malware – Techdirt

You’ll Never Go Broke Correctly Estimating The Internet’s Desire For Deepfake Nudes

from the getting-infected-from-online-sex dept

Cheap thrills? Perhaps not so much. A report from Joseph Cox for 404 Media not only points out there’s no such thing as a free meal AI-generated deepfake nude, but that this is exactly the sort of thing Vice Media would have been all over if it hadn’t been burnt to the ground by a string of executives whose only “talent” was steadily increasing their take-home pay.

It has sex, Russian crime, and — comically enough — a seemingly direct contradiction of assertions made by the US Department of Justice.

Anyway, the upshot is this: if you’re looking to find a free AI nude generator, perhaps you should just stop looking, unless you like having your Bitcoin portfolio siphoned into someone else’s pockets while malware distributed by Russian criminals wanders around your computer/device looking for any other information that might be valuable.

Multiple sites which promise to use AI to ‘nudify’ any photos uploaded are actually designed to infect users with powerful credential stealing malware, according to new findings from a cybersecurity company which has analyzed the sites. The researchers also believe the sites are run by Fin7, a notorious Russian cybercrime group that has previously even set up fake penetration testing services to trick people into hacking real victims on their behalf.

Well, you get what you pay for, I guess. Free AI-generated nudity isn’t worth the asking price, not when cybercriminal groups are running the shop. But it’s exactly the sort of thing that’s always going to work because people looking for free software allegedly capable of “nudifying” any photo are the sort of people who aren’t really going to be doing a whole lot of upper brain thinking when initiating downloads.

That’s the expected outcome of setting up a digital honeypot promising nudity you won’t find elsewhere on the ‘Net. And it worked completely as expected, according to the security researchers who looked into these sites. The cross-section of people willing to click through on questionable sites offering rare nudes also contains plenty of people who’ve plunked down a lot of real money to obtain funds that aren’t quite as tactile.

“The deepfake AI software may have an audience of mostly men with a decent amount [of income] who use other AI software or have crypto accounts,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, told 404 Media in an online chat.

There’s a sucker logging on every minute. All Fin7 had to do was give them what they wanted. Which is, according to Zach Edwards, “the bleeding edge of creepy.” The victims get none of the nudes and the cybercriminals get all the cryptocurrency and financial info they can carry away.

But while all of that is kind of funny and completely expected, the researchers digging into these sites were able to trace this back to Fin7, which means people shouldn’t believe everything that falls out of the DOJ’s mouth.

The news also shows that Fin7 is alive despite the U.S. Department of Justice saying last year that “Fin7 as an entity is no more.”

No criminal entity is ever completely dead. The DOJ should know this because it’s been able to witness this history repeat itself for decades. Crime-fighting is whack-a-mole. Claiming total victory is a move guaranteed to make you eat your words. Crime can be fought. It can’t be defeated. And whatever you don’t kill (which is all of it) will either go further underground or come back even stronger.

The only good news to report is that some of these sites (most of which seem to offer the same “nudifying” service and trace back to Fin7 operations) are no longer accessible. Most of the domains were handled by Hostinger, which immediately blocked what it could once it had been notified by 404 Media.

The usual rules apply and internet users ignore them at their own peril. If the offer is too good to be true, it’s because it isn’t. Expecting a free service to use AI to strip the clothes off any picture you happen to possess is just the horniest of wishful thinking. And agreeing to download anything from a site you know nothing about other than its vague promise of “nudifying” is just asking for international cybercriminal trouble. Keep it (and your digital wallet) in your pants, creeps.

Filed Under: ai, cryptocurrency, deepfakes, doj, fin7, malware

Apple Dumps Suit Against NSO Group After Israeli Government Walks Off With A Bunch Of The Company’s Files

from the friends-in-the-highest-places dept

Well, it worked. We’ll have to see how this plays out in the lawsuit WhatsApp brought against NSO Group, but it has managed to shed one litigant thanks to intervention from the home team: the Israeli government.

In July, documents obtained by Distributed Denial of Secrets (DDoS) revealed the desperate measures NSO Group deployed to avoid having to turn over internal information during discovery in multiple lawsuits, including one filed by Apple. Knowing that discovery was inevitable, NSO met with Israeli government officials and asked them to secure a blocking order from the nation’s courts to prevent having to comply with discovery requests.

The government secured these orders and went to work shortly after WhatsApp served NSO with its discovery requests. According to the paperwork, the government needed to seize a bunch of the company’s internal documents for “national security” reasons, speculating disingenuously and wildly that turning over any information about NSO’s Pegasus phone-hacking malware would make the nation itself less secure.

Shortly thereafter, the Israeli government engaged in a performative raid of NSO’s offices to seize anything NSO felt might be disadvantageous in these lawsuits. WhatsApp is still in the litigation game, hoping to obtain anything the Israeli government hasn’t already seized that might relate to its claims of unauthorized access by NSO customers deploying Pegasus malware via the company’s US servers.

Apple, however, has decided it’s not going to spend any more money or time trying to win a rigged game, as Joseph Menn reports for the Washington Post.

Apple asked a court Friday to dismiss its three-year-old hacking lawsuit against spyware pioneer NSO Group, arguing that it might never be able to get the most critical files about NSO’s Pegasus surveillance tool and that its own disclosures could aid NSO and its increasing number of rivals.

[…]

“While Apple takes no position on the truth or falsity of the Guardian Story described above, its existence presents cause for concern about the potential for Apple to obtain the discovery it needs,” the iPhone maker wrote in its filing Friday. Israeli officials have not disputed the authenticity of the documents but have denied interfering in the U.S. litigation.

As for that last sentence, that’s a dodge. Of course the Israeli government interfered with this litigation. That it didn’t actually insert itself directly into either of these cases doesn’t change the fact that the raid it performed because NSO Group asked it to means the company no longer has the documents sought by US litigants in its possession.

The more surprising assertion is Apple’s: that part of its reason for dropping the lawsuit is to avoid having to turn over any of its own stuff in response to discovery requests. But the rationale is very much an Apple thing: the company feels giving more information to NSO — especially in open court — will just be used to facilitate the creation of new hacking tools for NSO (or its competitors) to use against Apple’s customers.

