The latest bombshell investigations into NSO Group’s Pegasus spyware reinforce how widely the tool is being used by governments and clients around the world to conduct surveillance on journalists, human and civil rights activists, politicians and other individuals.
But a number of mobile and security experts worry that the same research also highlights a nascent global spyware industry that is making it increasingly trivial to conduct sophisticated surveillance on Android and Apple smartphones, devices used across industries and governments around the world. The success of NSO Group, while hard to replicate, is something that could eventually spur imitators and spread the reach of such digital espionage campaigns to broader victim groups.
In particular, research from Amnesty International, Citizen Lab and news organizations like the Washington Post identified dozens of high-profile individuals infected with Pegasus spyware. Amnesty’s report tracked attacks as far back as 2014 and as recently as July 2021. So-called “zero click” attacks that don’t require any user interaction have been observed since 2018, with the latest example showing the spyware was capable of infecting a fully patched iPhone 12.
That kind of capability could make it harder for victims, organizations and security researchers to identify potentially infected devices, or track when and how it is being used. NSO Group has claimed it has no way of observing or tracking how their tools are ultimately used by its customers. The company also said it prohibits the sale of Pegasus to private industry and has internal controls to vets potential government buyers and prevent them from using the spyware for authoritarian or abusive ends. The list of confirmed or suspected victims of NSO phone hacks over the years makes it clear that whatever their policy, NSO's technology is routinely used toward those ends.
It should be noted that businesses are not the primary target of Pegasus, and the vast majority of confirmed or suspected Pegasus infections appear to have targeted journalists, human and civil rights activists, politicians and other individuals. How much of a potential threat Pegasus and other spyware may pose to corporate networks now and in the future is a subject of some debate.
Aaron Cockerill, chief strategy officer at Lookout, a cybersecurity firm that helped analyze one of the first Pegasus iOS samples in 2016, said the bar for building and selling such spyware tools has lowered dramatically in the past five years. He likened the industry’s potential for future growth and expansion to the way many ransomware groups have shifted to outsource their malware and infrastructure to third party affiliates, allowing entities that may otherwise lack the expertise to carry out such attacks on their own.
“Every day, the research teams at Lookout observe advanced techniques used by the likes of the NSO Group,” Cockerill said. “There has been a trend where these techniques are being adopted more frequently by consumer-grade surveillanceware and spyware vendors. This could put very powerful surveillance tools in almost anyone's hands.”
A growing but immature market
Due to restrictions on sales to the private sector, such threats are still most likely to come from government agencies, but If software like Pegasus is ever re-sold on the grey market “it is virtually impossible to control who can eventually buy hacking tools and for what purposes,” said Ilia Kolochenko, founder of ImmuniWeb, a Switzerland-based application security and penetration testing company.
Companies like NSO Group can leverage their connections and relationship with patron governments and a murky regulatory environment to cast a veil that makes it extremely difficult to know who ultimately gets access to these tools and how they’re used.
“It is virtually impossible to regulate this market as vendors and buyers are highly sophisticated entities, while the latter frequently enjoy immunity by the virtue of law,” Kolochenko said.
Others think there are a number of challenges that would likely make it harder for imitators to achieve the same success or use these tools at a broader scale.
Ollie Whitehouse, global chief technology officer for cybersecurity consultant firm NCC Group, said the average U.S. or European executive should still consider it “highly unlikely” that such spyware will be used to target their business. There’s no evidence that Pegasus or other similar spyware has been used in economic espionage campaigns waged by Chinese or Russian hackers against western industry, and the use of already contentious tools like Pegasus would likely risk attracting unwanted attention and heat from Western governments if they discovered it was being used against their industry.
Another obstacle: while the desire and market may exist for broader use of these tools, part of the reason NSO Group gets so much scrutiny is because software like Pegasus and its zero-click infections are in a league of their own compared to other competitors.
“NSO is quite unique as the true edge of capability. One has to recognize that NSO does invest a lot of money [in its product] and obviously can do things [that others in the market can’t],” said Whitehouse. “It is fair to say that we see a number of nascent Indian companies trying to operate in a similar space, and…some Cypriot companies that may be also Israeli in nature or Russian trying to operate in this kind of space, but I think it’s fair to say that for them…it’s pretty basic.”
Still, other firms like Israeli-based Candiru have shown similar advanced smartphone hacking capabilities, while the success of companies like India-based BellTroX InfoTech Services have underscored the global market demand for broad-based “hacking for hire” services. Whitehouse said the capabilities demonstrated by NSO Group as well as international hacking events like Pwn to Own and the Tianfu Cup also show that this type of surveillance for popular mobile devices can be achieved “with relatively little capital investment.”
Word to the wise
So who in the business world should be worried, or incorporating these kinds of attacks into their security threat models? And what can be done about it? If you hold or manage data that is valuable to foreign governments, it could increase the risk that one of them may turn to a tool like Pegasus.
“Business executives with access to market data, technological research, and infrastructure are highly valuable targets,” said Cockerill. “As iOS and Android devices continue to be integral to our lives, they need to be secured with as much, if not more priority than any other device.”
Ditto for companies with an international presence who do business with countries that have a history of using the tool or a record of authoritarian or human rights abuses. Whitehouse said the clients NCC Group has observed putting proactive plans in place to deal with the threat tend to be “more mature” organizations who do business with risky or questionable goernments. Companies that still struggle with security fundamentals like implementing multifactor authentication almost certainly have larger fish to fry before they shift focus on detecting advanced mobile spyware.
“I think for the vast majority of organizations who are conducting standard commerce in the USA, you’re broadly fine,” said Whitehouse. “However, were you to be in negotiations around mineral extraction or an arms deal or something sensitive, then that may put you in the crosshairs.”
The use of common, trusted apps like Apple Music as a vector in Pegasus attacks might also be leveraged to take advantage of BYOD work policies and notoriously lax cyber hygiene practices within the general workforce.
Amnesty’s report identified 45 different process names found in phones infected with the malware, while an independent review of that evidence by the non-profit Citizen Lab indicates that these process names don’t appear to relate to any other legitimate functions and are almost always a sign of an infected device.
“We can…confirm that we have not observed Amnesty’s list of 45 process names used in association with any benign or legitimate apps,” wrote Bill Marczak, John Scott-Railton, Sienna Anstis and Ron Deibert.
Researchers believe that most Pegasus infections start with a successful phishing attack, and Amnesty International’s Security Lab released a free tool that organizations can use to test their mobile phones for signs of Pegasus infection, as well as indicators of compromise that can be used to detect signs of infection or attempted infection.
Beyond that, implementing mobile phishing protections where possible for SMS, email, social media, third-party messaging platforms and gaming or dating apps were recommended as steps that IT security teams can take to defend their smartphones and tablets.