Apple has updated its documentation related to its warning system for mercenary spyware threats, now specifying that it alerts users when they may have been individually targeted by such attacks.
The revision points out companies like NSO Group, known for developing surveillance tools like Pegasus, which state actors often use for targeted attacks on individuals such as journalists, activists, politicians and diplomats.Â
In a blog post published on Wednesday, Apple highlighted the global and sophisticated nature of these attacks, which are costly and complex.
The update marks a shift in the wording from informing and assisting users targeted by state-sponsored attackers to specifically addressing mercenary spyware threats.
âItâs really important to recognize that mercenary spyware, unlike others, is deliberately designed with advanced capabilities, including zero-day exploits, complex obfuscation techniques, and self-destruct mechanisms, making it highly effective and hard to detect,â explained Krishna Vishnubhotla, vice president of product strategy at Zimperium.
According to recent reports, Apple sent threat notifications to iPhone users in 92 countries, coinciding with the support page revision.
While Apple began sending threat notifications in November 2021, it refrained from attributing the attacks or notifications to any particular threat actor or region.
This development now aligns with global efforts to counter the misuse of commercial spyware, as evidenced by a coalition of countries, including the US, working to develop safeguards against invasive surveillance technology.
Moreover, a recent report by Googleâs Threat Analysis Group (TAG) and Mandiant shed light on the exploitation of zero-day vulnerabilities in 2023, with commercial surveillance vendors being responsible for a significant portion of these exploits.
These vulnerabilities targeted web browsers and mobile devices, underscoring the increasing reliance of threat actors on zero days for evasion and persistence.
In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos.
Attackers subsequently use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware, and more.
Ransomware remains primary cyberthreat for SMBs
The Sophos report also analyses initial access brokers (IABs)âcriminals who specialize in breaking into computer networks. As seen in the report, IABs are using the dark web to advertise their ability and services to break specifically into SMB networks or sell ready-to-go-access to SMBs theyâve already cracked.
âThe value of âdata,â as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation. For example, letâs say attackers deploy an infostealer on their targetâs network to steal credentials and then get hold of the password for the companyâs accounting software. Attackers could then gain access to the targeted companyâs financials and have the ability to funnel funds into their own accounts,â said Christopher Budd, director of Sophos X-Ops research at Sophos.
âThereâs a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft, whether through ransomware attacks, data extortion, unauthorized remote access, or simply data theft,â added Budd.
While the number of ransomware attacks against SMBs has stabilized, it continues to be the biggest cyberthreat to SMBs. Out of the SMB cases handled by Sophos Incident Response (IR), which helps organizations under active attack, LockBit was the top ransomware gang wreaking havoc. Akira and BlackCat were second and third, respectively. SMBs studied in the report also faced attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox.
BEC attacks grow in sophistication
Ransomware operators continue to change ransomware tactics, according to the report. This includes leveraging remote encryption and targeting managed service providers (MSPs). Between 2022 and 2023, the number of ransomware attacks that involved remote encryptionâwhen attackers use an unmanaged device on organizationsâ networks to encrypt files on other systems in the networkâincreased by 62%.
In addition, this past year, Sophosâs Managed Detection and Response (MDR) team responded to five cases involving small businesses that were attacked through an exploit in their MSPsâ remote monitoring and management (RMM) software.
Following ransomware, business email compromise (BEC) attacks were the second highest type of attacks that Sophos IR handled in 2023, according to the report.
These BEC attacks and other social engineering campaigns contain an increasing level of sophistication. Rather than simply sending an email with a malicious attachment, attackers are now more likely to engage with their targets by sending a series of conversational emails back and forth or even calling them.
In an attempt to evade detection by traditional spam prevention tools, attackers are now experimenting with new formats for their malicious content, embedding images that contain the malicious code or sending malicious attachments in OneNote or archive formats. In one case Sophos investigated, the attackers sent a PDF document with a blurry, unreadable thumbnail of an âinvoice.â The download button contained a link to a malicious website.
Google says spyware vendors behind most zero-days it discovers…
Commercial spyware vendors (CSV) were behind 80% of the zero-day vulnerabilities Google’s Threat Analysis Group (TAG) discovered in 2023 and used to spy on devices worldwide.
Zero-day vulnerabilities are security flaws the vendors of impacted software do not know about or for which there are no available fixes.
Google’s TAG has been following the activities of 40 commercial spyware vendors to detect exploitation attempts, protect users of its products, and help safeguard the broader community by reporting key findings to the appropriate parties.
Based on this monitoring, Google has found that 35 of the 72 known in-the-wild zero-day exploits impacting its products over the last ten years can be attributed to spyware vendors.
“This is a lower-bounds estimate, as it reflects only known 0-day exploits. The actual number of 0-day exploits developed by CSVs targeting Google products is almost certainly higher after accounting for exploits used by CSVs that have not been detected by researchers, exploits where attribution is unknown, and cases where a vulnerability was patched before researchers discovered indications of exploitation in-the-wild.” – Google
Those spyware vendors use the zero-day flaws to target journalists, activists, and political figures as directed by their customers, including governments and private organizations.
Some notable CSVs highlighted in Google’s report are:
Cy4Gate and RCS Lab: Italian firms known for the “Epeius” and “Hermit” spyware for Android and iOS. The former acquired the latter in 2022, but operate independently.
Intellexa: Alliance of spyware firms led by Tal Dilian since 2019. It combines technologies like Cytrox’s “Predator” spyware and WiSpear’s WiFi interception tools, offering integrated espionage solutions.
Negg Group: Italian CSV with international reach established in 2013. It is known for “Skygofree” malware and “VBiss” spyware, targeting mobile devices through exploit chains.
NSO Group: Israeli firm famous for Pegasus spyware and other sophisticated espionage tools. It continues operations despite sanctions and legal issues.
Variston: Spanish CSV providing tailored security solutions. It collaborates with other vendors for zero-day exploits and is linked to the Heliconia framework, expanding in the UAE.
These vendors sell licenses to use their products for millions of dollars, allowing customers to infect Android or iOS devices using undocumented 1-click or zero-click exploits.
Some of the exploit chains utilize n-days, which are known flaws for which fixes are available, yet patching delays still make them exploitable for malicious purposes, often for extended periods.
Google says that CSVs have grown very aggressive in their hunt for zero-days, developing at least 33 exploits for unknown vulnerabilities between 2019 and 2023.
In the appendix of Google’s detailed report, one can find a list of 74 zero-days used by 11 CSVs. Of those, the majority are zero-days impacting Google Chrome (24) and Android (20), followed by Apple iOS (16) and Windows (6).
