As a journalist working for the Arab news network Alaraby, Rania Dridi said she had taken security measures to avoid being targeted by criminals, guarding suspicious messages and avoiding clicking links or opening attachments to strangers.
Dridi’s phone has been compromised however with so-called “zero clicks”, which allows the cyber hacker to hack a phone or computer even if its user does not open a malicious link or email attachment. Instead, criminals exploit a series of security defects in operating systems – such as Apple Inc.’s iOS or Google’s Android – to break the device without fooling their victim into taking any action. Once inside, they can install spyware that can steal data, listen to calls and track user location.
As people are more cautious than ever by clicking on suspicious links in emails and messages, zero click hacks are widely used by government agencies to spy on activists, journalists and others, according to more than a dozen security company staff, security researchers. nabaduni.
After the conservation of a number of intelligence agencies, the technology required to click zero is now being sold to governments by a number of companies, the most prominent being the Israeli NSO Group. Bloomberg News has found that at least three other Israeli companies – Paragon, Candiru and Cognyte Software Ltd. – create hacking tools by clicking zero or handing them over to customers, according to former employees and partners of those companies, indicating that the technology is starting. is very prevalent in the security industry.
There are certain steps a victim can take that may reduce the chances of a successful attack by clicking the egg, which includes keeping the device updated. But some of the most effective methods – including removing certain messaging apps that hackers can use as a hacking device – do not work because people rely on them to communicate, says Bill Marczak, a senior researcher at Citizen Lab, in the study. a group at the University of Toronto focusing on the exploitation of surveillance technology.
Dridi, who is based in London, said the robbery forced him to close some of his social media accounts and left him alone and feared for his safety.
“They ruined my life,” said Dridi, who suspects that she was targeted because of her reporting on women’s rights in Arab countries or her interactions with other critical journalists critical of Middle Eastern governments. “I have tried to get back to normal. But then I got depressed, and I didn’t even get support. ”
It is unknown at this time what he will do after leaving the post. Human rights organizations have imposed zero-click technology from the NSO Group on government attacks on individuals or small groups of activists. A 2019 lawsuit filed by NSO Group accused NSO Group of using a hacking method of clicking zero to install spyware on 1,400 people using its WhatsApp service. The NSO Group has denied the allegations. These attacks can be difficult for security experts to detect and cause technological threats such as Apple and Google to challenge as they try to close the security holes exploited by cyber criminals.
“With a random click, it is possible that the phone was hacked and there was no trace left behind,” Marczak said. “You can break into the phones of people who have a good knowledge of security. Target exited loop. You do not have to convince them to do anything. It means that even the most skeptical and clever intentions can be ignored. ”
Sometimes a hack-click hack that does not go as planned and leaves trackers that investigators can use to identify that the device has been compromised. In Dridi’s case, Alaraby executives detected suspicious objects on their computer networks and followed the digital trail that led to his phone call, he said in an interview. Attackers use hacks by clicking zero to gain access to the device and can spy on them – like NSO Group’s Pegasus – to secretly monitor the user. Pegasus can secretly record emails, calls and messages, track location and record video and audio using a built-in camera and microphone. Marczak and his colleagues at Citizen Lab analyzed Dridi’s iPhone XS Max and found evidence that he was infected at least six times between October 2019 and July 2020 through NSO Group’s Pegasus. On two occasions in July 2020, Dridi’s call was directed at the zero-click attack, the Citizen Lab concluded in a report, which said the robbery was caused by the United Arab Emirates government. Dridi is now pursuing a lawsuit against the UAE government. His lawyer, Ida Aduwa, said he would ask permission from a London High Court judge in the next few weeks to proceed with the case. “We want to make it clear that this is something that cannot be avoided,” Aduwa said.
The representative of the UAE Ambassador to Washington did not respond to messages seeking comment.
Marczak, from Citizen Lab, said most of the zero-digit fraud cases have been traced back to the NSO Group. The company started using this method several times in 2017, he said.
The NSO Group, which was listed as a US ban in November for providing spyware to governments that used it to brutally target government officials, journalists, businessmen, activists and others to silence disagreements, said it was selling its technology to governments and law enforcement agencies as a tool to track terrorists and criminals.
“The online intelligence platform continues to grow and is much larger than the NSO Group,” a company spokesman said in a statement. “However, an increasing number of ‘experts’ who claim to be ‘familiar’ with the NSO Group are making substantial contractual and technical allegations, making their integrity difficult.” A spokesman said the NSO Group had terminated customer relationships due to “human rights issues” and would not sell online intelligence products in nearly 90 countries. “The misuse of cyber intelligence tools is a serious matter,” a spokesman said.
In December, Google security analysts analyzed zero-click action that they say was created by the NSO Group, which could be used to hack an iPhone by sending someone a fake GIF image via iMessage. The researchers described the click to zero as “one of the most complex operations we have ever seen,” and added that it showed that the NSO Group had sold test kits “contrary to those previously thought to be accessible to several regions of the country.”
“An attacker does not need to send criminal messages to steal sensitive information; exploitation works silently in the background, ”writes Google researchers.
Although the NSO Group has attracted a lot of media attention, several competing companies in Israel are offering similar tools to help governments spy on cell phones. At least four other Israeli companies have acquired or developed zero-click fraud technology, according to the company’s employees, security experts and other media reports. Candiru in Tel Aviv, a security company that employs more than 120 people, has partnered with another Israeli company, Cognyte, to provide governments with a zero-click spy that can be installed on Android and iOS mobile devices, according to two staff members. former Candiru.