That’s more of a concern for Apple, which is seeking to protect an entire operating system. WhatsApp’s concerns are more limited. While it too would probably prefer any information it hands over in court not be used against it by malware merchants, it only has to worry about a single service, rather than the underlying infrastructure (so to speak) shared by dozens of Apple products.

Discovery is underway in the WhatsApp case, so hopefully we’ll be seeing some interesting developments there soon. But given what’s happened here, NSO and its Israel-based competitors have some really interesting (and disturbing) options when it comes to thwarting lawsuits over the constant abuse of its Pegasus malware.

Filed Under: israel, lawsuit, malware, pegasus, spyware, surveillance
Companies: apple, nso group

NSO Group Asked Israeli Government To Help It Hide Malware Docs From WhatsApp

from the surely-something-only-an-honest-company-would-do dept

Before the news had broken that NSO Group’s clients were utilizing its powerful spyware to target journalists, dissidents, activists, religious leaders, opposition party members, and anyone else that might have irritated the autocrats and human rights abusers that made up a disproportionate percentage of its customer list, NSO was sued by Meta and WhatsApp.

That lawsuit alleged NSO Group had illegally accessed and utilized WhatsApp’s software and servers to distribute malware to surveillance targets. It’s a problematic lawsuit — one that seeks to see the CFAA (which has been abused perpetually since its inception) read as outlawing any access that might violate terms of service, including access that simply allowed NSO software to reach targets using WhatsApp.

NSO has since tried multiple times to have the lawsuit thrown out. One of its more creative efforts tried to portray NSO Group as nothing more than a stand-in for the governments it sold to. By portraying itself this way, NSO hoped to invoke sovereign immunity. That argument was rejected by two consecutive levels of the judiciary. NSO would have been better served by sticking to its first argument: that it could not be held directly accountable for actions performed by its customers, especially since that’s pretty much the only argument it’s left with at this point in time.

Having failed to get the lawsuit dismissed, the litigation moved forward. Finally, it reached a point NSO hoped it never would: discovery. Earlier this year, the court ordered NSO to turn over a bunch of info, including the source code of the malware that traveled through Meta’s servers to infect WhatsApp users.

The source code has yet to be delivered to the court and WhatsApp. It may never get there. As Harry Davies and Stephanie Kirchgaessner report for The Guardian, NSO Group called on a higher power to help it dodge its courtroom obligations:

Israeli officials seized documents about Pegasus spyware from its manufacturer, NSO Group, in an effort to prevent the company from being able to comply with demands made by WhatsApp in a US court to hand over information about the invasive technology.

Documents suggest the seizures were part of an unusual legal manoeuvre created by Israel to block the disclosure of information about Pegasus, which the government believed would cause “serious diplomatic and security damage” to the country.

Neat! And it comes with a form of plausible deniability built in: the Israeli government could claim it seized this information as part of its own investigation of NSO Group. Of course, that investigation is already closed and it wasn’t publicly announced until long after NSO was in (international) hot water. The government concluded it did nothing wrong when it used NSO spyware. It didn’t have much to say about NSO itself, although it did (very belatedly) limit the countries NSO could sell to.

But this is just a weird form of regulatory capture. NSO Group was formed by former Israeli intelligence officers. For years, Israel’s government helped broker deals for NSO with nearby nations, engaging in a malware-powered form of diplomacy.

The last thing NSO wanted was for this lawsuit to move to the point where it might need to start producing documents. The outstanding order for code production posed a threat to NSO’s secrecy, even if there’s almost zero chance it would be denied any request to seal these documents. With NSO being mostly former government employees and the Israeli government being composed of current government employees, NSO asked and received. With this move, a sovereign that is not party to this lawsuit has done what NSO couldn’t on its own: prevent an American entity from obtaining its source code.

The origin of this information isn’t NSO or the Israeli government. It’s the product of leaks and hacking. And it shows NSO knew this reckoning was coming, long before it became somewhat of a household name following the leak of targeting data. This appears to have happened not long after WhatsApp filed its lawsuit against NSO in late 2019.

Israel’s hidden intervention in the case can be revealed after a consortium of media organisations led by the Paris-based non-profit Forbidden Stories, and including the Guardian and Israeli media partners, obtained a copy of a secret court order relating to the 2020 seizure of NSO’s internal files.

Details of the seizures and Israel’s contacts with NSO regarding the WhatsApp case are laid bare in a separate cache of emails and documents reviewed by the Guardian. They originate from a hack of data from Israel’s ministry of justice obtained by the transparency group Distributed Denial of Secrets and shared with Forbidden Stories.

According to the documents, NSO first approached the Israeli government in the early months of 2020, asking for a “blocking order” that would hopefully prevent it from having to hand over anything to WhatsApp. When WhatsApp served its discovery request in June 2020, NSO Group and government officials met to “discuss issues related to disclosure.” After some back-and-forth between NSO’s legal reps and government officials, the government performed a perfunctory raid of NSO offices for the sole purpose of leaving it with almost nothing to turn over in response to the US court order.

Three days later, in mid-July 2020, Israel made a significant but secret intervention. At an urgent meeting with NSO, Israeli officials presented the company with an order issued by a Tel Aviv court granting the government powers to execute a search warrant at its office, access its internal computer systems and seize files.

This subterfuge appears to have worked, at least so far. According to WhatsApp’s lawyers, NSO has only turned over 17 pages of documents in response to its discovery requests. Obviously, none of these documents are responsive to the court order demanding NSO turn over its software to WhatsApp.

On the surface, it might not look any more unusual than, say, the Justice Department filing a motion to keep documents from being produced by one of its contractors in the interest of public safety, operational secrecy, or whatever other excuse it might use. But it’s nowhere near comparable. NSO Group never informed the US court that these documents had been seized. And it appears its lawyers — some of which are US-based — never informed the court it was seeking the assistance of the Israeli government to keep these documents from being produced.

