Apple Sues Israel's NSO Group in Effort to Protect iPhone Users From Pegasus Spyware

Apple on Tuesday sued NSO Group, accusing the Israeli company—widely criticized for selling surveillance technology to repressive governments around the globe—of infecting targeted iPhones with Pegasus spyware, which has been used to crack down on dissidents and journalists.

In its lawsuit, the U.S. tech giant accused the Israeli surveillance company of violating its terms and conditions as well as U.S. federal and state laws.

“Steps like this are useful, but incomplete. We need more action by governments.”

“To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices,” Apple announced in a press release. “The lawsuit also seeks redress for NSO Group’s flagrant violations of U.S. federal and state law, arising out of its efforts to target and attack Apple and its users.”

Craig Federighi, Apple’s senior vice president of software engineering, said that “state-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change.”

Jewish Voice for Peace (JVP) celebrated Apple’s lawsuit, which comes just over two weeks after researchers from Amnesty International’s Security Lab and the University of Toronto’s Citizen Lab revealed that before the Israeli government outlawed six Palestinian human rights groups, the cellphones of activists from those organizations were infected with Pegasus spyware.

“Spyware is a critical Israeli export,” JVP noted. “It’s about time they are forced to be held accountable.”

Apple’s Federighi said that “Apple devices are the most secure consumer hardware on the market—but private companies developing state-sponsored spyware have become even more dangerous.”

NSO Group used a new invasive technology “to attack a small number of Apple users worldwide with dangerous malware and spyware,” according to Apple, which said that its complaint “provides new information on NSO Group’s FORCEDENTRY, an exploit for a now-patched vulnerability previously used to break into a victim’s Apple device and install the latest version of NSO Group’s spyware product, Pegasus. The exploit was originally identified by the Citizen Lab, a research group at the University of Toronto.”

Citing Apple’s complaint, The Verge explained how the attack worked: “Using the Apple IDs it created, NSO would send data to a target via iMessage (after determining that they were using an iPhone), which was maliciously crafted to turn off the iPhone’s logging. That would then let NSO secretly install the Pegasus spyware and control what was being collected on the phone.”

In its press release, Apple commended “groups like the Citizen Lab and Amnesty Tech for their groundbreaking work to identify cyber-surveillance abuses and help protect victims,” and added that “to further strengthen efforts like these, Apple will be contributing $10 million, as well as any damages from the lawsuit, to organizations pursuing cyber-surveillance research and advocacy.”

“No one in their right mind will want to touch [NSO Group]. But it’s not just one company, this is an industrywide problem.”

Apple’s lawsuit comes two years after Facebook became the first company to sue NSO Group, which it did in 2019 for targeting WhatsApp users. As The Verge noted Tuesday, “Apple and WhatsApp aren’t alone in their push against NSO Group in court, as last year, tech companies including Microsoft and Google filed a brief supporting Facebook’s lawsuit.”

The New York Times, which first reported Apple’s lawsuit, said that the new complaint “represents another consequential move by a private company to curb invasive spyware by governments and the companies that provide their spy tools.”

“Apple executives described the lawsuit as a warning shot to NSO and other spyware makers,” the Times noted. Ivan Krstic, head of Apple security engineering and architecture, told the newspaper that “this is Apple saying: If you do this, if you weaponize our software against innocent users, researchers, dissidents, activists or journalists, Apple will give you no quarter.”

Alluding to Pegasus’ zero-click infection scheme—which NSO carried out after creating over 100 fake Apple IDs—Heather Grenier, Apple’s senior director of commercial litigation, told the Times that “this was in flagrant violation of our terms of service and our customers’ privacy.”

“This is our stake in the ground, to send a clear signal that we are not going to allow this type of abuse of our users,” Grenier added.

Earlier this month, the Biden administration blacklisted NSO Group and Candiru, a similar firm, in a development the Times called “the strongest step an American president has taken to curb abuses in the global market for spyware, which has gone largely unregulated.” 

The Commerce Department’s ban, which prohibits U.S. organizations from working with the pair of Israeli surveillance companies, came less than four months after the Pegasus Project, a media consortium of more than 80 reporters from 17 news outlets in 10 countries, analyzed a trove of leaked data and exposed how NSO Group’s hacking tool “has been used to facilitate human rights violations around the world on a massive scale.”

The investigation, published in July, also identified the phone numbers of over a dozen heads of state on a leaked list of more than 50,000 potential targets of Pegasus. The findings were met with widespread condemnation from human rights experts, including Agnès Callamard, secretary general of Amnesty International, and United Nations High Commissioner for Human Rights Michelle Bachelet.

While Bachelet advocated for stricter regulation of surveillance technologies to prevent human rights abuses, whistleblower Edward Snowden—who has lived in Russia with asylum protections since leaking classified materials on U.S. government mass surveillance in 2013—called for an end to the spyware trade. Less than a month later, three U.N. special rapporteurs demanded a global moratorium on the sale and transfer of spyware.

Moody’s, the ratings agency, has warned that NSO Group’s “$500 million of debt and severe cash flow problems” put the company “at risk of default,” according to the Times. “Digital rights experts said Apple’s suit threatened NSO’s survival.”

“NSO is now poison,” Ron Deibert, director of Citizen Lab, told the newspaper. “No one in their right mind will want to touch that company. But it’s not just one company, this is an industrywide problem.”

“Steps like this are useful, but incomplete,” he added. “We need more action by governments.”