Apple has sued NSO Group and its parent company Q Cyber Technologies in a U.S. federal court, seeking to hold them accountable for illegally targeting users with the Pegasus surveillance tool, in yet another setback for the Israeli spyware vendor.
The Cupertino-based tech giant painted NSO Group as "notorious hackers — amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse."
In addition, the lawsuit seeks to permanently prevent the infamous hacker-for-hire company from breaking into any Apple software, services or devices. The iPhone maker, separately, also revealed its plans to notify targets of state-sponsored spyware attacks and has committed $10 million, as well as any monetary damages won as part of the lawsuit, to cybersurveillance research groups and advocates.
To that end, the company intends to display a "Threat Notification" after the targeted users sign into appleid.apple[.]com, alongside sending an email and iMessage notification to the email addresses and phone numbers associated with the users' Apple IDs.
"State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change," said Craig Federighi, Apple's senior vice president of Software Engineering, in a statement. "Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous."
Typically installed by leveraging "zero-click" exploits that infect targeted devices without any user interaction, Pegasus is engineered as an invasive "military-grade" spyware that's capable of exfiltrating sensitive personal and geolocation information and stealthily activating the phones' cameras and microphones.
The lawsuit filed by Apple specifically concerns the FORCEDENTRY exploit in iMessage that was used to circumvent iOS security protections and target nine Bahraini activists. The company said the attackers created over 100 bogus Apple IDs to send malicious data to the victims' devices, effectively allowing NSO Group or its clients to deliver and install Pegasus spyware without their knowledge. Apple addressed the zero-day flaw in September.
"The abusive data was sent to the target phone through Apple's iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file," Apple detailed in its filing. "That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple's iCloud servers in the United States or abroad for delivery to the target."
The development comes in the aftermath of sweeping sanctions imposed by the U.S. government earlier this month against NSO Group for developing and supplying sophisticated surveillance technology to foreign governments that then used the spy tools to target journalists, activists, dissidents, academics, and government officials across the world. MIT Technology Review earlier this week reported that the sanctions have had a "deeper impact" on the company's morale and its future prospects.
"NSO Group is dismayed by the decision given that our technologies support U.S. national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed," the company previously said following the announcement.
Despite repeated claims that its software is sold only to governments and law enforcement agencies and that it has bulwarks in place to forestall abuse, multiple instances to the contrary have established a recurring pattern in which the spyware has been misused by authoritarian regimes to target and infect members of civil society, and in which the company's customers include those with poor human rights track records.
"Thousands of lives were saved around the world thanks to NSO Group's technologies used by its customers," a spokesperson for the company said in a statement shared with The Hacker News. "Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO group will continue to advocate for the truth."
The lawsuit also mirrors a similar action taken by Meta (formerly Facebook) in October 2019, when it took the company to court for exploiting a bug in its WhatsApp messaging app to install Pegasus, enabling the surveillance of 1,400 mobile devices belonging to diplomats, journalists, and human rights activists. On November 8, 2021, the 9th U.S. Circuit Court of Appeals in San Francisco rejected NSO Group's claim it was immune from being sued because it had acted as an agent of sovereign governments.
"The steps Apple is taking today will send a clear message: in a free society, it is unacceptable to weaponize powerful state-sponsored spyware against innocent users and those who seek to make the world a better place," Ivan Krstic, Apple's head of security engineering and architecture, said in a tweet.