When white-hat researchers discover and fix the exploited flaws, CSVs often incur significant operational and financial damage as they struggle to reconstruct a working alternative infection pathway.
“Each time Google and fellow security researchers discover and disclose new bugs, it causes friction for CSVs and costs them development cycles,” says Google.
“When we discover and patch vulnerabilities used in exploit chains, it not only protects users, but prevents CSVs from meeting their agreements to customers, preventing them from being paid, and increasing their costs to continue operating.”
However, this is not enough to stop the proliferation of spyware, as the demand for these tools is strong, and the contracts are too lucrative for CSVs to give up.
Google calls for more action to be taken against the spyware industry, including higher levels of collaboration among governments, the introduction of strict guidelines that govern the use of surveillance technology, and diplomatic efforts with countries hosting non-compliant vendors.
Google is proactively countering spyware threats through solutions like Safe Browsing, Gmail security, the Advanced Protection Program (APP), and Google Play Protect, as well as by maintaining transparency and openly sharing threat information with the tech community.
A US court has rejected spyware vendor NSO Group’s motion to dismiss a lawsuit filed by Apple that alleges the developer violated computer fraud and other laws by infecting customers’ iDevices with its surveillance software.
Apple sued NSO, developer of the notorious Pegasus spyware, back in November 2021 and asked the court to permanently ban NSO from using any Apple software, services, or devices. The lawsuit alleges that company violated the US Computer Fraud and Abuse Act (CFAA), California’s Unfair Competition Law, and the terms of use for Apple’s own iCloud when its spyware was installed on victims’ devices without their knowledge or consent. NSO now must answer Apple’s complaint by February 14.
Pegasus infected Apple customers’ devices via a zero-click exploit called FORCEDENTRY, according to Cupertino. Once it lands on phones, the spyware allows users to snoop on phone calls, messages, and access the phone’s camera and microphone without permission.
Despite the surveillance-software maker’s claims that it only sells to government agencies, and even then, only to investigate terrorism or other serious crimes, the software has repeatedly been used to spy on journalists, activists, political dissidents, diplomats and government officials. This has led to US sanctions against the company and several lawsuits.
Last March, NSO asked the court to toss Apple’s lawsuit, arguing that Cupertino should be required to sue the developer in Israel, its home jurisdiction. It also claimed that Apple can’t sue over CFAA violations because the iGiant itself didn’t suffer any damages or loss [PDF].
The court, in its ruling on Monday, dismissed these arguments, noting that “the anti-hacking purpose of the CFAA fits Apple’s allegations to a T, and NSO has not shown otherwise.”
“A ‘loss’ is ‘any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service’ ⊠That is precisely the loss Apple has alleged here,” the judge continued [PDF].
When asked about the judge’s ruling, an NSO Group spokesperson said the software maker will fight on.
“The motion to dismiss is part of the legal process in this case,” the NSO spokesperson told The Register. “The technology in question is critical to law enforcement and intelligence agencies in their efforts to maintain public safety. We are confident that once the arguments are presented, the Court will rule in our favor.”
Apple, meanwhile, took the win, and a spokesperson told The Register that this lawsuit is just one of the ways the iGiant is fighting back against spyware vendors.
These include the new Lockdown Mode security feature, the threat notifications it sends to users who may be targets in nation-state attacks, and a $10 million grant to support civil society organizations that research spyware threats and conduct advocacy on the topic through the Ford Foundation.
Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.
Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what weâre doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and thereâs no reasonable way for us to opt out of it.
Spying is another matter. It has long been possible to tap someoneâs phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into peopleâs phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.
AI is about to change that. Summarization is something a modern generative AI system does well. Give it an hourlong meeting, and it will return a one-page summary of what was said. Ask it to search through millions of conversations and organize them by topic, and itâll do that. Want to know who is talking about what? Itâll tell you.
The technologies arenât perfect; some of them are pretty primitive. They miss things that are important. They get other things wrong. But so do humans. And, unlike humans, AI tools can be replicated by the millions and are improving at astonishing rates. Theyâll get better next year, and even better the year after that. We are about to enter the era of mass spying.
Mass surveillance fundamentally changed the nature of surveillance. Because all the data is saved, mass surveillance allows people to conduct surveillance backward in time, and without even knowing whom specifically you want to target. Tell me where this person was last year. List all the red sedans that drove down this road in the past month. List all of the people who purchased all the ingredients for a pressure cooker bomb in the past year. Find me all the pairs of phones that were moving toward each other, turned themselves off, then turned themselves on again an hour later while moving away from each other (a sign of a secret meeting).
Similarly, mass spying will change the nature of spying. All the data will be saved. It will all be searchable, and understandable, in bulk. Tell me who has talked about a particular topic in the past month, and how discussions about that topic have evolved. Person A did something; check if someone told them to do it. Find everyone who is plotting a crime, or spreading a rumor, or planning to attend a political protest.
Thereâs so much more. To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find peopleâs confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.
This spying is not limited to conversations on our phones or computers. Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and âHey Googleâ are already always listening; the conversations just arenât being saved yet.
Knowing that they are under constant surveillance changes how people behave. They conform. They self-censor, with the chilling effects that brings. Surveillance facilitates social control, and spying will only make this worse. Governments around the world already use mass surveillance; they will engage in mass spying as well.
Corporations will spy on people. Mass surveillance ushered in the era of personalized advertisements; mass spying will supercharge that industry. Information about what people are talking about, their moods, their secretsâitâs all catnip for marketers looking for an edge. The tech monopolies that are currently keeping us all under constant surveillance wonât be able to resist collecting and using all of that data.
In the early days of Gmail, Google talked about using peopleâs Gmail content to serve them personalized ads. The company stopped doing it, almost certainly because the keyword data it collected was so poorâand therefore not useful for marketing purposes. That will soon change. Maybe Google wonât be the first to spy on its usersâ conversations, but once others start, they wonât be able to resist. Their true customersâtheir advertisersâwill demand it.
We could limit this capability. We could prohibit mass spying. We could pass strong data-privacy rules. But we havenât done anything to limit mass surveillance. Why would spying be any different?
In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.
Previously, we covered one of the campaigns that leverages USB flash drives as an initial infection vector and concentrates on the Philippines. In this blog post, we are covering two additional USB-based cyber espionage campaigns that have been observed by Managed Defense:
SOGU Malware Infection via USB Flash Drives Across Industries and Geographies
This is the most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals. It uses USB flash drives to load the SOGU malware to steal sensitive information from a host.
Mandiant attributes this campaign to TEMP.Hex, a China-linked cyber espionage actor. TEMP.Hex likely conducted these attacks to collect information in support of Chinese national security and economic interests. These operations pose a risk to a variety of industries, including construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the United States.
