NSO Group Hacked

NSO Group, the Israeli cyberweapons arms manufacturer behind the Pegasus spyware — used by authoritarian regimes around the world to spy on dissidents, journalists, human rights workers, and others — was hacked. Or, at least, an enormous trove of documents was leaked to journalists.

There’s a lot to read out there. Amnesty International has a report. Citizen Lab conducted an independent analysis. The Guardian has extensive coverage. More coverage.

Most interesting is a list of over 50,000 phone numbers that were being spied on by NSO Group’s software. Why does NSO Group have that list? The obvious answer is that NSO Group provides spyware-as-a-service, and centralizes operations somehow. Nicholas Weaver postulates that “part of the reason that NSO keeps a master list of targeting…is they hand it off to Israeli intelligence.”

This isn’t the first time NSO Group has been in the news. Citizen Lab has been researching and reporting on its actions since 2016. It’s been linked to the Saudi murder of Jamal Khashoggi. It is extensively used by Mexico to spy on — among others — supporters of that country’s soda tax.

NSO Group seems to be a completely deplorable company, so it’s hard to have any sympathy for it. As I previously wrote about another hack of another cyberweapons arms manufacturer: “It’s one thing to have dissatisfied customers. It’s another to have dissatisfied customers with death squads.” I’d like to say that I don’t know how the company will survive this, but — sadly — I think it will.

Finally: here’s a tool that you can use to test if your iPhone or Android is infected with Pegasus. (Note: it’s not easy to use.)

Posted on July 20, 2021 at 1:50 PM • 83 Comments

Comments

Aaron July 20, 2021 3:23 PM

Are we all just going to be blind to the tragedy in the idea of Israel making a tool of espionage against individuals and small groups which is largely preferred by authoritarian rulers or regimes to tyrannize, manipulate and silence people?

forensic expert July 20, 2021 3:49 PM

So… where can we download those “leaked documents”?
I want to verify those myself.
Or are they again accessible only to “selected journalists” who, just like the dictators, solely decide what to share with the public and what not, via the paywalled articles? We all know how media works.

nobody July 20, 2021 4:33 PM

NSO should be treated as a state-sanctioned criminal actor little different from Russian ‘we’re really not the government, honest’ ransomware gangs.

The response to NSO should extend beyond attempting to prosecute NSO owners to sanctioning the Israeli government for conducting invasive intelligence operations on foreign soil.

ADFGVX July 20, 2021 5:29 PM

@ forensic expert • July 20, 2021 3:49 PM

So…where we can download those “leaked documents”?

Can’t you find a Magnet or BitTorrent link, or don’t they allow you to use those protocols at the office where you work?

@ nobody • July 20, 2021 4:33 PM

NSO should be treated as a state-sanctioned criminal actor little different from Russian ‘we’re really not the government, honest’ ransomware gangs.

Why sure. Just like the whole gang of rather disreputable actors loosely affiliated with law enforcement in the U.S.: crimestoppers inc., the “10% cártel” bail bondsmen, skip tracers, bounty hunters, debt collectors, consumer credit reporting agencies, licensed private investigators, process servers, city parking enforcement patrols, vehicle impound auctioneers, etc., etc.

The response to NSO should extend beyond attempting to prosecute NSO owners to sanctioning the Israeli government for conducting invasive intelligence operations on foreign soil.

We’d better look at our own belly button in the U.S., too, while we’re at it. Endemic law enforcement corruption, especially with the U.S. Marshals Service, various State Troopers, and the Bureau of Alcohol, Tobacco, Firearms and Explosives, and the NICS database like a preemptive mental health sex offender registry on steroids. If they hadn’t sold our secrets out to the seedy side of Israeli intelligence, they’d be finding other contractors to do their dirty work of progressively ruining the lives, wrecking the homes, and trashing the cars of U.S. patriots and citizens, and as reported they already are doing just that, cozying up to UAE and Saudi Arabian officials, on their one-minded unified vendetta against Americans who didn’t veer left when the election was stolen.

ADFGVX July 20, 2021 6:56 PM

Scoop: Israel forms damage control team after NSO Pegasus spyware reports

And I have mortal enemies for posting here and there online. There’s a “damage control” crew, and they would have been desperate to knock me and other like minded individuals offline.

Wrecked my laptop, stole my phone. The Israelis have “friends” at local military bases throughout the U.S., they’ve been running a court-martial district in fraternization with “the usual” culprits at City Hall.

I had stopped by the side of the road to rest Saturday, and about noon, I was suddenly attacked and fled in my car amidst a hail of gunfire bullets flying everywhere. Miraculously I was not hit, tore around the corner at a run, without even stopping or looking for traffic.

lurker July 20, 2021 6:56 PM

@SpaceLifeForm: re your link on the squid to “encryption-originalism”[1]

The most advanced technology companies on the planet, titans like Microsoft and Google, do not know how to reliably produce fully secure software.

Obviously only a couple of examples, but surely the list must include Apple and Amazon, both implicated in this NSO story. So

Questions: is Android such a heap of dirt that nobody likely to be a Pegasus target would consider using it?
If iOS analysis is easier because of all the process, network and file logging, why is Apple logging all that stuff when Android apparently deems it unnecessary?

[1] hxtps://www.justsecurity.org/77383/encryption-originalism/

SpaceLifeForm July 20, 2021 8:09 PM

@ lurker

From what I have seen so far, the best defense may be a rooted Android phone.
At least, if you suspect an exploit, you can try to look around for signs.

A potential target may think that iPhone is safer (costs more, must be better), but it may be that the reverse is better in terms of discovery.

Also, it may also be the case that the exploit silently quits if it detects a rooted phone, because they would be worried that it could be found.

It’s also interesting that the exploit is not deployed to the phone if the phone is in the US, even if the phone is normally used outside of the US but is roaming. That probably is related to the DNS-Knocking, and knowing that NSA is watching DNS traffic intensely, and therefore this exploit would stand out.