It will certainly be interesting to see how the court responds to these revelations. However, sanctions can’t make NSO Group turn over information now in the hands of its own personal Jesus: the Israeli government. And it’s unlikely any US court has the power to pierce the sovereign immunity that controls this action, no matter how transparent the self-interest.

Filed Under: distributed denial of secrets, israel, lawsuit, malware, pegasus, privacy, source code, spyware, surveillance
Companies: nso group, whatsapp

NSO Malware Discovered On The Phones Of Critics Of Putin And His Allies

from the NSO-may-be-down-but-its-software-is-still-running dept

Here’s yet more unsurprising news about Israeli malware developer NSO Group and its preferred customers. More phones infected by NSO’s flagship Pegasus malware have been discovered by Citizen Lab researchers. And yet again those targeted are journalists, critics, dissidents, and opposition leaders.

The latest investigation identifies seven additional Russian and Belarusian-speaking members of civil society and journalists living outside of Belarus and Russia who were targeted and/or infected with Pegasus spyware. Many of the targets publicly criticized the Russian government, including Russia’s invasion of Ukraine. These individuals, most of whom are currently living in exile, have faced intense threats from Russian and/or Belarusian state security services.

Even though the company is on the ropes, the software it sold to a variety of authoritarians and autocrats still exists. And it can still be used to target people these power-hungry governments don’t like.

What could possibly be the point of infecting phones owned by dissidents, journalists, and critics with malware pitched as a solution to violent crime and international terrorism? The entities NSO sold to have repeatedly made it clear they’ll spend millions on software for the sole reason of engaging in petty revenge operations. That’s because the governments in control of this spyware are too thin-skinned to deal with the normal downsides of being in the government business: criticism, dissent, and the rise of opposition leaders who stand for everything these governments don’t stand for.

While the revenge may be petty, the outcomes are far from trivial. Turning a phone into an active tracking device that also allows governments to eavesdrop on conversations and intercept communications means it is that much easier to locate the people you want to silence. As Citizen Lab points out, the retaliation against critics of Putin and his eastern European buddies is severe, ranging from travel bans to arrests. And there’s always the possibility that operatives will just try to kill critics — something Russian operatives have done multiple times.

While the news may be unsurprising, it’s helping keep NSO’s name in the news. The longer that lasts, the less chance there is that it will be able to slip back under the radar and continue business as usual.

It also provides another set of rebuttals to NSO’s multiple defenses of its products, sales tactics, and choice of customers. When the leak of NSO malware targets first occurred, the company claimed the list was bogus. And even if it was a list of targets, it was only a list of potential targets and not representative of how its customers deployed its products.

That list was full of journalists, critics, dissidents, opposition leaders, religious leaders, human rights advocates, and lawyers engaged in litigation against governments. That was the list the NSO Group claimed meant nothing. It was just a list and couldn’t be tied to NSO, its customers, or the people targeted by its customers.

Literally everything uncovered since that leak has shown the opposite to be the case: NSO’s customers directly or indirectly (by asking other governments to do their dirty work) target exactly the sort of people contained in this list. The malware NSO claims is a powerful tool that allows governments to track dangerous criminals and international terrorists is also just a way for governments to silence critics, eliminate inconvenient human obstacles, and otherwise ensure the narrative remains theirs alone. The deterrent effect of these actions is obvious.

NSO cannot claim to have clean hands. While it’s true it cannot prevent customers from abusive deployments of its malware, it could have refused sales to known human rights abusers. It’s not like this is news at this point. The first reports of NSO’s sales to miscreants like the Saudi government occurred more than a half-decade ago.

It’s not like a lot of the governments NSO sold to just recently started engaging in massive amounts of human rights violations. Every one of these questionable customers had been in the oppression business for years, if not for the entirety of their existence.

NSO has nowhere to go as long as these investigations and this sort of reporting continues. As long as the light remains bright enough, the shadows will be too small to hide in. So while this latest news may just be more of the same, it’s still essential.

Filed Under: activists, belarus, governments, israel, journalists, malware, oppression, russia, spyware, surveillance
Companies: nso group

NSO Group Ordered To Turn Over Spyware Code To WhatsApp

from the UNDERSEAL.EXE dept

The time has come to pay the discovery piper for NSO Group. The phone exploit firm formed by former Israeli spies was supported unilaterally by the Israeli government as it courted human rights abusers and autocrats. The Israeli government, which apparently felt selling powerful phone exploits to its enemies was fine, got caught with its third-party pants down when numerous news agencies exposed just how often NSO’s customers abused its powerful spyware to target journalists, activists, lawyers, dissidents, religious leaders, and anyone else who annoyed its customers.

NSO Group has been sued multiple times. One of the first lawsuits filed in the US featured Meta (formerly Facebook) as a plaintiff, suing on behalf of WhatsApp, its encrypted communications acquisition. NSO tried multiple times to escape this lawsuit. It claimed it was a private sector equivalent of a government agency and, therefore, should be protected by sovereign immunity. This argument was rejected, leaving NSO with the option of arguing its actions (or, rather, the actions of its customers, which it claimed it couldn’t control) weren’t subject to US law.

That other argument might have worked if NSO Group’s customers weren’t using WhatsApp’s US-based servers to deliver malware payloads. Once something like this happens, US law comes into play and, without the protective cover of sovereign immunity, NSO Group must continue to respond to lawsuits filed by US tech companies.

Everything NSO tried in hopes of earning an early exit from US lawsuits was aimed at preventing the very thing that’s happening now. NSO and its (few remaining) backers can probably survive an expensive settlement. What the company is unlikely to survive is a (possibly) public outing of its malware code.

As Stephanie Kirchgaessner reports for The Guardian, NSO has been ordered to turn over the source code for pretty much all of its malware to Meta/WhatsApp.

NSO Group, the maker of one the world’s most sophisticated cyber weapons, has been ordered by a US court to hand its code for Pegasus and other spyware products to WhatsApp as part of the company’s ongoing litigation.

[…]

In reaching her decision, Hamilton considered a plea by NSO to excuse it of all its discovery obligations in the case due to “various US and Israeli restrictions”.

