A report this week about Pegasus spyware showing up on an iPhone belonging to award-winning Russian journalist Galina Timchenko has highlighted again the seemingly myriad ways that government and law enforcement agencies appear to have to deliver the odious surveillance tool on target devices.
Timchenko is an exiled Russian investigative journalist and co-founder of Meduza, a Russian- and English-language news site headquartered in Riga, Latvia. On June 22, Apple sent Timchenko a threat notification that warned her that her device is likely the target of a state-sponsored attack. Apple earlier this year rolled out the spyware threat notifications, which are designed specifically to assist users that the company determines are being individually targeted because of what they do.
Targeted for Spying
Meduza’s technical director reached out to the University of Toronto’s Citizen Lab for help understanding what the alert might have been about. Researchers at Citizen Lab, who have earned a reputation over the years for their ability to conduct investigations into incidents of digital espionage, analyzed forensics artifacts from Timchenko’s phone and quickly determined that someone had installed Pegasus on it in February.
“We believe the infection could have lasted from days up to weeks after the initial exploitation,” Citizen Lab said. “The infection was conducted via a zero-click exploit, and forensic traces lead us to assess with moderate confidence that it was achieved via the PWNYOURHOME exploit targeting Apple’s HomeKit and iMessage.” Neither Citizen Lab or Access Now attributed the attack to any specific nation-state actor.
PWNYOURHOME is one of three iOS 15 and iOS 16 zero-click exploits that Citizen Lab previously determined NSO Group’s clients to have used in 2022 to drop Pegasus on target iPhones. The two-phase zero-click exploit first targets the HomeKit smart home functionality built into iPhones, and then uses the iMessage process to essentially breach device protections and enable Pegasus delivery on it.
The other two exploits that Citizen Lab uncovered were: FINDMYPWN, a two-phased exploit that targets the iPhone’s Find My feature and iMessage functionality; and LatentImage, another exploit that involves the iPhone’s Find My feature.
Flurry of iOS Exploits and Vulnerabilities
The exploits are among a growing number targeting iPhone users. Just earlier this month, Citizen Lab reported finding a threat actor chaining together two no-click zero-day vulnerabilities in iOS 16.6 — the latest version — to deliver Pegasus. Citizen Lab, which is tracking the exploit as Blastpass, described it as enabling Pegasus delivery without any user interaction and urged everyone to immediately update their devices.
In recent months, others have discovered other vulnerabilities in iOS that attackers actively exploited before Apple became aware of them and fixed them.
Earlier this year, for instance, Kaspersky uncovered a multiyear spying campaign on iOS users, where a likely nation-state threat actor exploited as many as three zero-days in Apple’s mobile operating system to break into target devices. Russia’s intelligence agency, the Federal Security Service of the Russian Federation (FSB), blamed the attacks — without any evidence — on the US National Security Agency (NSA) and claimed it had impacted thousands of the country’s diplomats and other individuals.
There’s no reporting so far to suggest that any of NSO Group’s clients exploited those zero-day flaws that Kaspersky reported to deliver Pegasus. But the flurry of exploits and vulnerabilities that researchers in general have discovered in the iOS environment recently suggest that adversaries — especially those with three-letter acronyms — have multiple ways to get the spyware on targeted devices.
They Got ‘Everything They Wanted’
Meduza, which also posted a report on the incident Wednesday, described the spyware on Timchenko’s iPhone as likely having allowed the perpetrator to access everything on her device. This included corporate passwords, correspondence, the names of Meduza staff, bank account details, and most concerningly, the identities of those collaborating with the news site who live in Russia. “They got everything,” the report quoted Meduza’s editor-in-chief Ivan Kolpakov as saying. “Everything they wanted.”
Pegasus is a controversial surveillance tool for mobile devices from NSO Group, an Israeli firm that develops and sells surveillance and cyber intelligence tools to government, intelligence, and law enforcement. The spyware allows customers to access and extract pretty much anything they want from an iPhone, Android smartphone, or other mobile device. Once installed on a target device, Pegasus can intercept and transmit messages, emails, media files, passwords, and detailed location information. It also employs several sophisticated techniques to evade detection by antivirus and other threat detection tools.
The NSO Group itself has maintained it only sells the technology to authorized agencies for legitimate crime-fighting and surveillance purposes.
But critics have heavily criticized the tool and the NSO group for enabling governments, especially in countries with poor human rights practices, to spy on and attempt to silence journalists, dissidents, rights activists, and political opponents. In 2021, a leaked database of more than 50,000 phone numbers that various NSO Group clients had selected for surveillance listed some 180 journalists from countries like India, Hungary, and Mexico. The database also contained phone numbers belonging to numerous human rights activists, lawyers, union leaders, doctors, politicians, and diplomats.
Meduza quoted a senior researcher at Citizen Lab as saying NSO clients “typically spend tens of millions of dollars and potentially more for access to Pegasus.”