Pegasus used to infect iPhones owned by Catalonian officials
Pegasus, NSO Group's spyware used to hack iPhones, has been caught up in another spying scandal, with the surveillance tool used against devices owned by civil society and political figures in Catalonia, Spain.
NSO Group, who made Pegasus and sold it to law enforcement agencies and governments.
Following a 2020 report claiming senior Catalonian politician Roger Torrent and pro-independence supporters were targeted by "government-grade spyware" via WhatsApp, Citizen Lab launched an investigation into wider spyware use against officials and people of interest in the region. On Monday, the investigation revealed evidence that another tool was used: Pegasus.
At least 63 people were targeted or were infected by Pegasus, the report claims, while four others were targeted by Candiru spyware, and two were targets of both tools. The list of victims included Catalan presidents, legislators, members of civil society organizations, members of the European Parliament, and family members.
While Citizen Lab doesn't directly attribute blame for the attacks, it does say there's extensive circumstantial evidence pointing in the direction of the Spanish government.
As one of the wealthiest autonomous regions of Spain, Catalonia has a long history of attempting to grow its autonomy, typically opposed by the Spanish government. This was especially evident in 2017 during an independence referendum that was deemed illegal by the Spanish Constitutional Court, with police allegedly turning away voters and supposedly using excessive force.
Shortly after the vote was approved by the Catalan Parliament, the Spanish government dissolved that parliament and scheduled new elections. Since then, participants in the referendum were sent to prison, and Spain continues to fight the independence movement.
The investigation determined that of 63 targets, 51 were found to have forensically-confirmed infections. However, since Spain has a high prevalence for Android over iOS, and that forensic tools used by investigators are more developed for iOS, the report believes it "heavily undercounts the number of individuals likely targeted and infected with Pegasus because they had Android devices."
Several instances of "off-center" targeting were spotted, where family members, close members of staff, and other individuals connected to a person of interest were infected, enabling data collection about the subject without necessarily maintaining a connection.
All Catalan Members of the European Parliament that supported independence were targeted, either directly or off-center, including three direct infections of MEPs and two off-center attacks.
Other identified targets include civil societies that supported political independence, such as Assemblea Nacional Catalana, Omnium Cultural, and lawyers representing prominent Catalans.
Homage involved an iMessage zero-click component launching a WebKit instance, after performing a lookup for a Pegasus email address. JavaScript scaffolding was fetched by the WebKit instance, which then fetched the exploit itself.
The scaffolding could even determine the model of iPhone by comparing screen resolutions for possible matches, whether "display zoom" mode is engaged, and the time it took to encrypt a buffer.
It appeared that domains linked to the exploits were controlled by a single Pegasus customer, indicating that it was all performed by one entity. Spain's Centro Nacional de Inteligencia (CNI) was reportedly a customer of NSO Group, with the country's Ministry of Interior potentially able to perform the same attacks.
Other circumstantial evidence includes the timing of targeting that appeared to be of interest to the Spanish government, the content of bait text messages inferred access to personal information like official ID numbers, and the targets being of "obvious interest to the Spanish government."
Citizen Lab believes the seriousness of the case "clearly warrants an official inquiry to determine the responsible party, how the hacking was authorized," the legal framework, the scale of the operation, and what hacked data was used for. It also viewed the case as notable "because of the unrestrained nature of the hacking activities."
The report into Catalan attacks using Pegasus arrive a week after it was determined senior European Commission officials were targeted by attackers in 2021, using the same tools to try and gain access to smartphones.
Read on AppleInsider
NSO Group, who made Pegasus and sold it to law enforcement agencies and governments.
Following a 2020 report claiming senior Catalonian politician Roger Torrent and pro-independence supporters were targeted by "government-grade spyware" via WhatsApp, Citizen Lab launched an investigation into wider spyware use against officials and people of interest in the region. On Monday, the investigation revealed evidence that another tool was used: Pegasus.
At least 63 people were targeted or were infected by Pegasus, the report claims, while four others were targeted by Candiru spyware, and two were targets of both tools. The list of victims included Catalan presidents, legislators, members of civil society organizations, members of the European Parliament, and family members.
While Citizen Lab doesn't directly attribute blame for the attacks, it does say there's extensive circumstantial evidence pointing in the direction of the Spanish government.
As one of the wealthiest autonomous regions of Spain, Catalonia has a long history of attempting to grow its autonomy, typically opposed by the Spanish government. This was especially evident in 2017 during an independence referendum that was deemed illegal by the Spanish Constitutional Court, with police allegedly turning away voters and supposedly using excessive force.
Shortly after the vote was approved by the Catalan Parliament, the Spanish government dissolved that parliament and scheduled new elections. Since then, participants in the referendum were sent to prison, and Spain continues to fight the independence movement.
The investigation determined that of 63 targets, 51 were found to have forensically-confirmed infections. However, since Spain has a high prevalence for Android over iOS, and that forensic tools used by investigators are more developed for iOS, the report believes it "heavily undercounts the number of individuals likely targeted and infected with Pegasus because they had Android devices."
Several instances of "off-center" targeting were spotted, where family members, close members of staff, and other individuals connected to a person of interest were infected, enabling data collection about the subject without necessarily maintaining a connection.