Ultimately, however, [Judge Phyllis Hamilton] sided with WhatsApp in ordering the company to produce “all relevant spyware” for a period of one year before and after the two weeks in which WhatsApp users were allegedly attacked: from 29 April 2018 to 10 May 2020. NSO must also give WhatsApp information “concerning the full functionality of the relevant spyware”.

WhatsApp already has a pretty good idea how NSO Group malware operates. It has already managed to detect actual deployments via its servers. The irony here, of course, is that the incidents that most likely exposed NSO’s exploitation of WhatsApp servers were trial runs of a US-oriented version of NSO’s Pegasus phone exploit by the FBI. (The FBI ultimately decided it couldn’t deploy this malware constitutionally.) A months-long investigation by the FBI into the “mysterious” NSO purchase by a supposedly “unknown” government agency ultimately revealed that it was the FBI itself shelling out bucks for malware it couldn’t deploy without violating the Constitution.

The order [PDF] issued by Judge Hamilton makes it clear NSO has to hand over more than just its Pegasus code to WhatsApp.

As to category (1), as stated at the hearing, the court adopts plaintiffs’ definition of “all relevant spyware” as set forth in their motion: “any NSO spyware targeting or directed at Whatsapp servers, or using Whatsapp in any way to access Target Devices.” As also stated at the hearing, defendants have not identified a basis for limiting its production to the Pegasus program, or to any particular single operating system.

[…]

As to the timeframe of documents that must be produced, the court concludes that, at this stage of the case, the Richmark factors weigh in favor of production for “all relevant spyware” for a period of one year before the alleged attack to one year after the alleged attack; in other words, from April 29, 2018 to May 10, 2020. If, after reviewing the relevant spyware from that timeframe, plaintiffs are able to provide evidence that any attack lasted beyond that timeframe, plaintiffs may seek further discovery at that time.

hahahahaaaaaaaaaa

We can be sure NSO’s lawyers are now busy crafting extremely restrictive proposed protective orders to prevent WhatsApp/Meta from making this information available to the public via court filings, blog posts, transparency reports, or any other options this company has at its disposal.

I imagine these motions (along with other efforts to seal docket entries) will be granted, since NSO has continually claimed its customers use its malware to target high-value targets like suspected terrorists and other violent criminals. But this court remains free to weigh NSO’s CYA statements against the brutal reality: that its malware is often used to target people governments don’t like, rather than the “terrorists” and “violent criminals” governments claim they’re interested in apprehending.

Equally amusing is the fact that the same court has denied NSO’s demands for any communications between WhatsApp/Meta and Toronto’s Citizen Lab that were initiated following the filing of this lawsuit. It’s easy to see why NSO would love access to these communications, considering Citizen Lab has constantly and continually exposed abusive NSO malware deployments over the past several years while also publishing whatever exploit code it’s been able to extract during these investigations.

But, as the court notes, NSO has already undercut its own argument for additional discovery on its end by attempting to move the goalposts to cover only perceived misuses against “civil society” by its customers. This attempt to obtain further communications is backed only by NSO’s perception of the tone of WhatsApp’s lawsuit, rather than its listed causes of action — allegations that cover not only “abusive” deployments of malware but also “legitimate” deployments that, nonetheless, occurred without the platform’s permission and definitely violated WhatsApp’s terms of service.

So, the lawsuit will move forward. And it’s NSO that’s obligated to start explaining itself — not just to Meta/WhatsApp, but to the court itself. Now that there’s source code on the line, NSO Group might start examining its other options, the most likely of which would be paying WhatsApp a considerable sum of money while promising not to use the company’s US servers to deploy malware. Most entities, at worst, have to deal with the consequences often expressed as having to lie in a bed that they’ve made. But NSO’s actions exceed this idiom. NSO, for all intents and purposes, shat the bed before making it, which makes lying in it feel that much worse.

Filed Under: malware, pegasus, source code, spyware, surveillance
Companies: meta, nso group, whatsapp

State Dept. Expands NSO Group-Targeting Ban To Include Anyone Who Misuses Commercial Malware

from the NSO-inadvertently-making-the-world-a-better-place dept

Well, NSO Group really made a mess of this for everyone. Ever since the devastating leak showing its customers routinely targeted journalists, government critics, dissidents, and human rights activists (you know, rather than the violent criminals and terrorists they said they’d use the spyware to track), things have gone from bad to worse to career-ending for the Israeli malware purveyor.

NSO had always been controversial, given its predilection for selling powerful phone exploits to some of the worst governments in the world. But it had managed to remain profitable and un-sanctioned for years, despite its willingness to get in bed with whatever autocrat would have it.

That all changed following the leak… which was then followed by a never-ending stream of negative press. Investigations into the company were initiated by several world governments, including NSO’s own, which also took the unprecedented step of limiting who the company could sell to.

NSO and one of its Israel-based competitors, Candiru, also found themselves on the receiving end of a US State Department blacklisting late in 2021. The stated reason for this ban? NSO and Candiru were considered a threat to US national security.

The ERC determined that NSO Group and Candiru be added to the Entity List based on § 744.11(b) of the EAR: Entities for which there is reasonable cause to believe, based on specific and articulated facts, that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States and those acting on behalf of such entities. Specifically, investigative information has shown that the Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.

Being Candiru or NSO Group is its own problem. With the latest move by the US State Department (prompted by two years of reports of abusive targeting), certain users of these companies’ spyware are no longer welcome in the United States.

This visa restriction policy is pursuant to Section 212 (a)(3)(C) of the Immigration and Nationality Act, and allows the Department of State to implement visa restrictions for (1) individuals believed to have been involved in the misuse of commercial spyware, to target, arbitrarily or unlawfully surveil, harass, suppress, or intimidate individuals including journalists, activists, other persons perceived to be dissidents for their work, members of marginalized communities or vulnerable populations, or the family members of these targeted individuals; (2) individuals believed to facilitate or derive financial benefit from the misuse of commercial spyware described in prong (1) above, including but not limited to developing, directing, or operationally controlling companies that furnish technologies such as commercial spyware to governments, or those acting on behalf of governments, that engage in activities as described in prong (1) above; and (3) the immediate family members of individuals subject to the restrictions in prongs (1) and (2) above. For purposes of this policy, “immediate family members” include spouses and children of any age.