SNOWYDRIVE Malware Infection via USB Flash Drives, Targets Oil and Gas Organizations in Asia
This campaign uses USB flash drives to deliver the SNOWYDRIVE malware. Once SNOWYDRIVE is loaded, it creates a backdoor on the host system, giving attackers the ability to remotely issue system commands. It also spreads to other USB flash drives and propagates throughout the network.
Mandiant attributes this campaign to UNC4698, a threat actor that has targeted oil and gas organizations in Asia. Once the actor has gained access to the system, they execute arbitrary payloads using the Windows Command Prompt, use removable media devices, create local staging directories, and modify the Windows registry.
SOGU Malware Infection via USB Flash Drives Across Industries and Geographies
The White House National Security Council cautioned on Wednesday that it will review any attempted takeover of foreign commercial surveillance software by an American company to determine whether the acquisition poses a âcounterintelligence threatâ to the U.S. government.
The statement came in response to reporting from the Guardian revealing that a chewing gum heir and producer of several Adam Sandler movies is considering a bid for the NSO Group, including its powerful Pegasus spyware.
The Biden administration is concerned about the spread of foreign commercial surveillance tools like Pegasus and believes they âpose a serious counterintelligence and security risk to U.S. personnel and systems,â the statement said.
The Hollywood producer, Robert Simonds, was responsible for more than 30 movies that made in excess of $6 billion earlier in his career and more recently had worked as the chairman of STX Entertainment, which Variety calls a âfully integrated entertainment outletâ focused on expanding into emerging global markets on a variety of platforms. Simondsâ credits with Sandler include âHappy Gilmore,â âThe Wedding Singerâ and âBilly Madison.â
According to the Guardian, Simonds was recently picked to run the Luxembourg-based holding company controlling NSO. Sources told the Guardian that Simonds is considering ways to take over some of the spyware firmâs assets in an effort to give the Five Eyes intelligence partnership of the US, the UK, Canada, Australia and New Zealand exclusive access to the potent technology.
Pegasus and similar tools are being âmisused around the world to enable human rights abuses and target journalists, human rights activists, political opposition members, or others perceived as dissidents and critics,â the White House statement said, noting that the Biden administration has launched a government-wide effort to stop Pegasus and other foreign commercial surveillance software from spreading. In March, the administration issued an executive order barring all U.S. government agencies from using the spyware, among other measures.
In its statement the White House also warned that U.S. companies should âbe aware that a transaction with a foreign entity on the Entity List will not automatically remove the designated entity from the Entity List.â The list, published by the United States Department of Commerce’s Bureau of Industry and Security (BIS), restricts trade with specified foreigners, foreign entities, or governments. Companies included on the Entity List must meet strict licensing requirements for exports.
NSO has been on the Entity List since 2021. Despite the controversy swirling around the firm, its unprecedented technology has long attracted the attention of investors. Pegasus can hack into usersâ phones remotely, activating the camera and microphone without a user knowing, as well as intercept all communications, including over encrypted apps like Signal.
Last July, the American defense firm L3Harris decided not to pursue a bid for NSO after initial explorations led to a backlash from the Biden administration
Security researchers have uncovered fresh malware with hacking capabilities comparable to those of Pegasus, which was developed by NSO Group. The software, which is sold by an Israeli firm named QuaDream, has previously been used by customers to target journalists, political opposition leaders, and an employee of an NGO. The company that makes and sells the spyware is called QuaDream.
NEW REPORT: SWEET QUADREAMS: A first look at #spyware vendor QuaDreamâs spy tools, victims and customers. We identified traces of suspected exploit deployed against iOS versions 14.4 and 14.4.2 and possibly other versions as zero-day vulnerability. https://t.co/u7jcxJpu9H
The malware was spread to the victimsâ phones when the operators of the spyware, who are thought to be government customers, sent them an invitation to an iCloud calendar. The cyberattacks took place between the years 2019 and 2021, and the term âReignâ is given to the hacking program that was used.
A phone that has been infected with Reign can, similar to a phone that has been infected with Pegasus, record conversations that are taking place near the phone, read messages that are stored on encrypted apps, listen to phone conversations, track the location of a user, and generate two-factor authentication codes on an iPhone in order to break into a userâs iCloud account.
Apple, which has been marketing its security measures as being among the finest in the world, has taken yet another hit as a result of the recent disclosures. It would seem that Reign poses an unprecedented and significant danger to the security of the companyâs mobile phones.
The spyware that was built by QuaDream attacks iPhones by having the operators of the malware, who are believed to be government customers, issue an invitation to an iCloud calendar to the mobile users of the iPhones. Since the calendar invites were issued for events that had been recorded in the past, the targets of the hacking were not made aware of them because they were sent for activities that had already occurred.
Since users of the mobile phone are not required to click on any malicious link or do any action in order to get infected, these kind of attacks are referred to as âzero-clickâ attacks.
When a device is infected with spyware, it is able to record conversations that are taking place nearby by taking control of the recorder on the device, reading messages sent via encrypted applications, listening in on phone calls, and monitoring the position of the user.
The malware may also produce two-factor authentication tokens on an iPhone in order to enter a userâs iCloud account. This enables the spyware operator to exfiltrate data straight from the userâs iCloud, which is a significant advantage. In contrast to NSO Group, QuaDream maintains a modest profile among the general population. The firm does not have a website and does not provide any additional contact information on its page. The email address of Israeli attorney Vibeke Dank was included on the QuaDream business registration form; however, she did not respond to a letter asking for her opinion.
Citizen Lab did not name the individuals who were discovered to have been targeted by clients while they were using Reign. However, the organization did say that more than five victims were located in North America, Central Asia, south-east Asia, Europe, and the Middle East. These victims were described as journalists, political opposition figures, and an employee of an NGO. In addition, Citizen Lab said that it was able to identify operator sites for the malware in the countries of Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates, and Uzbekistan.
In a security report that was published in December 2022 by Meta, the corporation that owns Facebook, the name of the firm was mentioned briefly. The report defined QuaDream as being an Israeli-based startup that was created by former NSO personnel.
At the time, Meta stated that it had removed 250 accounts on Facebook and Instagram that were linked to QuaDream. The company believed that the accounts were being used to test the capabilities of the spyware maker using fake accounts. These capabilities included exfiltrating data such as text messages, images, video files, and audio files.
The discovery of Reign underscores the continuous spread of very powerful hacking tools, even as NSO Group, the developer of one of the worldâs most sophisticated cyberweapons, has received intensive investigation and been banned by the Biden administration, likely limiting its access to new clients. NSO Group is the maker of one of the most advanced cyberweapons in the world.
