malware – Techdirt

NSO Group Owes Meta $167 Million In Damages For Using WhatsApp Servers To Deliver Malware

from the going-to-have-to-hold-a-bake-sale-or-something dept

We’ll have to see if NSO Group has this sort of cash just lying around. Seems unlikely, what with its financial backers pulling out in response to a steady stream of negative headlines, as well as the company considering exiting the highly-profitable offensive malware market.

Sure, this will be appealed and NSO will try to get the awarded damages trimmed down to a more manageable number, but for now, this is what NSO Group owes Meta, the parent company of WhatsApp:

NSO Group, the Israeli spyware-maker behind Pegasus, must pay Meta $167.25 million for hacking 1,400 users across WhatsApp. A federal jury in California made the decision on Tuesday after the court found the NSO Group liable for the attacks last year.

[…]

The jury also awarded Meta $444,719 in compensatory damages.

John Scott-Railton of Citizen Lab has a pretty thorough rundown of this litigation over at Bluesky. Citizen Lab, of course, has been instrumental in revealing abusive deployments of NSO Group’s Pegasus malware by some of its shadier customers. And Citizen Lab has been targeted by some of NSO’s investors in hopes of stopping the self-inflicted bleeding the Israeli malware maker endured over the past four years.

A settlement was expected when NSO Group was ordered to turn over its malware source code by a California federal court. But then NSO asked the Israeli government to raid its offices and seize anything it might be forced to produce in response to WhatsApp discovery requests. Then it let the lawsuit play out, which turned out to be a bad idea. A jury said NSO Group was in the wrong, and for now, at least, it’s on the hook for nearly $168 million in damages.

Meta is taking a deserved victory lap on its site. But of more interest to everyone than news that Meta may become slightly richer are the documents posted by the victorious party, which include transcriptions of NSO Group depositions.

Included in the depositions are the actual price tags for Pegasus, NSO Group’s most powerful and profitable product. As of 2020, $7 million bought governments the ability to deliver spyware to up to 15 targets. If governments wanted to target devices not currently in the country, that added feature ran $1-2 million on its own.

Given that, you’d think NSO would still have plenty of cash in the bank. But spending nearly a half-decade watching your fortunes dwindle and your name become synonymous with human rights abuses tends to empty the coffers fairly quickly. At some point, NSO will finally have to settle up with WhatsApp. And the success of this lawsuit will hopefully deter other companies with similarly questionable ethics from rushing to fill the void left behind by NSO’s spectacular implosion.

Filed Under: malware, pegasus, source code, spyware, surveillance
Companies: meta, nso group, whatsapp

Israeli Malware Maker Linked To Six Government Purchasers, Abusive Deployments

from the spyware-for-the-spies dept

Israel-located NSO Group may no longer be a malware option for the US and other discerning governments around the world, thanks to blacklists, lawsuits, and its disturbing willingness to sell to some of the most abhorrent governments on earth. But the market for powerful phone exploits isn’t drying up. Governments still want powerful surveillance tech, even if it means buying from the same market NSO Group almost ruined.

Paragon — formed by a former Israeli intelligence officer, and which currently has ex-Israel prime minister Ehud Barak on its board — is the new option, one even US agencies are willing to approach. Not that Paragon is necessarily that much more ethical than NSO. But, for now, its malware has only been traced to countries that most people wouldn’t consider to be habitual human rights abusers. This is from Lorenzo Franceschi-Bicchierai’s report for TechCrunch, which sums up the discoveries made by Toronto’s Citizen Lab, which has led the world in exposures of abusive deployments of NSO Group spyware.

The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of Israeli spyware maker Paragon Solutions, according to a new technical report by a renowned digital security lab.

On Wednesday, The Citizen Lab, a group of academics and security researchers housed at the University of Toronto that has investigated the spyware industry for more than a decade, published a report about the Israeli-founded surveillance startup, identifying the six governments as “suspected Paragon deployments.”

It’s not that any of these governments are problem-free. Australia has always erred on the side of mass surveillance, encryption-breaking mandates, and ends-justifies-the-means thinking. Cyprus has spent plenty of years acting as an offshore conduit for malware sales to UN-blacklisted nations by setting up shell entities to handle the contractual work that would otherwise be illegal in malware companies’ home countries. Israel is malware central, with much of its homegrown exploit products being created by companies founded by former Israeli intelligence officers and analysts. Singapore has its own problems with control, corporal punishment, and domestic surveillance, even if it manages to offset these encroachments with a strong economy, actually safe and extremely clean streets, and a wealth of robust social services. And Denmark is Denmark, a country that rarely makes the wrong kind of headlines, outside of its bizarre takes on copyright law and its firm resistance to Greenland real estate deals.

Then there’s Canada. Canada’s government has also recently been pushing for more domestic surveillance, less oversight, and even engaged in some conversations about encryption backdoors. Still, it’s usually mostly harmless. But even though the Ontario Provincial Police don’t want to talk about their Paragon purchases, it’s pretty much impossible for the OPP to pretend this hasn’t actually happened. This is from Justin Ling’s op-ed for the Toronto Star, which calls out the OPP for its acquisition of Paragon spyware, as well as its lack of transparency about its use of Paragon’s products:

The Citizen Lab first uncovered Paragon’s operation when a tip led them to a domain name registered to the company, which in turn led to a server that the Citizen Lab says it believes Paragon uses to communicate with clients. Researchers then tracked that server to small town Ontario, to an address which matches only a warehouse, a strip mall, a brewery, an apartment — and the headquarters of the Ontario Provincial Police.