Malware abusers and their families: that’s potentially a whole lot of people who will have a bit more trouble traveling to or staying in the Land of the Free. And it’s all due to NSO Group and its unwillingness to keep its products out of the hands of serial human rights abusers. The company may state otherwise when approached for comment, but none of this would have happened if it hadn’t decided it was somehow OK to cash checks from autocrats.

Of course, while the policy is certainly tough enough, it’s difficult to see it being a particularly effective deterrent. People who like abusing human rights (and targeting dissidents, activists, journalists, etc.) aren’t going to stop doing it just because of some visa complications. On top of that, it’s extremely difficult to identify who exactly is behind malicious spyware deployments. In most cases, an educated guess will only point in a government’s direction. It’s almost impossible to pinpoint the origin of malware attacks because that’s pretty much the point of these products: to be undetectable and un-attributable if discovered.

Still, it’s the thought that counts, especially when the thought is now part of US foreign policy. And while it’s unlikely to make the worst governments in the world behave better, it might make malware purveyors think twice before handing out spyware to governments likely to abuse it. No company wants to be the one forced to answer uncomfortable questions posed by angry governments, especially when it knows the answers involve governments that aren’t above murdering and dismembering people who’ve displeased them.

Filed Under: entity list, malware, restricted visas, spyware, state department, surveillance
Companies: candiru, nso group

India’s Government Goes After Apple For Notifying Journalists, Dissidents Of Phone Hacking Attempts

from the overplaying-its-hand-a-bit dept

Israeli malware developer NSO Group found itself the subject of international headlines a couple of years ago. Not the good kind either. A leaked document apparently showed who was being targeted by the company’s cell phone exploits — a long, disturbing list that contained journalists, lawyers, activists, dissidents, religious leaders, and plenty of politicians.

The months following that initial leak have been even less kind to NSO. To be fair, NSO deserved every bit of this backlash since it had spent several years courting the business of some of the most abusive governments in the world.

NSO is pretty much out of the malware business at the moment, but even if it chooses to get back at it, it will be an extremely uphill battle. It’s been sanctioned, sued, and the subject of multiple investigations by governments apparently shocked to discover they themselves have been maliciously deploying malicious software.

India is one of several countries to open an investigation into NSO and possible use of its phone exploits. This investigation was actually opened by the nation’s top court, which has already been told by the Modi government that it’s not interested in cooperating with the Supreme Court’s inquiry. And the government still wants surveillance tech to (presumably) abuse. But, for the moment, it’s not interested in purchasing it from NSO Group.

Factoring into this latest news is a move Apple made after these revelations about NSO. It sued NSO towards the end of 2021 — a lawsuit that came with a new notification program attached. Apple stated it would notify any users it suspected to be targeted by state-sponsored hacking attempts. It made good on this promise almost immediately, notifying a Polish prosecutor that their phone had been subjected to hacking attempts. Many more notifications soon followed, with the company notifying victims in Thailand, El Salvador, and Uganda.

All of that has added up to this: the government of India being super-pissed Apple is letting people know state-sponsored hackers are trying to access their devices. Gerry Shih and Joseph Menn, reporting for the Washington Post, have the details:

A day after Apple warned independent Indian journalists and opposition party politicians in October that government hackers may have tried to break into their iPhones, officials under Prime Minister Narendra Modi promptly took action — against Apple.

Officials from the ruling Bharatiya Janata Party (BJP) publicly questioned whether the Silicon Valley company’s internal threat algorithms were faulty and announced an investigation into the security of Apple devices.

Understandably, it’s embarrassing getting caught doing the sorts of things people already suspect you of doing. But rather than say something useful — like the government will be looking into this to see if this is a misuse of the tech — the Modi government chose to accuse Apple of being incompetent and place it under investigation instead.

According to anonymous Modi administration officials, the government is placing a ton of pressure on Apple’s India reps to come up with an alternative to the notification program and/or the notifications themselves. Apparently, the government believes the notifications are having a negative “political impact.” Again, rather than alter its tactics, it’s pressuring Apple India reps to alter theirs. They’re seeking alternative wording that might suggest the Modi government has a better reason for hacking phones than simply to spy on people who aren’t fans of Modi or his administration.

That’s going to be a tough sell. The facts speak for themselves.

Many of the more than 20 people who received Apple’s warnings at the end of October have been publicly critical of Modi or his longtime ally, Gautam Adani, an Indian energy and infrastructure tycoon.

Things look even worse when you take a look at which journalists were apparently targeted by state-sponsored hacking:

Of the journalists who received notifications, two stood out: Anand Mangnale and Ravi Nair of the Organized Crime and Corruption Reporting Project, a nonprofit alliance of dozens of independent, investigative newsrooms from around the world.

If the Modi administration wanted to draw attention away from its abusive tactics and alleged corruption, it couldn’t have picked a worse way to do it. Thanks to Apple’s notification program, the entire world now has a clearer picture of how (and why) the Indian government deploys phone exploits. And the malware detected on Mangnale’s phone was none other than NSO Group’s flagship product: Pegasus.

NSO did respond to requests for comment from the Washington Post, but as usual, its contribution to the discussion was less than useful. Once again, NSO stressed it only sells to governments and only for the purposes of combating terrorism and “major crimes.” But this part of the statement is even more useless than the usual stuff NSO says when yet another report shows even more abusive deployments of its spyware.

“The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes.”

“Provide” all the “mechanisms” you want, but it doesn’t actually prevent anyone from targeting the kind of people who shouldn’t be targeted by governments that bought malware and agreed to use it to fight terrorism and “major crime.” The correct response would be to terminate contracts and refuse to sell to governments caught abusing the tech. The incorrect response would be… well, pretty much everything NSO has done since the leak blew the lid off its plausible deniability.