NSO needed to register wildcard 3rd-level TLS certs.

hxtps://threadreaderapp.com/thread/1416801439402262529.html

Dave July 20, 2021 11:29 PM

@forensic expert: Would it make any difference if you had access to the originals? You’ve obviously decided you don’t want to believe the story, so no amount of proof will convince you. In particular you’ll presumably declare the originals to be faked…

ADFGVX July 21, 2021 12:17 AM

@ Dave • July 20, 2021 11:29 PM

@forensic expert: Would it make any difference if you had access to the originals? You’ve obviously decided you don’t want to believe the story, so no amount of proof will convince you. In particular you’ll presumably declare the originals to be faked…

And if it were the other way around they’d already have their charging documents ready for court, take a moment to spell check, and railroad the defendants right on through in a mass trial on the same forced confession collective bargaining plea agreement just like everybody else they throw in the meat grinder downtown New York City Manhattan Federal district court.

SpaceLifeForm July 21, 2021 12:26 AM

Spy vs. Spy

2020-04-03

hxtps://www.vice.com/en/article/pke9k9/facebook-wanted-nso-spyware-to-monitor-users

“NSO is trying to distract from the facts Facebook and WhatsApp filed in court over six months ago. Their attempt to avoid responsibility includes inaccurate representations about both their spyware and a discussion with people who work at Facebook. Our lawsuit describes how NSO is responsible for attacking over 100 human rights activists and journalists around the world. NSO CEO Shalev Hulio has admitted his company can attack devices without a user knowing and he can see who has been targeted with Pegasus. We look forward to proving our case against NSO in court and seeking accountability for their actions,” the statement from a Facebook spokesperson read.

2021-04-12

hxtps://www.politico.com/news/2021/04/12/nso-falters-lawsuit-whatsapp-hacking-481073

Two judges on the panel suggested it would be premature or mistaken for the courts to dismiss the case based on the doctrine of sovereign immunity without the U.S. government declaring that such action was needed to protect foreign countries relying on NSO’s software.

2021-07-21

hxtps://www.timesofisrael.com/government-said-to-form-team-to-deal-with-fallout-of-nso-spyware-revelations/

The government has appointed a special team to handle the fallout of revelations that Israel-based NSO Group sold spyware allegedly used by governments to target politicians, journalists and others worldwide, according to a Tuesday report.

Citing two unnamed senior Israeli officials, the Walla news site said the interagency team will examine the allegations against NSO published in numerous international outlets and what the potential security, diplomatic and legal consequences could be. The team, which reportedly first met on Sunday, includes representatives from the Defense Ministry, Foreign Ministry, Justice Ministry, Mossad and Military Intelligence.

Clive Robinson July 21, 2021 12:53 AM

@ SpaceLifeForm, lurker,

From what I have seen so far, the best defense may be a rooted Android phone.

Or turning off the basic transportation mechanism for the malware (which is what we did some years back when Android had a similar Multi-Media-Images issue).

Look at it this way: someone wants to send you a steaming heap of something unpleasant. Do you,

1, Tell the delivery guy “No Go away”.
2, Just let the guy dump it all over the kitchen table just before you start making Sunday Dinner for the whole family.

I suspect many would consider option 1, over option 2. So why do we let not exactly the most socially or security wise techno Geeks tell us it has to be option 2 each and every time…

I could give a long long long list of these failings where “because it’s neat” is the only driving factor.

Just one being the use of glyphs of the day or some other “idiot status badge” to be a measure of your social status etc…

In a world where “Marketing has gone down the rabbit hole” to join Alice in experimental pharmacology, what do we really expect?

Almost one of the first rules of security is minimise complexity so you have some ability to see and stop any security issues.

No such luck with mobile phones: you either get the evil motherlode or you don’t get even the most basic of comms…

Thus users have to learn to take back control, from those who would dump on them in the name of “rough trade”.

As an idea “simple”, but in practice “Oh so hard”, when it really should not be.

Peder Thorsø Lauridsen July 21, 2021 1:00 AM

Maybe we should start looking at making the mobile platforms more secure? This is really “just” another piece of malware. Where is Google and Apple in this?

ADFGVX July 21, 2021 1:20 AM

@ Peder Thorsø Lauridsen

Maybe we should start looking at making the mobile platforms more secure? This is really “just” another piece of malware. Where is Google and Apple in this?

In bed with the thieves, just like Microsoft, Intel, Cisco, Facebook, Twitter, AT&T, the cable television industry, Verizon, Virgin T-Mobile, Sprint, etc., etc. the whole tech sector.

lurker July 21, 2021 1:32 AM

@SpaceLifeForm, Clive
The billboards scream: Don’t root your phone, you’ll become a magnet for malware.
Now the malware gets in, no magnets needed, and you have to root to get it out…

re sovereign immunity: NSO are taking the arms dealer plea? We only sell the guns, who kills who is none of our business.

ADFGVX July 21, 2021 1:38 AM

@ lurker

re sovereign immunity: NSO are taking the arms dealer plea? We only sell the guns, who kills who is none of our business

Your local cops have the guns to shoot you and kill you if you misbehave.

Your local cops have the spyware to snoop on your phone to make sure you are not misbehaving.

Legitimate dealers will make sure that no one but the local cops in your area can obtain access to guns or spyware.

Right.

JonKnowsNothing July 21, 2021 2:10 AM

@Clive @All

re: Almost one of the first rules of security is minimise complexity … Thus users have to learn to take back control,

A note of hope…

RL anecdote tl;dr

Large code base MMORPG video games have complex graphics. There are all sorts of graphic styles, and the ones that mirror real-life landscapes often have the deepest complexity and are more than just a static painted backdrop with limited foreground imaging. These are graphics where you can see all the leaves on the trees in detail and individual blades of grass, along with entire ecosystems and starscapes.

Trying to keep a computer from burping over these hi-res images is one main task every MMORPG player has to deal with. The complexity and variability of hardware is legion and what works for one player may not work for another.