Keeping track of your most vital belongings, such as your keys, wallet, remote controls, and even motorcycles, may be made easier with the assistance of an Apple AirTag. Yet, allegations that they were utilized to monitor individuals without first obtaining their permission threw an unfavorable light on the utilization and implementation of these technologies. Itâs possible that your iPhone will warn you before you have to take any action if you have reason to believe that someone is monitoring your whereabouts via an AirTag. If you believe that you may be in danger because someone is following you without your permission and you feel that you should call law authorities, Apple may provide further information about the owner of the AirTag.
You will be notified of this
If you have an iPhone and you are being tracked by an AirTag, your phone may send you a notification that says âAirTag discovered moving with you.â This will occur if all of the following conditions are met:
The AirTag has been detached from its rightful owner. iPhone of yours is awake. When you move the AirTag, it will make a sound. This may also occur with other accessories that are compatible with Find My Network, such as AirPods, AirPods Pro, or AirPods Max. When you move any of these goods when they are not being handled by their owners, each of them will make a sound.
Verify that the Tracking Notifications feature is turned on. In the event that you do not get an alert, it is possible that you will need to complete the following procedures in order to guarantee that your tracking alerts are activated:
Go to the Settings menu, and then pick Privacy. To activate Location Services, choose Location Services from the menu. Go to the System Services menu. Put your iPhone in find mode and activate the Notable Places feature. Return to the Settings menu, and then choose Bluetooth. Bluetooth must be on. Last but not least, open the Locate My app and choose yourself. Activate the Tracking Alerts on your browser.
Try out the app called âFind My.â When AirTags get separated from their owners, they will produce a sound whenever they are moved in order to assist others in locating them. After confirming that Step 2 has finished, you may open the Locate My app and check to see if the AirTag is located if you think you may have heard an AirTag or another sound that you are unable to identify and suspect it may be an AirTag.
Make AirTag produce a sound. If you have been notified that an AirTag was traveling with you and are checking the Find My app, you have the option to play a sound on the device in order to locate it more quickly. You can monitor other peopleâs AirTags by using the Find My app, which you may access by touching on the alert, selecting continue, and then tapping Locate Nearby.
Check all the details about AirTag When you have the AirTag in your line of sight, you may access the information it contains on your iPhone or any other smartphone that supports NFC. You will need to bring the top of your iPhone close to the white side of the AirTag that you have located and wait for it to identify it. A notice displays beside a webpage that contains the ownerâs last four digits of their phone number in addition to the AirTagâs serial number. If this is a lost AirTag, the owner may have included their contact information so that the person who found it may get in touch with them.
Inactivate the AirTag. If the owner of an AirTag disables it, they will no longer be able to see its current position or get updates about it. Just removing the battery is all that is required to deactivate the AirTag. You may do this by first opening the AirTag by depressing the button on top and then removing the battery by turning the lid counterclockwise.
You will be able to determine the position of another personâs iPhone so long as your AirTag is in close proximity to that device. And with Appleâs recent release of an official app for monitoring AirTags on Android devices, you donât even need an iDevice to accomplish that anymore! Yet, there is one very significant exception to this rule.
With Apple Music, the Beats app, and an application for transitioning to iOS, Tracker Detect is one of the few Apple applications that can be downloaded and used on Android devices. If you wish to zero in on a specific rogue AirTag, you can use the app to play a sound on it, and you can also use the app to monitor neighboring rogue AirTags using it. From that point on, you have the option of scanning the AirTag using an NFC reader or turning it off by removing its battery. The functionality is really fundamental, despite the fact that it is rather cool looking. Since it does not have an auto-scan feature, you will not get alerts about nearby missing AirTags as you would on an iPhone. This means that in order to look for a tag, you will need to manually launch the application first. One may argue that this renders the Tracker Detect app rather worthless since a large number of individuals in the reviews part of the app believe that it ought to be able to auto-scan. Spending your day manually searching your immediate environment for AirTags every five minutes is not the most effective use of your time.
Itâs not even like there are roadblocks in the way of making that happen on Android phones; all you need is Bluetooth Low Energy (BLE). And enabling auto-scanning for AirTags on non-Apple devices and having those devices participate to Appleâs Find My network would also considerably increase the success of finding AirTags in general. Download the application from the Google Play Store right now if you have an Android device and want to be able to scan AirTags with it.
A Barcelona-based company, a spyware vendor named Variston IT, is exploiting flaws under the guise of a custom cybersecurity solutions provider.
On 30th November, Googleâs Threat Analysis Group (TAG) reported that a Barcelona-based company, actually a spyware vendor, named Variston IT has been exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender under the guise of a custom cybersecurity solutions provider.
In their detailed technical report, TAG explained that Variston IT had been using their exploitation framework called Heliconia to install spyware on the targeted devices. The researchers at Google received an anonymous submission to Chromeâs bug reporting program which brought to their attention the exploitation framework.
Heliconia actually contains three separate exploitation frameworks. One of them is used to compromise the Chrome renderer bug so that it can escape the walls of the appâs sandbox and run malware on the operating system.
Another one is used to deploy malicious PDF documents containing an exploit for Windows Defender (a built-in antivirus engine in the newer versions of Windows). The last framework is for compromising Windows and Linux machines by using a set of Firefox exploits.
A manifest file in the source code provides a product description (Image: Google)
In its report, the tech giant observed that the Heliconia exploit is successful against Firefox versions 64 to 68, which suggests that it was created and used as early as December 2018 when Firefox 64 first came out.
Google, Microsoft, and Mozilla fixed the vulnerabilities in 2021 and early 2022. They further stated that, although they had not detected active exploitation, it is likely that the vulnerabilities had been exploited before they could be fixed.
Pegasus is listening: Q&A with Paul Rusesabaginaâs daughter Carine Kanimba
You may not recognize the name Carine Kanimba, but you have probably heard of her dad: Paul Rusesabagina. He was the manager of HÎtel des Milles Collines and rather famously decided to shelter some 1,200 mostly Tutsi Rwandans in his hotel during the 1994 genocide in Rwanda. Don Cheadle played him in the movie Hotel Rwanda.
After, Rusesabagina became a superstar ambassador of human rights. He wrote an autobiography about his work during the genocide; President George W. Bush awarded him the Medal of Freedom; and he went on the speakersâ circuit not just talking about 1994 â but criticizing the current government of President Paul Kagame for trampling on human rights.
In August 2020, Rusesabagina boarded a private jet for what he thought would be a trip to Burundi, but instead he was rendered to Rwanda. Heâs since been sentenced to 25-years in prison.
