Share this page!

Bill Marczak Profile picture
Twitter logo
24 Oct, 4 tweets, 1 min read
New @citizenlab report "BREAKING THE NEWS", in which we show how New York Times journalist Ben Hubbard was hacked with Pegasus twice (July 2020 and June 2021), both after he complained to NSO about previous hacking attempts against him citizenlab.ca/2021/10/breaki…
We attribute the spyware to NSO Group with high confidence. NSO Group says that it couldn't have been them for "technical and contractual reasons," but it's quite likely they're wrong. We conclude it was their spyware with high confidence, as we show in our report.
Our confidence is bolstered by the fact that Hubbard's case has excellent evidence: he regularly took backups of his iPhones, so we can compare the before-and-after cases, and notice the telltale signs of Pegasus introduced onto (or deliberately cleaned up from) the phone.
This raises the question as to how effective NSO's "technical and contractual" safeguards actually are. If the safeguards were implemented in this case as NSO says, then they likely failed.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Bill Marczak

Bill Marczak Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @billmarczak

Bill Marczak Profile picture
13 Sep
Stop and UPDATE your iPhones to iOS 14.8 NOW!!! We @citizenlab recovered NSO Group's FORCEDENTRY zero-click exploit (CVE-2021-30860) from the phone of a Saudi activist, and shared w/ Apple, who released iOS 14.8 today with a fix. citizenlab.ca/2021/09/forced…
We found the exploit and shared w/ Apple last Tuesday (Sep 7), and they released a fix today (six days later), underscoring the urgency of the update.
The exploit is invisible to the target, but in our forensic analysis, we found 31 files with the ".gif" extension on a target's phone. Of course, they weren't GIFs at all! 27 of them were the same 748-byte Adobe PSD file, and four were PDFs.
Read 4 tweets
Bill Marczak Profile picture
18 Jul
THREAD with a couple of interesting bits from @AmnestyTech's new report on what they learned from looking for NSO Group's spyware on phones amnesty.org/en/latest/rese…
@AmnestyTech (1) @AmnestyTech saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at @citizenlab also saw 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.
It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain't solving.
Read 20 tweets
Bill Marczak Profile picture
18 Jul
BREAKING: Major new investigation from @FbdnStories into a leaked list of 50,000+ phone numbers that are said to have been looked up by NSO Group's customers, perhaps as a prelude to the customers hacking into the phones washingtonpost.com/investigations…
The leaked number lists show data going back to 2016, and are believed to come from a subset of NSO clients in 10 countries (Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the UAE).
.@FbdnStories worked with @AmnestyTech to investigate 67 phones on the leaked list, and discovered that 37 showed signs of hacking. We @citizenlab peer-reviewed the forensic methodology, and also examined four of the phones four of the phones: citizenlab.ca/2021/07/amnest…
Read 4 tweets
Bill Marczak Profile picture
15 Jul
NEW @citizenlab joint-report with @MsftSecIntel: "Hooking Candiru," in which we provide an interesting look into the global proliferation of spyware from Candiru: another big player that sells hacking tools to govts, including known surveillance abusers citizenlab.ca/2021/07/hookin…
Our analysis is based on a "patient zero", a Western European politically active individual. We extracted a copy of Candiru's spyware from their computer, after identifying that their computer was communicating with Candiru spyware servers. So how did we find our "patient zero"?
Well, first, @citizenlab found a 2017 OPSEC mistake by Candiru, where six of their supposedly "hidden" spyware servers accidentally returned a TLS certificate (seen here on @censysio) with "candirusecurity[.]com" (oops!!!) Image
Read 9 tweets
Bill Marczak Profile picture
20 Dec 20
🚨BIG @citizenlab report on an NSO Group hacking bonanza. In late 2019 and in July 2020, NSO Group clients appear to have used an invisible 0-click exploit in iMessage to break into the latest, up-to-date iPhones. Some of the first target were journalists citizenlab.ca/2020/12/the-gr…
At least 36 personal phones belonging to journalists, producers, executives, and presenters at Al Jazeera, and one journalist at Al Araby, were hacked in July by four operators, two of which we attribute to the UAE and Saudi. One journalist hacked was @AJArabic's @TamerMisshal.
Tamer's hard-hitting investigative programs have focused on possible UAE Gov linked financial corruption (), the Khashoggi killing (), and Bahrain's alleged hiring of Al Qaeda to kill opposition members ().
Read 5 tweets
Bill Marczak Profile picture
1 Dec 20
We've got a neat new @citizenlab report out, looking at NSO Group affiliate company Circles, the we-spy-without-hacking-your-phone guys, who reportedly exploit flaws in mobile phone networks themselves. We ID'd a bunch of likely customers! citizenlab.ca/2020/12/runnin…
The essence of the report is simple. The firewalls of Circles systems are configured using a management server with the domain name "tracksystem[.]info." Thanks to some leaked documents filed in a lawsuit in Israel, we can see that this domain name is used by Circles for email ImageImage
There's some dodgy customers, including spyware abuser UAE (apparently UAE Supreme Council for National Security, Sh. Tahnoon's Royal Group, and Dubai Police). The Royal group case is interesting, because there also seems to be a nexus with Mohammed Dahlan. Image
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @billmarczak has new unrolls!

Check out other threads from @billmarczak!

Read all threads by @billmarczak

:(