Recently, my system displayed a graphic anomaly, one that should not occur but STUFF happens. During an exchange with other players about the anomaly, which yielded the Standard Set of Things To Try (1), one player posted their method for graphics stability:

I only use this system for this game.
  I do not use it for email, browsing, office or video or anything else.

I wanted to cheer.

Although the reason was more to do with the vagaries of hi-res graphic systems and the extreme difficulties in keeping such features working across many platforms, it reinforces the concept that a One Task Device has many positive attributes.

===

1, Did I get the graphic anomaly resolved? ATM it appears to have been a GPU caching issue. Time will tell.

_nosignature July 21, 2021 5:10 AM

OK, NSO has a way to look at what you are doing. How is this different from Facebook and Google?
I’m confused. Intel orgs in the US, UK, Russia, China, etc. do this all the time and no one is up in arms about it, and all of a sudden an Israeli company does this and the world came to an end? Would it be the same if the company was Saudi? Or Chinese? Or American? I doubt it.

Here’s a scenario:

  • Israeli company develops a successful way to get a MITM on TLS and SSL. They always get in the middle and they can intercept all traffic. It was developed to demonstrate that current protocols need to change.
  • The company is called “evil on earth!” Israel is the scum of the world for doing this! I’m sure that company was working for the Israeli intel community!
  • All the press, Amnesty Int. and UN Human Rights Council (which has some of the biggest offenders in their ranks) are all up in arms!

… meanwhile in the US, a group of researchers at NSA develop the same tech.
… meanwhile the Chinese have been using this tech to capture traffic for a decade already

But no one is saying anything.

Yeah, it’s a weapon. Got it. It will only get worse. So, deal with it.

Winter July 21, 2021 5:33 AM

@nosignature
“Yeah, it’s a weapon. Got it. It will only get worse. So, deal with it.”

Burglars and murderers are everywhere. Why are you complaining when you catch one. Just let him go, everybody is doing it.

I believe such people are called “apologists” and are the ones who try to make life easier for miscreants.

No Spam Please July 21, 2021 7:15 AM

I am looking for a report of the actual facts. What evidence has been published?

All I can see is long rants against the evils of NSO from Amnesty, Citizen Lab etc. without much factual basis. Can someone please post something that has facts and not just foaming-at-the-mouth?

And BTW, yes NSO is an arms dealer. It should be treated as such. But is arms dealing something new? Can someone explain why all the fuss about this particular arms dealer?

_nosignature July 21, 2021 7:23 AM

@Winter
“Burglars and murderers are everywhere. Why are you complaining when you catch one. Just let him go, everybody is doing it.”

Yes, the only problem is that NOT everyone is doing it. My point was that they only seem to do it when the Israeli gov, or an Israeli company, is involved.

But hey, so long as you play nice and don’t disagree with Amnesty, you are good.
It’s funny how all those orgs get protective if you give them a different opinion…

Roberto Cocinero July 21, 2021 8:14 AM

If the Israeli gov’t doesn’t shut them down, cut the already unjustified funding a rich country like Israel receives.

Sadly, that probably won’t happen. The Israeli lobby is huge and the US gov’t may profit from all this.

Winter July 21, 2021 8:37 AM

@gmmca
“Most claims are not from security experts though, but from NGOs with anti-Israel bias.”

I have yet to see Amnesty international lying. But I have seen those who slander Amnesty international lying at every opportunity. So why should I believe the slanderers of AI.

“NGOs with anti-Israel bias.”

As every country murdering and torturing people claim AI is anti-[that country] as well as being a Communist/anti-Communist organization, I think it is more likely you are anti-human rights like the other slanderers of AI.

Clive Robinson July 21, 2021 8:39 AM

@ gmmca

Most claims are not from security experts though, but from NGOs with anti-Israel bias.

Cut the crap. The IDF etc. always trot out that sort of nonsense, especially when they have been caught red-handed,

1, Firing white phosphorus into UN aid stores/depot

2, Getting the Israeli premier to lie blatantly to the head of the UN about their use of such lethal weapons of mass destruction on international aid workers.

3, Evidence emerged that the UN had been very deliberately targeted.

The Israeli people are most definitely not best served by such institutionally terroristic-minded organisations, whose sole intent is to create as much hate, segregation and oppression as possible, for the aggregation of power and profit.

Winter July 21, 2021 8:43 AM

@nosignature
“My point was that they only seem to do it when the Israeli gov, or an Israeli company involved.”

Are you really that ignorant or just spewing propaganda?

The NGOs involved have criticized almost every government under the sun. And they have done so for decades. It is only those who oppose human rights for everyone who slander them.

jones July 21, 2021 8:47 AM

“A final plausible future security system is one where war is less an extension of politics than of business. Corporations, cartels, and states might use violence and coercion–whether traditional, physically destructive violence or new forms such as cyberviolence or psychological violence–to attain access to resources and markets or deny it to others. Organized violence itself may become a common commodity sold on contract. As states and their militaries prove less capable of meeting the security threats of the future, people, organizations, and businesses might look for other sources of security. More and more of the functions now performed by state militaries thus would be assumed by transnational security or mercenary firms or by the security divisions of transnational corporations.”

“In a system characterized by economic warfare, military force structure, doctrine, and equipment would be designed to minimize collateral damage when used. If the objective of military operations is to acquire or defend resources and markets, the goal would obviously be to do as little damage as possible to infrastructure, plant, and equipment. Since casualties diminish potential customers, nonlethal weaponry will play a prominent role in military operations. The most important military missions would be information warfare against competitors and protection of informational, physical, and human assets against violence and extortion.”

“In a security system where warfare was commercialized, many of the United States’ core strategic concepts would be inapplicable. For instance, the US military could no longer count on the qualitative superiority that has served it so well since the end of World War II. Against high-tech mercenaries, corporate militaries, private armies hired by enemy states, or armed criminal cartels, the US military might have to switch to a Soviet-style strategy using numbers and mass to compensate for qualitative inferiority. The United States would also have to rethink its basic understanding of the rules of warfare when faced with issues like the appropriateness of declaring war, forming alliances, or signing treaties with non-state entities. Washington could face future Battles of New Orleans, where a militarily weak United States formed an alliance-of-convenience with the pirate forces of Jean Laffite. At an even broader level, the United States would have to decide how much of its own security could be “contracted out” rather than left to its very expensive military.”

