When it comes to privacy, government agencies have not always been on the right side of the law; it was for this very reason that the Snowden leaks made such a huge impact. On August 10, Ahmed Mansoor, a human rights activist from the UAE, received a strange message from an unknown number on his iPhone. The message came with a rather click-bait hyperlink that read “New secrets about the torture of Emiratis in state prisons.”
Mansoor had previously been targeted by government hackers using commercially available products, and this link only made him more suspicious. The activist forwarded the message to Bill Marczak, a researcher at Citizen Lab. On close examination it was established that Mansoor’s suspicion was right: the message was nothing but a wrapper carrying sophisticated malware as its payload. The malware was, in fact, a triple threat that exploited three different vulnerabilities in Apple’s iOS which were unknown to the world at the time (they have since been patched).
Reports from Citizen Lab and the mobile security company Lookout confirmed that the attacker would have gained complete access to Mansoor’s iPhone had he opened the link. The security firms further said that the malware was “one of the most sophisticated pieces of cyber espionage software we’ve ever seen.” Make no mistake: exploiting zero-days, that is, unknown bugs in the iPhone, is not the handiwork of a back-alley hacker. Tools worth up to one million dollars were instrumental in this attack, which amounts to remotely jailbreaking an iPhone.
Cyber criminals have been operating like an organized syndicate; it had already been revealed earlier that vendors are offering ransomware as a service, just like Software as a Service (SaaS). Coming back to this case, the company (it is safe to call it one) that supplied the zero-day exploits to the hackers is a low-profile surveillance outfit based in Israel called the NSO Group.
NSO has been notorious for supplying sophisticated malware to governments that wanted to target the smartphones of their victims, all the while remaining behind closed doors. Given the nature of its business the company has mostly operated in stealth mode, but according to recently leaked information it has been funded to the tune of $120 million at a valuation of $1 billion. Once again, the huge amount of money changing hands spells trouble about its future exploits.
Mike Murray, Lookout’s vice president, has been quite animated about the whole episode, and this is how he describes the malware in his own words: “It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls. It also basically backdoors every communications mechanism you have on the phone.” He further added: “It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram—you name it.”
The researchers used a demo iPhone to trace how the malware infected the device. The depressing measures taken by government agencies also show what kind of information journalists, activists, and dissidents have to safeguard. It is often these people who face the threat today, but in the near future it might also be ordinary citizens like you and me.
How NSO was caught can be explained by a chain of events that also sheds light on how the malware was designed. Until August 10, the researchers had been unable to find samples of the malware the hackers used; Mansoor led them to one. After examining the link, they realized that the spyware communicated back to a server and an IP address which they had fortunately fingerprinted in the past. What helped further is that another server, registered to an NSO employee, pointed to the same IP address.
Things became clearer when the researchers found a string in the actual malware that read “PegasusProtocol”, which was immediately linked to NSO’s spyware codename, Pegasus. NSO was profiled by The Wall Street Journal, and in that rather short description the company revealed that it had been selling its wares to the Mexican government and was even drawing some heat from the CIA. Since Apple has already patched the vulnerabilities, the zero-days in question have been eliminated. That said, it is safe to assume that NSO might still be armed with a few more, and the current revelation is not something that would wreck its operations.
Apple’s patch comes bundled in iOS 9.3.5, and iOS users are advised to update their devices immediately. Dan Guido, the CEO of a cybersecurity firm, says that these kinds of attacks rarely see the light of day and are almost never caught in the “wild”. Mexico seems to be the best customer of Hacking teams across the world, and organizations like NSO are just taking it to the next level.
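As an added illustration of the attribution chain described above (this is not code from the page, from Citizen Lab or from Lookout), the following Python sketch runs the same three defender-side checks over constructed data: extract the link’s domain from the message, check whether it resolves to a previously fingerprinted IP, pivot on that IP to find other hosts sharing it, and scan a sample for the “PegasusProtocol” string. Every domain, IP address and sample byte string below is a made-up placeholder.

```python
import re

# Constructed sample data standing in for the researchers' real records.
SMS_TEXT = ("New secrets about the torture of Emiratis in state prisons "
            "http://sms.example-news.test/abc123")
PASSIVE_DNS = {                                   # constructed: domain -> resolved IP
    "sms.example-news.test": "203.0.113.10",      # host behind the link in the message
    "employee-host.example.test": "203.0.113.10", # stand-in for the employee-registered server
    "unrelated.example.test": "198.51.100.7",
}
FINGERPRINTED_C2 = {"203.0.113.10"}               # stand-in for the previously fingerprinted IP
SAMPLE_BYTES = b"\x00\x01junk\x00PegasusProtocol\x00more"  # constructed sample contents

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s]*")


def extract_domains(text):
    """Pull the host part of every http(s) link in an SMS body."""
    return sorted({m.group(1).lower() for m in URL_RE.finditer(text)})


def resolve(domain, pdns=PASSIVE_DNS):
    """Look a domain up in the (constructed) passive-DNS table."""
    return pdns.get(domain)


def pivot_on_ip(ip, pdns=PASSIVE_DNS):
    """Return every domain in the table that resolves to the same IP."""
    return sorted(d for d, a in pdns.items() if a == ip)


def has_marker(blob, marker=b"PegasusProtocol"):
    """String-level check mirroring the 'PegasusProtocol' find."""
    return marker in blob


def triage(sms_text, blob, pdns=PASSIVE_DNS, known_c2=FINGERPRINTED_C2):
    """Chain the checks: link -> IP -> fingerprint -> shared infrastructure -> string marker."""
    findings = []
    for domain in extract_domains(sms_text):
        ip = resolve(domain, pdns)
        if ip in known_c2:
            findings.append(("known_c2", domain, ip))
            for other in pivot_on_ip(ip, pdns):
                if other != domain:
                    findings.append(("shared_infra", other, ip))
    if has_marker(blob):
        findings.append(("string_marker", "PegasusProtocol", None))
    return findings
```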
Victims and attempts
I have received these two supposed messages from UnoTV from this number: (55) 6106 7277. It’s not funny pic.twitter.com/JXZbXQAzOv
— Rafael Cabrera (@raflescabrera) August 30, 2015
Mansoor is not the lone victim of this spyware; earlier, the Mexican journalist Rafael Cabrera was sent similar messages. As with Mansoor, the messages sent to Rafael also came laced with click-bait headlines. Both Mansoor and Rafael seem to have escaped the attack because they are used to looking over their shoulders, a trait most of us lack. To conclude, complete privacy seems to be a myth and it is almost impossible to shield against such attacks. While smartphone makers may earmark more funds to make their phones secure, the demand for cyber arms will also peak. We can only hope that researchers from firms like Citizen Lab stay on tenterhooks to expose such hacks and bring about a kind of resurgence.