So, there’s no chance of plausible deniability, which explains the OPP’s statement that says nothing more than it won’t talk about its investigative tools in public.

But that’s not the end of the discussion. It’s more than a little concerning when a free world police agency decides it can be trusted with powerful malware that it then deploys against its fellow Canadians.

When cops deploy this cutting-edge technology without disclosure, or firm rules in place, they risk violating the public’s trust. That problem is only more acute when it comes to technology that risks collecting data on innocent people — like spyware. While adopting new tech can help police solve crimes, failing to fully disclose the nature of these new techniques risks getting evidence thrown out at trial on procedural grounds.

[…]

Even if the police are operating ethically, the same vulnerabilities they’re exploiting could put you at risk.

This is the trade-off the general public often isn’t aware is being made in its name, but without its consent: that cops will buy from companies that hoard exploits and refuse to inform the millions of innocent people affected by them of their existence simply because doing so might make it slightly more difficult for them to target and track suspected criminals. Meanwhile, active criminals are no doubt using the same undisclosed exploits to cause more harm. And that’s on top of any abuse of this spyware that’s being perpetrated by the governments that have purchased these products.

As Citizen Lab notes, there’s no way to “abuse-proof” powerful malware. As if to prove this point, reports surfaced last month showing an unknown government had been targeting Italian human rights activists. (This would seem to point to Cyprus, which has been a facilitator of abuse on behalf of countries trying to distance themselves from the consequences of their actions, but nothing has been confirmed at this point.)

Beppe Caccia, one of the co-founders of Mediterranea Saving Humans, an Italian non-government organization that helps immigrants, told TechCrunch that he had been targeted by the spyware campaign.

Caccia disclosed he was targeted after another one of his organization’s co-founders, Luca Casarini, said publicly last week that he had also received a notification from WhatsApp alerting him to the suspected spyware attack.

To assume the Ontario Provincial Police can be trusted with this powerful malware is foolish. All it takes is one person with access to violate whatever trust is left by using it for personal or political reasons. One of the few deterrents is robust oversight, which should always be accompanied by proactive transparency. If cops want powerful spyware, they should be expected to fully justify its deployment over less-intrusive forms of surveillance. And they should never be allowed to purchase or deploy this tech without stringent guidelines in place or without a period of public comment first. Trust has to be earned. It’s not enough to just buy stuff from a company that has yet to prove it’s any better than the company it’s replacing.

Filed Under: australia, canada, cyprus, denmark, israel, malware, ontario provincial police, privacy, rights violations, singapore, spyware, surveillance, surveillance abuse
Companies: graphite, paragon

Poland’s Justice Minister Arrested For Illegal Use Of NSO Group Malware

from the wow-justice-what-a-weird-concept dept

After several months of pretending this sort of thing just didn’t happen there, the Polish government finally admitted some of its members had abused powerful smartphone malware it had purchased from Israeli spyware firm, NSO Group.

This came to light following an investigation that found someone in the government had illegally targeted a Polish government prosecutor who had been investigating election irregularities. He was notified by Apple, which had implemented a program to inform customers of suspected state-sponsored hacking.

As NSO Group’s future prospects continued to crumble, more investigations were opened. And now another abuser of NSO malware has been taken down by the same government that employed them. Here’s Suzanne Smalley, reporting for The Record:

Polish police on Friday arrested the country’s former justice minister, alleging that he signed off on the use of government money to pay for spyware used to snoop on opposition leaders and supervised cases where the technology was deployed.

The arrest of Zbigniew Ziobro — who was justice minister from 2015 to 2023 — follows the arrest earlier this week of the country’s former Internal Security Agency chief Piotr Pogonowski, according to local news reports.

Ziobro’s arrest is the latest high-profile action in a probe the country’s new prime minister has undertaken to mete out justice for nearly 600 people who are believed to have been victims of the spyware attacks. The abuses took place from 2017 to 2022.

Adding it all up, that’s one prosecutor victimized by illegal government spying and one participant in illegal government spying: the top prosecutor in the nation, roughly equivalent to the US DOJ’s Attorney General.

The more astounding facts come in the third paragraph: the country’s government illegally compromised phones nearly 600 times over a five-year period. Almost certainly, that total has increased since 2022. Any downward trend in recent months should be attributed to worldwide outrage against NSO Group, rather than the Polish government’s desire to see actual justice done.

My cynicism aside, it’s remarkable that anyone has been arrested for abusing a product this government has legally secured. If this had happened in lots of other countries, abusers of spyware would still be in positions of power, occasionally glancing at in-process investigations no one sincerely believes will be resolved before the news cycle draws attention away from the routine abusive acts of NSO Group’s customers.

And you know the system is completely corrupt when you take a look at this nexus:

The country’s 2019 elections were tainted by the use of Pegasus, Senate investigators said, recommending criminal charges.

