Apple has filed a lawsuit against NSO Group, the maker of the notorious Pegasus spyware, alleging that the company has harmed Apple’s customers as well as Apple itself by abusing “Apple services and servers to perpetrate attacks on Apple’s users”.
The lawsuit is not unprecedented--Facebook’s WhatsApp division sued NSO Group in 2019 for unauthorized access to the company’s servers, and that’s part of the legal argument that Apple is using in its complaint. Apple alleges that NSO Group created more than 100 Apple IDs and used Apple’s iCloud servers to deliver an exploit payload to target devices, which then loaded the Pegasus spyware. The delivery method relied on an exploit that researchers named FORCEDENTRY, which exploited a zero day in iOS 14.
“Defendants contacted Apple servers using their Apple IDs to confirm that the target was using an Apple device. Defendants would then send abusive data created by Defendants through Apple servers in the United States and abroad for purposes of this attack. The abusive data was sent to the target phone through Apple’s iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file. That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple’s iCloud servers in the United States or abroad for delivery to the target,” Apple said in the complaint, which was filed Tuesday in the U.S. District Court for the Northern District of California.
Researchers at Citizen Lab at the University of Toronto discovered the FORCEDENTRY exploit in September and notified Apple. Within a week of the notification, Apple released an update for iOS that closed the vulnerability on which FORCEDENTRY relied.
Apple is asking the court to permanently prevent NSO Group from using any Apple devices, software, or services, and is asking for monetary damages, as well. The company said it will donate any damages it wins to organizations doing research on cyber surveillance, and it also is pledging an additional $10 million to support those research efforts. Apple also said it has begun notifying the small number of people who have been targeted by the FORCEDENTRY exploit. Some activists in Thailand have already received notifications and have posted the emails on Twitter. The notifications will consist of an email, an iMessage text, and a banner at the top of the user's account page.
"State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected. We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behavior to evade detection in the future," Apple said.
“Defendants are notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery."
NSO Group has been the subject of more than a few legal actions lately, and the U.S. government has also sanctioned the Israeli company. In October, the Department of Commerce issued an interim final rule that essentially prevents Americans from selling exploits or vulnerabilities to some foreign entities, and earlier this month Commerce added NSO Group to its Entity List.
In its lawsuit, Apple said NSO Group’s actions have injured the company and its customers.
“Defendants are notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse. They design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple,” Apple says in the lawsuit.
“For their own commercial gain, they enable their customers to abuse those products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens.”
“At Apple, we are always working to defend our users against even the most complex cyberattacks. The steps we’re taking today will send a clear message: In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” said Ivan Krstić, head of Apple Security Engineering and Architecture.