Steven Metz, “Which Army After Next? The Strategic Implications of Alternative Futures,” Parameters, 1997

No Spam Please July 21, 2021 9:21 AM

Here we go Israel-bashing again…

Can we keep this discussion focused on the topic at hand?

Can someone please point to actual facts? What is new, what has been leaked, what evidence is there?

Winter July 21, 2021 9:41 AM

@ No Spam Please
“Here we go Israel-bashing again…”

I do not think Israel has been bashed on this site more than USA, Russia, China, or North Korea.

My question is then why are we not allowed to criticize the Israeli government while we do so every day with USA, Russia, China, and North Korea?

ADFGVX July 21, 2021 10:14 AM

@ Winter • July 21, 2021 8:37 AM

@gmmca
“Most claims are not from security experts though, but from NGOs with anti-Israel bias.”

ht_tps://www.amnesty.org/en/what-we-do/arms-control/

Clearly Amnesty International opposes the right of humans to bear arms suitable for their defense, and demands extended universal background checks and government databases of “prohibited persons” which are used for intrusive purposes far beyond the intended or purported disarmament and disenfranchisement.

I have yet to see Amnesty international lying. But I have seen those who slander Amnesty international lying at every opportunity. So why should I believe the slanderers of AI.

AI, NATO, ATF, FBI, Interpol, Europol and every last one of your precious NGOs etc. are drunken with the blood of saints and martyrs, and they have slandered the names of the just and the righteous on their expansive government databases of personæ non gratæ and others prohibited from possessing the guns they control.

If you’re going to criticize Israel, remember that the international arms control organizations you mention are guilty of invading our privacy and shedding much more human blood on the earth, and butchering many more children than Israel ever did.

ADFGVX July 21, 2021 10:52 AM

@ Winter

The NGOs involved have criticized almost every government under the sun. And they have done so for decades. It is only those who oppose human rights for everyone who slander them.

Why don’t you get off your high horse?

The NGOs you mention are all gun control organizations, and they incessantly promote government, government, governments more government, at city, local, state, and national levels to enforce their totalitarian gun control and disarmament policies.

They’re on the same side of all the political issues as the Israeli crooks they accuse of hacking their human rights peace-and-love disarmament cell phones, and none of them have any intention of treating us as human beings.

Why can’t we just all get along and submit to 24×7 international arms control surveillance, harassment, and surprise inspections and searches by international police organizations for our own safety?

No. The answer is no. And it’s time for people to grow up here. Are we slaves and cripples or are we arms-bearing citizens of a free country?

Winter July 21, 2021 11:10 AM

@ADFGVZ
“The NGOs you mention are all gun control organizations, and they incessantly promote government, government, governments more government, at city, local, state, and national levels to enforce their totalitarian gun control and disarmament policies.”

All these organisations are for peaceful activism and oppose violence. Right to bear Arms organizations advocate violence on the pretext of “self defense”. This self-defense ALWAYS includes shooting at lawful representatives of the state.

Worldwide, the number of firearms in private possession predicts higher numbers of gun-related deaths, e.g., the USA.

ADFGVX July 21, 2021 11:41 AM

@ Winter

All these organisations are for peaceful activism and oppose violence. Right to bear Arms organizations advocate violence on the pretext of “self defense”. This self-defense ALWAYS includes shooting at lawful representatives of the state

Gee whiz. Just obey your pimps, shack up with the proper boyfriends, hold up your hands, and beg those lawful representatives of the state not to shoot and kill you as they killed Ashli Babbitt.

And it was only ever lawful representatives of the state who were allowed to buy all this NSO/Candiru spyware from Israel.

So just do a cell phone geolocate and carry out a lawful hit on behalf of the state, since murder is lawful, as long as it’s committed by a lawful representative of the state by your reasoning.

It just never occurred to you that it might be precisely those lawful representatives of the state who are the worst violators of human rights, did it?

Clive Robinson July 21, 2021 11:41 AM

@ ADFGVX,

AI, NATO, ATF, FBI, Interpol, Europol and every last one of your precious NGOs etc

And just how many of your list of Organizations are actually “Non Governmental”

Can I suggest you eat your chicken feed without the ergot infection.

Winter July 21, 2021 11:45 AM

@ADFVGZ
“It just never occurred to you that it might be precisely those lawful representatives of the state who are the worst violators of human rights, did it?”

As I wrote, these NGOs are supporting peaceful protest. You just want to kill those you do not like.

ADFGVX July 21, 2021 12:20 PM

@ Winter • July 21, 2021 11:45 AM

@ADFVGZ
“It just never occurred to you that it might be precisely those lawful representatives of the state who are the worst violators of human rights, did it?”

As I wrote, these NGOs are supporting peaceful protest. You just want to kill those you do not like.

And you are saying that they should be allowed to murder me with total impunity, if you are not already putting a price on my head.

God damn your miserable selfish soul to hell!

MarkH July 21, 2021 1:41 PM

@Clive,

Phantasmagoria often occurs without the ingestion of special compounds …

Much more important, how is your health? Are you back home?

JonKnowsNothing July 21, 2021 3:16 PM

@MarkH, @Clive,

re: Phantasmagoria often occurs without the ingestion of special compounds …

That and when the Cleaner Crews are dispatched to cover over the dirt

re: Much more important, how is your health? Are you back home?

This is more important! /Raid Ready Check! (1)

===

  1. In MMORPG group games there are activities that require 3, 6, 12, 24 + players. Getting everyone to the starting line, with gear, potions, foods, buffs, and long-cool-down skills reset is worse than herding cats. A common action for the leader is to issue a Raid Ready Check message, that flashes on the screens of the other players. If a player is ready to go they punch green, otherwise red or it times out on red (the person is in the loo or getting a snack). Once all the lights are green the leader starts the instance up.