Carine Kanimba was on Capitol Hill last week to talk not just about her dad (who adopted sisters Carine and AnaĂŻse shortly after the genocide), but also her recent discovery that sheâs been targeted by a commercial spyware program called Pegasus. And she believes the Rwandan government was behind it.
Pegasus spyware is the brainchild of an Israeli company called NSO Group and it has been found on the phones of so many activists around the world it has become a kind of cautionary tale about the commercial spyware industry. It has been linked to the murder of journalist Jamal Khashoggi, discovered on the phones of Mexican opposition leaders, Catalonian politicians, and journalists and lawyers around the world. (In a statement, NSO Group told Click Here that it âthoroughly investigates any claim for illegal use of its technology by customers, and terminates contracts when illegal use is found.â)
The Click Here podcast sat down with Kanimba shortly after her Congressional testimony to talk to her about her role as a human rights advocate, what it is like finding oneself on the receiving end of a spyware campaign, and why she is confident she will win her fatherâs release. The interview has been edited and shortened for clarity.
CLICK HERE: We wanted to start by saying weâre very sorry about what youâre going through with your fatherâŠ
NSO Group, notorious makers of the notorious Pegasus spyware, has been in acquisition talks with a huge U.S. government defense contractor youâve never heard of: L3Harris Technologies, Inc. Doesnât that give you a warm, tingly feeling inside?
Pictured is Christopher E. âCall Me Chrisâ Kubasik, L3Harrisâs chairman and CEO. Heâs no doubt disappointed that the White House put the kibosh on the dealâespecially as other bits of the government gave tacit approval (or so weâre told).
But is everything quite as it seems? In todayâs SB Blogwatch, we pay attention to the man behind the curtain.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: WINBOOT.AVI
âL3Harris and NSO declined to commentâ A team of executives from an American military contractor quietlyâŻâŠâŻin recent months [attempted] a bold but risky plan: purchasing NSO Group, the cyber hacking firm that is as notorious as it is technologically accomplished. ⊠They started with the uncomfortable fact that the United States government had put NSO on a blacklist just months earlier [because it] had acted âcontrary to the national security or foreign policy interests of the United States,â the Biden administration said. ⊠But five people familiar with the negotiations said that the L3Harris team had brought with them a surprising message: ⊠American intelligence officials, they said, quietly supported its plans to purchase NSO, whose technology over the years has been of intense interest toâŻâŠâŻthe F.B.I. and the C.I.A. [But news of the] talks to purchase NSO seemed to blindside White House officials, [who] said they were outragedâŻâŠâŻand that any attempt by American defense firms to purchase [NSO Group] would be met by serious resistance. ⊠While not a household defense industry nameâŻâŠâŻL3Harris earns billions each year from American government contracts. ⊠The company once produced a surveillance system called Stingray. ⊠L3Harris and NSO declined to comment. ⊠A spokeswoman for Avril Haines, the director of national intelligence, declined to comment. ⊠The Commerce Department declined to give specifics about any discussions.
One arm of the government doesnât know what another is doing? Say it ainât so! Stephanie Kirchgaessner says itâs soââUS defence firm ends talks to buy NSOâ:
âDefinitive pushbackâ A person familiar with the talks said L3 Harris had vetted any potential deal for NSOâs technology with its customers in the US government and had received some signals of support from the American intelligence community. [But,] sources said, L3Harris had been caught off guard when a senior White House official expressed strong reservations about any potential deal. ⊠Once L3Harris understood the level of âdefinitive pushbackâ, a person familiar with the talks said, âthere was a viewâŻâŠâŻthat there was no way L3 was moving forward with this. ⊠If the government is not aligned, there is no way for L3 to be aligned,â the person said.
âCould have resulted in the blacklisting being liftedâ A deal for all or part of NSO would not be as simple as the two companies agreeing to terms, requiring permission from both the U.S. and Israeli governments. ⊠NSO Group, with its Pegasus spyware, has been one of the most controversial cybersecurity companies of recent times. Pegasus is a form of software that uses zero-day or unpatched exploits to infect mobile devices. ⊠The deal falling apart may also leave NSO in a difficult situation: With the blacklisting in place, the company is limited in whom it can sell Pegasus to and what technology it can purchase. In contrast, an acquisition by an American company could have resulted in the blacklisting being lifted.
âNSO spent years pretending they changedâ WHOA: DealâŻâŠâŻtanked. ⊠[It] helps explain recent signs of desperation from the spyware company. [An] American defense contractor acquiring a demonstrably-uncontrollable purveyor of insecurity would beâŻâŠâŻatrocious for human rights [and] bad forâŻâŠâŻcounterintelligence. ⊠This is not a company that prioritizes Americaâs national security. And it doesnât play well with our tech sector. ⊠NSO spent years pretending they changedâŻâŠâŻwhile using all available tricks to hide the fact that they kept doingâŻâŠâŻrisky biz and dictator deals.
ELI5? Look on u/Ozymandias606âs words, ye mighty, and despair:
âBiden visits Israel tomorrowâ Pegasus is a hacking tool [that] can turn anyoneâs phone into a tracking and recording device without the owner clicking a link. [It] has been sold to governments over the past several years [who] used Pegasus to spy on journalists and activists. ⊠The Commerce Department added Pegasusâ creator to a blacklist that has been slowly choking the company. ⊠A US defense contractor later offered to buy Pegasus â and claims they had explicit permission from US intelligence agencies to do so under a number of conditions, [which] include turning over the softwareâs source code to the âFive Eyesâ cybersecurity alliance. ⊠So, a handful of Western nationsâŻâŠâŻwere trying to control access to a cyber weapon that appears to take control of any phone in the world. ⊠Biden visits Israel tomorrow â his first visit to the country.
Are you hinting what I think youâre hinting? This Anonymous Coward rents the curtain (but is behind on the payments): [Youâre firedâEd.]
Unfortunately, many Americans are still in denial about what the US govt routinely do. ⊠This is simply Tiktok 2.0 (or Alstrom 3.0). ⊠Anyone who looked at history will recognise the same pattern had happened many times already, including Alstrom in France. US will buy out any company, by force or by trickery, that took lead in any area the US deemed important.
Lockdown mode is nothing. It canât work. If the software is compromised, letting software be the security canât work. Every cell phone really needs to have 3 mechanical switches and a removable battery. 1 switch for power, 1 for the mic and 1 for the camera.
What next? The Combat Desert Penguinâ@wolverine_saltyâponders alternative buyers:
Is Thiel interested?