The prosecutor targeted by Pegasus spyware by other government entities was correct: the 2019 elections had been interfered with. This government report confirms that, saying misuse of malware contributed to this election interference. Years later, there’s this: a report that says (without saying who was targeted) the head prosecutor in the nation illegally targeted someone or someones with NSO’s flagship product. It may be years before we find out who the minister targeted. But, given the information uncovered so far, it’s not that difficult to believe this was prosecutor-on-prosecutor surveillance.

Filed Under: malware, pegasus, poland, spyware, surveillance abuse, zbigniew ziobro
Companies: nso group

US Gov’t Again Hacks Thousands Of Computers To Thwart Foreign Gov’t Hackers Who Hacked Thousands Of Computers

from the nothing-to-worry-about-here dept

It’s not the first time. It certainly won’t be the last. But every time, we’re expected to hang back and assume the FBI is on the right side of history.

Something the FBI has tried a couple of times previously is back in the news: the remote access of thousands of computers containing foreign spyware for the purpose of dismantling botnets and/or thwarting foreign access to US-based devices.

The first attempt was made more than a half-decade ago, right after federal law (specifically Rule 41) was altered to allow the feds to ignore jurisdictional limitations when crafting warrants. This issue presented itself during the FBI’s “Playpen” investigation — one in which it took over a server hosting CSAM and kept it running while it deployed its remote access tool to visitors’ computers, forcing their devices to give up identifying info, including where these devices might be located (IP addresses, in other words).

A single warrant obtained in Virginia resulted in the FBI accessing computers all over the nation (and all over the world). While this raised constitutional questions, most courts were fine with this because, well, the defendants were just people facing CSAM-related charges. The Rule 41 alterations codified the FBI’s previous abuse of the legal process.

Now, with a single warrant, the FBI can access computers anywhere in the US. Which it has. Multiple times. The incidents the FBI actually wants to talk about publicly involve rooting out botnets and thwarting malware deployed by hostile state actors. In addition to nuking malware servers, the warrants also allowed FBI agents to pull identifying information from targeted users, including IP addresses and routing info, supposedly for the sole reason of confirming the infections had been removed and the targeted computers were no longer communicating with malware “administrators.”

It has happened again, as Emma Roth reports for The Verge:

The FBI hacked about 4,200 computers across the US as part of an operation to find and delete PlugX, a malware used by state-backed hackers in China to steal information from victims, the Department of Justice announced on Tuesday.

In an unsealed affidavit, the FBI says the China-based hacking group known by the monikers “Mustang Panda” and “Twill Typhoon” used PlugX to infect thousands of Windows computers in the US, Asia, and Europe since at least 2012. The malware, which infects computers through their USB ports, operates in the background while allowing hackers to “remotely access and execute commands” on victims’ computers.

It worked like this. The FBI gained access to the command-and-control server, obtained a list of IP addresses of infected computers, and sent its own command to those devices to end the malware’s operation and delete the malware when the operation was finished. As in the earlier cases, users whose computers were accessed remotely by the FBI were not notified of this action.

All’s well that ends well, I guess. But we perhaps should offer only the most cautious of applause for this anti-malware action. While it’s nice to see power used for good, the underlying problem is that the FBI has both the power and permission to access an unlimited number of computers using a single warrant obtained in whatever jurisdiction the agency feels might be most receptive to its overtures. I’m not saying the FBI will abuse these powers. But I am saying that having these powers at your disposal, untethered from anything one might call rigorous oversight, is definitely an open invitation to abuse.

And while the DOJ is more than happy to talk about G-men performing virtual raids to rid citizens’ computers of unwanted spyware, it’s pretty much guaranteed the moment the FBI does something a bit more questionable, it will take a ton of litigation to force the DOJ to divulge details on operations that don’t reflexively lead to self-congratulatory press releases.

Filed Under: botnets, doj, fbi, malware, remote installs, warrant

Federal Judge Says NSO Group Violated CFAA, Holds It Liable For Malware Delivered Via WhatsApp’s Servers

from the lost-the-battle-but-maybe-won-a-war? dept

WhatsApp has scored a limited win in its lawsuit against NSO Group. The allegations were that NSO used WhatsApp’s servers — located in California — to deliver its malware to targeted devices. NSO argued several things and failed in almost every case, including the deployment of diametrically-opposed assertions. First, it argued it couldn’t be held directly liable for the acts of its customers. Then it argued it should be granted the same sovereign immunity awarded to the governments that purchased its products.

All of this failed. NSO Group was also ordered to turn over the source code of its most powerful malware — the zero-click malware known as “Pegasus” — to WhatsApp so it could examine it for proof of its misuse of the company’s servers, as well as the messaging service itself. NSO did not comply with these orders. In fact, it even asked the Israeli government to intervene, but notably not by asking it to file a motion in court. Instead, it basically begged the government to raid its offices and seize anything it didn’t want to end up in the hands of litigants, which at that point also included Apple.

The win here is limited. And while it does seem to expand the definition of unauthorized access that has so often been a problem in CFAA cases, it only does so because NSO refused to make the source code available to WhatsApp, which means the court had to assume WhatsApp’s allegations are true because NSO is unwilling to prove them false. (And that’s assuming the source code would prove these allegations false. There’s a good chance it wouldn’t.) Here’s a short summary from Reuters:

A U.S. judge ruled on Friday in favor of Meta Platforms’ WhatsApp in a lawsuit accusing Israel’s NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance.