ADFGVX July 21, 2021 3:35 PM

@ MarkH • July 21, 2021 1:41 PM

@Clive,

Phantasmagoria often occurs without the ingestion of special compounds …

Much more important, how is your health? Are you back home?

That’s what allows U.S. law enforcement agencies to follow the common practice of secretly administering psychedelic drugs to suspects in order to have them committed to mental hospitals or adjudicated as mental defectives in order to revoke their gun rights and have their names published on NICS gun ban lists of “prohibited persons” and other government databases, blacklists, and “violent persons” registries, without a criminal conviction, forever barring them from recourse or appeal in court.

Winter July 21, 2021 3:44 PM

@ADFGVX
“And you are saying that they should be allowed to murder me with total impunity, if you are not already putting a price on my head.”

You are advocating extrajudicial executions. These are a very serious crime. No one should be allowed to murder anyone. And history has taught us in no uncertain terms that two crimes do not make justice.

If you shoot LEO’s, you are nothing better than LEO’s shooting citizens.

ADFGVX July 21, 2021 4:21 PM

Winter • July 21, 2021 3:44 PM

@ADFGVX
“And you are saying that they should be allowed to murder me with total impunity, if you are not already putting a price on my head.”

People who cut hair shouldn’t practice law: case in point, district attorney in Municipality and Borough of Anchorage.

You are advocating extrajudicial executions. These are a very serious crime. No one should be allowed to murder anyone. And history has taught us in no uncertain terms that two crimes do not make justice.

You are openly advocating blind pre-crime arrests and imprisonments, various restraining orders, and other preemptive legal-system measures against individuals who have not committed the crimes of which they are accused, as being “at risk” of committing them.

If you shoot LEO’s, you are nothing better than LEO’s shooting citizens.

And you’re accusing me of some unspecified capital crime here. You’re not quite willing to come right out with it, but you want to make sure that if “LEO’s” (or other individuals presumably authorized by city hall or Israeli intelligence authorities to carry weapons in the U.S.) do wish to shoot and kill me, that I will have no effective defense against them.

You have also expressed a desire to limit, curtail, and restrict my freedoms and liberties as much as you possibly can, that I should be defenseless at all times under total surveillance with a loaded gun pointed at the back of my head in case I should do or say anything that would displease the ladies and gentlemen of the district.

Governments generally do not place their own people under such hostile foreign or multinational surveillance with tools like NSO, Candiru, etc., if they have any intention of allowing us to live out our lives as presumably armed and voting citizens of free countries, rather than disarmed, disenfranchised, and silenced subjects or slaves of UN, AI, NATO, Interpol, and other Non-Governmental or New World Order organizations.

CallMeLateForSupper July 21, 2021 4:46 PM

A few minutes ago I read an NSO Group quip in WaPo: “Somebody’s got to do the dirty work.”

What a jackass.

Clive Robinson July 21, 2021 4:47 PM

@ MarkH,

Much more important, how is your health? Are you back home?

No, I’m going to be in until at least the weekend…

Oh, and as usual being subjected to cruel and unusual punishment in the name of science… In this case sleep deprivation by two methods,

1, The use of saline bags…
2, Other patients with short tempers in the heat “blowing steam”.

Apparently I’m not allowed to induce a reduced consciousness in them with the “drip stand” or other more delicate apparatus… What’s the point of having such things handy if you can not repurpose and recycle 😉

MarkH July 21, 2021 6:21 PM

@Clive:

In a word, yuck.

When I read “the weekend,” what flashed into my mind was my observation that come Friday afternoon, most doctors seem to scatter from the hospital like cockroaches when the light’s turned on …

The up side is that there’s less energy for devising new tortures on Saturdays and Sundays; the down side is that if there’s some procedure you actually need, it might be postponed til Monday.

Wishing you the best through it all!

lurker July 21, 2021 8:06 PM

@ADFGVX Are we slaves and cripples or are we arms-bearing citizens of a free country?

My country has a standing militia, and thus has no need for citizens to bear arms, indeed permits citizens to bear arms only under onerous licence conditions.

And yet in the name of liberty and free markets we are deluged with software that is unfit for use on the internet. If we exercise our freedom to purchase the communications systems that suit our needs, we are spied on as if we are an enemy.

NSO is just another symptom of the diseases infecting cyberspace.

Winter July 22, 2021 12:24 AM

@ADVFZX
“Most people in the U.S., to put those numbers to scorn, actually lived through all that and survived for many more years after that.”

I am seriously questioning the quality of your education, or whether you had any at all. Here you show either complete ignorance about the meaning of “life expectancy”, or an utter unwillingness to adapt your conclusions to the facts.

Just in case there is something you can still learn, the statement “people in the U.S. born around 1900 lived only 46-47 years on average,” means that very many children below the age of 5 years died. To be more specific, around 1900 approximately 10% of babies died before the age of 1. Those who survived to adulthood indeed lived, on average, well beyond their 50th birthday. Except that many women died from complications around childbirth.

Winter July 22, 2021 12:28 AM

@ADHD
“You’re not quite willing to come right out with it, but you want to make sure that if “LEO’s” (or other individuals presumably authorized by city hall or Israeli intelligence authorities to carry weapons in the U.S.) do wish to shoot and kill me, that I will have no effective defense against them.”

Are you really so delusional that you think you will survive for long if you shoot at police officers in the USA? In Europe, I can imagine the police will actually make an effort to arrest you alive and put you in prison for a very long time. But in the USA, I seriously doubt it.

No Spam Please July 22, 2021 12:37 AM

I’ll try again…

Bruce opens this piece with “NSO Group … was hacked”. I am looking for something which explains the facts behind this: what was the nature of the hack, what was leaked, etc.?

I saw mention of a list of 50,000 phone numbers, which NSO Group denied having any connection to. Anything else?

Or do facts simply not matter? Is this just an exercise in fulminating about NSO Group and Israel being Evil Incarnate?

