Surveillance of Civil Society Groups/Ahmed Mansoor (2016)

From International cyber law: interactive toolkit
Date 10 and 11 August 2016.[1]
Suspected actor According to Citizen Lab, the academic research lab that uncovered the attempted cyber operation, the exploit infrastructure was connected to a network of domains allegedly belonging to NSO Group, an Israel-based company (US-owned at the time)[2] that sold “government-exclusive” spyware under the name Pegasus.[3] According to the firm, it sold its product only to authorized government agencies, as “lawful intercept”[4] spyware for the “prevention and investigation of crimes”,[5] and in compliance with export control regulations.[6]

Although the operator of spyware is difficult to determine,[7] it was alleged that Pegasus had been acquired by the United Arab Emirates and used against Ahmed Mansoor, who had previously been the target of surveillance campaigns against human rights defenders.[8]

Victims The target of the operation was Ahmed Mansoor, a UAE-based, internationally recognized human rights defender.[9]
Target systems iOS, the iPhone’s operating system (Mansoor’s device was running iOS 9.3.3).[10]
Method The vectors for the attempted phishing operation were two suspicious, similar SMS messages sent to Mansoor’s iPhone from an unknown sender.[11] Each contained a hyperlink that purportedly led to a webpage with new secret information about tortured detainees in UAE prisons.[12]

The link to the malicious webpage led to a chain of three zero-day exploits (named “Trident”) which remotely and stealthily defeated the phone’s security measures and allowed the download and installation of the spyware.[13] The chain first exploited a memory-corruption vulnerability in Safari’s WebKit engine to run code in the browser, then used a kernel information leak to locate the kernel in memory, and finally a kernel memory-corruption vulnerability to gain kernel privileges and silently jailbreak the device (CVE-2016-4657, CVE-2016-4655 and CVE-2016-4656 respectively, as later identified in Apple’s iOS 9.3.5 security notes). The spyware gave access to the microphone and video camera and actively recorded and gathered messages, calls and other data from targeted apps, including Gmail, WhatsApp, Skype, Facebook, FaceTime and Telegram, among others.[14] It also allowed the exfiltration of calendar, contact and password data from the device.[15] The monitoring and data collection ran in the background, while the victim remained unaware of any irregular activity.[16]

The collected information was allegedly transmitted to a data server through a “Pegasus Anonymizing Transmission Network”, which acted as a proxy chain using rented U.S. cloud servers[17] to hide the identity of the government operating the purchased surveillance software.[18]

The spyware disabled the phone’s automatic updates,[19] and used encryption to evade detection and maintain persistence.[20]
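As an added example (not part of the toolkit page and not Citizen Lab’s or NSO Group’s own code), the following Python script shows how the indicators described in this section can be turned into a first-pass triage of SMS lures like the ones Mansoor received: extract each link, reduce its host to a registered domain, match it against a watchlist of operator infrastructure, and flag unknown senders, lure wording and opaque per-target tokens in the URL path. The watchlist domains, sender numbers and message texts are constructed for illustration and do not reproduce the infrastructure from the Citizen Lab report.

```python
"""First-pass triage of SMS messages carrying links (added example; all data constructed)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical operator infrastructure (constructed names, not the domains from the
# Citizen Lab report). In practice this set is fed from published indicator lists.
WATCHLIST_DOMAINS = {"example-news-leak.com", "sms-updates.example.net"}

# Senders the device owner already knows (constructed).
KNOWN_SENDERS = {"Mom", "+000000000099"}

# Bait phrasing seen in one-click lures aimed at dissidents (constructed list).
LURE_KEYWORDS = ("secret", "detainee", "torture", "prison", "leaked", "urgent")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A long opaque alphanumeric final path segment, typical of per-target one-time links.
OPAQUE_TOKEN_RE = re.compile(r"/[A-Za-z0-9_-]{10,}/?$")


@dataclass
class Finding:
    sender: str
    url: str
    domain: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for the constructed samples.
    A production tool should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_message(sender: str, text: str) -> list:
    """Return one Finding per URL in the message, with every reason it looks suspicious."""
    findings = []
    lure = any(k in text.lower() for k in LURE_KEYWORDS)
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        finding = Finding(sender=sender, url=url, domain=registered_domain(host))
        if finding.domain in WATCHLIST_DOMAINS:
            finding.reasons.append("domain on operator watchlist")
        if sender not in KNOWN_SENDERS:
            finding.reasons.append("link from unknown sender")
        if lure:
            finding.reasons.append("lure language in message")
        if OPAQUE_TOKEN_RE.search(parsed.path):
            finding.reasons.append("opaque per-target token in path")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            finding.reasons.append("IP-literal host")
        findings.append(finding)
    return findings


def triage_inbox(messages) -> dict:
    """Triage every (sender, text) pair and group suspicious findings by registered
    domain, so repeated lures pointing at the same infrastructure stand out together."""
    by_domain = {}
    for sender, text in messages:
        for f in triage_message(sender, text):
            if f.suspicious:
                by_domain.setdefault(f.domain, []).append(f)
    return by_domain


# Constructed messages, modelled on the lure described in the text; not the real SMS.
SAMPLE_SMS = [
    ("+000000000001",
     "New secrets about torture of Emiratis in state prisons https://example-news-leak.com/a/9f3c2e7b1d4a"),
    ("+000000000002",
     "Leaked: detainees tortured in prisons, read more https://example-news-leak.com/a/9f3c2e7b1d4a"),
    ("Mom", "Dinner at 7? Recipe is https://www.example.org/recipes/pasta"),
]

if __name__ == "__main__":
    for domain, hits in triage_inbox(SAMPLE_SMS).items():
        print(f"{domain}: {len(hits)} suspicious message(s)")
        for hit in hits:
            print(f"  {hit.sender}: {hit.url}\n    reasons: {', '.join(hit.reasons)}")
```

Grouping by registered domain is the step that matters most here: two SMS from different numbers with slightly different wording collapse onto one piece of operator infrastructure, which is also how Citizen Lab was able to connect the link Mansoor received to a wider network of domains. The heuristics deliberately never fetch the URL; as the Result section describes, opening a one-click link should only ever be done on a dedicated, factory-reset test device.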

Purpose The spyware allowed sustained and silent surveillance of its targets, recording and collecting all types of information. The attempted operation against Mansoor was considered part of a “context of ongoing attacks on UAE dissidents”.[21]
Result Having already been the victim of various malicious cyber operations since 2011,[22] Mansoor did not click on the link but instead sent screenshots of the messages to Citizen Lab,[23] an interdisciplinary lab at the University of Toronto working at the “intersection of information and communication technologies, human rights, and global security”.[24]

Citizen Lab accessed the link by typing it manually into the browser of a factory-reset iPhone running the same iOS version (9.3.3) as Mansoor’s, and verified that it was still active. The link led to a chain of zero-day exploits that would have remotely installed the spyware on Mansoor’s phone and allowed the operator to spy on him digitally.[25] The operation would have given full access to the iPhone’s microphone and camera, recorded his personal data and tracked his movements through GPS.[26]

Aftermath Once Citizen Lab’s findings had been externally verified,[27] it notified Apple on 15 August 2016 and shared with the company all the information regarding the “exploits and payloads”.[28]

Ten days after receiving this information, Apple released an updated version of iOS (9.3.5) with security patches addressing the three vulnerabilities, blocking the Trident exploit chain.[29] Apple also released security updates for desktop Safari and Mac OS X on 1 September 2016.[30]

NSO Group’s Pegasus spyware appears to have been used many times in the years since, including through “zero-click” exploits that compromise a device without the victim having to click on any link.[31] More recent investigations, including a major 2021 investigation by The Washington Post and other media organisations together with Amnesty International and Forbidden Stories, reported the hacking of human rights activists, academics, journalists, politicians and businesspeople,[32] drawing on “a list of 50,000 numbers containing targeted individuals in over 50 countries”.[33]

Analysed in Scenario 11: Sale of surveillance tools in defiance of international sanctions

Collected by: Dominique Steinbrecher

  1. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 8; Paul Blake, How an Attempt to Hack a Top Human Rights Activist Exposed Unprecedented iPhone Vulnerabilities, ABC News (27 August 2016)
  2. Dave Lee, Who are the hackers who cracked the iPhone?, BBC (26 August 2016)
  3. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 9-10, 25.
  4. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 5
  5. Andrea Peterson, This malware sold to governments could help them spy on iPhones, researchers say, The Washington Post (25 August 2016); See also: Al Jazeera, US: Apple issues update after security flaws laid bare (26 August 2016); BBC, Apple tackles iPhone one-tap spyware flaws (26 August 2016)
  6. Dave Lee, Who are the hackers who cracked the iPhone?, BBC (26 August 2016).
  7. Paul Blake, How an Attempt to Hack a Top Human Rights Activist Exposed Unprecedented iPhone Vulnerabilities, ABC News (27 August 2016)
  8. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 25; Graham Pough, Ahmed Mansoor targeted by UAE government hacking, ADHRB (6 September 2016)
  9. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 8
  10. Lorenzo Franceschi-Bicchierai, The ‘Million Dollar Dissident’ Is a Magnet for Government Spyware, VICE (26 August 2016); Andrea Peterson, This malware sold to governments could help them spy on iPhones, researchers say, The Washington Post (25 August 2016)
  11. Graham Pough, Ahmed Mansoor targeted by UAE government hacking, ADHRB (6 September 2016)
  12. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 8-9
  13. See: Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 10-12; Paul Blake, How an Attempt to Hack a Top Human Rights Activist Exposed Unprecedented iPhone Vulnerabilities, ABC News (27 August 2016)
  14. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 13-14; Al Jazeera, US: Apple issues update after security flaws laid bare (26 August 2016)
  15. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 16-19
  16. Trend Micro, Apple Releases Patch After Discovery of Three Zero-Day Vulnerabilities (2 September 2016)
  17. Paul Blake, How an Attempt to Hack a Top Human Rights Activist Exposed Unprecedented iPhone Vulnerabilities, ABC News (27 August 2016)
  18. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 14
  19. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 17
  20. Lookout, Sophisticated, Persistent Mobile Attack Against High-Value Targets On IOS (25 August 2016)
  21. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 7
  22. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 8
  23. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 5
  24. Citizen Lab, “About”
  25. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 5
  26. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 5; Lookout, Targeted IOS Spyware: What You Need To Know To Protect Your Organization From Pegasus And Trident
  27. Trend Micro, Apple Releases Patch After Discovery of Three Zero-Day Vulnerabilities (2 September 2016)
  28. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 15-16
  29. Lorenzo Franceschi-Bicchierai, The ‘Million Dollar Dissident’ Is a Magnet for Government Spyware, VICE (26 August 2016); Al Jazeera, US: Apple issues update after security flaws laid bare (26 August 2016); Amit Chowdhry, Apple iOS 9.3.5 Is Now Available: Why It Is An Essential Update, Forbes (25 August 2016)
  30. Bill Marczak and John Scott-Railton, The Million Dollar Dissident. NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, The Citizen Lab (24 August 2016) 5
  31. TRT World, How NSO spyware became a favourite espionage tool for autocratic regimes (19 July 2021)
  32. Lookout, Targeted IOS Spyware: What You Need To Know To Protect Your Organization From Pegasus And Trident
  33. TRT World, How NSO spyware became a favourite espionage tool for autocratic regimes (19 July 2021)