U.S. District Judge Phyllis Hamilton in Oakland, California, granted a motion by WhatsApp and found NSO liable for hacking and breach of contract.

The case will now proceed to a trial only on the issue of damages, Hamilton said. NSO Group did not immediately respond to an emailed request for comment.

The damages trial that will be moving forward is directly due to NSO’s refusal to comply with discovery orders, as the court notes in its decision [PDF]:

Overall, the court concludes that defendants have repeatedly failed to produce relevant discovery and failed to obey court orders regarding such discovery. Most significant is the Pegasus source code, and defendants’ position that their production obligations were limited to only the code on the AWS server is a position that the court cannot see as reasonable given the history and context of the case. Moreover, defendants’ limitation of its production such that it is viewable only by Israeli citizens present in Israel is simply impracticable for a lawsuit that is to be litigated in this district.

Accordingly, the court concludes that plaintiffs’ motion for sanctions must be GRANTED.

Yep, that’s right. NSO promised to produce the code but insisted it could only be viewed by an Israeli citizen on Israeli soil — a pretty bold move considering this case involved a California company and its California servers.

So, the first of the evidentiary sanctions is this: the court accepts WhatsApp’s allegations as true and rules accordingly:

The court concludes that, because defendants did not produce Pegasus code in a way that was meaningfully accessible to plaintiffs or to the court, plaintiffs were unable to obtain detailed evidence of how the WIS chose which server(s) to use, and thus, an evidentiary sanction is warranted such that the court will conclude that the use of plaintiffs’ California based servers was a purposeful choice made by defendants.

As for the CFAA claims, the court says both parties are hung up on a semantic argument about whether or not the distribution of malware via WhatsApp messages (and, necessarily, utilizing the company’s servers to distribute the spyware) was “without authorization” or “exceeded authorization.” The court says it’s the latter. Sending messages to WhatsApp users is “authorized” because that’s the entire purpose of the platform. However, extracting device info, data, and communications “exceeded” authorization because NSO’s malware utilized WhatsApp’s servers to perform these extractions.

As the parties clarified at the hearing, while the WIS [WhatsApp Installation Server] does obtain information directly from the target users’ devices, it also obtains information about the target users’ device via the Whatsapp servers. See Dkt. 464 at 44 (“before Pegasus is on the device, in the process of getting the Pegasus agent installed on the target device, there is a whole lot of signaling that goes on. . . . They had to fingerprint the device which used a pretty sophisticated set of messaging to get information back to the WIS via the Whatsapp servers about the precise operating system and memory structure of the [target] phone.”); see also Dkt. 399-2 at 27 (“NSO also obtained information via the Whatsapp servers from the target device, such as the structure of its operating system and the location of crucial memory files, which a regular Whatsapp user using the Whatsapp client app cannot obtain.”).

The analysis for [CFAA] section (a)(4) is largely the same, as it uses the same statutory definition found in section (e)(6). Plaintiffs argue that the information’s value is established by defendants’ clients’ willingness to pay for Pegasus. Defendants challenge the mens rea showing for the ‘intent to defraud’ (as well as the ‘intent’ requirement of section (a)(2)), but the fact that defendants redesigned Pegasus to evade detection after plaintiffs first fixed the security breach is enough to prove intent.

All that’s left to be decided is how much NSO Group owes WhatsApp. Any expansion of CFAA authorized access definitions seems to be tempered by the specific facts of this case: namely, that accepting WhatsApp’s assertions was the only option left when NSO refused to comply with discovery. If it had, the ruling might have gone a different way. I assume NSO feels better about paying damages than opening up its malware for examination by opposing litigants. Hopefully this will deter NSO from resurrecting its mostly-dormant malware division, but hope seems to spring eternal for companies with no shortage of malicious governments willing to pay top dollar for effective malicious software.

Filed Under: cfaa, malware, pegasus, spyware, surveillance
Companies: meta, nso group, whatsapp

You’ll Never Go Broke Correctly Estimating The Internet’s Desire For Deepfake Nudes

from the getting-infected-from-online-sex dept

Cheap thrills? Perhaps not so much. A report from Joseph Cox for 404 Media not only points out there’s no such thing as a free meal (or a free AI-generated deepfake nude), but that this is exactly the sort of thing Vice Media would have been all over if it hadn’t been burnt to the ground by a string of executives whose only “talent” was steadily increasing their take-home pay.

It has sex, Russian crime, and — comically enough — a seemingly direct contradiction of assertions made by the US Department of Justice.

Anyway, the upshot is this: if you’re looking to find a free AI nude generator, perhaps you should just stop looking, unless you like having your Bitcoin portfolio siphoned into someone else’s pockets while malware distributed by Russian criminals wanders around your computer/device looking for any other information that might be valuable.

Multiple sites which promise to use AI to ‘nudify’ any photos uploaded are actually designed to infect users with powerful credential stealing malware, according to new findings from a cybersecurity company which has analyzed the sites. The researchers also believe the sites are run by Fin7, a notorious Russian cybercrime group that has previously even set up fake penetration testing services to trick people into hacking real victims on their behalf.