David July 22, 2021 12:43 AM

Anything NSO can do, you can safely assume that various nation state agencies will be duplicating. Some people might find several countries spying on them at the same time.

ADFGVX July 22, 2021 1:00 AM

@ Winter

To be more specific, around 1900 approximately 10% of babies died before the age of 1. Those who survived to adulthood indeed lived, on average, well beyond their 50th birthday. Except that many women died from complications around childbirth.

Look, I don’t want to be harsh but Al Capone’s mob was no joke. That was the live-it-up railroad era culminating in the Roaring Twenties, with the Flapper Girls.

Infanticide was more common than abortion and doctors were cruel and brutal about it and made short work of it. Yes there were “complications” from back alley abortions and other unorthodox medical procedures and dirty work by doctors. Hard radioactive quack cures and X-rays to try on shoes at the hardware store for instance. Think Marie Curie and the Radium Girls who painted the dials of men’s watches.

For as many women who died of “complications” as that was so fashionably stated on official death certificates, the men died from Mob hits or other direct violence, which was unacknowledged when it affected women, because there was no such thing as “domestic violence” back then.

Winter July 22, 2021 1:26 AM

@ADFGVX
“Look, I don’t want to be harsh but Al Capone’s mob was no joke.”
“Infanticide was more common than abortion”
“the men died from Mob hits or other direct violence,”

I already knew, but your response is again an illustration of the heartlessness of the Alt-Right when the lives of women and children are involved, or anyone who is not a white male.

The right has no heart nor compassion. The only language they know is that of violence. As such, you are a perfect example.

ADFGVX July 22, 2021 2:02 AM

@ Winter

women and children are involved, or anyone who is not a white male.

You play all these blonde versus brunette games with the ladies, look up

INCELs = Involuntary Celibates.
MGTOW = Men Going Their Own Way.

There’s something about the “men who were caught” versus “the men who got away” not that they were criminals or doing anything wrong but more or less like Black Widow the movie.

There’s a college sorority or more general sisterhood of women who “work law” below the belt, so to speak, which would be one thing if they were minding their own business rather than for instance streetwalking in pairs with a political agenda to entrap men in their affairs.

There’s a boss, though, and the boss is invariably male. That’s the братва, “the brotherhood” of organized crime networks, or in the Civil Rights era what the Feminists called the “Patriarchy” — or what Protestants have termed the “popery” or “papacy” of the Roman Catholic and Russian Orthodox churches.

JonKnowsNothing July 22, 2021 2:05 AM

@No Spam Please

As reported from various sources:

  • 50,000 phone numbers
  • some phone numbers matched to VIP/High Privileged Persons
  • some phone numbers matched to devices used by VIP/High Privileged Persons
  • some phone numbers matched to devices that are no longer in use
  • some phone numbers matched to devices still in use (active)
  • some phone numbers and devices still active, reviewed “forensically” using methods common to malware, spyware analysis
  • some phone numbers and devices showed traces of attempted installation of known Pegasus software (fragments)
  • some phone numbers and devices showed indications of successful installation of known Pegasus software (trace logs)
  • some phone numbers and devices showed indications of partially successful software removal/un-installation (fragments, trace logs, data changes)
  • some phone numbers and VIP/Persons had Odd Stuff happening circa the time table of Pegasus software installation attempts. (log files/serendipity)

I don’t see any Evil Incarnate here. I just see people doing what people do, when they think they have More Rights than Others and people who think that they are Entitled to Do Whatever They Like, Whenever They Want and that they have No Obligation to Anyone for Anything, other than getting a fatter paycheck, bonus and nicer life than their neighbor. The world is full of such people, nothing evil about it.

It’s a Human Thing, there is nothing Metaphysical about it.

Clive Robinson July 22, 2021 2:11 AM

@ Winter,

With regards comments such as,

“You didn’t even consider taking out a policy unless the Mob really was after you, and you only had a few years left to live.”

Complete nonsense, many people did have some form of insurance even if it was a few pennies a week via “clubs”. It was only those from very large rural farming families, where the cost of death was comparatively too small to matter, that did not.

In part that was due to other economic factors such as the “great dust bowl” and “great depression”, which changed the way people saved for their funerals etc.

As for the mob, yeh well they were the famed “communist” or other “look under your bed scary monster” of their day. Yes the small crime gangs built up and crazy life styles were lived. But one reason for that was the motor car and “safe across the border” of jumping state lines etc. Hence the perceived need for a “federal crime agency” which unfortunately fell in the hands of a real pair of crooks who did very well by it one crooked way or another.

The fact that for much of the time the supposed “mob” knew more about what the FBI were up to than the FBI themselves did, tells you who had the better command of technology, tactics and Operational Security…

x-MAN July 22, 2021 2:40 AM

_nosignature

You say: “So, deal with it.”

One way of dealing with something is to look at it critically, without regard to the “sacredness” of the perpetrator.

There is nothing, zero, nada, zilch so sacred about Israel, Israeli companies, or Israeli individuals that their actions cannot or should not be examined critically. The same with any other government, group, individual, etc. If somebody does something questionable, they should be held to account for it, even if it makes some folks cringe or think “I can’t say anything critical about them because they’re above reproach” and/or “They don’t like it when I criticize them, so I better keep quiet.”

Some people suggest the USA is also beyond reproach and its questionable conduct in so many areas “shouldn’t” be examined or criticized. But nobody is so “sacred” and this includes Israel and Israeli citizens.

No Spam Please July 22, 2021 3:08 AM

@JonKnowsNothing
At last some facts! Thank you!

So the facts are that 50,000 phone numbers were “leaked”, and some of these phone numbers also belonged to devices which appear to have been infected with NSO spyware.

Where is the evidence that they were leaked from NSO? As pointed out earlier, NSO denies any connection to these phone numbers.

Is the fuss because the owners of these phone numbers believe they have a right not to be infected by spyware?

veritas July 22, 2021 7:30 AM

Bruce,

it would not surprise if NSO Group has spied on you or your direct colleagues as well.

