NSO’s Pegasus Spyware Found on iPhones of US State Department Employees
According to a report from Reuters, phones belonging to at least nine US State Department employees were infected with Pegasus spyware. The malware is made by NSO Group. The targeted employees were either based in Uganda or were working on Uganda-related issues. Pegasus capabilities include location tracking, microphone activation, and data theft. A State Department spokesperson declined to confirm the report.
There are so many takeaways from this story. First, while NSO claims it will take legal action against those who misused its tools, their customers will likely have more success in claiming sovereign immunity than NSO itself. Second, it's unfortunate that Apple doesn't provide users with more information they can use to detect an attack themselves. Companies like NSO will continue to capitalize on this lack of transparency to victimize users. Finally, it's hard to imagine these actions (and others like them) aren't related to the sanctions placed on NSO.
The story of NSO should also be seen as a warning to other companies offering offensive tools commercially. Well-funded attackers often use the same tools red teams use legitimately in authorized penetration tests. So far, I don't think anybody has found a way to effectively restrict how these tools are being used. NSO Group stuck out for its unique abilities to attack mobile devices, and in some ways, its downfall was that the tool was “too good.”
Apple is taking the initiative to notify users who have devices infected with the NSO spyware. The vulnerability used to install their software was closed in the September release of iOS 14.8. Make sure that your devices are on current versions, particularly if deployed in foreign countries. Make sure that your mobile device management system can actively detect spyware installed on your devices rather than having a third party give you the bad news. Note that while NSO claims to only license their software to government agencies with strict terms, including Israeli-government-granted export licenses, and use against USG employees is strictly prohibited, that is an administrative rather than a technical control; you need to implement the technical controls to ensure the attack vectors remain closed.
The US federal government has long neglected an opportunity to use its buying power to drive Google and Apple to support a trusted “Government App Store” as part of all federal wireless contracts. Google and Amazon provided federal cloud capabilities because the federal government did use their buying power as FedRAMP and US government “Cloud-first” initiatives were backed with procurement requirements.
Working for a company that sells an adversary emulation platform, we have to maintain a balance between operational security and feature sets. Products that do not “call home” are welcomed by our customers, but if the product lands in the wrong hands, we would have no visibility into its use. This is what has occurred with Pegasus and other products. Learning from these mistakes is costly but required.
Read more in
Washington Post: Pegasus spyware used to hack U.S. diplomats working abroad