Well, you get what you pay for, I guess. Free AI-generated nudity isn’t worth the asking price, not when cybercriminal groups are running the shop. But it’s exactly the sort of thing that’s always going to work because people looking for free software allegedly capable of “nudifying” any photo are the sort of people who aren’t really going to be doing a whole lot of upper brain thinking when initiating downloads.

That’s the expected outcome of setting up a digital honeypot promising nudity you won’t find elsewhere on the ‘Net. And it worked completely as expected, according to the security researchers who looked into these sites. The cross-section of people willing to click through on questionable sites offering rare nudes also contains plenty of people who’ve plunked down a lot of real money to obtain funds that aren’t quite as tactile.

“The deepfake AI software may have an audience of mostly men with a decent amount [of income] who use other AI software or have crypto accounts,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, told 404 Media in an online chat.

There’s a sucker logging on every minute. All Fin7 had to do was give them what they wanted. Which is, according to Zach Edwards, “the bleeding edge of creepy.” The victims get none of the nudes and the cybercriminals get all the cryptocurrency and financial info they can carry away.

But while all of that is kind of funny and completely expected, the researchers digging into these sites were able to trace this back to Fin7, which means people shouldn’t believe everything that falls out of the DOJ’s mouth.

The news also shows that Fin7 is alive despite the U.S. Department of Justice saying last year that “Fin7 as an entity is no more.”

No criminal entity is ever completely dead. The DOJ should know this because it’s been able to witness this history repeat itself for decades. Crime-fighting is whack-a-mole. Claiming total victory is a move guaranteed to make you eat your words. Crime can be fought. It can’t be defeated. And whatever you don’t kill (which is all of it) will either go further underground or come back even stronger.

The only good news to report is that some of these sites (most of which seem to offer the same “nudifying” service and trace back to Fin7 operations) are no longer accessible. Most of the domains were handled by Hostinger, which immediately blocked what it could once it had been notified by 404 Media.

The usual rules apply and internet users ignore them at their own peril. If the offer is too good to be true, it’s because it isn’t. Expecting a free service to use AI to strip the clothes off any picture you happen to possess is just the horniest of wishful thinking. And agreeing to download anything from a site you know nothing about other than its vague promise of “nudifying” is just asking for international cybercriminal trouble. Keep it (and your digital wallet) in your pants, creeps.

Filed Under: ai, cryptocurrency, deepfakes, doj, fin7, malware

Apple Dumps Suit Against NSO Group After Israeli Government Walks Off With A Bunch Of The Company’s Files

from the friends-in-the-highest-places dept

Well, it worked. We’ll have to see how this plays out in the lawsuit WhatsApp brought against NSO Group, but it has managed to shed one litigant thanks to intervention from the home team: the Israeli government.

In July, documents obtained by Distributed Denial of Secrets (DDoS) revealed the desperate measures NSO Group deployed to avoid having to turn over internal information during discovery in multiple lawsuits, including one filed by Apple. Knowing that discovery was inevitable, NSO met with Israeli government officials and asked them to secure a blocking order from the nation’s courts to prevent having to comply with discovery requests.

The government secured these orders and went to work shortly after WhatsApp served NSO with its discovery requests. According to the paperwork, the government needed to seize a bunch of the company’s internal documents for “national security” reasons, speculating disingenuously and wildly that turning over any information about NSO’s Pegasus phone-hacking malware would make the nation itself less secure.

Shortly thereafter, the Israeli government engaged in a performative raid of NSO’s offices to seize anything NSO felt might be disadvantageous in these lawsuits. WhatsApp is still in the litigation game, hoping to obtain anything the Israeli government hasn’t already seized that might relate to its claims of unauthorized access by NSO customers deploying Pegasus malware via the company’s US servers.

Apple, however, has decided it’s not going to spend any more money or time trying to win a rigged game, as Joseph Menn reports for the Washington Post.

Apple asked a court Friday to dismiss its three-year-old hacking lawsuit against spyware pioneer NSO Group, arguing that it might never be able to get the most critical files about NSO’s Pegasus surveillance tool and that its own disclosures could aid NSO and its increasing number of rivals.

[…]

“While Apple takes no position on the truth or falsity of the Guardian Story described above, its existence presents cause for concern about the potential for Apple to obtain the discovery it needs,” the iPhone maker wrote in its filing Friday. Israeli officials have not disputed the authenticity of the documents but have denied interfering in the U.S. litigation.

As for that last sentence, that’s a dodge. Of course the Israeli government interfered with this litigation. That it didn’t actually insert itself directly into either of these cases doesn’t change the fact that the raid it performed because NSO Group asked it to means the company no longer has the documents sought by US litigants in its possession.

The more surprising assertion is Apple’s: that part of its reason for dropping the lawsuit is to avoid having to turn over any of its own stuff in response to discovery requests. But the rationale is very much an Apple thing: the company feels giving more information to NSO — especially in open court — will just be used to facilitate the creation of new hacking tools for NSO (or its competitors) to use against Apple’s customers.

That’s more of a concern for Apple, which is seeking to protect an entire operating system. WhatsApp’s concerns are more limited. While it too would probably prefer any information it hands over in court not be used against it by malware merchants, it only has to worry about a single service, rather than the underlying infrastructure (so to speak) shared by dozens of Apple products.