It’s pretty easy to tell a powerful foreign government to fuck off from Cupertino, California. But things are far less simple for those having to deal with Indian government officials face-to-face. The Apple reps located in India appear to have been intimidated into at least some level of cooperation with the government’s preferred narrative.

Apple India soon sent out emails observing that it could have made mistakes and that “detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete.”

But that appears to be the end of the concessions being made by Apple India. And Apple, for its part, flew an outside rep to India to meet with the government in an effort to disabuse it of its (clearly false) notions that Apple hacking warnings are generally just the result of incompetence by Apple’s security team.

For now, it appears the Modi administration believes it has won this match. Pressure to alter notifications has eased a bit as the government’s narrative is continually pushed by politicians who insist the notices were nothing but mistakes or, as one legislator put it, “fake” (as in news). The Indian government can try to enjoy this non-victory, but it’s still losing the long game. India’s citizens already know they can’t trust this government. This is just more evidence indicating the distrust is genuine and earned.

Filed Under: bjp, india, journalism, journalists, malware, narendra modi, notifications, spyware, state sponsored hacking, surveillance
Companies: apple

Former DHS/NSA Official Stewart Baker Decides He Can Help NSO Group Turn A Profit

from the definitely-attracts-a-certain-sort-of-person dept

NSO Group used to have everything going for it. It had plenty of customers and plenty of leeway to sell to some of the worst governments in the world.

Then everything changed. A leaked list of malware targets made it clear most of NSO’s customers weren’t trying to secure nations or solve horrible crimes. Instead, they were spying on journalists, activists, human rights advocates, opposition leaders, and anyone else who might make things mildly uncomfortable for extremely powerful people.

After months of negative press, the Israeli government — the same government that helped broker deals between NSO and autocrats — decided to place limits on who NSO could sell to. The US Commerce Department struck another blow against NSO’s fortunes by placing it (and one of its competitors) on an export blacklist.

Suddenly finding itself floundering, NSO Group considered divesting itself of its malware operations and trying to use its powers for good. Investors, however, considered floundering and altruism to be equally unprofitable, and sought to rid themselves of this toxic asset.

NSO has remained about as viable as a directionless flounder can ever be. It lives on, but without any promises about its future.

Enter none other than former DHS undersecretary Stewart Baker. Baker spent much of the years following the Snowden leaks defending broad surveillance programs against such hideous villains as civil libertarians and rights advocates.

In Baker’s view, the problem was the people complaining about warrantless surveillance. In short: the more the government knows, the safer we’ll be. Government knows best. And the less we question our government, the more secure we’ll be.

Baker, an occasional contributor to Volokh Conspiracy, was also responsible for one of the most unintentionally hilarious think-pieces ever written about the TSA. Here’s how Ken White titled his post about Baker’s TSA post:

The Volokh Conspiracy Turned Into A TSA Porn Site So Gradually, I Hardly Noticed

Ken White (Popehat) wasn’t kidding. Here’s a direct quote from Stewart Baker about his interactions with TSA security:

It may not make sense. But I’m willing to bet that a lot of the men reading this have similarly choreographed plans for the security line.

I know I do. And if I’m honest with myself, the rituals of the screening line aren’t really about speed. They’re about performance. I feel a kind of competitive pressure to keep the line moving. I’m not happy to see more than about six inches of distance between my luggage and the bags in front of me on the belt. Every delay in pulling out my laptop or my liquids, every last minute bit of change I have to throw haphazard into the bin, every stutterstep as I realize it’s a whole-body scanner, not a metal detector, so belt and watch have to come off too –- all detracts from the performance.

Every once in a while, though, everything goes right, and I feel great. I’m Michael Chertoff, baby, all smooth competence, no wasted motions, no hesitation, no gaps on the conveyor belt.

OK, that’s a little embarrassing to admit. But it gets worse when I ask myself why I care. If you’re the kind of guy who can’t throw away a piece of paper without wadding it up and arcing it into a basket across the room, you already know.

In part we do it to keep our place in the hierarchy of guys. But in the end, what we’re really hoping for is an Alice Munro moment — that our easy concentration and economical movements will set up in someone “a procession of sparks and chills,” followed a few pages later by, well, what we deserve for all that demonstrated competence.

Stewart Baker has never shown us on the doll where the TSA touched him because, unlike most people who’ve never been the DHS second-in-command, Baker truly enjoys this homecooked, post-9/11 blend of paranoia and officiousness that generally tends to include a government employee running their hands over the length of your body.

Baker is no longer a public servant. And he’s only a very occasional contributor to the Volokh Conspiracy. He’s just one of us, except that he isn’t. He has since returned to law firm Steptoe and Johnson, where he continues to practice whatever it is that Baker practices.

While we may not be privy to Baker’s actions for this law firm since his return in 2009, we’re extremely privy to his most recent move, which appears to be lobbying for NSO Group while using this law firm’s letterhead. Dell Cameron’s post at Bluesky breaks the unfortunate news:

Cameron says what needs to be said: Stewart Baker is now a lobbyist working for a company that sold its products to human rights abusers in Saudi Arabia and the United Arab Emirates that used this tech to spy on journalist/dissident Jamal Khashoggi and his wife — acts of surveillance that ultimately led to Khashoggi being lured to the Saudi consulate in Turkey so Saudi security officers could kill him and dismember his body.

This recent filing with the House of Representatives makes it official: Baker, along with his employer Steptoe and Johnson, will now be seeking to advance the interests of an Israeli company linked to abusive surveillance all over the world. In it, Stewart Baker is listed as the primary lobbyist.

This is the same Stewart Baker who responded to the Commerce Department blacklist of NSO by saying it wouldn’t matter because authoritarians could always buy spyware from… say…. China:

There are countries who need these tools or think they need these tools are going to go looking for them. The Chinese have plenty of people, plenty of companies that would be glad to fill any gap that is created in the market by Western companies getting out.

