A recent report has once again shed light on the numerous methods employed by governments and law enforcement agencies to deploy the invasive Pegasus spyware on targeted devices. The focus of this latest revelation is award-winning Russian journalist Galina Timchenko, who received a threat notification from Apple warning her that her iPhone was likely the target of a state-sponsored attack.
Timchenko, who is currently exiled in Latvia and co-founded a Russian-English news site called Meduza, sought assistance from the University of Toronto’s Citizen Lab to understand the nature of the threat. Citizen Lab, renowned for its investigations into digital espionage, analyzed the forensic artifacts from Timchenko’s phone and discovered that Pegasus had been installed on it in February.
Both Citizen Lab and Access Now, a nonprofit organization advocating for human rights in the digital age, collaborated on the investigation and released separate reports on the incident. According to Citizen Lab, the infection was likely achieved through a zero-click exploit known as PWNYOURHOME, which targets Apple’s HomeKit and iMessage. However, neither organization attributed the attack to any specific nation-state actor.
PWNYOURHOME is one of three iOS 15 and iOS 16 zero-click exploits previously identified by Citizen Lab as being used by NSO Group’s clients to deploy Pegasus on target iPhones. This particular exploit targets the HomeKit functionality before breaching device protections and enabling Pegasus delivery through iMessage. The other two exploits, FINDMYPWN and LatentImage, target the iPhone’s Find My feature.
These exploits are part of a growing number of attacks targeting iPhone users. Just this month, Citizen Lab reported the discovery of two zero-click zero-day vulnerabilities in iOS 16.6, referred to as Blastpass, which allowed for the delivery of Pegasus without any user interaction. The organization urged iPhone users to promptly update their devices to protect against these vulnerabilities.
This incident follows previous discoveries of vulnerabilities in iOS that were actively exploited by threat actors. Kaspersky, for example, uncovered a multiyear spying campaign on iOS users earlier this year, in which a nation-state actor used up to three zero-days to compromise target devices. However, there is currently no evidence to suggest that NSO Group’s clients exploited these vulnerabilities to deploy Pegasus.
The abundance of exploits and vulnerabilities within the iOS environment raises concerns about how readily adversaries can obtain and deploy spyware like Pegasus. Meduza, in its report on the incident, stated that the spyware likely provided the perpetrator access to sensitive information on Timchenko’s iPhone, including corporate passwords, correspondence, and the identities of individuals collaborating with the news site in Russia.
Pegasus, developed and sold by Israeli firm NSO Group, is a controversial surveillance tool that enables customers to extract various data from targeted devices. Once installed, Pegasus can intercept and transmit messages, emails, media files, passwords, and precise location information. The spyware employs advanced techniques to evade detection by antivirus and threat detection tools.
NSO Group maintains that it only sells the technology to authorized agencies for legitimate crime-fighting and surveillance purposes. However, critics argue that Pegasus enables governments, particularly those with poor human rights records, to spy on and silence journalists, dissidents, activists, and political opponents. A leaked database in 2021 revealed that NSO Group clients had selected over 50,000 phone numbers for surveillance, including those of 180 journalists and numerous individuals involved in human rights work.
The cost associated with accessing Pegasus is also a cause for concern. A senior researcher at Citizen Lab mentioned that NSO Group clients typically spend tens of millions of dollars, if not more, to gain access to the spyware.
The incident involving Galina Timchenko highlights the continued threat posed by Pegasus and the urgent need for improved cybersecurity measures to protect individuals and organizations from state-sponsored surveillance. With the ever-increasing number of exploits and vulnerabilities in mobile devices, it is crucial for users to remain vigilant and keep their devices updated with the latest security patches to mitigate the risk of falling victim to such attacks.
