit, researchers noted.

“[The Apple suit] isn’t particularly surprising considering that NSO just recently lost their legal bid for a defense of sovereign immunity,” Jake Williams, co-founder and CTO at BreachQuest, said via email. “It’s likely that Apple has been considering this move for some time, but was waiting for the WhatsApp case to make its way through the federal appeals court.”

In addition to the permanent injunction, the lawsuit also seeks redress for NSO Group’s “flagrant violations of U.S. federal and state law, arising out of its efforts to target and attack Apple and its users.” Apple said that it will be donating any awarded damages to “organizations pursuing cybersurveillance research and advocacy,” along with an additional $10 million from its corporate coffers.

Apple also said that it will support Pegasus specialists Citizen Lab with pro-bono technical, threat intelligence and engineering assistance going forward.

Pegasus Takes Flight

Pegasus is a notorious, military-grade tool for surveillance that’s been linked to highly targeted cyberattacks by repressive regimes against dissidents, activists and NGOs (not to mention the murders of journalists). It can access the microphone, camera, messages and other sensitive data on Apple and Android devices.

NSO Group, for its part, maintains that it sells Pegasus only for legitimate law-enforcement and anti-terrorist activities, to vetted governments that uphold civil rights. That’s a claim that researchers have largely rejected, including in a recent analysis from Amnesty International and Citizen Lab.

The U.S. government has also pushed back on that notion of innocence, earlier this month banning any trade with the company by American citizens or organizations. The U.S. Commerce Department added NSO Group to its “Entity List,” which was previously mainly used to limit the flow of money to people and organizations with links to kinetic terror activities.

Pegasus Took a Bite of Apple

Apple has a legitimate beef: NSO Group has not hesitated to target Apple users in the past. In August, cybersecurity watchdog Citizen Lab warned that Pegasus had added a zero-click, zero-day Apple exploit dubbed FORCEDENTRY to its bag of tricks. The spyware was seen successfully deploying against iOS versions 14.4 and 14.6, blowing past Apple’s new BlastDoor sandboxing feature to land on the iPhones of Bahraini activists. Apple rushed an emergency fix for the bug.

And, last December, four nation-state-backed advanced persistent threats (APTs) hacked Al Jazeera journalists, producers, anchors and executives, in a Pegasus espionage attack leveraging another zero-day exploit for Apple iPhone, researchers said.

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of software engineering, in the statement. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous. While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”

Apple’s legal complaint provides new information on FORCEDENTRY, Apple noted: “To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge.”

Researchers React to Apple’s NSO Lawsuit

Cybersecurity researchers, for their part, applauded Apple’s move. Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, for instance, touted it as a win for privacy.

“Governments and others have been known to use and abuse the Pegasus spyware to gain access to mobile devices data without the victim knowing or needing to click on anything,” he said via email. “To protect privacy means the need to have good security. When security is broken, it puts everyone at risk. The balance of privacy is at risk more than ever before and it looks like Apple has decided to defend and fight for privacy. It is important to protect citizens as governments are here to serve and provide services for the citizens, not to control. This means governments must work together to limit safe havens for those who abuse citizens’ rights and when diplomacy fails, it looks like Apple are now taking the legal action path.”

BreachQuest’s Williams noted that even if NSO Group’s targeting of the Apple platform can’t be prevented with any technical measures, the suit adds to the already formidable headwinds that the company faces.

“Obviously NSO will be able to bypass this from a technical standpoint,” he said. “However, it likely gives Apple additional legal recourse if NSO continues to offer exploits and backdoors that clearly rely on access to Apple products and services for engineering and testing. This can’t be good news for NSO, which is reportedly in danger of default with over $500 million in debt, a recent leadership shakeup with their CEO, and France pulling out of a planned purchase after the U.S. sanctions.”

John Bambenek, principal threat hunter at Netenrich, said that NSO Group has simply pushed it too far.

“This is the natural consequence of the weaponization of vulnerabilities against large enterprises and their customers,” he said. “In years back, these legal tools were used against security researchers until the détente of bug-bounty programs was reached. NSO Group and others are simply now on the business end of these legal tools that have existed but have been dormant for some time. And while I’m skeptical of near-monopolies, [Apple and others] nonetheless have access to court systems all over the world to fight back hard against these entities and I’m glad that they are doing so.”
