Since our expanded coverage in July of last year of Pegasus Project – a cadre of global news organization’s exhaustive investigation of the Pegasus “zero click” surveillance software – there have been many developments related to the spyware, including legal, national security and geopolitical activities pointed directly at the NSO Group (the Israel-based developer of the Pegasus Software).
In late July 2021, days after our initial coverage and in response to the findings of the global investigation, Israeli authorities “opened an investigation into the Israeli company and officials from multiple different agencies within the Israeli government visited NSO Group’s offices as part of the new investigation – amid claims that the firm is selling its powerful spyware to threat actors who then commit targeted attacks. According to media reports, Israeli agents visited the NSO Group’s offices in Herzliya, which is located near the city of Tel Aviv.”
That same week, Amnesty International called for a moratorium on the surveillance technology “used against a long list of journalists, activists, and heads of state…its usage has exposed a global human rights crisis, according to Amnesty. The NGO is now warning against the devastating impact of the poorly regulated spyware industry on human rights and urging for a moratorium on the sale and use of Pegasus and similar tech.”
By December 2021, the WSJ was reporting that the NSO Group was exploring the sale and closure of its Pegasus unit, in response to the company’s addition to the US Commerce Department’s “Entity List” in November, “becoming the fourth spyware developer to join the list. The list is used to restrict companies thought to pose a risk to the US’s national security or foreign policy.”
Over the last five to six months, coverage of the spyware and the NSO Group has expanded from the specialized, independent reportage represented by the Pegasus Project to major investigative resources dedicated to the story by the likes of The New Yorker and The New York Times. The New Yorker’s Ronan Farrow, in his story How Democracies Spy on Their Citizens, captured the blacklisting of the NSO Group through the following inside access:
“In November, the Commerce Department added NSO Group, along with several other spyware makers, to a list of entities blocked from purchasing technology from American companies without a license. I was with [Shalev Hulio, NSO Group’s C.E.O.] in New York the next day. NSO could no longer legally buy Windows operating systems, iPhones, Amazon cloud servers—the kinds of products it uses to run its business and build its spyware. ‘It’s outrageous,’ he told me. ‘We never sold to any country which is not an ally with the U.S., or an ally of Israel. We’ve never sold to any country the U.S. doesn’t do business with.’ Deals with foreign clients require ‘direct written approval from the government of Israel,’ Hulio said.
‘I think that it is not well understood by American leaders,’ Eva Galperin, the director of cybersecurity at the watchdog group Electronic Frontier Foundation, told me. ‘They keep expecting that the Israeli government will crack down on NSO for this, whereas, in fact, they’re doing the Israeli government’s bidding.'” (1)
The NYT’s David Leonhardt, in his influential Morning Newsletter on January 28th – with the tagline How Pegasus’s Spyware Changed Global Intelligence – led with the following: “When an Israeli company released a new spyware product known as Pegasus in 2011, it changed cyberwarfare. Pegasus could reliably decipher the communications of smartphones without the phone’s user knowing and without the cooperation of AT&T, Apple or any other company.”
Leonhardt’s newsletter coverage accompanied the publication of a New York Times Magazine investigation, “The Battle for the World’s Most Powerful Cyberweapon” by Ronen Bergman and Mark Mazzetti, which revealed that “The F.B.I. bought a version of Pegasus in 2019. Since then, U.S. officials across the Trump and Biden administrations have debated whether to use it within this country as well as abroad.” (2)
Apple, Inc. has mounted the most aggressive response to the threat posed by Pegasus, matching some of the aggressive responses we saw last year from the Fortune 100 to nation-state cyber espionage activity – which, as we reported at the time, reflects American tech companies’ newfound willingness to play, for the U.S. government, the equivalent of the role that pervasive, global non-state actors play in executing cyber activity on behalf of other nation-states. Corporate tech has been stepping up to the plate in 2021 and 2022, none more so than Apple, given the severity of the Pegasus breaches.
To start, however, Apple, Inc. mitigated the risk represented to end users via a patch in mid-September 2021:
“This week, Apple released an urgent update that mitigates a critical vulnerability exploited by the Pegasus mobile software. The flaw, which is tracked as CVE-2021-30860, was first discovered by security researchers at the University of Toronto’s Citizen Lab when analyzing the iPhone of a Saudi activist who had been targeted and infected with NSO Group’s Pegasus spyware. The researchers were able to uncover a zero-day zero-click exploit against iMessage. The zero-day is referred to as FORCEDENTRY by security researchers. The exploit targets Apple’s rendering library and is effective against macOS, watchOS, and Apple iOS devices.
Citizen Lab believes that the exploit has been used by actors deploying Pegasus spyware since at least February of this year. The organization made a high-confidence attribution to NSO Group for the exploit and sent its findings to Apple. Apple has now released a patch for the exploit and has urged customers to immediately update their devices. The vulnerability affects all iPhones with iOS versions 14.8 and prior, all Mac computers with operating system versions prior to OSX Big Sur 11.6, and all watches prior to watchOS 7.6.2.” (a)
Apple then sued the NSO Group to curb the abuse of state-sponsored spyware. Farrow provides further, genuinely fascinating ‘inside baseball’ on the Apple technical investigation that led to the lawsuit:
“Last November, after iPhone users were allegedly targeted by NSO, Apple filed its own lawsuit. NSO has filed a motion to dismiss. ‘Apple is a company that does not believe in theatrical lawsuits,’ Ivan Krstić, [an engineer at Apple], told me. ‘We have this entire time been waiting for a smoking gun that would let us go file a suit that is winnable.’
Apple created a threat-intelligence team nearly four years ago. Two Apple employees involved in the work told me that it was a response to the spread of spyware, exemplified by NSO Group. ‘NSO is a big pain point,’ one of the employees told me. ‘Even before the stuff that hit the news, we had disrupted NSO a number of times.’
In 2020, with the launch of its iOS 14 software, Apple had introduced a system called BlastDoor, which moved the processing of iMessages—including any potentially malicious code—into a chamber connected to the rest of the operating system by only a single, narrow pipeline of data. But Omer, the NSO V.P., told me that ‘newer features usually have some holes in their armor,’ making them ‘more easy to target.’ Krstić conceded that there was ‘a sort of an eye of a needle of an opening still left.’
In March, 2021, Apple’s security team received a tip that a hacker had successfully threaded that needle. Even cyber warfare has double agents. A person familiar with Apple’s threat-intelligence capabilities said that the company’s team sometimes receives tips from informants connected to spyware enterprises: “We’ve spent a long time and a lot of effort in trying to get to a place where we can actually learn something about what’s going on deeply behind the scenes at some of these companies.” (An Apple spokesperson said that Apple does not “run sources” within spyware companies.)
The spyware vendors, too, rely on intelligence gathering, such as securing pre-release versions of software, which they use to design their next attacks. “We follow the publications, we follow the beta versions of whatever apps we’re targeting,” Omer told me. That month, researchers from the Citizen Lab contacted Apple: the phone of a Saudi women’s-rights activist, Loujain al-Hathloul, had been hacked through iMessage. Later, the Citizen Lab was able to send Apple a copy of an exploit, which the researcher Bill Marczak discovered after months of scrutinizing Hathloul’s phone, buried in an image file. The person familiar with Apple’s threat-intelligence capabilities said that receiving the file, through an encrypted digital channel, was ‘sort of like getting a thing handed to you in a biohazard bag, which says, “Do not open except in a Biosafety Level 4 lab.”’
Apple’s investigation took a week and involved several dozen engineers based in the United States and Europe. The company concluded that NSO had injected malicious code into files in Adobe’s PDF format. It then tricked a system in iMessage into accepting and processing the PDFs outside BlastDoor. ‘It’s borderline science fiction,’ the person familiar with Apple’s threat-intelligence capabilities said. ‘When you read the analysis, it’s hard to believe.’
Google’s security-research team, Project Zero, also studied a copy of the exploit, and later wrote in a blog post, ‘We assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.’ In the NSO offices, programmers in the Core Research Group printed a copy of the post and hung it on the wall.” (1)
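An added illustration of the design principle the passage describes, written for this page rather than taken from Apple or any description of BlastDoor’s real internals: untrusted attachments are parsed in a separate process that can return only a small, schema-checked summary, and routing is decided by sniffing the bytes rather than by the sender’s declared type, so a PDF that arrives under an image label still goes through isolation instead of around it. The sample bytes, the worker script and all function names are hypothetical.

```python
import json
import subprocess
import sys

# Constructed samples: a PNG header, and a PDF header delivered as if it were
# an image, the kind of format confusion the article describes.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PDF_AS_IMAGE = b"%PDF-1.7\n1 0 obj"

MAGIC = [(b"\x89PNG\r\n\x1a\n", "png"), (b"%PDF-", "pdf"), (b"\xff\xd8\xff", "jpeg")]

def sniff_type(data: bytes) -> str:
    """Classify by leading magic bytes, never by the sender's claimed type."""
    for prefix, name in MAGIC:
        if data.startswith(prefix):
            return name
    return "unknown"

# Hypothetical isolated worker: runs as a separate Python process, reads raw
# bytes on stdin and emits only a tiny JSON summary on stdout.
WORKER_SRC = r"""
import json, sys
data = sys.stdin.buffer.read()
kind = "pdf" if data.startswith(b"%PDF-") else "png" if data.startswith(b"\x89PNG") else "unknown"
print(json.dumps({"kind": kind, "size": len(data)}))
"""

ALLOWED_KEYS = {"kind", "size"}

def parse_isolated(data: bytes, timeout: float = 5.0) -> dict:
    """Narrow pipeline: bytes in, bounded and schema-checked summary out."""
    proc = subprocess.run([sys.executable, "-c", WORKER_SRC], input=data,
                          capture_output=True, timeout=timeout, check=True)
    if len(proc.stdout) > 1024:
        raise ValueError("summary too large")
    summary = json.loads(proc.stdout)
    if set(summary) != ALLOWED_KEYS or not isinstance(summary["size"], int):
        raise ValueError("summary violates schema")
    return summary

def handle_attachment(declared_type: str, data: bytes, trust_declared: bool) -> str:
    """Report which path parsed the attachment. trust_declared=True models the
    weak design, where a 'safe' declared type skips isolation; the hardened
    design ignores the label, sniffs, and always uses parse_isolated."""
    kind = declared_type.split("/")[-1] if trust_declared else sniff_type(data)
    if trust_declared and kind in ("png", "jpeg"):
        return "fast-path:" + kind      # parsed outside isolation (weak)
    summary = parse_isolated(data)
    return "isolated:" + summary["kind"]
```

With trust_declared=True the disguised PDF is handed to the unisolated image path under its false label; with trust_declared=False the same bytes are recognised as a PDF and parsed only inside the worker.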
Farrow also reported the following: “Last month, the Washington Post reported that Israel had blocked Ukraine from purchasing Pegasus, not wanting to alienate Russia. ‘Everything that we are doing, we got the permission from the government of Israel,’ Hulio told me. ‘The entire mechanism of regulation in Israel was built by the Americans.'” (1)
In the course of the global investigations and technical revelations surrounding Pegasus, other spyware platforms and technologies considered national security threats have surfaced, including:
[Figure. Source: Council on Foreign Relations (cfr.org)]
From the start, the NSO Group has been taking incoming fire from all sides, including nation-state legal authorities and the human-rights and NGO community. The severity of this initial response was spurred by the specificity of the investigation, which delivered a list of 14 heads of state on a potential spyware target list, including French President Emmanuel Macron.
Various news outlets have over the course of the last year updated the list of heads of state, elected officials, relatives of prominent politicians and global activists who have been hacked by the Pegasus spyware – the most recent of which is the New York Times report on May 2nd of the hack of the cellphones of the Prime Minister and Defense Minister of Spain. Further prominent reports of Pegasus hacks since July 2021 include:
April 2022: UK Prime Minister, Catalan groups ‘targeted by NSO spyware’
In March, the Council on Foreign Relations offered the following interesting analysis: How Israel’s Pegasus Spyware Stoked the Surveillance Debate
February 2022
January 2022
December 2021
November 2021: NSO’s Pegasus spyware found on the devices of six Palestinian activists
October 2021
August 2021: NSO Group facing renewed backlash after helping repressive Bahraini Government hack iPhones of politicians, activists