Discovery is underway in the WhatsApp case, so hopefully we’ll be seeing some interesting developments there soon. But given what’s happened here, NSO and its Israel-based competitors have some really interesting (and disturbing) options when it comes to thwarting lawsuits over the constant abuse of its Pegasus malware.

Filed Under: israel, lawsuit, malware, pegasus, spyware, surveillance
Companies: apple, nso group

NSO Group Asked Israeli Government To Help It Hide Malware Docs From WhatsApp

from the surely-something-only-an-honest-company-would-do dept

Before the news had broken that NSO Group’s clients were utilizing its powerful spyware to target journalists, dissidents, activists, religious leaders, opposition party members, and anyone else that might have irritated the autocrats and human rights abusers that made up a disproportionate percentage of its customer list, NSO was sued by Meta and WhatsApp.

That lawsuit alleged NSO Group had illegally accessed and utilized WhatsApp’s software and servers to distribute malware to surveillance targets. It’s a problematic lawsuit — one that seeks to see the CFAA (which has been abused perpetually since its inception) read as outlawing any access that might violate terms of service, including access that simply allowed NSO software to reach targets using WhatsApp.

NSO has since tried multiple times to have the lawsuit thrown out. One of its more creative efforts tried to portray NSO Group as nothing more than a stand-in for the governments it sold to. By portraying itself this way, NSO hoped to invoke sovereign immunity. That argument was rejected by two consecutive levels of the judiciary. NSO would have been better served by sticking to its first argument: that it could not be held directly accountable for actions performed by its customers, especially since that’s pretty much the only argument it’s left with at this point in time.

Having failed to get the lawsuit dismissed, the litigation moved forward. Finally, it reached a point NSO hoped it never would: discovery. Earlier this year, the court ordered NSO to turn over a bunch of info, including the source code of the malware that traveled through Meta’s servers to infect WhatsApp users.

The source code has yet to be delivered to the court and WhatsApp. It may never get there. As Harry Davies and Stephanie Kirchgaessner report for The Guardian, NSO Group called on a higher power to help it dodge its courtroom obligations:

Israeli officials seized documents about Pegasus spyware from its manufacturer, NSO Group, in an effort to prevent the company from being able to comply with demands made by WhatsApp in a US court to hand over information about the invasive technology.

Documents suggest the seizures were part of an unusual legal manoeuvre created by Israel to block the disclosure of information about Pegasus, which the government believed would cause “serious diplomatic and security damage” to the country.

Neat! And it comes with a form of plausible deniability built in: the Israeli government could claim it seized this information as part of its own investigation of NSO Group. Of course, that investigation is already closed and it wasn’t publicly announced until long after NSO was in (international) hot water. The government concluded it did nothing wrong when it used NSO spyware. It didn’t have much to say about NSO itself, although it did (very belatedly) limit the countries NSO could sell to.

But this is just a weird form of regulatory capture. NSO Group was formed by former Israeli intelligence officers. For years, Israel’s government helped broker deals for NSO with nearby nations, engaging in a malware-powered form of diplomacy.

The last thing NSO wanted was for this lawsuit to move to the point where it might need to start producing documents. The outstanding order for code production posed a threat to NSO’s secrecy, even if there’s almost zero chance it would be denied any request to seal these documents. With NSO being composed mostly of former government employees and the Israeli government being composed of current government employees, NSO asked and received. With this move, a sovereign that is not party to this lawsuit has done what NSO couldn’t on its own: prevent an American entity from obtaining its source code.

The origin of this information isn’t NSO or the Israeli government. It’s the product of leaks and hacking. And it shows NSO knew this reckoning was coming, long before it became somewhat of a household name following the leak of targeting data. This appears to have happened not long after WhatsApp filed its lawsuit against NSO in late 2019.

Israel’s hidden intervention in the case can be revealed after a consortium of media organisations led by the Paris-based non-profit Forbidden Stories, and including the Guardian and Israeli media partners, obtained a copy of a secret court order relating to the 2020 seizure of NSO’s internal files.

Details of the seizures and Israel’s contacts with NSO regarding the WhatsApp case are laid bare in a separate cache of emails and documents reviewed by the Guardian. They originate from a hack of data from Israel’s ministry of justice obtained by the transparency group Distributed Denial of Secrets and shared with Forbidden Stories.

According to the documents, NSO first approached the Israeli government in the early months of 2020, asking for a “blocking order” that would hopefully prevent it from having to hand over anything to WhatsApp. When WhatsApp served its discovery request in June 2020, NSO Group and government officials met to “discuss issues related to disclosure.” After some back-and-forth between NSO’s legal reps and government officials, the government performed a perfunctory raid of NSO offices for the sole purpose of leaving it with almost nothing to turn over in response to the US court order.

Three days later, in mid-July 2020, Israel made a significant but secret intervention. At an urgent meeting with NSO, Israeli officials presented the company with an order issued by a Tel Aviv court granting the government powers to execute a search warrant at its office, access its internal computer systems and seize files.

This subterfuge appears to have worked, at least so far. According to WhatsApp’s lawyers, NSO has only turned over 17 pages of documents in response to its discovery requests. Obviously, none of these documents are responsive to the court order demanding NSO turn over its software to WhatsApp.

