More on NSO Group and Cytrox: Two Cyberweapons Arms Manufacturers

Citizen Lab published another report on the spyware used against two Egyptian nationals. One was hacked by NSO Group’s Pegasus spyware. The other was hacked both by Pegasus and by the spyware from another cyberweapons arms manufacturer: Cytrox.

We haven’t heard a lot about Cytrox and its Predator spyware. According to Citizen Lab:

We conducted Internet scanning for Predator spyware servers and found likely Predator customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

Cytrox was reported to be part of Intellexa, the so-called “Star Alliance of spyware,” which was formed to compete with NSO Group, and which describes itself as “EU-based and regulated, with six sites and R&D labs throughout Europe.”

In related news, Google’s Project Zero has published a detailed analysis of NSO Group’s zero-click iMessage exploit: FORCEDENTRY.

Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

By the way, this vulnerability was patched on 13 Sep 2021 in iOS 14.8.

Posted on December 20, 2021 at 9:17 AM (56 Comments)


wumpus December 20, 2021 10:35 AM

Some thoughts:

Where did we get this notion of “nation state availability”? Certainly the “defense” budgets allow the ability to pay vast sums to contractors to produce cyber weapons such as these, but the real capability likely comes from the contractors. If someone gets enough cash flow from the nations listed above (and other corporations and similar organizations both legal and otherwise) it is fairly obvious that such weapons can be produced.

Perhaps they get a few exploits from the NSA and are asked to weaponize it, but I suspect that the contractors are perfectly capable of finding their own exploits (or are simply gaining that capability for the cyber-arms manufacturers above).

I’d also be curious just how much coordination is needed for this type of thing. You’d need hackers of various specialties, and people to handle the government interfaces, but this doesn’t sound too different from any other sort of underground computer operation of old. While cracking down on the legal variant might be politically difficult seeing how they appear more useful to various governments than a danger, it also looks like new organizations would simply pop up again with new names (although if you had full dossiers of the actual hackers involved, you could probably track them and note the various connections they made to track the new “underground” organizations). Keeping out the “old, tracked” hackers would be difficult.

Ted December 20, 2021 1:33 PM

When you don’t coordinate your nice expensive spyware with the vendor, typical compatibility issues turn your slick Porsche Boxster into an everyman’s ride.

From CL:

The iOS payload also contains a _check function, which queries the phone number and the phone’s current locale country code.

If the locale country code is equal to “IL” (the country code for Israel), or the phone number begins with “+972” (the telephone country code for Israel) then the spyware terminates.

However, the method that Predator uses to query the phone number, CTSettingCopyMyPhoneNumber, may not work in recent versions of iOS. We could not determine how (or if) the _check function is called.

But if you don’t mind opening the gates to your own fortress city, then it’s probably good enough.

Clive Robinson December 20, 2021 2:39 PM

@ Ted, ALL,

With regards,

“If the locale country code is equal to “IL” (the country code for Israel), or the phone number begins with “+972” (the telephone country code for Israel) then the spyware terminates.”

Is not a sensible thing for any developer to put in their code, for two obvious reasons,

1, It gives an effective “kill switch”.
2, It is indicative evidence of the code’s origin.

The real problem for a developer is the lack of “search space” in the identifiers.

That is the normal trick to obscure such information is to treat it like we do a “password”. That is push it through a “One Way Function”(OWF) / hash and save the result to use for later comparison. If the OWF/hash is of suitable design the only way to find out what the match is, is by a brute force search, which for a suitably large search space is not going to happen in our lifetimes.

The problem is the actual search space on countries is approximately 8-bit equivalent, which is trivially small to search.

Ted December 20, 2021 3:48 PM

@Clive, ALL

not a sensible thing for any developer to put in their code

It seems so obvious when you say it like that, unless there’s some whole other dimension I’ve missed.

But one could wonder if we are dealing with high-caliber professionals here:

We found two additional suspicious processes that had recently run in this same coalition, named “hooker” and “takePhoto”.


The logs showed that Nour’s phone had been repeatedly compromised with NSO Group’s Pegasus spyware since March 3, 2021.

Why repeatedly? Various government officials had separate moments of self-indulgent disgust at his appeals for a less oppressive regime?

And of course he was hacked with Cytrox’s Predator too.

At a cursory read, I wasn’t immediately sure when each of the attacks were noted as successful?

SpaceLifeForm December 20, 2021 5:18 PM

@ Ted

At a cursory read, I wasn’t immediately sure when each of the attacks were noted as successful?

Likely all of them. There was likely timestamped fingerprints.

Also, consider that Predator may have been a Loss Leader for Pegasus.

Ted December 20, 2021 9:09 PM

TechDirt has some good info and context on the Apple threat notification recently received by Polish prosecutor Ewa Wrzosek.

The twist is that the Polish government has never officially confirmed it has ever acquired NSO malware. But governments rarely discuss surveillance programs, especially their most controversial ones. However, there is a paper trail that suggests at least one government agency is in possession of NSO’s most powerful surveillance tool. [More]

Also here is a tweet from Ewa.

The Red Herring December 20, 2021 10:27 PM

If you have a function that is set to terminate using specific parameters but is never called then how likely would it be a misdirect?

ResearcherZero December 20, 2021 11:17 PM


“the prosecutor is being targeted in retaliation for her attempted investigation by the same government she works for”

It’s a popular pastime in many places. A truly wonderful experience, being targeted. I certainly enjoyed it, and on occasion, still continue to many years later.

Ted December 21, 2021 5:22 AM


Also, consider that Predator may have been a Loss Leader for Pegasus.

That’s an interesting thought. Are some former Pegasus (NSO) customers switching to Predator (Cytrox) after being ‘cut-off’ by NSO?

Could this have happened in Saudi Arabia?

Citizen Lab’s write-up says:

An IP address in Saudi Arabia appears to have begun matching our Cytrox Predator fingerprints at the end of July 2021, and we classify this IP address as that of a likely Predator customer.

NSO Group’s June 30, 2021 transparency report mentions that NSO cut off a client, later reported to be Saudi Arabia by the New York Times, apparently in response to the revelations of spying on Al Jazeera journalists. This may be an indication that Saudi Arabia has switched from Pegasus to Predator.

And then there’s all this complex obfuscation. I know you guys already know this, but I thought this observation was very applicable to the mystery of ‘Cytrox’

Mercenary spyware companies further evade outside scrutiny by employing complex accounting and incorporation techniques familiar to those used by arms traffickers, money launderers, kleptocrats, and corrupt officials.

Haaretz has more on skirting regulations:

Another issue is Dilian’s attempts to enlist veterans of the Israeli intelligence community to companies that do not operate in Israel, and therefore are not under its oversight.

A report published about a year ago by the daily Yedioth Ahronoth described how companies abroad, some that work for Arab countries, try to tempt these young people with huge salaries.

Also, there’s a shell company in Ireland?

The lawsuit also reportedly claimed that “this transfer of Aliada’s activities out of Israel via shell companies, first to the British Virgin Islands and later Ireland, violated both Israeli and foreign defense export control laws.” Intellexa Limited?

Andy December 21, 2021 9:45 AM

Reading that thorough google write-up, the level of sophistication is downright scary. So much so they’re probably treading on the toes – and when caught(then patched)- denying capabilities to our intel services, hence the moves now and backlash. Theoretically possible is one thing, recklessly deployed and active quite another. I’d guess these ‘crown jewel’ type exploits are what the FVEYs would deploy to a tiny select group of adversaries : Assad, Iranian nuclear negotiators, North Korean officials and er.. Angela Merkel?(thank Edward Snowden for that weird revelation). At the crux of it a buffer overflow …again, no wonder C/C++ is rapidly being substituted for the memory safe Rust.

Ted December 21, 2021 9:50 AM

Also, Meta provides a bit more insight into Cytrox, as they recently named it as one of the seven entities they ‘disabled’ on their platform.

Here’s more from their “Threat Report on the Surveillance-for-Hire Industry” released on Dec 16, 2021:

We removed about 300 accounts on Facebook and Instagram linked to Cytrox.

In collaboration with the Citizen Lab … our team at Meta was able to find a vast domain infrastructure that we believe Cytrox used to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media services

They used these domains as part of their phishing and compromise campaigns.

Our findings suggest that Cytrox likely provided services to another threat actor known in the security community as Sphinx, which targeted people in Egypt and its neighboring countries.

Meta says they alerted people who they believe were targeted, and helped them strengthen the security of their accounts.

I’m curious about the alerts and the assistance these people received.

A group of Meta shareholders is calling for an evaluation of the board’s ability to oversee public safety on Meta’s platforms.

Yeah, this type of behavior is really going beyond the pale. Meta should absolutely be coordinating a heavy-weight strategy to address this.

Clive Robinson December 21, 2021 10:04 AM

@ The Red Herring, Ted, ALL,

If you have a function that is set to terminate using specific parameters but is never called then how likely would it be a misdirect?

That rather depends on,

“The Directing Mind”

Which is a human/sociological not technological issue.

As I noted part of the problem is “how to hide it” due to the very small input search space. There are three options,

1, Don’t include such code.
2, Include code unobfuscated.
3, Try some obfuscation.

The last will not really work as there is almost always going to be “a better set of eyes” than the code developer look at the developers code.

So the next question is “why include such working code?”

Well, there are two basic reasons,

1, To keep a Government Happy.
2, To protect yourself.

The first is about “export licences” and “regulators” and in some nations ensuring your code does not make certain agencies unhappy.

The second is a bit more subtle… If somebody takes the “binary” to repurpose from “official surveillance” to criminal type activities, then they are unlikely to patch out the whole sub, or overwrite it effectively. They most likely would just patch a return instruction in at the sub entry point. So there is circumstantial evidence it was an illicit patch rather than developer making a “special” for “illegal activities”. So the developer gets some limited “deniability”.

Which brings us to your point of,

… is never called then how likely would it be a misdirect?

Well if the developer is doing it for deniability, they would if they were sensible, compile with it used, then patch it out in the binary.

However it’s apparent that many such developers are goal oriented rather than risk oriented… Which makes it more likely they will make the changes further back in the development tool chain…

Which acts as a circumstantial tell.

But if a Level III attacker is “false flagging” they are likely to take more care.

But “binary code” is a little like a brick wall, if you start making holes in it, it shows, and even if you fill back with care, there are usually still signs like bricks don’t match etc. That is some things a person patching will miss that can be seen by other eyes.

But it’s increasingly becoming a question of “human -v- machine”. Because it’s more than feasible that an ML system can be trained to spot things that humans do not…

Ted December 21, 2021 10:43 AM

@Clive, The Red Herring, ALL

Because it’s more than feasible that an ML system can be trained to spot things that humans do not…

Yes, that would be an extremely advantageous tool to have. I wonder if such systems are readily available or require an arduous customization process.

I was looking at a table in the Citizen Lab report:

Table 5: Some Cytrox Predator domains impersonating legitimate companies or websites.

And I have to wonder how actively (or on what legal grounds) the impersonated companies get involved?

For example these were some of the impersonating domains:

Google Play Store

Tesla Motors

Clive Robinson December 21, 2021 11:15 AM

@ andy, ALL,

again, no wonder C/C++ is rapidly being substituted for the memory safe Rust.

Languages like rust are not really “memory safe” they just give an illusion of it. It’s a,

“Top down fingers crossed view.”

Consider it this way as a starting point, once an executable is loaded in memory it is just as vulnerable as any other executable on that architecture.

We’ve known since before the 1980’s that low level attacks are not just possible but very difficult to stop. Just search for “DMA attack” with the likes of “Serial bus” and you will see horror stories from the 1980’s onwards[1]. Basically unless other precautions (like IOMMU) are correctly designed and configured an attacker can get at their chosen set of memory locations in the executable.

Whilst DMA attacks require direct access or “evil maid” access the likes of “reach around attacks” can be run in user space even via javascript to get at memory past the hardware and OS protections. The most well known of which is RowHammer which attacks the DRAM common Core memory directly.

All of these hardware and low-level attacks can be viewed like bubbles in a glass of champagne. From invisible beginnings they grow larger as they rise up the computing stack.

There is no high level programming language currently in existence that can stop “bubbling up” attacks on memory.

Some are trying variations of “Hardware tagging” the CHERI system being one. But even it is far from perfect[2]. Some years ago I did some theoretical work, the upshot of which is the bad news that there can be no “memory safety” that can be relied upon in a single CPU architecture (see Castles-v-Prisons / C-v-P / CvP on this blog).

That’s the bottom line with current computer architectures. However you can use other architectures which is what Castle-v-Prison was all about.

[1] For a more modern view on DMA attacks,

[2] Microsoft blog post on CHERI and link to paper,

Ted December 21, 2021 12:58 PM

JSR tweets a FT article.

From that article:

In February 2019, an Israeli woman sat across from the son of Uganda’s president, and made an audacious pitch — would he want to secretly hack any phone in the world?

Why in the heck would NSO allow this? Did they really mean any phone?

I’m seeing ties to the cartoon ‘Pinky and the Brain.’

Pinky: Gee, Brain, what do you want to do tonight?

Brain: The same thing we do every night, Pinky – try to take over the world!”

vas pup December 21, 2021 2:52 PM

“Artificial intelligence and cyber-attacks

China is now fully committed to developing “intelligentized” warfare, or future military methods based on disruptive technologies – especially artificial intelligence, according to the US Department of Defense.

China’s Academy of Military Science has been given a mandate to make sure that this happens, through “civil-military fusion”, in other words joining up Chinese private sector technology companies with the country’s defense industries.

Reports suggest that China may already be using artificial intelligence in military robotics and missile guidance systems, as well as unmanned aerial vehicles and unmanned naval vessels.

China has already conducted large-scale cyber-operations abroad, according to a recent expert assessment.

In July the UK, US and EU accused China of carrying out a major cyber-attack targeting Microsoft Exchange servers.

It is believed that the attack affected at least 30,000 organizations globally and aimed to enable large-scale espionage, including the acquisition of personal information and intellectual property.”


SpaceLifeForm December 21, 2021 3:53 PM

@ Ted

“We checked and she was not a target.”

NSO is spinning into their grave. They specifically told the Court in Apple vs NSO, that they had no way to know who was targeted by the NSO clients.

NSO’s #Pegasus spyware was put on Jamal Khashoggi’s wife’s phone months before his murder.


Ted December 21, 2021 4:41 PM


they had no way to know who was targeted by the NSO clients.

Good one. Also from that tweet 🧵👇

Every #Pegasus spyware abuse is a personal violation, traumatic, and harmful.

I’m thinking this sounds kind of 5-D-esy on the part of the NSO. In Dodgeball terms that’d be dodge, duck, dip, dive, and… (um) dodge again.

Of course, there’s the other 5 D’s

I’ll check it out soon as I can. Thanks for the heads up!

SpaceLifeForm December 21, 2021 7:01 PM

@ Ted

Another thing to keep in mind:

We do not have much public intel regarding how Pegasus exploited Android.

My hunch is that SS7 is involved.

Project Zero has the receipts.

Maybe, this is why various players at NSO no longer want to travel via plane.

It’s not about Covid, but about arrest.

Ted December 21, 2021 8:39 PM


Re: Jamal Khashoggi’s widow and Pegasus

If you have 5 or 6 minutes there was a good video in the WaPo article. It’s so different seeing the real people involved. I’d be curious what you think?

‘Jamal Khashoggi’s widow shares her story: ‘I lost my life’’

Also, how do you think the Citizen Lab researchers knew the URL keystrokes (particularly the typos) that were entered into Hanan Elatr‘s phone to download Pegasus? This happened when she was detained in Dubai in April 2018.

It looks like a FRONTLINE documentary produced with Forbidden Stories is in the works. 👍

SpaceLifeForm December 22, 2021 12:58 AM

@ Ted

Almost certainly, the Chrome browser caught all of the typos and approximate timing between keystrokes (touches on soft keyboard in this case).

Put on your thinking cap.

That is all.

Weather December 22, 2021 1:25 AM

I’m thinking they caught the crash but can’t RE the actual cause. Happens a lot, there are groups out there that can do RE, finding them on the inet is hard, but can be done.

Clive Robinson December 22, 2021 7:49 AM

@ SpaceLifeForm, Ted, Weather,

Put on your thinking cap.

That’s a bit mean 😉

Oh and a “Thinking cap” is no good it needs to be a helmet at the very least… Read on to find out why.

I remember the shock it caused on this blog when I mentioned that Google were doing “user identification / enumeration” via javascript when you typed in a search query. As one of the reasons I turned javascript off.

Google obviously got “fed up” with losing what they consider “valuable data” so now even though it is not needed –as can be demonstrated– they force you to turn javascript on to use their search engine. User “enumeration” is just another “hidden issue” behind all those “Prove your human” systems…

It still amazes me at how many people still think Google is not evil to the core… As their senior management know what I’m about to tell you, and they don’t want the potential legal disaster that could result.

Because of the way Google gets those “user enumeration timings” so does GCHQ, the NSA, and quite a few other SigInt agencies and even some private organisations like large wide area network providers.

So just take that user enumerated timing which is in “real time” and add General Hayden’s words of “we kill on meta-data” into the mix…

And realise why “collect it all” is about rather more than “data”, it’s also about illegally locating people and the IP address they are on and then back tracing their location even easily through Tor in real time… For the US global franchise “Hellfire4U” special delivery service.

Ted December 22, 2021 7:56 AM


Tesla motor stood out, why have you lot gone quiet?

Righty-o. What do you think the significance of these impersonated domains are, particularly Tesla?

Citizen Lab’s (I’m assuming partial) list of impersonated domains in Table 5 was:

Apple, Fox News, Google Play Store, Instagram, LinkedIn, Sephora, Tesla Motors, Twitter, WhatsApp, XNSS, and YouTube (my retyping here)

It looks like these domains would have a stronger home base in the west, even more so than Egypt, but maybe I am wrong.

Also, it’s completely breathtaking that clicking on a single URL could install Pegasus (or Predator) on one’s phone.

Also, about Tesla. If these nasty, sophisticated exploits can get into our phones, what’s off limits? Do you think the larger spy agencies are doing everything they can to reel in the unruly, and possibly very pissed off, alternate players?

Ted December 22, 2021 8:34 AM

@Clive, SpaceLifeForm, Winter, ALL

Re: JavaScript

Oh and a “Thinking cap” is no good it needs to be a helmet at the very least…

Touché 🙂

I’m lobbing a bit of text from the CL article your way. Does this make sense to you?

If the phone’s battery level is adequate, then the automation downloads JavaScript code from the spyware server and substitutes this code into a block of HTML contained in the shortcut.

[Technical detail]

This presumably triggers the exploit and results in the installation of the Predator spyware.

Clive Robinson December 22, 2021 1:50 PM

@ Ted,

I was serious about the helmet, meta-data is the way some people kill others, and they do not care a jot about collateral damage, in fact the opposite they give all the signs they revel in it…

But onto other things.

The “if battery level” is sort of self explanatory they don’t want a part download left on the device to be found later by somebody that knows what they are looking at…

Then the interesting bit, the web page downloaded by the browser following the link shortcut gets the separately downloaded javascript loaded into the page prior to the browser getting the page.

The end result in the browser is as if the browser had downloaded a page with bad javascript in it.

However that javascript came from an earlier non browser related download.

Which tells me we are missing some information such as if the javascript was encrypted or obfuscated in some way as to avoid a simple AV or other scanner looking for bad javascript.

Ted December 22, 2021 2:55 PM


Which tells me we are missing some information such as if the javascript was encrypted or obfuscated in some way as to avoid a simple AV or other scanner looking for bad javascript.

Hmm. This got technical kind of quick didn’t it?

It’s interesting that CL said:

We were unable to obtain this JavaScript code.

And they also said:

The HTML in the shortcut also contains a JavaScript function “make_bogus_transform” which appears to create an XSLT transformation that may be invoked by the downloaded JavaScript code.

And then:

The HTML code with the substituted JavaScript is then Base64-encoded, its contents are prepended with “data:text/html,” and then the automation passes this URL to WebKit to render.

If you notice all the bolded words. These are all the things I wish I knew more about. But just to start, have you ever heard of the JavaScript function “make_bogus_transform”?

I wonder if this is a good question for a programmer?
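
The data: URL construction quoted above, worked through as an added example. This is not code from Citizen Lab, Cytrox or WebKit: it is a small inspector for the kind of URL the report describes (HTML with the downloaded JavaScript spliced in, Base64-encoded, prefixed with “data:text/html,” and handed to WebKit). The sample HTML is constructed here; the only identifier taken from the report is the function name “make_bogus_transform”, used as a marker to look for. One assumption is flagged in the code: the report quotes the bare “data:text/html,” prefix with no “;base64” parameter, so the decoder treats a body as Base64 when it looks like Base64 and as percent-encoded text otherwise.

```javascript
// Added example, not code from Citizen Lab, Cytrox or WebKit: decode and
// triage a data: URL of the shape the report describes. Sample input is
// constructed; "make_bogus_transform" is the only name from the report.

// Decode the payload of a data: URL. Handles both ";base64" and the bare
// "data:text/html," form the report quotes. Assumption: with no ";base64"
// parameter, a body that looks like Base64 is decoded as Base64,
// otherwise it is treated as percent-encoded text (RFC 2397 behaviour).
function decodeDataUrl(url) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/s.exec(url);
  if (!m) throw new Error('not a data: URL');
  const [, mediaType, b64flag, body] = m;
  const text = (b64flag || looksLikeBase64(body))
    ? Buffer.from(body, 'base64').toString('utf8')
    : decodeURIComponent(body);
  return { mediaType: mediaType || 'text/plain', text };
}

function looksLikeBase64(s) {
  return s.length > 0 && s.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(s);
}

// Pull out inline <script> bodies from the decoded HTML.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Names of functions declared with the `function` keyword in a script.
function definedFunctions(js) {
  const names = new Set();
  const re = /\bfunction\s+([A-Za-z_$][\w$]*)\s*\(/g;
  let m;
  while ((m = re.exec(js)) !== null) names.add(m[1]);
  return [...names];
}

// Triage: HTML rendered from a data: URL, carrying inline script that
// declares one of the marker functions, is flagged as suspicious.
function triageDataUrl(url, markers = ['make_bogus_transform']) {
  const { mediaType, text } = decodeDataUrl(url);
  const scripts = extractScripts(text);
  const fns = scripts.flatMap(definedFunctions);
  const markerHits = markers.filter((mk) => fns.includes(mk));
  return {
    mediaType,
    scriptCount: scripts.length,
    functions: fns,
    markerHits,
    suspicious: mediaType.startsWith('text/html') && scripts.length > 0 && markerHits.length > 0,
  };
}

// Constructed sample: the shape of the shortcut HTML as described, with a
// placeholder where the downloaded exploit JavaScript would be spliced in.
const SAMPLE_HTML = [
  '<html><body><script>',
  'function make_bogus_transform() { /* would create an XSLT transformation */ }',
  '/* <downloaded JavaScript would be substituted here> */',
  '</script></body></html>',
].join('\n');

// Base64-encode and prepend "data:text/html," exactly as the report states.
const SAMPLE_DATA_URL = 'data:text/html,' + Buffer.from(SAMPLE_HTML, 'utf8').toString('base64');

console.log(triageDataUrl(SAMPLE_DATA_URL));
```

On a device this is the sort of check you would run over anything a Shortcuts automation or a browser history hands to WebKit as a data: URL: the encoding hides the page from a naive string search for “<script>”, but decoding is one line, and the marker function the report names survives the Base64 layer intact.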

Clive Robinson December 22, 2021 4:34 PM

@ Ted,

Hmm. This got technical kind of quick didn’t it?

It’s mainly what we do when there is something worth getting an aging fang into… So much ICTsec “news” these days is “same old same old with lipstick of a different shade slapped on” 🙁

With regards “make_bogus_transform” if you haven’t seen it before it’s time to do a little “Open Source intelligence”(OSint)…

That is do a search on it as is. If nothing comes up –which it does not– then do a little lateral thinking…

So we could make an assumption, that “make_bogus_transform” could be just a tag that is not likely to come up in any other HTML page, and acts as an “anchor point”.

Whilst that is the most likely explanation, let’s assume it’s wrong so we need to dig a little further.

It looks like a function name a developer might come up with. So as javascript pretends to be “Object Oriented”(OO) and OO developers are creatures of habit, let’s strip it down/out and search for “javascript transform”. You start to get some information, have a skim read looking for “key” words and phrases. But also try searching not just for “javascript transform” but “CSS transform”. What do you get to read?

Basically you get similar blurb that says something along the lines of,

“The transform() method lets you scale, rotate, move, and skew the current context.

The transform() method changes the current transformation matrix, by multiplying the current transformation matrix with the matrix described by a three by three matrix with a bottom row of 001, so only six elements are required. These elements are top row “abc” middle row “def” and they are passed


Note: The transformation will only affect drawings made after the transform() method is called.”

The thing to note is the word “matrix” they are a great place to hide apparently random data.

In fact they have been used as a cryptographic primitive in the “Hill cipher”,

So you can assume (a,b,c,d,e,f) is a place you can hide any values you might want to without it raising much if any suspicion.

In fact 2D and 3D objects can be described in various ways. Two such are as a “Wireframe” of connected points and as “individual polygons” located on a coordinate frame. These can be very large binary data objects. And as HTML is a “plain text” format, you need to convert binary data to ASCII representation which is what “Base64 encoding” does. In,

You will find,

“Common to all binary-to-text encoding schemes, Base64 is designed to carry data stored in binary formats across channels that only reliably support text content. Base64 is particularly prevalent on the World Wide Web[1] where one of its uses is the ability to embed image files or other binary assets inside textual assets such as HTML and CSS files.[2]”

So you can use it to “store random data” or use it as a way to “place padding” that will later be over written.

Now I’m not saying any of the above is what is the case, but it does tell you “what it might be” “within the bounds of reasonable possibility”. So you then need to do the old “Scientific method” of,

“Observe, hypothesize, test and loop until true, repeat with a different data set”

If you do it enough times you can arrive at valid conclusions.

As you can see OSint can teach you a lot, but it can also “take you into a maze of twisty little passages”, where you feel you are in the dark and being “treated like a mushroom”[1]. This gets less and less with practice as you start to develop a sort of sixth sense that our host @Bruce calls “Thinking Hinky” and others call “Earning your stones” or equivalent.

But something else the process teaches you, is how you might go about doing something similar yourself. Take cryptography as has been observed “anyone can design a clever-looking cipher” but how do you know it’s any good? Well you first have to learn how to break ciphers, that is how cryptanalysis is carried out. When you have not just a good feel for it but a good command of cryptanalysis, then you can design systems to block each attack method or make them too difficult to carry out (i.e. a “brute force search” is prevented by in part a large enough key space).

[1] It’s a joke that used to appear on both sweat-shirts and tee-shirts with two captions, the first being something like “Politicians treat us like mushrooms” above a picture of unhappy looking mushrooms and underneath a second caption of “They keep us in the dark and feed us bull 5h1t”

ResearcherZero December 22, 2021 7:41 PM

@Ted, Clive @ALL

It’s not likely that anyone would knowingly abuse their power using these tools though is it? If they were to abuse their power I assume it would be purely by accident, and what’s the worst that could happen?

For example:

“It is alarming that, instead of accepting the Committee’s recommendations and allowing time for scrutiny of subsequent amendments, the Morrison Government rushed these laws through Parliament in less than 24 hours.”

When presented with such warrant from the Administrative Appeals Tribunal, Australian companies, system administrators etc. must comply, and actively help the police to modify, add, copy, or delete the data of a person under investigation.

The three types of content moderation methods assessed in the report involve different technical approaches, but they share one crucial thing in common: they put the security of billions of people and nations worldwide at risk.

“With similar policies being introduced in other countries, we could potentially see these economic consequences extending globally in addition to compromised security and privacy of billions of people worldwide. It is vital governments take a step back and implement a rigorous assessment of the potential impact of these policies before they’re enacted so that we can avoid potential economic harm.”

“Australia lacks a robust human rights framework that would provide adequate protection against the abuse of the powers contained in this Bill.”

The definitions also capture a range of offences that are wholly unrelated to the purpose of the Bill stated in the Explanatory Memorandum; in such circumstances, the use of these warrants is unlikely to be proportionate.

The breadth of these definitions means that the Warrants can be used to target relatively minor criminal activities, such as theft, as well as the activities of individuals acting in the public interest, such as whistleblowers.

In theory, at least, the police could put something like child exploitation images onto your computer. While something like this is not the intention of the bill, there are also no significant safeguards against it.

For example, under the current definitions a warrant can be deployed where:

• a person posts content on social media that is deemed menacing, harassing or offensive

• a person dishonestly takes, conceals or tampers with post;

• a person dishonestly obtains cheaper internet;

• a person marries two other people;

• a person alters a registered trade mark without permission;

• a person owns a whale or dolphin that has been unlawfully imported;

• a person organises a protest activity involving breaking into a farm;

• a whistleblower communicates information obtained under a surveillance warrant in a way that prejudices an investigation;

• a whistleblower discloses information relating to the “assistance and access” regime in the Telecommunications Act;

• a lawyer or journalist assists a government whistleblower to uncover wrongdoing, in a manner deemed to constitute “incitement”.

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 gives the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new powers for dealing with online crime:

Data disruption warrant: "disrupt data" by modifying, copying, adding, or deleting it.

Network activity warrant: collect intelligence from devices or networks that are used, or likely to be used, by those subject to the warrant.

Account takeover warrant: take control of an online account (e.g. social media) for the purposes of gathering information for an investigation.

Ted December 22, 2021 8:45 PM


Re: military-grade spyware and javascript

Call me totally impressed at your approach to unpacking some very top-shelf software engineering! I would like to spend more time looking over your thoughts, but don’t know if I’ll have much more to add.

Your attention and thoughtfulness on these matters is so fun and appreciated!

“Politicians treat us like mushrooms…”

Lol for the win!! 😆🍄

Ted December 22, 2021 10:46 PM


Black Hat security conference & Amnesty’s forensic analysis

Those are Awesome! Thank you so much! I just watched the Amnesty video and love how much detail they were able to provide about the forensic analysis.

I am also very much enjoying the print article that corresponds with the video.

I will watch the Black Hat presentation too. That is just so incredibly thoughtful! Thank you again!! 🙂

ResearcherZero December 22, 2021 11:26 PM


This article references the capability of Pegasus and the knowledge and skill set needed to build it.

“For example, when Google reverse-engineered the hack used against American diplomats in Uganda, it found an elegant, tiny piece of code that adapted software from 1990s Xerox machines to fit a so-called Turing machine—essentially a complete computer—into a single GIF file.”

“Pretty incredible, and at the same time, pretty terrifying,” said Google’s engineers. “Wow. Just wow,” tweeted Yaniv Erlich, an Israeli professor of computer science at Columbia University.

“You can count on one hand the number of teams in the world that could create something like that,” said John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which found the malware and brought it to Apple’s attention.

SpaceLifeForm December 22, 2021 11:31 PM

URL tells you what this is about


Ted December 22, 2021 11:43 PM

@ResearcherZero, SpaceLifeForm, ALL

Magnifique! I’m messing around with a blogspot. I will save those links there so I can remember to read them. Thank you! 🙌

JonKnowsNothing December 23, 2021 12:30 AM

@ResearcherZero, @Ted, @All

re: Old coders with new hacks

“For example, when Google reverse-engineered the hack used against American diplomats in Uganda, it found an elegant, tiny piece of code that adapted software from 1990s Xerox machines … .”


When one of the major western secret surveillance software implants was exposed, there was a very odd bit of code, that the researchers didn’t recognize.

It took a good bit of digging but the code style was from decades earlier and that style was no longer in use or taught. The language was obsolete too. Based on the time period for that type of coding and language, they made some interesting assertions about the coder:

  • An old dude/dudette
  • Learned in an odd language(s)
  • Worked for the 3L/5EY and/or Chums

Old dogs know more tricks than the young dogs. They just don’t bother to chase the ball anymore.

ResearcherZero December 23, 2021 1:52 AM

from ‘Apple v. NSO Group: How will it affect security researchers?’

“A security researcher who is accused of ‘breaking the terms and conditions’ of a service within the same country as the software provider would have one less legal layer to protect themselves,”

The legal implications for researchers will come down to how the Computer Fraud and Abuse Act (CFAA), which Cohn described as a “ridiculously bad law, even when it was written,” is interpreted.

“I think it is absolutely possible, and important, that the CFAA be interpreted in a way that really aims at the folks who are supplying this technology to repressive governments knowing that it’s going to be misused, and not to the very people who brought us this news about the Pegasus papers, Citizen Lab and other security researchers,” Cohn said. “So it takes a little careful parsing to make sure that you get this right, but it’s doable.”

…However, the CFAA in relation to this lawsuit presents several questions for Cohn, including: Who gets to do that authorizing? It is a central piece, she said, not only because users are on other peoples’ computers constantly, but the software is also owned by other companies. In this instance, will authorization be up to the user, or to Apple?

If it continues to be the user who can hack their own devices or give permission to someone else to do so, then Cohn said there will be a wide lane for security researchers, which is good.

“If Apple becomes the person who gets to decide what they do on your device, that would be a misreading of the complaint. This isn’t what Apple has said, but this is where some of the confusion lies in this very big statute,” Cohn said.

…The case’s potential side effects on security researchers, according to Pfefferkorn, demonstrate that the CFAA, like the Digital Millennium Copyright Act (DMCA) statute at issue in another Apple lawsuit, both need to be amended by Congress in order to protect good-faith security research.

In 2019, Apple sued Corellium, a vendor that provides mobile penetration testing and security research. Apple alleged that Corellium “infringed Apple’s copyrights in iOS and circumvented its security measures in violation of the federal Digital Millennium Copyright Act (DMCA).” Corellium denied the allegations, and Apple dropped the lawsuit this year.

There is some suspicion, Pfefferkorn said, that part of Apple’s motivation behind the NSO lawsuit may be to relitigate its claims against Corellium, this time against a less sympathetic defendant.

…Sony sued an individual, George Hotz, for hacking into his own PlayStation3 and accused him of “jailbreaking” the device.

“It relied on the CFAA and the DMCA, and Sony ultimately prevailed on a temporary injunction on the DMCA claim,” Tuma said in an email to SearchSecurity. “Since that time the CFAA has come a long way and I think is much stronger today, in this case, than it was back in 2011, especially considering how integrated the Apple devices and iOS are with Apple’s network’s servers, which makes the case much stronger for an ‘unauthorized access’ to Apple’s devices.”

If this application of the CFAA is done correctly in Apple v. NSO, Cohn said it can be good.

“That’s not something we say all the time,” she said. “I hope other companies will follow suit.”

… “It’s not something I think we can prevent entirely, but we can make this business model illicit and that’s what we need to do,”

Clive Robinson December 23, 2021 2:39 AM

@ JonKnowsNothing, SpaceLifeForm, ALL,

Old dogs know more tricks than the young dogs. They just don’t bother to chase the ball anymore.

The new dogs can’t see so don’t even know about the old ball, because it came without bells and whistles, they need.

For instance, who else remembers something as recent as Forth built into boot ROMs so IO hardware drivers could be on the card for all OSs?

Have a look at IEEE 1275-1994

It’s based on work done by Sun in the early, almost pre-PCI, days of the 1990s.

You might need to know what PostScript is and how to read it though…

ResearcherZero December 23, 2021 4:32 AM


“The suggestion that Polish services used operational methods for political ends is unjustified,” said Stanislaw Zaryn, spokesman for the ministry in charge of the secret services.

Roman Giertych, a lawyer involved in several cases against the ruling Law and Justice (PiS) party, told Gazeta Wyborcza that Poland was using the spyware “to fight the democratic opposition”.

“Using this type of programme to fight the opposition completely eliminates the sense of democratic elections,” he said, explaining that the spyware was used ahead of the 2019 elections.

Ewa Wrzosek, a prosecutor and opposition figure, also said the spyware had been used against her. She had been alerted by Apple, she added.

Citizen Lab, a cyber-security watchdog based in Canada, confirmed it had looked into the use of Pegasus against Giertych and Wrzosek.

“We conducted these investigations and provided confirmation to the two named individuals that they were repeatedly infected with Pegasus spyware,” John Scott Railton, a senior researcher at Citizen Lab, told AFP.

The Polish channel TVN in 2019 reported that the country’s anti-corruption agency had spent 7.6 million euros ($8.6 million) on phone spyware.

Zaryn said Tuesday the activities of “operational control” were carried out in accordance with the law only after obtaining the consent of the Prosecutor General and a court order.

A Polish state security spokesman, Stanislaw Zaryn, would neither confirm nor deny whether the government ordered the hacks or is an NSO customer.

Zaryn did not comment on whether the two matters might be related. He said Poland conducts surveillance only after obtaining court orders.

An NSO spokesperson said Monday that the company is a “software provider, the company does not operate the technology nor is the company privy to who the targets are and to the data collected by the customers.” Citizen Lab and Amnesty International researchers say, however, that NSO appears to maintain the infection infrastructure.

The company spokesperson also called the allegations of Polish misuse of Pegasus unclear: “Once a democratic country lawfully, following due process, uses tools to investigate a person suspected in committing a crime, this would not be considered a misuse of such tools by any means.”

@Clive Robinson

I removed a keylogger from my brother’s phone, and rather than thank me, he wanted to know how I knew it was there. He then claimed I hacked him in the process of scanning his phone and removing the malware from his phone and PC.

My brother removed any security policies and software that imposed difficulty on his need to insecurely broadcast and serve files from his home network. He was happy to receive free service and equipment from me, but not a fan of remote administration, even though he requested license keys from me, rather than pay for his own software.
The benefit of paying for the software is that you get to administer the users. My brother should have read the documentation, and considered that, although generous, I am not a charity specializing in free computer repairs, and that I don’t get hardware and software for free.

SpaceLifeForm December 23, 2021 3:27 PM

@ JonKnowsNothing, Clive, ALL

Old dogs know more tricks than the young dogs. They just don’t bother to chase the ball anymore.

Old dogs also avoid chasing a ball willy-nilly at full speed. They know there are rabbit holes in the path. They will slowly and carefully tread. The ball will be retrieved in due time.

JonKnowsNothing December 23, 2021 5:36 PM

@SpaceLifeForm, @Clive, @ALL

re: Old dogs also avoid chasing a ball willy-nilly at full speed. They know there are rabbit holes in the path. They will slowly and carefully tread. The ball will be retrieved in due time.

iirc(badly) Old Story tl;dr

A story about a new keeper at the zoo, back when keepers were THE caretakers of the animals before ZooVets became ZooGods.

A zoo wolf pen had a few escape artist wolves that found many clever ways of going walkabout inside the zoo perimeter. (1)

A new keeper spotted a walkabout wolf and got very excited, ready to chase the animal.

The old keeper said “STOP! Coffee first, THEN Wolf”…

The wolves returned to their pens on their own, when dinner was served. There wasn’t any need to chase them.


  1. It’s not uncommon to have double fence barriers. There was a secondary perimeter around the areas just to prevent walkabouts from going too far.

Some years later, the wolf pen got rebuilt and the wolves no longer got to go walkabout.

Clive Robinson December 24, 2021 3:02 AM

@ JonKnowsNothing,

Some years later, the wolf pen got rebuilt and the wolves no longer got to go walkabout.

That’s a shame.

Wolves get a very bad and undeserved reputation from lazy humans.

Like foxes they can be a bit of a nuisance from time to time, but they generally do not attack humans without cause.

It’s also fairly easy to train them to not touch “livestock” and unlike dogs, you don’t have to train them all individually, just train a couple in an area and the message goes around to the other wolves.

I used to know someone thirty years or so ago who had a funny story about wolves. They traveled as a student and then earned money at it by writing for travel guides, which is a great thing to do in your twenties. They had gone up to a fairly remote area and were staying with a North American Indian family way up in timber land. There was a “once a week bus in the summer”… Well, the day of leaving arrived and the family had lots to do, so they were up and out early, but let my friend stay as it was some time till it was time to walk to the bus.

Imagine the father’s and sons’ surprise on returning much later in the day to find my friend’s back pack and other gear outside on the porch with the door open and her still in the house, but hiding and somewhat scared and anxious. So they sat my friend down and asked her what had happened. She explained that she had carried her stuff out before making a last coffee and clearing up; when she opened the door there was a very large wolf on the porch, she panicked and went and hid. The wolf just got comfortable by the door and she was too frightened to go anywhere near the door, so she was trapped.

My friend was shocked when the father started to laugh gently and the son was grinning widely. He explained that the wolf, who they had a name for although wild, was like a family pet, and it would drop by to be sociable mostly when other people were not around. The father then said she should feel proud that the wolf accepted her as part of the family. But by then the bus was long gone for that week and my friend decided it was easier to just stay another week. As a result she had a rather nice enlarged photo of her sitting next to the wolf on the porch, sharing her lunch and the warm afternoon sunshine, hung above the fireplace in the living room of her flat.
I sometimes wonder what she is up to; she got engaged to an Australian bloke I worked with and they went to Auz for a year, planning to come back and “Do Europe”, but changed plans and got married and did South America instead. As far as I know they are either still there or back in Auz.

Ruben December 26, 2021 8:19 PM

Wouldn’t it be kind of obvious to embed any comments in the language of some other nation? I mean that is what I would do on any copies released in the wild.

And in any case do not embed them in English. Use Hebrew if you have to and happen to have an Israeli dev team.

Ted December 26, 2021 9:05 PM


Wouldn’t it be kind of obvious to embed any comments in the language of some other nation?

What do you think about this?

Note: a great way to find Chinese characters in a file system is by running the following command:

pcre2grep -r -n '[^\x00-\x7f]' .

Chinese characters are usually hidden in unicode, and IDEs don’t recognize the characters unless you change the detection.

lurker December 27, 2021 12:21 AM


pcre2grep -r -n '[^\x00-\x7f]'

is a handy tool to find any characters which are not in the first 256 code positions, i.e. roughly all non-Western-European scripts, not just Chinese.

As for

Chinese characters are usually hidden in unicode, and IDEs don’t recognize the characters unless you change the detection.

there are some folks who say an IDE should never do more than 7-bit ASCII, and they miss out on all this fun…
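As an added example (not code from the page or from any of the commenters), here is the check Ted and lurker are discussing, done per code point in Python. pcre2grep's `[^\x00-\x7f]` matches every byte above 0x7F, i.e. anything outside 7-bit ASCII, so on UTF-8 source it fires on Chinese, Hebrew, Cyrillic and accented Latin alike, and also on invisible format characters such as bidirectional overrides that an editor will not display. The script labels each hit by script using the Unicode character name and flags the invisible ones separately; the four sample "files" are constructed for the example, and `scan_directory` is the same logic over a real tree.

```python
import os
import unicodedata
from collections import Counter

# Constructed sample "files" (not from the original page): a clean C file, one with a
# Chinese comment, one with a Hebrew comment, and one carrying an invisible bidi override.
SAMPLES = {
    "clean.c": "int main(void) { return 0; }\n",
    "cn_comment.c": "int x = 1; // 初始化变量\n",
    "he_comment.js": "let y = 2; // משתנה\n",
    "bidi.py": "x = 'abc' \u202e# looks harmless\n",
}

# Unicode name prefixes mapped to a coarse script label.
_SCRIPT_PREFIXES = (
    ("CJK", "Han"), ("HIRAGANA", "Japanese"), ("KATAKANA", "Japanese"),
    ("HANGUL", "Hangul"), ("HEBREW", "Hebrew"), ("ARABIC", "Arabic"),
    ("CYRILLIC", "Cyrillic"), ("GREEK", "Greek"), ("LATIN", "Latin"),
)


def script_of(ch: str) -> str:
    """Label one non-ASCII code point by script, flagging invisible format/control characters."""
    cat = unicodedata.category(ch)
    if cat == "Cs":          # lone surrogate: what surrogateescape produces for undecodable bytes
        return "UNDECODABLE-BYTE"
    if cat in ("Cf", "Cc", "Zl", "Zp"):   # e.g. U+202E RIGHT-TO-LEFT OVERRIDE, zero-width chars
        return "FORMAT/CONTROL"
    name = unicodedata.name(ch, "")
    for prefix, label in _SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return label
    return "Other"


def scan_text(text: str) -> list:
    """Return (line, column, char, label) for each code point outside 7-bit ASCII."""
    # Same test as pcre2grep's [^\x00-\x7f], but applied per code point rather than per
    # byte, so a 3-byte UTF-8 character is reported once instead of three times.
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) > 0x7F:
                hits.append((lineno, col, ch, script_of(ch)))
    return hits


def summarize(files: dict) -> dict:
    """Per file, count non-ASCII code points by script label (empty dict means pure ASCII)."""
    return {name: dict(Counter(label for _, _, _, label in scan_text(text)))
            for name, text in files.items()}


def scan_directory(root: str) -> dict:
    """Walk a real directory tree and summarize every file; undecodable bytes are kept as
    surrogates so they show up as UNDECODABLE-BYTE instead of aborting the scan."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                files[path] = fh.read()
    return summarize(files)


if __name__ == "__main__":
    for name, counts in summarize(SAMPLES).items():
        print(f"{name:15} {counts or 'ASCII only'}")
    for line, col, ch, label in scan_text(SAMPLES["bidi.py"]):
        print(f"bidi.py:{line}:{col} U+{ord(ch):04X} {label}")
```

The FORMAT/CONTROL bucket is the one to look at first in a code review: a Chinese or Hebrew comment is visible and merely tells you something about the authors, whereas a bidirectional override or zero-width character is invisible in most editors and can make displayed source differ from what the compiler reads.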

Ted December 27, 2021 2:47 AM

@lurker, SpaceLifeForm

Re: Pegasus research

It’s just so much. Here’s a tweet from someone who does a podcast.

Pegasus continues to be a topic worth discussing. We have a couple of podcast episodes around this, and I am sure we will be discussing this more this week as we are seeing Pegasus being used stateside.

  • Episode 37 – PEGASUS ID and more with Jonathan Scott
  • Episode 29 – Identifying NSO Pegasus breaches with CrowdStrike Mobile …

I started listening to episode 37. At minute 13 Jonathan talks about SIM cards and Java, at minute 27 he talks about the APKs that are written in Chinese.

I may listen to more while doing chores around the house. We’ll see.

@lurker: there are some folks who say an IDE should never do more than 7-bit ASCII, and they miss out on all this fun…

I hope someone ends up explaining this, bc whoosh – over my head.

lurker December 28, 2021 9:30 PM

@SpaceLifeForm, @Ted

Java Card gives users the ability to program a device…

My mind is boggled…

vas pup December 30, 2021 6:02 PM

What does future warfare look like? It’s here already

“Meaning what, in practice? Well, almost the first things that would happen in any hostilities would be massive cyber attacks by both sides. There’d be attempts to “blind” the other by knocking out communications, including satellites, or even cutting the vital undersea cables that carry data.

I asked Franz-Stefan Gady, a specialist on future warfare at the IISS, what this would mean for you and me, here on the ground. Could our phones suddenly stop working, petrol stations run dry and food distribution get thrown into chaos?

“In all likelihood, yes,” he says. “Because great powers are massively investing not only in offensive cyber capabilities but also in electronic warfare capabilities that can jam satellites and bring down communication. So not just the military but societies overall will be a prime target in future conflict.”

ResearcherZero December 30, 2021 8:59 PM

@vas pup

It’s been well prepared for too. We started finding backdoors placed into exchanges and other critical infrastructure at least in 2010, and then seeing testing of capabilities after that. Small scale power outages, things of that nature. Fun for the entire family.

ResearcherZero January 2, 2022 6:43 PM

“I don’t want a back door,” Rogers, the director of the nation’s top electronic spy agency, said during a speech at Princeton University, using a tech industry term for covert measures to bypass device security. “I want a front door. And I want the front door to have multiple locks. Big locks.”

The technique requires a complex set of separate boxes or systems to carry the keys, recombine them and destroy the new key once it has been used. “Get any part of that wrong,” said Johns Hopkins University cryptologist Matthew Green, “and all your guarantees go out the window.”

“There’s no way to do this where you don’t have unintentional vulnerabilities.”

The keys to those magic locks eventually find their way to Russia, cartels, and other organizations with death squads, long before they are obtained and released publicly.

Leaked emails also suggest Hacking Team was not always in control of the products it sold, and that its clients might have abused them in Panama.

“I just got word from Robotec that the system we installed in Panama had gone missing,” Hacking Team’s then-salesperson Alex Velasco wrote in an email to the company’s higher ups, who seemed taken aback by the incident.

Velasco wrote back that an individual named Hugo, presumably a local liaison, told him that Hacking Team’s equipment “disappeared from the office after the presidential election, and before the new president moved in.”

“All Hugo told me is that they are looking for it and can not find it,” Velasco said, according to the emails. “This happened with the presidential change.”

As many as 25 private companies – including the Israeli company NSO Group and the Italian firm Hacking Team – have sold surveillance software to Mexican federal and state police forces, but there is little or no regulation of the sector – and no way to control where the spyware ends up, said the officials.

“It’s a free-for-all,” the official told the Cartel Project, an initiative coordinated by Forbidden Stories, a global network of investigative journalists whose mission is to continue the work of reporters who are threatened, censored or killed. “The police who have the technology would just sell it to the cartels.”

a Mexican intermediary DTXT Corp. kept RCS software instead of giving it to the federal police— who were the presumed customers. Hacking Team employees asked repeatedly for the signed end-user license agreement to be returned, but without success. One year later, an employee wrote in a general note that “it seems like it [is] a common thing in Mexico.”

Javier Valdez Cárdenas was murdered, his wife, journalist Griselda Triana, was also targeted with multiple infection attempts using NSO Group’s Pegasus malware.

Javier Valdez’s colleagues were among more than two dozen Mexican and American citizens targeted with Pegasus spyware by Mexican NSO Group customers.

“The company, in fact, has ‘a backdoor’ into every customer’s software, giving it ability to suspend it or shut it down—something that even customers aren’t told about,”

The problem is, “it’s not feasible,” says Soghoian. “It’s a fantasy proposal and the reason they can make it with a straight face is because they don’t know anything about technology and most of the people they’re speaking to don’t know anything about it either.”

It’s a theory that might work in the classroom, he adds, but not in practice. “People are going to have to use it and they’re going to be using it on a regular basis. It’s going to have to be accessible… No technical expert would ever build this into their own system voluntarily.”

Martin J. Muench, a Gamma Group managing director, will deliver a presentation titled “Government I.T. Intrusion: Applied Hacking Techniques Used by Governments.” After his presentation, three Hacking Team executives will talk about their latest government-grade surveillance technology. October 10, 2012

The researchers identified 21 countries linked to the spyware: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan.

new files reveal previously unknown customers, such as the FBI, Spain, Chile, Australia, Russia, as well as new details of known customers such as Sudan, a country where Hacking Team was likely legally barred from selling, due to international sanctions and embargoes.

Newly released e-mails from Hacking Team, the now-embattled Italian spyware firm that sold what it claims is lawful intercept software to companies and governments, definitively show that it sold its Remote Control System surveillance software to the Federal Security Service of the Russian Federation (FSB), the successor agency to the KGB.

Hacking Team sold to Advanced Monitoring, which then sold to Kvant, which in turn presumably provided the software to the FSB.

Officially, Hacking Team sold its wares to a company called “Advanced Monitoring,” whose corporate parent has a license to work with the FSB, as recently as August 28, 2014. That would put the Italian firm in violation of the July 31, 2014 European Union regulation that forbids selling such technology, whether directly or indirectly, to the Russian military.

“Yes we did [sell to the FSB].”

“Conditions are perfect [for going to Russia]. Now you can harness the power of Russia in full. I’ll tell you one thing. Years ago, I was in Moscow for 28 straight days for a job. The ruble was at 40 against the dollar, people were suffering. I turned away beautiful prostitutes that every night approached me at the hotel, and I was staying at the Metropol, next to Red Square. When a pimp’s car stopped at traffic lights and a few girls, very young and beautiful, entered in the car until it [the car] wasn’t quite full: three or four [girls] in general, and they cost $10 each. Now these things should be valid at the power 4 [x^4]. It’s time to go to Moscow cousin, first stop: Nightfly night club & restaurant. [You should] go there for dinner. :->”

a hacker who only went by the name “PhineasFisher” hacked the controversial surveillance tech company Gamma International, a British-German surveillance company that sells the spyware software FinFisher.

The leak of 400GB of internal files contains “everything,” according to a person close to the company, who only spoke on condition of anonymity. The files contain internal emails between employees; a list of customers, including some, such as the FBI, that were previously unknown; and allegedly even the source code of Hacking Team’s software, its crown jewels.

Hacking Team’s Vincenzetti gloated over FinFisher’s hack, writing that “a wannabe competitor of ours has been severely hacked.”

The inclusion of ‘intrusion software’ in the recently proposed changes to the Wassenaar Arrangement is a direct consequence of the backlash against surveillance companies like Hacking Team and Gamma International selling their products to repressive regimes.

The rest of the article is a loosely ordered recollection of Hacking Team’s relationships and correspondences with various 0day providers.
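The "front door with multiple locks" passage quoted above describes a key-escrow design in which separate systems each carry part of the key and a further system recombines them. As an added example (not code from the page, nor any scheme the quoted officials proposed), the block below implements the standard way to do that splitting, Shamir's (k, n) threshold sharing over a prime field, and shows the two properties that matter for Green's point: fewer than k shares reveal nothing about the key, but the recombination step is the one place the whole key exists again, and plain Shamir sharing has no integrity check, so a corrupted share silently produces a wrong key unless you verify it against spare shares. The field prime and the 128-bit key size are assumptions chosen for the example.

```python
import secrets

# Prime field for the shares. Assumption for this example: a Mersenne prime wide enough to
# hold a 128-bit key; a real system would fix the field by specification.
P = (1 << 127) - 1


def _interpolate(shares, x):
    """Lagrange-interpolate the polynomial through the given shares and evaluate it at x (mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def split_key(key: int, n: int, k: int, rng=secrets.randbelow):
    """Split key into n shares (x, f(x)); any k reconstruct it, any k-1 learn nothing.

    rng(P) must return a uniform integer in [0, P); the default is cryptographically secure.
    """
    if not 0 <= key < P:
        raise ValueError("key must be a field element")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [key] + [rng(P) for _ in range(k - 1)]   # random degree-(k-1) polynomial, f(0) = key

    def f(x):
        acc = 0
        for c in reversed(coeffs):   # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_key(shares):
    """Recombine k shares: this is the one place the full key exists again."""
    return _interpolate(shares, 0)


def shares_consistent(shares, k) -> bool:
    """Detect a corrupted share when more than k are available.

    Shamir sharing has no built-in integrity: recover_key on a tampered set returns a wrong
    key without complaint. With spare shares, check that every extra share lies on the
    polynomial defined by the first k; a single altered share breaks that.
    """
    base, rest = shares[:k], shares[k:]
    return all(_interpolate(base, x) == y for x, y in rest)


if __name__ == "__main__":
    key = secrets.randbits(126)            # fits below P
    shares = split_key(key, n=5, k=3)
    print("3 of 5 recover the key:", recover_key(shares[:3]) == key)
    print("2 of 5 recover the key:", recover_key(shares[:2]) == key)   # False
    tampered = shares[:4] + [(5, (shares[4][1] + 1) % P)]
    print("tampering detected:", not shares_consistent(tampered, 3))   # True
    print("tampered recovery silently wrong:", recover_key(tampered[2:5]) != key)   # True
```

The consistency check only works when n > k and only tells you that some share is bad, not which one; production escrow systems add authenticated shares or verifiable secret sharing for that reason, which is part of the "complex set of separate boxes" Green is describing.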

whoohoo January 6, 2022 12:44 PM

@wumpus said:

“If someone gets enough cash flow from the nations listed above (and other corporations and similar organizations both legal and otherwise) it is fairly obvious that such weapons can be produced.”

It is also fairly obvious that the same people paid by nation states to develop cyberweapons are not going to be paid by organized crime or other criminals or non-state actors. You can bet your pants no government researcher is going to jeopardize his security clearance by doing this.

Therefore, it’s not a fungible labor pool. That’s why this is news. The “bad guys” are more numerous and more talented than we thought.

Alt explanation: this was actually developed by state actors, who merely disavow it after accidentally (or intentionally) releasing it “into the wild,” Wuhan-style. Won’t be the first time that happened.

Clive Robinson January 6, 2022 2:16 PM

@ WhooHoo,

It is also fairly obvious that the same people paid by nation states to develop cyberweapons are not going to be paid by organized crime or other criminals or non-state actors.

Actually it’s not.

One of the things I noted about the new Israeli list was that “Bulgaria” was on it. It is well known that certain Bulgarian officials used to “front for” organised crime not just in their own country but other countries as well. The same is true for a number of South American countries as well.

As for the “Intelligence Community” it’s again well known that the US has sold anything they like wherever they like as a means to often dubious or unrealistic ends. Look at the Iran–Contra affair for instance,

“On 4 March 1987, [Sitting US President] Reagan made a further nationally televised address, taking full responsibility for the affair and stating that “what began as a strategic opening to Iran deteriorated, in its implementation, into trading arms for hostages”.”

Not much was said about the Nicaraguan Government, who the US Executive wanted toppled, and thus used the profits from the arms sales to Iran to fund the terrorist group known as the Contras. The excuse given was it was to free hostages… Only problem the first arms sales were in 1981 when there were no hostages to be freed…

If you think this is either an isolated incident or all in the past you would be very much mistaken.

One of the side effects of the Ed Snowden revelations was a “reshuffle” of personnel who ended up thinking they had been “burned”… The thing is someone came along that they trusted and put them on a gig working in the Middle East. The NSA basically arranged for them to “not say no” to going and working for a foreign nation to spy on, amongst others, US Citizens. Until an ex-NSA worker, Lori Stroud, turned whistleblower…