John Mark July 22, 2021 7:42 AM

NSO Group is not the only deplorable company located in Israel.

But they may have a lot of defenders, at least in USA, mainly because it is an Israeli company. And USA has a lot of fanatics who interpret the Bible so that it gives them the idea that modern-day Israel is somehow God’s chosen nation.

On this matter might be good to bring up Jesus’ words in Matthew 21:43, speaking of the nation of Israel:

“Therefore say I unto you, The kingdom of God shall be taken from you, and given to a nation bringing forth the fruits thereof.”

Fed.up July 22, 2021 7:50 AM

@Clive

The first thing you should ask for when hospitalized is earplugs. In the US, hospitals have them upon request, but if yours does not then Boots or Amazon have them too. The foam work the best. Read the directions. They really work and a sleep mask can help too.

I hope you get to go home soon.

Clive Robinson July 22, 2021 9:24 AM

@ Fed.up,

The first thing you should ask for when hospitalized is earplugs. In the US, hospitals have them upon request.

They are in the “admission pack”, it’s just that even back in the 80’s and 90’s when wearing the green and working in the oil industry I found they gave me headaches and still do, way worse these days due to “measures beyond my control” 🙁

Even wearing silly little ultra-lite ear bud headsets gives me thumping migraines within a handful of minutes, due to damage from having been given a full fracture of the lower jaw by some idiot back in 2000 and subsequent maxillofacial surgery to stop the two halves going their own way, which might be great for a party trick, but is no fun when it comes to soup :$

Being someone whose then work involved picking ultra faint signals out of noise that even computers could not spot back then, you can imagine what an impediment that was and still is. And one of the reasons I changed in part what I did for a living.

Now of course I have major league tinnitus most of the time which some rudely call “selective hearing”. Similar… but worse is screaming jangling nerve when I go in some fast food place to get a burger or similar like a MuckyD’s with beeps and whistles emanating from the kitchen bringing me into a state of near paralysis. It really becomes a trial by combat when at a railway station and a “long goods” goes through side climbing the rails, I know I’m at best only going to draw at that one with my fingers in my ears and a dose of the cold sweats.

But the weird thing is those anechoic / sound proof chambers… They are supposed to sound “dead”, to me they sound like the Rio Carnival is passing through.

I’ve in more recent years tried “separately exciting” the mastoid bone via conduction with pink noise and certain selective bands. Whilst it can help you can imagine just how big the equipment is…

The best thing though is “loud music”, especially heavy rock music where the VU meters hardly twitch, it gets you kind of the same effect as oil of cloves/peppermint does when you have a painful tooth. You get a sharp shock then a few minutes blissful relief, trouble is it’s never long enough. But it does have one upside, you can madly “air guitar” on the excuse “it’s research”, just don’t put on the Spandex 😉

Freezing_in_Brazil July 22, 2021 10:10 AM

@ Clive Robinson

to me they sound like the Rio Carnival is passing through.

Man, you really are screwed. Sending confetti sprinkles your way. Get well soon.

JonKnowsNothing July 22, 2021 10:53 AM

@No Spam Please

re: Why the fuss?

I suppose it could be any or all of the following reasons

  • The targeted devices did not belong to NSO Pegasus
  • The devices belonged to people who did not work for or have any direct employment with NSO Pegasus
  • The devices were not paid for or given to the targeted people by NSO Pegasus

Therefore NSO had no “rights, or implied rights or legal use” for the targeted devices. There was no EULA or TOS signed or check-to-agree legal statement that the devices could have NSO Pegasus installed. There was no Device-AppStore offering for NSO Pegasus software through which the software was distributed as a specific AppOffering. Although some sorts of similar software have been found (regularly) on such Device-AppStores but these are removed when the AppStore EULA/TOS/SDK terms are violated. Some AppStores have requirements to deinstall any software found in violation of their terms, which NSO Pegasus did not adhere to.

  • VIP/High Value Persons can be in many categories but the primary ones of interest are members of governments, representatives, military persons, policing services.
  • VIP/High Value Persons in these categories are often privileged to information Not In The Public Domain aka Secret Information
  • Secret Information may include National Security, National Policy, International Trade, Government Procurement Details, Currency Exchanges and other functions of The State
  • NSO Pegasus as a private corporation (although with ties to their national government) would not normally have access to Secret and Restricted Information.
  • NSO Pegasus software is designed to exfiltrate many different types of information from the targeted devices.
  • It is plausible that NSO Pegasus did extract, exfiltrate, such data from targeted devices regardless of VIP category.

Having Secret Restricted information exfiltrated by Governments is an Accepted Exception to the Rule of who can or cannot access such information without prior authorization. Having such information extracted by a private corporation has no protection from these activities.

A similar case might be made against Palantir Technologies, the CIA fronted funding arm for much of Silicon Valley High Tech. For the most part, Palantir Tech is more cautious about such exposures and they hand-off their involvement to Government Agencies which do have the authorization for similar activities.

  • The Security Model of the Internet is such that it cannot be fully secured
  • Every aspect from the hardware through transmission through the devices are vulnerable

Many posts can be found in the archives and in other documents that explain in fine grain detail about every point on the line between one device and another device. The cascade of failings is well documented. They are also often exploited by both criminals and governments. There is no effective difference between the two groups.

There isn’t any fuss here on this blog, because we already know all about it. It is perhaps people like yourself who have not been fully paying attention to the topic and therefore will continue to Pay and Pay and Pay for things that really do not work, are not fit for purpose and put your life and the lives of those around you At Risk.

It’s not new news to us.