All Catalan Members of the European Parliament that supported independence were targeted, either directly or off-center, including three direct infections of MEPs and two off-center attacks.
Other identified targets include civil societies that supported political independence, such as Assemblea Nacional Catalana, Omnium Cultural, and lawyers representing prominent Catalans.
"Homage" and evidence
In terms of how Pegasus worked, zero-click iMessage exploits were attempted between 2017 and 2020, a pretty common technique. However, in late 2019, a zero-click exploit was discovered, which has been called "Homage."Homage involved an iMessage zero-click component launching a WebKit instance, after performing a lookup for a Pegasus email address. JavaScript scaffolding was fetched by the WebKit instance, which then fetched the exploit itself.
The scaffolding could even determine the model of iPhone by comparing screen resolutions for possible matches, whether "display zoom" mode is engaged, and the time it took to encrypt a buffer.
It appeared that domains linked to the exploits were controlled by a single Pegasus customer, indicating that it was all performed by one entity. Spain's Centro Nacional de Inteligencia (CNI) was reportedly a customer of NSO Group, with the country's Ministry of Interior potentially able to perform the same attacks.
Other circumstantial evidence includes the timing of targeting that appeared to be of interest to the Spanish government, the content of bait text messages inferred access to personal information like official ID numbers, and the targets being of "obvious interest to the Spanish government."
Citizen Lab believes the seriousness of the case "clearly warrants an official inquiry to determine the responsible party, how the hacking was authorized," the legal framework, the scale of the operation, and what hacked data was used for. It also viewed the case as notable "because of the unrestrained nature of the hacking activities."
The report into Catalan attacks using Pegasus arrive a week after it was determined senior European Commission officials were targeted by attackers in 2021, using the same tools to try and gain access to smartphones.
Read on AppleInsider
Comments
It boggles my mind that after all these years input validation and sanitization still sucks. That programmers resist things like type-safe languages because it takes more up front work. Well duh! It's a shitshow out there. It didn't matter as much when machines weren't networked; yet crap still spread via disk. Now computers are networked but "computer science" has advanced relatively little in cleaning this crap up.
I'm far from a big government type of person, but I am a pragmatist. I think it's far beyond time to start treating computer science like professional engineering. No more EULAs hand waving all responsibility for software quality away. Individuals should be required to sign off on software builds - especially for critical systems like operating systems - just like engineers have to sign off on and are personally liable for plans.
One of my son’s is a structural engineer and, like you point out, if his name is on the blueprints he is responsible if something goes wrong due to his engineering designs or calculations. That’s why we have the PE (professional engineering) certifications. People can die if the engineering is faulty and the bridge or building collapses. The same should go for software engineering.
Now we’re worried about the Russians waging cyberwar on our infrastructure. Why? Because the software running it has holes in it, that’s why. Last night’s 60 Minutes had a segment about how the Russians are constantly probing our infrastructure like power, water, food, petroleum, looking for ways into the systems and planting malware for future activation.
I lost count of the run-ins I had with scrum masters who wanted apparently little things like error handling relegated to technical debt which would never get attended to. Most of the time, I delivered very robust software that needed little attention while in operation.
The problem is that delivering code comes out of CapEx. Fixing it later comes out of OpEx.
Quality costs. It can be done but few companies want it. They want something delivered NOW and for zero cost.
There is a saying in the north of England...
you don't get owt for nowt.
Very true
Your grasp of where computer science is versus where it was 10 or 20 or 30 years ago is flawed. If you developed software 30 years ago and could look forward to see what was available today you would just quit and take another career path. Short of the C standard library and manufacturer API's there was very little selection of software libraries to do the most basic of tasks. In most cases you had to write it from scratch if you needed it. Now with a little searching you find libraries to do almost anything you can think of, most of which are free to use with some exceptions depending on the license.
Everyone is doing the best they can as no one wants to publish flawed software. Think of something as simple as door lock or padlock. Every lock you can find is pickable no matter how sophisticated and in most cases the picking is not difficult. A 1000+ years of locks and they are all pickable. Shall we require sign off on something as simple and fundamental as a lock. There is not a single lock sold at any hardware store that cannot be picked by someone with a modest skillset. You can go to a locksmith and the advantage there is they might be a little harder to pick, but are still very pickable. The best require you order a key through a locksmith so you cannot easily get an extra, but that is more of a pain than a security feature.
One of the "Real Programmers" sayings was "Strong typecasting is for people with weak memories"
One of my classes had a policy: "If your code does not work for every test, it does not work." Sadly, only one class. But everyone who took it remains paranoid to this day. A lot of them became software testers.
Hell, how many systems are exposed directly to the Internet purely because of convenience? Looking through scans from sites like SHODAN is a horror show. Stop making excuses for bad behavior - and stop calling it computer science. There is nothing scientific to the way we handle computers professionally today.
Also the ridiculous strawman of the week award goes to your inane lock analogy. When someone can anonymously pick your lock from anywhere in the world as long as the have a connection to the Internet you might have a point. If anything you prove exactly the opposite of what you meant to and serve as the poster child for how we ended up here: people suck at assessing and mitigating real risk.