On the surface, it might not look any more unusual than, say, the Justice Department filing a motion to keep documents from being produced by one of its contractors in the interest of public safety, operational secrecy, or whatever other excuse it might use. But it’s nowhere near comparable. NSO Group never informed the US court that these documents had been seized. And it appears its lawyers — some of whom are US-based — never informed the court that NSO was seeking the assistance of the Israeli government to keep these documents from being produced.

It will certainly be interesting to see how the court responds to these revelations. However, sanctions can’t make NSO Group turn over information now in the hands of its own personal Jesus: the Israeli government. And it’s unlikely any US court has the power to pierce the sovereign immunity that controls this action, no matter how transparent the self-interest.

Filed Under: distributed denial of secrets, israel, lawsuit, malware, pegasus, privacy, source code, spyware, surveillance
Companies: nso group, whatsapp

NSO Malware Discovered On The Phones Of Critics Of Putin And His Allies

from the NSO-may-be-down-but-its-software-is-still-running dept

Here’s yet more unsurprising news about Israeli malware developer NSO Group and its preferred customers. More phones infected by NSO’s flagship Pegasus malware have been discovered by Citizen Lab researchers. And yet again those targeted are journalists, critics, dissidents, and opposition leaders.

The latest investigation identifies seven additional Russian and Belarusian-speaking members of civil society and journalists living outside of Belarus and Russia who were targeted and/or infected with Pegasus spyware. Many of the targets publicly criticized the Russian government, including Russia’s invasion of Ukraine. These individuals, most of whom are currently living in exile, have faced intense threats from Russian and/or Belarusian state security services.

Even though the company is on the ropes, the software it sold to a variety of authoritarians and autocrats still exists. And it can still be used to target people these power-hungry governments don’t like.

What could possibly be the point of infecting phones owned by dissidents, journalists, and critics with malware pitched as a solution to violent crime and international terrorism? The entities NSO sold to have repeatedly made it clear they’ll spend millions on software for the sole reason of engaging in petty revenge operations. That’s because the governments in control of this spyware are too thin-skinned to deal with the normal downsides of being in the government business: criticism, dissent, and the rise of opposition leaders who stand for everything these governments don’t stand for.

While the revenge may be petty, the outcomes are far from trivial. Turning a phone into an active tracking device that also allows governments to eavesdrop on conversations and intercept communications means it is that much easier to locate the people you want to silence. As Citizen Lab points out, the retaliation against critics of Putin and his eastern European buddies is severe, ranging from travel bans to arrests. And there’s always the possibility that operatives will just try to kill critics — something Russian operatives have done multiple times.

While the news may be unsurprising, it’s helping keep NSO’s name in the news. The longer that lasts, the less chance there is that it will be able to slip back under the radar and continue business as usual.

It also provides another set of rebuttals to NSO’s multiple defenses of its products, sales tactics, and choice of customers. When the leak of NSO malware targets first occurred, the company claimed the list was bogus. And even if it was a list of targets, it was only a list of potential targets and not representative of how its customers deployed its products.

That list was full of journalists, critics, dissidents, opposition leaders, religious leaders, human rights advocates, and lawyers engaged in litigation against governments. That was the list the NSO Group claimed meant nothing. It was just a list and couldn’t be tied to NSO, its customers, or the people targeted by its customers.

Literally everything uncovered since that leak has shown the opposite to be the case: NSO’s customers directly or indirectly (by asking other governments to do their dirty work) target exactly the sort of people contained in this list. The malware NSO claims is a powerful tool that allows governments to track dangerous criminals and international terrorists is also just a way for governments to silence critics, eliminate inconvenient human obstacles, and otherwise ensure the narrative remains theirs alone. The deterrent effect of these actions is obvious.

NSO cannot claim to have clean hands. While it’s true it cannot prevent customers from abusive deployments of its malware, it could have refused sales to known human rights abusers. It’s not like this is news at this point. The first reports of NSO’s sales to miscreants like the Saudi government occurred more than a half-decade ago.

It’s not like a lot of the governments NSO sold to just recently started engaging in massive amounts of human rights violations. Every one of these questionable customers had been in the oppression business for years, if not for the entirety of their existence.

NSO has nowhere to go as long as these investigations and this sort of reporting continues. As long as the light remains bright enough, the shadows will be too small to hide in. So while this latest news may just be more of the same, it’s still essential.

Filed Under: activists, belarus, governments, israel, journalists, malware, oppression, russia, spyware, surveillance
Companies: nso group

NSO Group Ordered To Turn Over Spyware Code To WhatsApp

from the UNDERSEAL.EXE dept

The time has come to pay the discovery piper for NSO Group. The phone exploit firm formed by former Israeli spies was supported unilaterally by the Israeli government as it courted human rights abusers and autocrats. The Israeli government, which apparently saw no problem with selling powerful phone exploits to its enemies, got caught with its third-party pants down when numerous news agencies exposed just how often NSO’s customers abused its powerful spyware to target journalists, activists, lawyers, dissidents, religious leaders, and anyone else who annoyed those customers.