Meanwhile, with a similarly snarky stance, hereâs kmoser:
The Israeli surveillance firm NSO Group revealed that its Pegasus spyware was used by at least five European countries.
The controversial Israeli surveillance vendor NSO Group told the European Union lawmakers that its Pegasus spyware was used by at least five countries in the region.
NSO Groupâs General Counsel Chaim Gelfand admitted that the company had âmade mistakes,â but that after the abuses of its software made the headlines it has canceled several contracts.
âWeâre trying to do the right thing and thatâs more than other companies working in the industry,â Gelfand told members of the PEGA committee. âEvery customer we sell to, we do due diligence on in advance in order to assess the rule of law in that country. But working on publicly available information is never going to be enough.â
In April, the Parliament set up a new inquiry committee investigating the use of Pegaus spyware and equivalent surveillance software used to spy of phones belonging to politicians, diplomats, and civil society members. The spyware was used to target several European leaders, including Spainâs Prime Minister Pedro SĂĄnchez, and Spanish political groups, Hungary, and Poland.
In February, the European Data Protection Supervisor (EDPS) authority called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.
The abuse of this kind of solution poses a serious threat to fundamental rights, particularly on the rights to privacy and data protection.
âIt comes from the EDPSâ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.â states the European Data Protection Supervisor (EDPS).
âPegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.â
Privacy advocated and cybersecurity experts demonstrated the use of the Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.
The bad news is that the business of digital surveillance is growing in scaring and uncontrolled way. Recently, experts spotted other surveillance malware infecting systems worldwide, such as the HERMIT spyware that was linked to an Italian firm.
If you want to read more info on the Pegasus spyware give a look at a report investigating Pegasus spyware impacts on human rights has been launched by the Council of Europe on the occasion of the summer session of the Parliamentary Assembly.
The report was prepared by the Information Society Department with contributions from Tamar Kaldani the former Personal Data Protection Inspector and the State Inspector of Georgia, currently serving as the first Vice-chair of the Consultative Committee of Convention 108 and Zeev Prokopets â an Israeli executive, product designer, software developer and entrepreneur.
âAn investigation report released by a global consortium26 revealed that 200 journalists worldwide had been targeted using Pegasus spyware. The Office of the UN Special Rapporteur for Freedom of Expression also noted the number of victims of attempted spying through Pegasus, including Mexican journalists, human rights defenders and opposition leaders.27 âThe numbers vividly show the abuse is widespread, placing journalistsâ lives, those of their families and associates in danger, undermining freedom of the press and shutting down critical media,â â said Secretary-general of Amnesty International.â concludes the report. âThe right to freedom of expression and information, as guaranteed by Article 10 of the Convention, constitutes one of the essential foundations of a democratic society and one of the basic conditions for its progress and the development of every individual.â
Researchers reported that threat actors leveraged a new zero-click iMessage exploit to install NSO Group Pegasus on iPhones belonging to Catalans.
Researchers from Citizen Lab have published a report detailing the use of a new zero-click iMessage exploit, dubbed HOMAGE, to install the NSO Group Pegasus spyware on iPhones belonging to Catalan politicians, journalists, academics, and activists.
The previously undocumented zero-click iMessage exploit HOMAGE works in attacks against iOS versions before 13.2.
The experts speculate the HOMAGE exploit was used since the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address.
The experts at the Citizen Lab, in collaboration with Catalan civil society groups, have identified at least 65 individuals targeted or infected with spyware. 63 of them were targeted or infected with the Pegasus spyware, and four others with the spyware developed by another surveillance firm named Candiru. The researchers reported that at least two of them were targeted or infected with both surveillance software.
Victims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations, the threat actors also targeted family members.
The researchers also noticed that the content used in the bait SMS messages suggests access to targets personal information, including the Spanish governmental ID numbers.
âWith the targetsâ consent, we obtained forensic artefacts from their devices that we examined for evidence of Pegasus infections. Our forensic analysis enables us to conclude with high confidence that, of the 63 people targeted with Pegasus, at least 51 individuals were infected.â reads the report published by Citizen Lab.
âWe are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1.â
This isnât the first time that Catalans were targeted by the NSO Group Pegasus Spyware, Citizen Lab has previously reported âpossible cases of domestic political espionageâ after detecting infections with the popular surveillance software. Multiple Catalans were targeted with Pegasus through the 2019 WhatsApp attack, at the time the spyware leveraged exploits for theÂ
CVE-2019-3568
 vulnerability.
The Citizen Lab doesnât explicitly attribute the attacks to a specific threat actor, but the nature of the targets suggests a link with Spanish authorities. All the targets were of interest to the Spanish government and experts pointed out that the specific timing of the targeting matches events of specific interest to the Spanish government.
âWhile we do not currently attribute this operation to specific governmental entities, circumstantial evidence suggests a strong nexus with the government of Spain, including the nature of the victims and targets, the timing, and the fact that Spain is reported to be a government client of NSO Group.â concludes the report.
An espionage attempt was made by an NSO Group customer to hack the phones of senior EU officials. Although thereâs some suggestion that it might have been QuaDreamâa similar Israeli spyware firm.
Commissioner for Justice Didier Reynders (pictured) seems to have been the main target, along with several of his staffers at the Directorate-General for Justice and Consumers. They were warned of the attack five months agoâby Apple.
But who ordered the hack? Might it have been the French government? In todayâs SB Blogwatch, weâre shockedâSHOCKEDâto discover un peu dâespionnage fratricide.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Shrimp can lobster.
âRemotely and invisibly take control of iPhonesâ Among them was Didier Reynders, a senior Belgian statesman who has served as the European Justice Commissioner since 2019. ⊠At least four other [Justice and Consumers] commission staffers were also targeted. ⊠The commission became aware of the targeting following messages issued by Apple to thousands of iPhone owners in November telling them they were âtargeted by state-sponsored attackers.â ⊠The warnings triggered immediate concern at the commission. ⊠A senior tech staffer sent a message to colleagues with background about Israeli hacking tools: ⊠âGiven the nature of your responsibilities, you are a potential target.â ⊠Recipients of the warnings were targeted between February and September 2021 using ForcedEntry, an advanced piece of software that was used by Israeli cyber surveillance vendor NSO Group to help foreign spy agencies remotely and invisibly take control of iPhones. A smaller Israeli spyware vendor named QuaDream also sold a nearly identical tool.
