In a U.S. federal court, Apple has sued NSO Group and its parent firm Q Cyber Technologies for illegally targeting users with its Pegasus spying tool, marking yet another setback for the Israeli spyware vendor. NSO Group is described as "notorious hackers — amoral 21st-century mercenaries who have constructed highly sophisticated cyber-surveillance equipment that promotes routine and egregious exploitation" by the Cupertino-based tech giant.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous."
Pegasus is designed as an invasive "military-grade" spyware capable of exfiltrating sensitive personal and geolocation information and stealthily activating the phones' cameras and microphones. It is typically installed by leveraging "zero-click" exploits that infect targeted devices without any user interaction.
The FORCEDENTRY exploit in iMessage was used to evade iOS security measures and target nine Bahraini activists, according to Apple's lawsuit. The attackers used over 100 false Apple IDs to send harmful data to the victims' devices, allowing NSO Group or its clients to deploy and install Pegasus spyware without their knowledge, according to the firm. In September, Apple patched the zero-day vulnerability.
"The abusive data was sent to the target phone through Apple's iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file," Apple detailed in its filing. "That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple's iCloud servers in the United States or abroad for delivery to the target."
The lawsuit also mirrors a similar action taken by Meta (previously Facebook) in October 2019, when it sued the firm for installing Pegasus on 1,400 mobile devices belonging to diplomats, journalists, and human rights activists by exploiting a weakness in its WhatsApp messaging software.
Apple praises organizations such as Citizen Lab and Amnesty Tech for their pioneering efforts in identifying cyber-surveillance abuses and assisting victims. To support efforts like these, Apple announced that it will donate $10 million to organizations conducting cyber surveillance research and advocacy, plus any damages from the lawsuit.