NSO Group’s Pegasus malware used to spy on lawyers • The Register
Updated Cherie Blair told a Jordanian princess that the royal’s estranged husband, the Sheikh of Dubai, had used NSO Group’s Pegasus malware against her and her lawyers, a series of explosive Supreme Court rulings [PDFs] has revealed.
Against the backdrop of kidnappings, espionage and a fiercely contested child custody case, the rulings shed fresh light on the abuses to which NSO Group’s malware products are put by some of its clients.
Sheikh Mohammed bin Rashid al Maktoum, the absolute ruler of Dubai, was found to have ordered the deployment of one of the most powerful types of malware in the world against Princess Haya bint Hussein, his ex-wife and a member of the Jordanian royal family, during a court battle for custody of their children.
The rulings, released last night, also revealed that the diligent infosec work carried out by Canada’s Citizen Lab, an academic surveillance research organization, helped uncover the espionage and warn its victims. The sheikh’s agents targeted not only Princess Haya, but also her British legal team, her physical security records and others around her.
While Sheikh Al Maktoum denies the violation in a statement before the Air Force, the Court of Appeal was clear:
NSO confirmed to the Supreme Court that it terminated its contract with the United Arab Emirates (of which Dubai is one of the seven federal states) on December 7, 2020, which cost it “tens of millions of dollars.”
The lawsuit is the tip of the iceberg: the sheikh abducted two of his daughters in the 2000s after they tried to escape his control, according to a UK family court ruling in 2020.
Princess Haya fled to the UK in 2019, applying for various non-destructive orders to the Supreme Court, as well as custody of their children, forcing the sheikh to fight the case away from home.
Pegasus is malware deployed against iPhones that is capable of silently recording and forwarding activity from a huge number of common social media applications, as well as voice calls, photos and videos. It is widely considered one of the leading mobile malware threats, deployed by governments and actors close to the state.
Former Prime Minister Tony Blair’s wife called a fellow lawyer
Sheikh al-Maktoum has tried to blame “the states of Iran, Israel and Saudi Arabia” and even Jordan, Princess Haya’s home country, for deploying Pegasus, as the president of the Supreme Court’s family division ruled in May.
According to the ruling, the first suspicion Princess Haya’s team had that Pegasus was being used to spy on them through their personal devices came when Martin Day, founder of London-based human rights law firm Leigh Day, contacted the princess’s lead lawyer, Baroness Fiona Shackleton. Day told her that Dr. William Marczak of Citizen Lab, whom he knew, had seen Internet traffic suggesting that Princess Haya’s lawyers had been hacked with the help of Pegasus.
Separately, Cherie Blair, who is married to former UK Prime Minister Tony Blair and is an adviser to NSO Group, contacted Baroness Shackleton the same day (August 5, 2020), saying the same. It turns out that Blair gave legal advice to NSO Group. She was “invited to contact Baroness Shackleton by a senior NSO official.”
IP addresses are marked
Citizen Lab’s Marczak was investigating the Pegasus operation through a UAE activist identified only as Mr. X. By analyzing Mr. X’s phone, he obtained a list of IP addresses of the NSO command-and-control (C2) servers used to manage Pegasus.
Further analysis of Internet traffic gave, so the court was told, the IP addresses of devices communicating with these C2 servers.
“This led Dr. Marczak to find the IP address of the law firm instructed in this case by the mother, Payne Hicks Beach (“PHB”). An Internet search of PHB has led to news related to the current proceedings, involving the mother and father,” said the Supreme Court’s decision on “hacking” [PDF].
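The pivot described above (known C2 addresses, then the clients that talk to them, then the organization behind a client address) can be sketched as follows. This is an added example, not Citizen Lab’s code or method: the flow-log format, the addresses (documentation ranges) and the prefix-to-owner table are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation address ranges, not real indicators).
C2_SERVERS = {"203.0.113.10", "203.0.113.77"}
KNOWN_NETWORKS = {  # hypothetical prefix-to-owner registry
    "198.51.100.0/28": "example-law-firm",
    "192.0.2.0/24": "example-isp-pool",
}
FLOW_LOG = """\
2020-08-01T09:12:03Z 198.51.100.5 203.0.113.10 443
2020-08-01T09:12:04Z 192.0.2.44 198.51.100.200 443
2020-08-02T17:40:11Z 198.51.100.5 203.0.113.77 443
2020-08-03T08:01:59Z 192.0.2.91 203.0.113.10 443
malformed line
2020-08-04T22:15:30Z 198.51.100.5 203.0.113.10 443
"""

def owner_of(ip):
    """Return the registry owner for ip, or 'unknown' if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for prefix, owner in KNOWN_NETWORKS.items():
        if addr in ipaddress.ip_network(prefix):
            return owner
    return "unknown"

def clients_of_c2(log_text, c2_servers):
    """Aggregate, per source IP, the flows whose destination is a known C2."""
    hits = defaultdict(lambda: {"flows": 0, "c2": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of aborting the sweep
        ts, src, dst, _port = parts
        if dst not in c2_servers:
            continue
        h = hits[src]
        h["flows"] += 1
        h["c2"].add(dst)
        # ISO 8601 UTC timestamps sort correctly as plain strings.
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return {src: {**h, "owner": owner_of(src)} for src, h in hits.items()}

if __name__ == "__main__":
    for src, info in sorted(clients_of_c2(FLOW_LOG, C2_SERVERS).items()):
        print(src, info["owner"], info["flows"], sorted(info["c2"]),
              info["first"], info["last"])
```

A client that contacts more than one listed C2 address over several days, as the constructed law-firm address does here, is a stronger signal than a single flow from a shared ISP pool.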
It was difficult to verify Marczak’s findings to the satisfaction of the court. A British company called in to examine the iPhones of Princess Haya and her lawyers said there was “no sign of surveillance” – only to throw in the towel when handed a copy of Marczak’s witness testimony detailing Pegasus’s presence, shown in part by suspiciously named apps installed on the iPhone.
“IntaForensics did not have to know the scale and nature of the task for which they were hired, and they evoke the respect of the court, not the critics, to signal their inability to follow instructions as soon as the situation becomes clear,” the judge said.
Professor Alastair Beresford of the Department of Computer Science and Technology at the University of Cambridge was able to verify Marczak’s findings after gaining access to his methodology.
The appeals were rejected
Sheikh Al Maktoum did not fully engage with the Supreme Court’s fact-finding process, instructing his lawyers to leave the courtroom. The Supreme Court also refused to allow his experts to see raw data from the hacked iPhone, something he said was unfair to him.
These experts include Sygnia, an Israel-based provider of “military cybersecurity”, and are not legally instructed as forensic experts. As noted by the Court of Appeal, the company is outside the jurisdiction of the United Kingdom and therefore its views “will remain confidential to the father and will not be disclosed to the mother or the court.”
In other words, Sygnia could extract more data for the sheikh to use against Princess Haya – or even notify NSO of Marczak’s exact method of attribution, which would allow the malware vendor to exclude it in the future. If Sheikh Al Maktoum had officially instructed a British expert witness, the basic data would have been revealed – but he did not.
The extremely complex case shows, in infosec terms, that surveillance malware is not just an abstract computer security challenge. It has the power, especially in the modern era, to change lives.
The courts have ruled that Princess Haya’s children should live with her in Britain, not with Sheikh al-Maktoum in Dubai. The full set of rulings can be read on the website of the judiciary.
Neither the NSO Group nor the Citizen Lab responded to requests for comment. ®
If you are concerned that your devices may have been targeted or infected with NSO’s Pegasus spyware, Amnesty has the technical details for finding signs of compromise here.
Updated to add at 15:27 UTC on October 7:
The Register asked if the revelations contradicted NSO’s previous claims that the company was unable to establish the targets of its malware.
A company spokesman replied: “To be clear, there is no discrepancy, the NSO does not manage the products themselves; we license approved government agencies for this and are not aware of the details of the individuals being monitored.
“When we become aware of allegations of alleged abuse by one of our customers, we undertake a full investigation with the assistance of that customer as part of their contractual obligations to us. If we find abuse, we will act to resolve the issue and close the product as we have done in the past.”