The US National Counterintelligence and Security Center (NCSC) and the Department of State have issued a joint alert warning citizens of zero-click malware that can “access and retrieve virtually all content on a phone.” The advisory doesn’t name any specific malware, but it checks all the boxes that describe NSO Group’s infamous Pegasus spyware.
The alert, titled “Protect Yourself: Commercial Surveillance Tools,” informs the public that “companies and individuals have been selling commercial surveillance tools to governments and other entities that have used them for malicious purposes.”
“Journalists, dissidents, and other persons around the world have been targeted and tracked using these tools, which allow malign actors to infect mobile and internet-connected devices with malware over both WiFi and cellular data connections,” the alert says.
“In some cases, malign actors can infect a targeted device with no action from the device owner,” the advisory continues, likely referencing the zero-click capabilities of Pegasus spyware, which Google researchers have described as a weapon against which there is no defense.
“In others, they can use an infected link to gain access to a device,” the advisory adds.
According to the alert, the cyber-weapons in question can:
• Record audio, including phone calls
• Track a phone’s location
• Access virtually all content on a phone, including text messages, files, chats, commercial messaging app content, contacts and browsing history
The warning comes shortly after Reuters reported that the iPhones of at least nine US State Department employees had allegedly been infected with Pegasus spyware.
In early December 2021, multiple sources told the news agency that the hacks hit US officials either based in Uganda or focused on matters concerning the East African country. The intrusions were said to be the widest known hacks of US officials through NSO Group’s Pegasus spyware.
In late December, researchers from The Citizen Lab – the original ‘whistleblowers’ of Pegasus – reported that threat actors deployed a zero-day attack against iOS 13.5.1 and likely had access to the iPhones of 36 people at Al Jazeera.
Supporting these findings, iPhone maker Apple in November made a crucial first move against NSO Group, hitting the Israeli spyware maker with a lawsuit alleging that Pegasus has enabled extensive state-sponsored hacking of its devices. At the time, Apple also announced plans to hand out $10 million to infosec partners to help fight cyber surveillance abuses.
The US has blacklisted NSO, forbidding it from selling technology in the US and preventing it from acquiring US technology, such as Apple devices.
The NCSC bulletin offers a list of common cybersecurity practices that may mitigate some risks associated with cyber-surveillance tools. Some of the advice, such as covering device cameras, sounds like overkill for regular Joes and Janes, but many of the precautions make for good cybersecurity hygiene – even if you have no reason to believe you’re a target.