Getty Images/iStockphoto

Apple files lawsuit against spyware vendor NSO Group

Apple sued the Israeli technology vendor, whose Pegasus spyware has been implicated in several malicious attacks on journalists, activists and government officials.

Apple has filed a lawsuit against NSO Group, claiming the spyware vendor was directly involved in attacks on Apple users.

In a complaint filed Tuesday, Apple said it took legal action in response to "deliberate" efforts by the defendants to "target and attack Apple customers, products and servers." Additionally, the lawsuit claims that "NSO's malicious activities have exploited Apple's products, injured Apple's users and damaged Apple's business."

"Defendants are notorious hackers -- amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse," the complaint said.

That abuse was documented by the U.S. Department of Commerce's Bureau of Industry and Security, which added NSO to its banned entity list earlier this month. According to a press release by the Commerce Department, evidence revealed that the Israel-based firm "developed and supplied" spyware used to target government officials, journalists, businesspeople, activists, academics and embassy workers.

The spyware, known as Pegasus, was also linked to the death of Saudi journalist Jamal Khashoggi in 2018 and allegedly involved in an attack against WhatsApp and Facebook in 2019. While Apple's lawsuit does not mention Kashaoggi, the complaint alleges NSO Group enabled customers to abuse its product to target journalists and activist as well as government officials, businesspeople, academics and even U.S. citizens.

The complaint also accused NSO Group of being actively involved in the attacks on Apple and its customers -- a charge that NSO Group has repeatedly denied over the years. "On information and belief, Defendants provide consulting and expert services to their clients, assist them with their deployment and use of Pegasus, and participate in their attacks on Apple devices, servers and users," the lawsuit said.

Apple claimed NSO Group also used an exploit, dubbed ForcedEntry, to spread spyware through Apple's servers from February to September of this year. However, Apple said it patched the flaw and has not observed any "successful remote attacks against devices running iOS 15 and later versions." It is still notifying "a small number of users" targeted by ForcedEntry.

Apple is seeking three permanent injunctions, including one that would ban NSO Group from using Apple products. The other injunctions would ban NSO Group from developing and distributing any malware designed for Apple products and require the spyware company to locate and destroy all data it collected from Apple customers.

NSO Group did not respond to requests for comment. On Monday evening, the company made several statements on Twitter that were apparently in response to the impending lawsuit. NSO Group defended its products and business model, saying its technology "helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe."

NSO Group's Twitter statements also took indirect aim at Apple. "Terrorists, drug traffickers, pedophiles, and other criminals have access to advanced technology and are harder to monitor, track, and capture than ever before," the company said. "The world's most dangerous offenders communicate using technology designed to shield their communications, while government intelligence and law-enforcement agencies struggle to collect evidence and intelligence on their activities."

UPDATE 11/26: An NSO Group spokesperson sent the following statement to SearchSecurity: "Thousands of lives were saved around the world thanks to NSO Group's technologies used by its customers. Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO group will continue to advocate for the truth."

Latest episode in an ongoing battle

NSO Group's Pegasus spyware was first detected and publicized in 2016 by researchers at the Citizen Lab at the University of Toronto and mobile security vendor Lookout. Citizen Lab attributed Pegasus, which was exploiting a trio of iOS zero-day vulnerabilities, to NSO Group.

Following the initial discovery of Pegasus, Citizen Lab researchers chronicled numerous cases in recent years where NSO Group exploits and spyware were used against journalists, human rights activists, lawyers and government officials in many countries. In Apple's announcement of the lawsuit, Citizen Lab director Ron Deibert slammed the spyware vendor.

"Mercenary spyware firms like NSO Group have facilitated some of the world's worst human rights abuses and acts of transnational repression, while enriching themselves and their investors," Deibert said in the statement. "I applaud Apple for holding them accountable for their abuses, and hope in doing so Apple will help to bring justice to all who have been victimized by NSO Group's reckless behavior."

Apple levied similar criticisms against the spyware vendor, claiming NSO Group's products are "more than just consumer malware" and empowers state-sponsored cyber attacks. "NSO's products are far more insidious and often highly sophisticated," the lawsuit said. "They permit attacks, including from sovereign governments that pay hundreds of millions of dollars to target and attack a tiny fraction of users with information of particular interest to NSO's customers."

Ivan Krstić, head of security engineering and architecture at Apple, also accused NSO of furthering state-sponsored cyber threats. "The steps Apple is taking today will send a clear message: in a free society, it is unacceptable to weaponize powerful state-sponsored spyware against innocent users and those who seek to make the world a better place," Krstić said on Twitter.

Apple isn't the first tech company to take legal action against NSO Group. In 2019, Facebook-owned instant messaging company WhatsApp filed a lawsuit against the spyware vendor, alleging NSO Group technology was used to hack WhatsApp's messaging platform, which was then used by nation-state threat actors to send spyware to more than 1,000 mobile devices.

Earlier this month, the U.S. Court of Appeals for the Ninth Circuit denied a motion from NSO Group to dismiss the lawsuit.

Security News Editor Rob Wright contributed to this report.

Dig Deeper on Threats and vulnerabilities