NSO Group has been sued multiple times. One of the first lawsuits filed in the US featured Meta (formerly Facebook) as a plaintiff, suing on behalf of WhatsApp, its encrypted communications acquisition. NSO tried multiple times to escape this lawsuit. It claimed it was a private sector equivalent of a government agency and, therefore, should be protected by sovereign immunity. This argument was rejected, leaving NSO with the option of arguing its actions (or, rather, the actions of its customers, which it claimed it couldn’t control) weren’t subject to US law.

That other argument might have worked if NSO Group’s customers weren’t using WhatsApp’s US-based servers to deliver malware payloads. Once something like this happens, US law comes into play and, without the protective cover of sovereign immunity, NSO Group must continue to respond to lawsuits filed by US tech companies.

Everything NSO tried in hopes of earning an early exit from US lawsuits was aimed at preventing the very thing that’s happening now. NSO and its (few remaining) backers can probably survive an expensive settlement. What the company is unlikely to survive is a (possibly) public outing of its malware code.

As Stephanie Kirchgaessner reports for The Guardian, NSO has been ordered to turn over the source code for pretty much all of its malware to Meta/WhatsApp.

NSO Group, the maker of one of the world’s most sophisticated cyber weapons, has been ordered by a US court to hand its code for Pegasus and other spyware products to WhatsApp as part of the company’s ongoing litigation.

[…]

In reaching her decision, Hamilton considered a plea by NSO to excuse it of all its discovery obligations in the case due to “various US and Israeli restrictions”.

Ultimately, however, [Judge Phyllis Hamilton] sided with WhatsApp in ordering the company to produce “all relevant spyware” for a period of one year before and after the two weeks in which WhatsApp users were allegedly attacked: from 29 April 2018 to 10 May 2020. NSO must also give WhatsApp information “concerning the full functionality of the relevant spyware”.

WhatsApp already has a pretty good idea how NSO Group malware operates. It has already managed to detect actual deployments via its servers. The irony here, of course, is that the incidents that most likely exposed NSO’s exploitation of WhatsApp servers were trial runs of a US-oriented version of NSO’s Pegasus phone exploit by the FBI. (The FBI ultimately decided it couldn’t deploy this malware constitutionally.) A months-long investigation by the FBI into the “mysterious” NSO purchase by a supposedly “unknown” government agency ultimately revealed that it was the FBI itself shelling out bucks for malware it couldn’t deploy without violating the Constitution.

The order [PDF] issued by Judge Hamilton makes it clear NSO has to hand over more than just its Pegasus code to WhatsApp.

As to category (1), as stated at the hearing, the court adopts plaintiffs’ definition of “all relevant spyware” as set forth in their motion: “any NSO spyware targeting or directed at Whatsapp servers, or using Whatsapp in any way to access Target Devices.” As also stated at the hearing, defendants have not identified a basis for limiting its production to the Pegasus program, or to any particular single operating system.

[…]

As to the timeframe of documents that must be produced, the court concludes that, at this stage of the case, the Richmark factors weigh in favor of production for “all relevant spyware” for a period of one year before the alleged attack to one year after the alleged attack; in other words, from April 29, 2018 to May 10, 2020. If, after reviewing the relevant spyware from that timeframe, plaintiffs are able to provide evidence that any attack lasted beyond that timeframe, plaintiffs may seek further discovery at that time.

hahahahaaaaaaaaaa

We can be sure NSO’s lawyers are now busy crafting extremely restrictive proposed protective orders to prevent WhatsApp/Meta from making this information available to the public via court filings, blog posts, transparency reports, or any other options the company has at its disposal.

I imagine these motions (along with other efforts to seal docket entries) will be granted, since NSO has continually claimed its customers use its malware to target high-value targets like suspected terrorists and other violent criminals. But this court remains free to weigh NSO’s CYA statements against the brutal reality: that its malware is often used to target people governments don’t like, rather than the “terrorists” and “violent criminals” governments claim they’re interested in apprehending.

Equally amusing is the fact that the same court has denied NSO’s demands for any communications between WhatsApp/Meta and Toronto’s Citizen Lab that were initiated following the filing of this lawsuit. It’s easy to see why NSO would love access to these communications, considering Citizen Lab has constantly and continually exposed abusive NSO malware deployments over the past several years while also publishing whatever exploit code it’s been able to extract during these investigations.

But, as the court notes, NSO has already undercut its own argument for additional discovery on its end by attempting to move the goalposts to cover only perceived misuses against “civil society” by its customers. This attempt to obtain further communications is backed only by NSO’s perception of the tone of WhatsApp’s lawsuit, rather than its listed causes for action — allegations that cover not only “abusive” deployments of malware but also “legitimate” deployments that, nonetheless, occurred without the platform’s permission and definitely violated WhatsApp’s terms of service.

So, the lawsuit will move forward. And it’s NSO that’s obligated to start explaining itself — not just to Meta/WhatsApp, but to the court itself. Now that there’s source code on the line, NSO Group might start examining its other options, the most likely of which would be paying WhatsApp a considerable sum of money while promising not to use the company’s US servers to deploy malware. Most entities, at worst, have to deal with the consequences often expressed as having to lie in a bed that they’ve made. But NSO’s actions exceed this idiom. NSO, for all intents and purposes, shat the bed before making it, which makes lying in it feel that much worse.

Filed Under: malware, pegasus, source code, spyware, surveillance
Companies: meta, nso group, whatsapp