Paragon, a company founded by former members of the Israeli intelligence unit Unit 8200, has launched its zero-click marketing technology to market governments in Europe and North America as a way to gain access to encrypted messaging apps like WhatsApp and Signal. , according to two former Paragon employees. A fourth Israeli company, QuaDream, also has the ability to hack Apple iPhones using hacks with a click of zero, Reuters reported earlier this month.
Hila Vazan, a spokeswoman for Candiru, said the company had not yet developed or sold any fraudulent technology by clicking zero, although it acknowledged that Candiru had “tested a partnership” with Cognyte to provide customers. The U.S. re-listed Candiru in November for providing spyware to governments that use its technology harshly.
Paragon declined to comment. Representatives of Cognyte and QuaDream also did not return messages seeking comment.
There is a thriving market where hackers and consumers are selling the latest risk of zero clicks directly to government agencies, sometimes for a total of seven times, according to security industry experts.
One of the leading buyers is Zerodium, an “exploitation platform” that offers up to $ 2 million in zero-click exploits that can get into the latest versions of Apple’s software, according to its website. Zerodium also offers up to $ 2.5 million for zero clicks that can be used to hack Android phones, and up to $ 1 million for zero clicks that can be used to damage Microsoft Windows computers.
The Zerodium website claims to have worked with more than 1,500 security researchers and paid more than $ 50 million in “bounties” – fees paid to security researchers who discovered security risks of software that could be used to hijack computers or phones. Once Zerodium has acquired the latest zero-click jobs for security researchers, it has sold it to governments, particularly in Europe and North America, according to its website.
Zerodium representative did not respond to requests for comment. The company was set up in Delaware in 2015, but it is unclear where its offices are currently located.
An Asian-based security researcher has reported making millions of dollars by selling a series of zero-click actions that can be used to hack iOS, Android, and BlackBerry phones, in addition to Windows computers. The researcher, who asked for his name to be withheld due to confidentiality agreements, said he had sold Zerodium to some of his zero-click services. He has exposed one European country whose government or law enforcement agencies break into their phones and use their products.
Other providers of egg-laying services include Arity Business Inc., a operator based in Latvia and Estonia. Alex Prokopenko, chief executive of Arity, said in an email the company was founded in 2015 and is working to identify various software security risks, including zero clicks. Arity then traded security threats at government agencies and intelligence agencies and law enforcement agencies to be used to hack Windows computers, in addition to iOS and Android phones, he said.
Prokopenko declined to name any customers but said Arity has sold its operations in countries including Ireland, Italy, Spain, Poland, Ukraine, Israel, UAE, Turkey, India and Singapore. Most of the company’s sales, he added, were between $ 200,000 and $ 600,000.
“Exploitation is now very popular among governments, intelligence companies and the private sector, from the very beginning the tool was not as accessible as it is now,” Prokopenko said. “Exploitation is a digital weapon, and its use must be controlled.”
The proliferation of encryption technology, which protects the privacy of chats sent via chat apps such as WhatsApp or Apple’s iMessage, has made it difficult for law enforcement and intelligence agencies to intercept people’s conversations, Prokopenko said. One of the only ways investigators could gain access to the hacked communications was to steal the device, he said.
“That’s why all these companies are emerging – because there is a market,” said Fionnbharr Davies, a security researcher who worked for Azimuth Security in the US and Australia, another company that said it was developing zero-clicks as well. sells them to governments. “It costs a few million dollars to hack any iPhone – the cheapest from a world standpoint.” Azimuth Security representative did not return the message for comment.
Carine Kanimba’s experience shows how difficult it can be to prevent a robbery with a zero click. Two years ago he was campaigning for the release of his father, Paul Rusesabagina, a Rwandan government critic who “disappeared forcibly” in August 2020, according to Human Rights Watch. Last year, Rusesabagina, who made headlines in the film “Hotel Rwanda,” was convicted of terrorism in a Rwandan court, a process that his supporters said was politically motivated.
Kanimba, a U.S.-Belgian citizen, said he knew he might be under surveillance. In October 2020, his security advisers became so concerned that he vandalized his cell phone. He bought a new iPhone, but last spring, Amnesty International researchers told Kanimba that it had been broken into a zero-click robbery and taken over by the NSO Group’s Pegasus.
An analysis of his device, which was reviewed by Bloomberg, found that the attacker had used iMessage to send malicious alerts.
“I have never seen any message,” Kanimba said. “The message disappears immediately, or you don’t see it. So no clicks, no action from you. It’s just contagious. ”
The Rwandan government representative did not respond to a call for comment.
Nedal Al-Salman, acting vice president of the Bahrain Center for Human Rights, spoke of a similar experience. Al-Salman said he and four colleagues were reported last year that their phones had been compromised, some of them with what appeared to be zero-click attacks.
According to Al-Salman, two of his cell phones – the iPhone 11 and the Samsung Galaxy Note – were hacked. Marczak of Citizen Lab said he had not yet officially reviewed Al-Salman’s equipment, but said he had confirmed that three of Al-Salman’s colleagues had their phones with NSO Group spyware.
Al-Salman said he and his colleagues had experienced repression in Bahrain, where the government had violated human rights and democracy. Al-Salman said he had previously been barred from traveling outside Bahrain, and other current and former members of the Bahrain Center for Human Rights had been arrested or forced to live in exile. According to a Citizen Lab report published last year, the Bahraini government has sent a spy to the NSO Group to target activists and opposition political figures. A representative of the Bahraini Ambassador to Washington did not respond to a request for comment.
Everyone has personal information on their phones, says Al-Salman, whether it’s messages that conflict with a family member or dance videos with friends. But generally, he said, “only you know about it.”