An individual employed by a Washington DC-based organization with international offices was targeted with powerful hacking software made by NSO Group, researchers have claimed, raising new concerns about the proliferation of spyware that can infect Apple devices.
The alleged attack was discovered by researchers at the Citizen Lab at the Munk School at the University of Toronto while they were checking the individual’s device.
Citizen Lab, which is on the forefront of finding sophisticated hacking attacks against members of civil society – including journalists, environmental rights defenders and diplomats, among others – did not provide any other details about the individual or where the person was when the alleged cyber-attack occurred. The individual has elected to remain anonymous.
Researchers said they discovered what is known as a “zero-click exploit”, a vulnerability that allows software sold by companies like NSO Group to infect a user’s mobile device through a previously unknown security flaw in a phone’s operating software, without the user having to click on a malicious link.
Apple released what is called a “patch” to fix the security flaw in its latest version of iOS (16.6.1). The company had no further comment.
NSO said in a statement that it was “unable to respond to any allegations that do not include any supporting research”.
The Israeli company has said it only sells its spyware – which can infect any phone – to government clients, for use in fighting serious crime and terrorism. But the Guardian and other media groups have documented dozens of cases of the spyware being misused by government clients in Mexico, Saudi Arabia, India, Rwanda and the UAE, among others.
Once a phone is infected, the user of the spyware – most likely a foreign government intelligence service or police – has total access to the phone, including encrypted conversations and messages over applications such as Signal or WhatsApp. It can also turn a person’s mobile into a listening device by manipulating its recorder.
The spate of attacks against journalists, diplomats, foreign government officials and activists, including against US citizens abroad, prompted the Biden administration in 2021 to place NSO on a blacklist. The company is also being sued by Apple and WhatsApp.
Bill Marczak, a senior researcher at Citizen Lab, told Reuters he attributed the exploit to NSO Group’s Pegasus with “high confidence”, based on forensic evidence. He also said that he believed the operator of the spyware had likely made an error during installation of the spyware, which was how Citizen Lab found it.