Nice. In other words, Baker believes autocrats should buy from “Western” firms because, if they don’t, they’ll just buy their malware from China. I’m not sure what Baker’s point is here, but I can only assume he thinks “Western” firms should make hay while the sun shines, even if that means selling powerful tech to human rights abusers.

That would definitely align with NSO’s view of the malware market. And that makes Baker the perfect proponent for its worst impulses.

Driving that point home is another quote from Stewart Baker on NSO’s multi-year run of negative press coverage, this time delivered to the Associated Press:

Stewart Baker, a cybersecurity lawyer and former general counsel at the National Security Agency, said it remains to be seen how big an impact Wednesday’s announcement will have on the NSO Group’s long-term health. He said the Commerce Department will have significant discretion in how it handles licensing requests related to the NSO Group, and could face pressure from U.S. exporters and the Israeli government.

“We could see a situation in which the sanction has been granted and it has a great symbolic significance and some practical significance for NSO, but certainly isn’t a death penalty and may over time just be really aggravating,” he said.

Ah. An inconvenience at most, mostly of the political variety. That explains Baker’s insertion into the NSO Group narrative. Obviously, his efforts will be aimed at moving this blacklisting more towards the “symbolic” end of the scale and further away from the “practical” side, making it easier for NSO to return to its previous level of profitability.

But it’s more than that. The better Baker does clearing NSO’s tarnished name, the sooner it and its competitors can return to doing the things that got them in trouble in the first place. Once NSO is considered somewhat acceptable, it can go back to doing the things that made it the most money: i.e., hawking powerful phone exploits to human rights abusers. But this time, NSO has a former US government official in its back pocket. And not just any former government official but one who spent months telling US citizens who were horrified by the implications of the Snowden leaks that they were wrong for being alarmed about bulk surveillance.

NSO Group couldn’t ask for a better advocate: a government official who still firmly believes governments should be able to do whatever they want without being hassled by the proles for overstepping their bounds.

Filed Under: lobbying, malware, pegasus, spyware, stewart baker, surveillance
Companies: nso group

Investigation Shows Israeli Malware Firms Pitching Spyware To Embargoed Countries, Serial Human Rights Abusers

from the never-even-bothering-to-ask,-are-we-the-baddies? dept

As we’re all painfully aware by now, former Israeli intelligence analysts are capable of producing private sector malware companies faster than the CIA can produce successful coups.

While both are capable of handing over inordinate amounts of power to truly terrible people, only the Israeli companies have been formally asked by the US federal government to knock it the fuck off.

The sanctions handed down by the US Commerce Department were the direct results of months of negative press detailing the endless abuse of Israel-based NSO Group’s malware by the abusive governments it chose to sell to, including several countries listed in the world yearbook as Most Likely To Want Israel Dead.

NSO and Cytrox — companies that both have extensive sordid histories — were sanctioned. NSO, despite being best buddies with the Israeli government, found itself being investigated by the same government that had aided and abetted its malware sales to international death merchants, resulting in the extremely belated trimming of its “Acceptable Customers” list.

The negative press has failed to subside. But not all of it is NSO-focused. Plenty of other Israeli companies founded by ex-Israeli intelligence analysts have similarly chosen to sell spyware to the worst governments on earth, resulting in the sort of worldwide press that’s normally the result of press junkets by confirmed misanthropes.

Every country has its own blacklists. The UN maintains its own. Several other not-specifically blacklisted countries are just considered bad to do business with. But, for Israeli malware merchants, nothing was off limits, even when some of it actually (in the legal sense) was.

This investigative report published by Israeli news outlet Haaretz provides more details on Israeli spyware firms and the questionable governments they chose to do business with. Most of this was facilitated by a third party located outside of Israel, providing plausible deniability to the Israeli malware firms it represented. Deniability, however implausible, was definitely needed, considering the deals being brokered by this third party.

A global investigation published Thursday into Intellexa, an alliance of digital arms and surveillance firms owned by Israelis but operating from outside of Israel, reveals how the company sold its spyware to Egypt, where it was used against critics of the regime. Intellexa also pitched its capabilities to Saudi Arabia, Malaysia, Cameroon, Mauritius, Sierra Leone and others, per the investigation.

The front group was headed by ex-Israelis, but located conveniently offshore in locations that are often home to entities that wish to evade the legalities of doing business in their own countries. Intellexa, most recently registered in Greece, also calls Ireland and North Macedonia “home.”

From these home bases, Israeli-created malware could be pitched to countries the Israeli government refuses to (officially) do business with.

According to the investigation, in 2021 a sales pitch was made to the regime of Khalifa Haftar in Benghazi, which controls eastern Libya. The regime is under an international arms embargo but the offer – bearing the logos of Intellexa and AMES – included cell phone spyware. A deal was ultimately signed for other eavesdropping and cellular interception technology, however, getting the tech to the sanctioned regime was a problem.

“We have a request from a super bad country,” the French CEO told the company’s legal advisor in a May 2021 phone call. “I wanted to know if it is completely prohibited, or what our options are.” The legal counsel was unequivocal: “Forget about it… You know about the arms embargo, about the EU effort against Libya. They are very strict.”

This deal, headed up by the French CEO of Dubai-based Advanced Middle East Systems (AMES), ultimately fell through. A similar pitch was made to the government of Egypt in 2019. That deal — which followed the Arab Spring uprising in that country — apparently went through. Subsequent investigations of spyware-infested phones linked the infections to Israeli-produced spyware deployed by the Egyptian government against exiled politicians and opposition leaders.

This partnership with an autocratic government — one apparently aided by former Israeli Prime Minister Ehud Olmert’s work for Intellexa — was a success, one celebrated by executives thrilled to have made the world just a little bit worse.

At the end of 2020 a contract was signed. The French CEO reported this in the Nexa-Intellexa WhatsApp group – adding three champagne bottle emojis. “Amazing,” Intellexa’s VP of Sales replied, with Dilian adding: “Great!!! Happy New Year.”

If there’s any upshot — at least for NSO Group — it’s that NSO is not the actual worst of the worst when it comes to Israeli spyware sellers. That title belongs to those who have flown further under the radar, thanks in large part to their use of foreign-based fronts for international sales.

