Apple sues Israeli spyware firm NSO Group for surveillance of users

Apple has launched a lawsuit against NSO Group, the Israeli spyware company that was recently blacklisted by the Biden administration for acting “contrary to the foreign policy and national security interests of the US”.

The move marks a sharp turnaround for the technology giant, which previously downplayed the threat posed by the spyware, and underscores growing concern and frustration among technology companies about the proliferation of attacks against their customers.

In its complaint, Apple said that NSO’s signature spyware, called Pegasus, had been used to “attack a small number of Apple users worldwide with malicious malware and spyware”.

The Pegasus project, an investigation into NSO by the Guardian and other media outlets, coordinated by the French media group Forbidden Stories, has documented dozens of examples in which NSO’s spyware was used to attack users of Apple’s iPhone. In some cases, a vulnerability in the company’s iMessage feature, which could be penetrated by Pegasus, was used against journalists, human rights activists and other members of civil society.

“At Apple, we are always working to defend our users against even the most complex cyberattacks. The steps we’re taking today will send a clear message: in a free society, it is unacceptable to weaponise powerful state-sponsored spyware against those who seek to make the world a better place,” said Ivan Krstić, head of Apple security engineering and architecture.

He added: “Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”

Apple’s lawsuit is also seeking damages from NSO for its alleged “flagrant violations of US federal and state law, arising out of its efforts to target and attack Apple and its users”.

The lawsuit is significant because of Apple’s dominance in the global technology industry. It is also significant because the company has elected to target the maker of the spyware – NSO – and not the company’s government clients.

A spokesperson for NSO Group said: “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers.

“Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO Group will continue to advocate for the truth.”

The Israeli company has in the past sold its surveillance software to Saudi Arabia, Mexico, the United Arab Emirates and other countries with poor human rights records. The company has consistently defended its actions by claiming that its surveillance tools are meant to be used by its customers to investigate serious crimes and terrorism. It has also alleged that it has no information about how its tools are used against targets.

The development comes months after security researchers at Citizen Lab at the University of Toronto, who have closely tracked the targeting of dissidents and journalists with spyware, said they had discovered an exploit that they believe had been used to silently hack into iPhones and other devices since February 2021.

The discovery was made as the researchers were examining the mobile phone of a Saudi activist. It prompted Apple to release a patch to fix the vulnerability. The company has also insisted that the attacks were “only aimed at a very small number of users”.

At the time of the announcement, in September, the researchers said the speed with which Apple had fixed the issue underscored the “absolute seriousness” of their findings.

Apple is not the first US technology company to file a lawsuit against NSO. The Israeli company was sued by WhatsApp in 2019 after allegations by the messaging app that Pegasus was used to target 1,400 of its users, including about 100 individuals who were diplomats, government officials, journalists and activists. Many other technology companies expressed support for WhatsApp in legal briefs – including Microsoft, Google and Cisco – but Apple was noticeably absent in a legal filing in support of the company.

Apple’s decision to take action against NSO could reflect concerns that the company’s products were not seen as secure in the wake of revelations by the Pegasus project and research by Citizen Lab. The company also announced on Tuesday that it would donate $10m to organisations pursuing cyber-surveillance research and advocacy.

The news marked the latest in a string of negative developments for NSO. On Tuesday, Moody’s Investors Service announced that NSO was facing a growing risk of default on about $500m of debt following the Biden administration’s decision to blacklist the company. The credit rating firm cut the company’s rating by two notches to Caa2, or eight levels below investment grade.

“Those who follow the Citizen Lab’s research will understand just how consequential Apple’s actions are today,” said Ron Deibert, the head of Citizen Lab. “Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression while enriching themselves and their investors. They claim they are selling a carefully controlled ‘lawful interception’ tool, but in reality what they are providing is despotism-as-a-service.”