A single activist helped turn the tide against NSO Group, one of the world’s most sophisticated spyware companies, which is now facing a wave of new legal action and scrutiny in Washington over damaging new allegations that its software was used to hack government officials and dissidents around the world.
It all started with a software glitch on her iPhone.
According to six people involved in the incident, an unusual error in NSO’s spyware allowed Saudi women’s rights activist Loujain al-Hathloul and privacy researchers to discover a trove of evidence suggesting the Israeli spyware maker had helped hack her iPhone. A mysterious fake image file on her phone, left behind by the spyware by mistake, alerted security researchers.
Last year’s discovery on al-Hathloul’s phone sparked a storm of legal and government action, putting NSO on the defensive. For the first time, the method by which the hack was found is detailed here.
One of Saudi Arabia’s most prominent activists, al-Hathloul is known for leading a campaign to end the nation’s ban on women drivers. She was freed from jail in February 2021 after being charged with risking national security.
Soon after her release from prison, the activist received an email from Google informing her that state-sponsored hackers had tried to hack her Gmail account. Fearing that her iPhone had also been hacked, al-Hathloul contacted the Canadian privacy rights organization Citizen Lab and requested that they investigate her device for evidence, three people close to al-Hathloul told Reuters.
After digging through her iPhone records for six months, Citizen Lab researcher Bill Marczak made an unprecedented discovery: a fault in the surveillance software implanted on her phone had left behind a copy of the malicious image file, rather than deleting itself after stealing its target’s messages.
He said the finding, computer code left behind by the attack, provided direct evidence that NSO built the espionage tool.
“It was a game-changer,” said Marczak. “We caught something that the company thought was uncatchable.”
According to four people with direct knowledge of the incident, the discovery amounted to a hacking blueprint and prompted Apple Inc to notify thousands of other victims of state-backed hacking around the world.
Citizen Lab and al-Hathloul’s discovery served as the foundation for Apple’s November 2021 lawsuit against NSO, and it reverberated in Washington, where U.S. officials found that NSO’s cyberweapon was used to spy on American diplomats.
In recent years, the spyware industry has seen explosive growth as governments around the world buy phone hacking software that enables the type of digital surveillance that was previously only available to a few elite intelligence agencies.
Over the last year, plenty of revelations from journalists and activists, including the international journalism collaboration Pegasus Project, have linked the spyware industry to human rights violations, fueling increased scrutiny of NSO and its competitors.
However, security researchers claim that the al-Hathloul discovery was the first to provide a blueprint for a powerful new form of cyberespionage, a hacking tool that penetrates devices without user interaction, providing the most concrete evidence of the weapon’s scope to date.
An NSO spokesperson said in a statement that the company does not operate the hacking tools it sells – “government, law enforcement, and intelligence agencies do.” The spokesperson declined to say whether its software was used to target al-Hathloul or other activists.
But the spokesperson said the organizations making those claims were “political opponents of cyber intelligence,” and suggested some of the allegations were “contractually and technologically impossible.” The spokesperson declined to provide specifics, citing client confidentiality agreements.
Without going into specifics, the company stated that it had a procedure to investigate alleged misuse of its products and that it had cut off clients due to human rights concerns.
THE BLUEPRINT’S DISCOVERY
Al-Hathloul was right to be suspicious; this was not the first time she had been watched.
According to a 2019 Reuters investigation, she was targeted in 2017 by a team of US mercenaries who surveilled dissidents on behalf of the UAE under a secret program called Project Raven, which classified her as a “national security threat” and hacked into her iPhone.
She was arrested and jailed in Saudi Arabia for nearly three years, and, according to her family, was tortured and interrogated using information stolen from her device. Al-Hathloul was released in February 2021 and is currently banned from leaving the country.
Reuters has no evidence NSO was involved in that earlier hack.
Al-Hathloul’s experience of surveillance and imprisonment made her determined to gather evidence that could be used against those who wield these tools, said her sister Lina al-Hathloul. “She feels she has a responsibility to continue this fight because she knows she can change things.”
Citizen Lab discovered “zero-click” spyware on al-Hathloul’s iPhone, meaning the device can be infected without the user ever clicking on a malicious link.
When zero-click malware infects a device, it usually deletes itself, leaving researchers and tech companies without a sample of the weapon to study. According to security researchers, this can make gathering hard evidence of iPhone hacks nearly impossible.
This time, however, was different.
The software glitch left a copy of the spyware hidden on al-Hathloul’s iPhone, allowing Marczak and his team to obtain a virtual blueprint of the attack as well as evidence of who developed it.
“Here we had the shell casing from the crime scene,” he said.
Marczak and his team found that the spyware worked in part by sending picture files to al-Hathloul through an invisible text message.
The image files tricked the iPhone into giving access to its entire memory, bypassing security and allowing the installation of spyware that would steal a user’s messages.
According to three people with direct knowledge of the situation, the Citizen Lab discovery provided solid evidence that the cyberweapon was built by NSO; Marczak’s analysis was confirmed by researchers from Amnesty International and Apple.
According to Marczak, the spyware found on al-Hathloul’s device contained code indicating that it was communicating with servers previously identified by Citizen Lab as being controlled by NSO. Citizen Lab has dubbed this new iPhone hacking method “ForcedEntry.” Last September, the researchers provided the sample to Apple.
With the attack blueprint in hand, Apple was able to patch the critical vulnerability and notify thousands of other iPhone users who had been targeted by NSO software, warning them that they had been targeted by “state-sponsored attackers.”
This was the first time Apple had done so.
While Apple determined that the vast majority were targeted by NSO’s tool, security researchers discovered that spy software from a second Israeli vendor, QuaDream, also used the same iPhone vulnerability, Reuters reported earlier this month. QuaDream has yet to respond to several requests for comment.
Dissidents critical of Thailand’s government were among the victims, as were human rights activists in El Salvador.
Apple sued NSO in federal court in November, citing the findings from al-Hathloul’s phone and alleging the spyware maker violated US laws by developing products designed “to target, attack, and harm Apple users, Apple products, and Apple.” Apple credited Citizen Lab with providing “technical information” used as evidence in the lawsuit but did not reveal that it was obtained from al-Hathloul’s iPhone.
According to NSO, its tools have helped law enforcement and saved “thousands of lives.” The company stated that some of the allegations made against NSO software were false, but declined to elaborate on specific claims, citing confidentiality agreements with its clients.
According to people familiar with the matter, among those Apple warned were at least nine US State Department employees in Uganda who were targeted with NSO software, igniting a new wave of criticism against the company in Washington.
The US Commerce Department placed NSO on a trade blacklist in November, preventing American companies from selling software products to the Israeli firm and threatening its supply chain.
The Commerce Department said the action was based on evidence that NSO’s spyware was used to target “journalists, businesspeople, activists, academics, and embassy workers.”
In December, Democratic Senator Ron Wyden and 17 other lawmakers demanded that the Treasury Department sanction NSO Group and three other foreign surveillance companies for reportedly helping authoritarian governments commit human rights violations.
“When the public saw you had U.S. government figures getting hacked, that quite clearly moved the needle,” Wyden told Reuters in an interview, referring to the targeting of U.S. officials in Uganda.
Lina al-Hathloul, Loujain’s sister, said the financial blows to NSO might be the only thing that can deter the spyware industry. “It hit them where it hurts,” she said.