Unlike Pegasus spyware maker NSO, which is regulated by the Israeli Defense Ministry and sold its wares to Saudi Arabia with Israel’s blessing, Intellexa has long operated outside of Israel and away from Israeli oversight.

The only upside here is that these companies have yet to produce phone malware as powerful as NSO’s flagship product, the zero-click Pegasus exploit. Even their off-brand knock-offs are capable of fully compromising phones, though, even if they require a bit more direct interaction with their targets, such as getting the victim to click a link. So there’s no real good news to report. This latest set of revelations confirms what’s always been feared: that “good guys” with malware are more than willing to sell their products to the “bad guys” of the world.

Filed Under: human rights, israel, malware, surveillance
Companies: ames, cytrox, intellexa, nso group

Council Of Europe Says Most Use Of NSO’s Pegasus Spyware Is Probably Illegal

from the nice-racket-you-got-there,-NSO dept

I mean, that’s what we all were thinking, right? When you carve out a niche selling to outlaws, there’s a good chance your product will be used illegally, no matter who’s buying it.

That’s how it all plays out for NSO Group and its infamous Pegasus zero-click phone exploit — one capable of fully compromising targets’ phones. And what a list of targets it is! Journalists, human rights activists, opposition leaders, religious leaders, lawyers, and dissidents were all included on the list of NSO malware targets obtained by journalists in 2021.

Two years of bad news followed. Not just negative press, but investors, founders, and even the Israeli government backing away slowly from this suddenly toxic asset. At its peak, NSO had a long list of customers, most of them doing their own citizens dirty with routine human rights abuses. At its current nadir, NSO limps along, trying to find someone willing to pay it to put itself out of its self-inflicted misery.

This report [PDF], compiled by the Council of Europe and written by the Netherlands’ Pieter Omtzigt, says what everyone knows. But it says it for the benefit of those who know, but still refuse to stop engaging in abusive deployments of the Pegasus malware.

Here’s the main takeaway, as summarized by Suzanne Smalley for The Record.

The PACE’s Committee on Legal Affairs and Human Rights, which produced the report, asked at least 14 European Union countries which have bought or used the tools, including the Netherlands, Germany, Belgium and Luxembourg, to “clarify the framework of its use and applicable oversight mechanisms” within three months.

Additionally, the report singles out Poland, Hungary, Spain, Greece and Azerbaijan, which have already weathered public scandals related to their use of the NSO Group’s Pegasus spyware and similar tools, to undertake “effective, independent and prompt investigations” on all confirmed and alleged cases of spyware abuse.

Some things to note before we take a deeper look at the report:

First, it was composed by a representative of a government that has been (at least somewhat) critical of the EU’s attempts to undermine encryption with client-side scanning mandates. Second, the countries named as participants in likely illegal surveillance include Greece and Spain. Greece has been dealing with the fallout of illegal spying efforts utilizing other malware created by yet another Israeli-based spyware company. Spain has been engaged in open oppression of Catalan dissidents and wholeheartedly believes the EU should give it even more power to repress those who seek to have this region’s independence recognized by the Spanish government.

The other countries on the list have rarely been considered havens of personal freedom, with Poland being a bit more progressive in its protection of human rights than Hungary or Azerbaijan. That being said, Poland hasn’t exactly kept its hands entirely clean when it comes to domestic surveillance.

The problem is the malware itself, which is extremely powerful and, for most targets, undetectable. Given these aspects, the Parliamentary Assembly of the Council of Europe (PACE) doubts any use of the spyware could possibly comply with European law.

The Parliamentary Assembly notes that Pegasus is a highly intrusive surveillance spyware, which grants the user complete and unrestricted access to all sensors and information of the targeted mobile phone. It turns the smartphone into a 24-hour surveillance device, accessing the camera and microphone, geolocation data, e-mails, messages, photos, videos, passwords, and applications. While some spyware tools require some action on the part of the victim, such as clicking on a link (for instance, Predator) or opening an attachment, Pegasus is installed through a so-called “zero click attack”. Given its unprecedented level of intrusiveness into the private life of the targeted individual and all the target’s contacts, the Council of Europe Commissioner for Human Rights and the European Data Protection Supervisor have expressed serious doubts as to whether its use could ever meet the proportionality requirement and therefore be human-rights compliant.

This is followed by the name-and-shame portion of the presentation. The Council notes the malware has been deployed in both Poland and Hungary to spy on journalists, opposition leaders, lawyers, prosecutors, and activists. In Spain, 65 infections of phones belonging to Catalan pro-independence activists have been verified. Azerbaijan has deployed it both against its own people (journalists, activists) and against targets in Armenia.

Since almost any deployment of Pegasus will, at the very least, likely violate European privacy laws, the Council requests that all EU nations inform the Assembly about any past, present, or planned Pegasus use, provide redress to those illegally-targeted, apply sanctions (if needed) against the entities deploying the malware, and conduct investigations to determine whether any past deployments have flown under the oversight radar.

The rest of the report delivers more details on potentially illegal Pegasus deployments. Most of these were uncovered by security researchers, like the invaluable Citizen Lab. None of the discovered infections were the result of self-reporting by the government agencies that purchased NSO spyware. In a few cases, government investigations have uncovered abusive deployments by government entities, but most of the legwork is still being done by the private sector.

While the Council is entitled to make these demands of EU nations, it doesn’t actually have the power to make any of this happen, unfortunately. Back to Suzanne Smalley and The Record:

The Council of Europe was established in the wake of World War II to promote human rights and democracy. While it cannot enact laws, it describes itself as being able to “push for the enforcement of select international agreements reached by member states on various topics.”

It’s not much, but maybe it will be enough. NSO is on the ropes and very few self-respecting governments want to be caught with Pegasus on their hands. There will always be competitors willing to fill the void created by NSO should it choose to exit the market. But maybe efforts like these will make EU nations think twice before doing business with malware merchants more than happy to get in bed with any autocracy that will have them.

Filed Under: council of europe, malware, privacy, spyware
Companies: nso group