âComes at potentially the worst possible timeâ Itâs not totally clear why these officials were targeted or who used the malware against them. ⊠NSO has denied that it had any involvement. ⊠Reuters also reached out to QuaDreamâŻâŠâŻbut did not get any sort of comment or response. ⊠The claims that EU officials were targeted with NSO Group software comes at potentially the worst possible time for the company as it continues to battle both legal and financial troubles, as well as multiple government investigations. ⊠NSO is now appealing to the U.S. Supreme Court in a new effort to rid itself of a hefty lawsuit filed byâŻâŠâŻWhatsApp, [which] sued NSO in October of 2019 after the surveillance firmâs malware was allegedly discovered on some 1,400 usersâ phones. ⊠The company is also currently battling another lawsuit from Apple filed last November on similar grounds.
âUse of surveillance softwareâ The discovery of the misuse of NSO Groupâs tools certainly doesnât help the companyâs profile following the Pegasus scandal, when it was found the tool was used by governments to spy on journalists, activists, and government opponents, instead of for fighting crime. The adoption of Pegasus and other tools by government agencies led to lawmakers in the U.S. asking Apple and the FBI about the latterâs acquisition of NSO Group tools. ⊠Meanwhile, the European Parliament will be launching a committee on April 19 to investigate the use of surveillance software in European member states.
The European Union, huh?FOHEng thinks this should be a teachable moment:
Many of these same EU people think The App Store should be forced to open, increasing the vectors forâŻâŠâŻexploits to make it into devices. Theyâre as stupid as some US Senators, who arenât allowed to sideload Apps on their devices over security concerns, yet want to force Apple to allow this. They are truly delusional. ⊠Third party stores with Apps being vetted for security? An oxymoron if ever there was one. ⊠You think iOS third party stores are going to somehow be secure and Apps checked?
âNo big deal until it happens to me.â This story has been unfolding slowly for years, yet these EU officials didnât seem too bothered until Apple notified them about their phones being hacked. ⊠Thanks for all the concern.
But what of Apple in all this? Heed the prognostications of Roderikus:
More fines for offering a platform that is basically compromised while being marketed as âsafe.â
However,mikece is triggered by a certain word in the Reuter hed:
Throwing the adjective âIsraeliâ into the title is misleading as it suggest the state of Israel is somehow involved. ⊠Blaming Israel for this is like blaming Japan for all of the Toyota Hiluxes converted into gun platforms around the world.
Yet weâve still not dealt with the âwhoâ question. For this, we turn to Justthefacts:
CitizenLab did some clever geographic fingerprinting, and have a list of which countries are doing this. ⊠Out of these, the credible list is: France, Greece, Netherlands, Poland, UK, USA.
The target was the European Justice Minister from 2019 onwards. He doesnât have military or external trade secrets. Neither the UK nor USA are impacted in any way by what goes on in his office. So itâs either France, Greece, Netherlands, Poland.
If you have a look at the heat-map produced by CitizenLab, itâs the French government snooping on the EU. What were you expecting?
Nor the âwhyâ: What else do we know about the named victim? ffkom ffills us in: [Youâre ffiredâEd.]
Didier Reynders is [one of] those politicians who have continuously undermined EU data protection laws by agreeing to sham contracts like âSafe Harbourâ and âPrivacy Shield,ââŻâŠâŻknowing those were contradicting EU lawâŻâŠâŻand not worth the paper they were written on. He, personally, is also responsible for not enforcingâŻâŠâŻGDPR. ⊠It serves Mr. Reynders right that his data is exposed, just as much as he has helped to expose EU citizenâs data.
For the past few weeks, Russia has been deploying military forces into strategic positions on Ukraineâs borders. However, there is another, virtual dimension to the escalating conflict: cyber-attacks on Ukrainian government and business websites and services.
Although it is impossible to confirm the Russian state is behind these attacks, commentators have suggested that similar tactics form part of a type of hybrid warfare that Russia has been fine tuning for the past couple of decades.
Cyber-espionage and information warfare have become an intrinsic part of recent conflicts and happen on a regular basis between conflicting powers. However, governments do not usually publicly claim responsibility for this type of activity, since this could put them in a position of declaring war against the targeted country and provoking counterattacks and sanctions from the international community. Therefore, evidence that Russia is definitely behind these attacks is hard to establish.
Cyber-attacks are often attributed to hacker groups with nationalist motivations, who justify their political agendas without explicitly verifying any state backing.
In January, there was a spate of attacks by Belarusian hackers believed to be supporting Russia. They launched a series of malware attacks against Ukrainian computer systems with many government and other websites being defaced with provocative and intimidating messages.
In mid February, there was another round of cyber-attacks, this time targeting the Ukrainian army website, ministerial websites and some of the major banks, including PrivatBank, preventing online payments and use of banking apps.
These latest attacks were mainly distributed denial of service (DDOS) attacks, where a huge number of small packets of information are sent to websites and servers from multiple sources. This information overload causes the servers and computer systems targeted to slow down or collapse because of the swarm of information requests.
Russian involvement in those cyber-attacks is suspected, but is hard to confirm. The attacks follow the pattern of similar tactics with alleged Russian backing over the past two decades in Ukraine, Estonia and Georgia, including attacks on communications infrastructures and power grids.
The US president and EU officials are now discussing increasing cyberspace defences against such attacks or imposing sanctions, if required.
Despite all of this, Ukrainian officials have refrained from explicitly mentioning the Russian state as being behind these attacks.
A searing look inside the rise of cyberwarfare as the primary way nations now compete with and sabotage one another – The Perfect Weapon
The European Data Protection Supervisor authority called for a ban on the development and the use of Pegasus-like commercial spyware.
The European Data Protection Supervisor (EDPS) authority this week called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.
Pegasus is a surveillance malware developed by the Israeli surveillance NSO Group that could infect both iPhones and Android devices, it is sold exclusively to the governments and law enforcement agencies.
The abuse of this kind of solution poses a serious threat to fundamental rights, particularly on the rights to privacy and data protection.
âIt comes from the EDPSâ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.â states the European Data Protection Supervisor (EDPS).Â
âPegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.â
Privacy advocated and cybersecurity experts demonstrated the use of the Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.
Pegasus was used by governments with dubious human rights records and histories of abusive behaviour by their state security services.
The surveillance software allows to completely take over the target device and spy on the victims. Developers of surveillance solutions leverage zero-click zero-day exploits to silently compromise the devices without any user interaction. Pegasus is known to have used KISMET and FORCEDENTRY exploits to infect the devices of the victims.
NSO Group has repeatedly claimed that its software is sold exclusively to law enforcement and intelligence agencies to fight crime and terrorism, in so-called âlife-saving mission.â
According to a series of disclosures by the business publication Calcalist in recent weeks, dozens of citizens in the country were targeted by Israel Police with the NSO Groupâs spyware to gather intelligence without a search warrant authorizing the surveillance.
