Apple sues NSO Group for targeting its users

Apple sued the NSO Group for damages to the company and its users due to an exploit used to spy on a number of Apple users.

A man walks past the logo of Israeli cyber firm NSO Group at one of its branches in the Arava Desert, southern Israel July 22, 2021 (photo credit: REUTERS/AMIR COHEN)

Apple filed a lawsuit against the Israeli NSO Group and its parent company for the alleged surveillance and targeting of Apple users on Tuesday, according to an announcement by Apple.

The company is also seeking a permanent injunction banning NSO Group from using any Apple products or services, in the suit filed in the US District Court for the Northern District of California, San Jose Division.

The lawsuit provides new information about how NSO infected victims' devices with Pegasus using the FORCEDENTRY exploit, which has since been patched, according to the company.

Pegasus was used against a number of Apple users across the world to attack them with dangerous malware and spyware, according to Apple.

The company added that it has not yet observed any evidence of successful remote attacks against devices running iOS 15 or later versions.

FILE PHOTO: The Apple Inc. logo is seen hanging at the entrance to the Apple store on 5th Avenue in Manhattan, New York, U.S., October 16, 2019 (credit: REUTERS/MIKE SEGAR/FILE PHOTO)

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous. While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”

The exploit, identified by the Citizen Lab research group at the University of Toronto, allowed NSO to break into Apple devices and install the Pegasus spyware product from at least February until September 2021, according to the lawsuit.

The exploit allowed NSO and its clients to hack into victims' devices without any action or awareness by the victim. NSO carried out the FORCEDENTRY exploit by using its computers to contact Apple servers in the US and abroad in order to identify other Apple devices.

After confirming that the target was using an Apple device, the attackers would send abusive data through Apple's servers to the target phone via Apple's iMessage service, disabling logging on the targeted device so that the Pegasus software could be delivered via a larger file. The file would be temporarily stored, in an encrypted form unreadable to Apple, on an iCloud server for delivery to the target.

After being delivered to the target's device, Pegasus would transmit personal data to a command-and-control server operated by NSO or its clients. The operator was able to issue commands to the device, including using the device's microphone or camera to record.

Apple stressed that it incurs substantial costs, redirects resources and otherwise suffers harm and damages as the result of each attack of this type, adding that it spent "thousands of hours" addressing NSO's actions.

"[NSO] force Apple to engage in a continual arms race: Even as Apple develops solutions and enhances the security of its devices, [NSO] are constantly updating their malware and exploits to overcome Apple’s own security upgrades," wrote the company in the lawsuit, adding that the fight against the breach attempts has cost the company over $75,000.

The suit called the NSO Group "notorious hackers - amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse," saying that the company designs, develops, sells, delivers, deploys, operates and maintains malware and spyware products and services that have been used against Apple users.

"NSO is the antithesis of what Apple represents in terms of security and privacy," added the lawsuit. "While Apple creates products to serve and protect its users, NSO targets and attempts to exploit those products to harm Apple and its users."

"The steps we’re taking today will send a clear message: In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” said Ivan Krstić, head of Apple Security Engineering and Architecture. “Our threat intelligence and engineering teams work around the clock to analyze new threats, rapidly patch vulnerabilities, and develop industry-leading new protections in our software and silicon. Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”

Apple additionally announced that it will contribute $10 million, as well as any damages recovered from the lawsuit, to organizations working in cybersurveillance research and advocacy. The company will also provide pro bono technical, threat intelligence and engineering assistance to Citizen Lab and other organizations.

The company is notifying the users affected by FORCEDENTRY of the breach.

At the beginning of November, the US Commerce Department announced that it had added NSO Group and Candiru to its blacklist for engaging in “activities that are contrary to the national security or foreign policy interests of the United States.”

The US State Department said the companies trafficked in cyber tools used to gain unauthorized access to computer networks – though it later added that it will not sanction NSO in any way, despite it being on the blacklist, and will not take any actions against any of the companies’ host governments.

The companies’ addition to the list, for engaging in activities contrary to US national security or foreign policy interests, means that exports to them from their US counterparts are restricted. For example, this makes it far harder for US security researchers to sell them information about computer vulnerabilities.

Yonah Jeremy Bob, Lahav Harkov and Reuters contributed to this report.