===

ht tps://en.wikipedia.org/wiki/Palantir_Technologies
ht tps://en.wikipedia.org/wiki/Palantir_Technologies#U.S._military,_intelligence,_and_police

  • The company is known for three projects in particular: Palantir Gotham, Palantir Metropolis, and Palantir Foundry. Palantir Gotham is used by counter-terrorism analysts at offices in the United States Intelligence Community (USIC) and United States Department of Defense.[6] In the past, Gotham was used by fraud investigators at the Recovery Accountability and Transparency Board, a former US federal agency which operated from 2009 to 2015. Gotham was also used by cyber analysts at Information Warfare Monitor, a Canadian public-private venture which operated from 2003 to 2012. Palantir Metropolis is used by hedge funds, banks, and financial services firms.[7][8] Palantir Foundry is used by corporate clients such as Morgan Stanley, Merck KGaA, Airbus, and Fiat Chrysler Automobiles NV.[9]

(url fractured to prevent autorun)

SpaceLifeForm July 22, 2021 12:46 PM

@ ALL

There are dots that could indicate that the list came out of a COINTEL investigation.

I’ll leave it at that, as I am sure it is ongoing.

from russia with love July 22, 2021 4:02 PM

Another Russian company that pretends to be an ethical cybersecurity company, but collaborates with the Russian government and hands over all their clients’ secrets.

Group-IB

hedgehog July 22, 2021 4:11 PM

@ SpaceLifeForm

‘”We can confirm we obtained a decryptor from a trusted third party but can’t share anymore about the source,” Kaseya’s SVP Corporate Marketing Dana Liedholm told BleepingComputer.’

A$$holes just want to save their a$$ and business pretending to “save the world”.
I wouldn’t be surprised if they collaborated with them from the start.

SpaceLifeForm July 22, 2021 4:58 PM

@ hedgehog

They say they have two third parties.

So, who was the second third party?

Believe me, I have a very short list.

Glomar

hedgehog July 22, 2021 6:01 PM

@ SpaceLifeForm

Me either. Whether the third party is FBI or there’s no third party at all – for Kaseya staying in business is a life and death question after that incident so in order to survive, they had to provide decryption. Otherwise they are dead in the water.

So I guess they coughed up the cash.

SpaceLifeForm July 22, 2021 6:26 PM

@ hedgehog

I doubt there is even a second party that Kaseya is aware of.

They are spinning just like NSO.

Winter July 23, 2021 12:40 AM

@All
“Allegedly, the second third party is Emsisoft.”

Have a look at the timeline:

  • REvil demands $70 million for universal decryptor
  • PotUS calls them a problem and tells Putin it should stop
  • REvil disappears
  • Universal decryptor surfaces

My interpretation: REvil painted a big target on their backs by becoming this visible and a major nuisance. Much more important, they became an embarrassment for PotUS. Now, think of the fates of Pablo Escobar, Osama bin Laden, and other famous criminals who embarrassed US politicians.

I suspect that the people behind REvil made the decision to cut their losses, pack their stuff and stay low for a while while their faces are not yet on a most wanted list. It is not that they cannot open up shop later in a different configuration. Or maybe someone else made that decision for them.

ht tps://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/amp/

After the attack, the threat actors demanded $70 million for a universal decryptor, $5 million for MSPs, and $40,000 for each extension encrypted on a victim’s network.

ht tps://www.techspot.com/news/90332-biden-revil-ransomware-attack-caused-minimal-damage-us.html

Kaseya said that the attack never posed a threat to critical US infrastructure. It comes three weeks after Biden warned President Vladimir Putin that Russia needs to do more when it comes to stopping hackers within the country attacking the US.

On Saturday, Biden said, “The initial thinking was it was not the Russian government but we’re not sure yet.” If that proves to be the case, “I told Putin we would respond.”

ht tps://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/amp/

Soon after, the REvil ransomware gang mysteriously disappeared, and the threat actors shut down their payment sites and infrastructure.

ResearcherZero July 23, 2021 3:56 AM

“a coincidence” claims NSO group over traces of Pegasus found on phones

There is no “coincidence”, this is very well developed spyware with unique IOCs.

hxxps://www.bbc.com/news/technology-57922664

This report documents the forensic traces left on iOS and Android devices following targeting with the Pegasus spyware.

hxxps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

take a look at the implementation here if in doubt

hxxps://info.lookout.com/rs/051-ESQ-475/images/pegasus-exploits-technical-details.pdf

AT July 25, 2021 1:44 PM

@No Spam Please – I have seen you request (several times) some links to primary sources or verifiable evidence, but all you seem to get are regurgitations of what is published in the press.

If you are ever provided with concrete, could you please do us all a favor and share it here?

SpaceLifeForm July 25, 2021 4:19 PM

@ ResearcherZero

I read the lookout link, and I can only conclude that it is a multi-million dollar state action. A lot of work. And that writeup is old, and never mentions SIM, Baseband, or GPU, so one should assume that the newer zero-click exploits probably use the vectors not mentioned.

It appears to me, that all modern exploits involve at least 3 of the following:

GPU
Threading
Race Condition
ASLR bypass
UAF (Use after free)

The attack chains are long and convoluted, but eventually they result in the kernel leaking something, and eventually give the attacker a read primitive and then a write primitive into kernel space.

ASLR is basically security theatre, a determined attacker will get past that.

So, if you want a really secure machine, best to follow KISS. No GPU, no SMT.

No SMT will probably kill off race condition bugs mostly.

Basically, kernels leak and are susceptible to race conditions. I.E., they are full of bugs.

You can really reduce the attack footprint. I’m talking PC though, not a Smartphone. Maybe a Pinephone, but not what most people use.

SpaceLifeForm July 25, 2021 8:00 PM

There are dots between No Such Organization and Front Side Bus.

Don’t ask.

Fla.

R-Squared July 25, 2021 8:19 PM

@ SpaceLifeForm • July 25, 2021 8:00 PM

You are connecting three different things.
And that is for sure “high class” as they call it.

hxxps://www.abovetopsecret.com/

Feed that conspiracy mill some more.

SpaceLifeForm July 26, 2021 1:45 AM

@ R-Squared

I know, it does not sound likely. But two sides of the triangle are pretty strong. The third side still has very hazy dots. Time will tell.

Remember, one player allegedly did not play in the other two backyards.