âNational security cannot be used as an excuse to an extensive use of such technologies nor as an argument against the involvement of the European Union.â continues EDPS.
EDPS urges tight control over the use of surveillance and hacking tools to prevent and disincentive unlawful use.
I transcribed a recent interview, here some questions and answers about nation-state hacking, spyware, and cyber warfare. Enjoyâ
How has spyware changed the rules of cyber security in recent years? What will cyber security look like now that those tools are all over the internet?
In the last decade, we have observed a progressive weaponization of cyberspace. NATO recognized cyberspace as a new domain of warfare. Cyberspace is the new battlefield for nation-state actors, the digital place where international crime rings operate threatening the pillars of our digital society.
Spyware are powerful weapons in the arsenal of governments and cybercrime gangs. These tools are even more sophisticated and are able to evade detection by using so-called zero-day exploits allowing attackers to bypass the defense of government organizations and businesses. Spyware allows attackers to steal sensitive info from the targets, and perform a broad range of malicious activities.
Is the Pegasus spyware as a game-changer?
Pegasus is probably the most popular surveillance software on the market, it has been developed by the Israeli NSO Group. Anyway, it is not the only one. Many other surveillance firms develop spyware that are every day abused in dragnet surveillance and target journalists, dissidents, and opponents of totalitarian regimes. These software are developed for law enforcement and intelligence agencies, but they are often abused by many governments worldwide cyber espionage operations. The surveillance business is growing in the dark and is becoming very dangerous.
Which are devices of cyber warfare and cyber espionage?
Every technological device can be abused for cyber warfare and cyber espionage. Malware, spyware are the most common means but do not forget the power of social network platforms that can be used for surveillance and misinformation purposes.
Many governments have fallen victim to massive ransomware attacks from groups linked to organized crime, how bad can this new trend of hacking get?
Every day we read about major attacks targeting organizations worldwide with severe impact on their operations. The situation is going worse despite the numerous operations of law enforcement on a global scale. The number of ransomware attacks spiked in the last couple of years due to the implementation of the Ransomware-as-a-Service model, this means that tens of ransomware gangs have created a network of affiliates and provided them their malware. Almost any criminal group could become an affiliate, obtain ransomware from a gang, and spread it, this is amplifying the damages. Critical infrastructure are even more exposed to a new generation of threats that are more aggressive and sophisticated.
Reports are coming out linking North Korea to illegal online activities related to cryptocurrency. How are some governments using the Internet to threaten world peace in one way or another?
When dealing with nation-state actors you must consider the main motivation behind the attacks and distinguish the technique, tactics, and procedure adopted by the different state-sponsored groups.
For example, China-linked nation-state actors are more focused on cyberespionage aimed at stealing intellectual property, while Russia-linked Advanced Persistent Threat groups often operate to destabilize the political contest of foreign states, carry out cyber espionage activities, and conduct disinformation campaigns. North Korea-linked threat actors carry out financially motivated attacks against banks and cryptocurrency firms worldwide to steal funds to re-invest in their military industry.
What about the resilience of countriesâ infrastructure to face such kind of war?
We need norms of state behavior in the cyber space and more information sharing on cyber threats. We need to share information about the attacks in an early stage, profiling the threat actors to mitigate and prevent their campaigns. It is essential to increase the level of security of critical infrastructure like power grids, power plants and hospitals. Critical infrastructure are the main targets of nation-state actors in a cyber warfare contest.
Is making the internet a safe place technically possible?
Let me use the title of a famous book, âNo place to hideâ. I mean that both nation-state actors and cybercriminal organizations are spending a growing effort to increase their hacking capabilities and evasion techniques. Unfortunately, today most of the organizations still consider cybersecurity a cost to cut and this approach gives the attackers an immense advantage. We need a cultural change and we must consider that a security by design approach is the unique way to make the Internet a safe place. We also need globally recognized norms of responsible state behavior in cyberspace.
In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the worldâs most notorious maker of spyware. Then, with their equipment in place, they began testing.
The F.B.I. had bought a version of Pegasus, NSOâs premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else â not a private company, not even a state intelligence service â could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.
Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capture JoaquĂn GuzmĂĄn Loera, the drug lord known as El Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSOâs products seemed to solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology for encrypting their communications than investigators had to decrypt them. The criminal world had gone dark even as it was increasingly going global.
But by the time the companyâs engineers walked through the door of the New Jersey facility in 2019, the many abuses of Pegasus had also been well documented. Mexico deployed the software not just against gangsters but also against journalists and political dissidents. The United Arab Emirates used the software to hack the phone of a civil rights activist whom the government threw in jail. Saudi Arabia used it against womenâs rights activists and, according to a lawsuit filed by a Saudi dissident, to spy on communications with Jamal Khashoggi, a columnist for The Washington Post, whom Saudi operatives killed and dismembered in Istanbul in 2018.
Finland Ministry for Foreign Affairs revealed that devices of Finnish diplomats have been infected with NSO Groupâs Pegasus spyware.
Finlandâs Ministry for Foreign Affairs revealed that the devices of some Finnish diplomats have been compromised with the infamous NSO Groupâs Pegasus spyware.
The diplomats were targeted with the popular surveillance software as part of a cyber-espionage campaign.
âFinnish diplomats have been targets of cyber espionage by means of the Pegasus spyware, developed by NSO Group Technologies, which has received wide publicity. The highly sophisticated malware has infected usersâ Apple or Android telephones without their noticing and without any action from the userâs part. Through the spyware, the perpetrators may have been able to harvest data from the device and exploit its features.â reads a statement published by the Ministry.
According to the statement, threat actors have stolen data from the infected devices belonging to employees working in Finnish missions abroad. The attacks were spotted following an investigation that started in the autumn of 2021, anyway, according to the government experts the campaign is no longer active.
The announcement pointed out that the data transmitted or stored on diplomatsâ devices are either public or classified at the lowest level of classified information (level 4).
Finlandâs Ministry for Foreign Affairs warns that even if the information is not directly classified, the information itself and its source may be subject to diplomatic confidentiality.
âThe Ministry for Foreign Affairs is continually monitoring events and activities in its operating environment and assessing related risks. The Ministry for Foreign Affairs monitors its services and strives to prevent harmful activities. The preparation of and decisions on foreign and security policy, in particular, are matters that attract much interest, which may also manifest itself as unlawful intelligence.â concludes the Ministry. âThe Ministry responds to the risk by various means, but complete protection against unlawful intelligence is impossible.â
In December, Apple warned that the mobile devices of at least nine US Department of State employees were compromised with NSO Group âs Pegasus spyware.
