On Thursday, a group of malware hunters revealed that it had caught an incredibly sophisticated and rare piece of spyware: surveillance software that leveraged three previously unknown flaws in the iPhone's operating system to give hackers complete control of the target device.
That kind of attack had never been seen in the wild before, according to the researchers who discovered it.
"It's the most sophisticated mobile malware we've seen by an order of magnitude," Mike Murray, the vice president for security research at Lookout, told Motherboard. "It steals all the information that could be useful for someone to spy on you."
A shadowy surveillance company called NSO Group developed the malware, according to researchers from Citizen Lab and Lookout.
"NSO Group are a highly valued surveillance company purporting to sell some of the most advanced spyware on the market," Edin Omanovic, a research officer at Privacy International, told Motherboard in an email. "Given the secretive nature of the company however, as with everything in the surveillance industry, it is very difficult to separate fact from marketing."
In response to the news on Thursday, NSO put out a prepared statement, saying the company's "mission is to help make the world a safer place" and that it only sells to "authorized" governments. The company also denied having any knowledge of the attack caught by Citizen Lab, and said that it "does NOT operate any of its systems."
Founded in Israel in 2010 with funding from veterans of the country's elite 8200 intelligence unit, NSO has developed a reputation for being one of the most secretive outfits in the spying business. According to Reuters, the company, which specializes in the exploitation of mobile phones, has changed its name several times, much like the private military contractor Blackwater (now Academi).
"If you want to work successfully in the cloak and dagger battlefield of cyber, you don't want just anyone Googling your information," Omri Lavie, one of NSO's co-founders, told Defense News in 2013 in a rare interview. Although the company does not have a website, on his LinkedIn profile, Lavie describes himself as "a serial entrepreneur, angel investor, early adopter of technologies."
In 2014, US private equity fund Francisco Partners acquired a majority stake in NSO for around $120 million. Just over a year later, Francisco was reportedly searching for a sale that could have valued the company at around $1 billion. At the end of 2015, it had an annual revenue of approximately $75 million, according to Reuters.
NSO has clearly had some success at poaching employees from other Israeli vendors in this space. The company's current director of product management used to work at NICE Systems, which also sells surveillance technology, and its director of business development until recently worked at the defense contractor Elbit Systems. In all, NSO employs at least 200 people, according to its LinkedIn page.
Ironically, or perhaps as a clever business decision, Lavie and other NSO employees are also part of Kaymera, a company that promises to do the complete opposite of NSO: protecting phones from hackers' attacks. The NSO founders, as Bloomberg put it, essentially play "both sides of the cyber wars."
These latest findings may be the first confirmation that NSO's reputation might be well deserved.
NSO's premier product is named Pegasus. We knew very little about it until today, when researchers at Citizen Lab, a digital rights watchdog at the University of Toronto's Munk School of Global Affairs, and mobile security firm Lookout revealed that they had caught a sample of it in the wild, after it was unsuccessfully used against Ahmed Mansoor, a human rights activist in the United Arab Emirates.
Generally, it does everything you would expect from a piece of specialised malware targeting mobile phones, grabbing browsing history, emails, messages—both traditional SMSs as well as WhatsApp messages or iMessages—and contact lists, before beaming them back to whoever has purchased the system.
Of course, the difference with NSO is that it has, according to the researchers, developed the capability to remotely compromise one of the most robust consumer products on the market: the iPhone. And it has sold that technology to at least one customer.
The researchers at Citizen Lab and Lookout found that Pegasus leveraged three unknown vulnerabilities, or zero-days as they're otherwise known, to break into an iPhone and give hackers full control over it. (Citizen Lab and Lookout explained the technical details of this attack in joint reports released on Thursday.)
The elaborate stringing of several zero-days into one attack is relatively rare, and it indicates that NSO might be one of the most sophisticated surveillance vendors on the market.
Whereas the Italian vendor Hacking Team, a well-known competitor of NSO, relied mostly on malicious apps, or even physical access to a device, to attack targets, the Israeli company is able to remotely compromise the iPhone—and presumably Android and Blackberry phones—with a string of exploits triggered by a successful phishing message.
"Hacking Team compared to these guys is a small business compared to an enterprise," Murray said.
In marketing materials that were leaked online as part of last year's breach of Hacking Team, NSO claims to have two ways to infect a target: one that needs no interaction from the victim (a "zero-click vector") and one that needs some interaction, a "one-click vector."
The attack analyzed by Citizen Lab and Lookout is the "one-click vector" kind, consisting of an SMS containing a link sent to the victim. There's no public evidence yet of a "zero-click" vector attack in the wild.
One of Pegasus' features that impressed the researchers the most is the malware's ability to stay hidden.
"The NSO Group software and the way it's configured and run, it's all about not being detected, [it's] designed for stealth and to be invisible," Murray said.
Some of the spyware's features, such as recording sound and taking pictures, are programmed to only work when the screen is off, according to its marketing materials. The malware is also designed to self-destruct in certain cases, to avoid getting caught.
"We're a complete ghost," Lavie, one of the co-founders, told Defense News back in 2013. "We're totally transparent to the target, and we leave no traces."
NSO itself underlines the importance of not getting caught in its marketing, saying that "it is more important that the source will not be exposed and the target will suspect nothing than keeping the agent alive and working."
WHO USES NSO'S PEGASUS?
NSO chief executive Yair Pecht has said that the company has dozens of marketing licenses. NSO uses WestBridge Technologies Inc. as its marketing and sales arm in North America, which "presents top of the line technologies to various government agencies in North America particularly in the US," according to the company's LinkedIn profile.
Adding weight to the prospect of NSO doing business with Mexico is another attack that Citizen Lab was able to identify. Rafael Cabrera, a Mexican investigative journalist, received a series of messages containing links that Citizen Lab believes are connected to NSO's infrastructure, but they haven't been able to find the malware that would have infected him. (Cabrera didn't click on the links, and when Citizen Lab tried to, the links were dead.)
Thanks to the documented attack on Mansoor, we now know that the UAE is another very likely customer of NSO. If the history with Hacking Team and FinFisher is any indication, we'll likely learn of more in the months and years to come.
"This won't be the last time that we work in a case of dissidents and journalists targeted by expensive malware," John Scott-Railton, a senior researcher at Citizen Lab, told Motherboard.
This story has been updated to include the NSO Group's statement.