The Guardian recently dropped the first stories of an investigation it has been conducting alongside other organisations into a form of spyware produced by the NSO Group.
When a story like this appears, GRCI Law’s clients often ask us to provide a short overview of what has happened and to put it into the context of the client’s operations. So, in this blog, we have picked out the key points, considered what this might mean for SMEs, and drawn up advice on cyber security best practice.
What is NSO and Pegasus?
The most recent series of revelations relate to an Israeli technology firm called NSO. Stories about NSO products have been popping up here and there in the news for several years. The organisation provides spyware to governments and security organisations in countries around the world.
The software, known as Pegasus, allows the user to access the device of an individual they are targeting and do a number of pretty nifty things. These include tracking locations, downloading information from the device and activating microphones and cameras without the target being aware that anything is amiss.
The tool is promoted for its use in the fight against organised crime and terrorism. Clearly, if a group is planning mass murder, it’s a good idea to track their activities.
Unfortunately, software that works for counterterrorism is also fantastic for tracking legitimate opponents of your regime and journalists trying to hold you to account.
NSO has said that it will “investigate all credible claims of misuse and take appropriate action based on the results of these investigations”.
However, given that NSO “does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers”, it’s unlikely they’ll prove any misuse.
What makes this affair interesting for security enthusiasts is that Pegasus can be installed on a target’s device using a zero-click attack. Most malware requires the person being targeted to take action for it to be downloaded onto the device – e.g. clicking on a link in a phishing email.
A zero-click attack is one where this positive action by the target isn’t required. A common way this could happen is by embedding Pegasus into a WhatsApp voice call.
This allows the spyware to be transferred to the target device by simply phoning the user via WhatsApp, even if the target doesn’t answer the call. Similar zero-click exploits have been identified in iMessage and several mobile email applications.
The upshot of this is that no amount of awareness raising and best practice around phishing will stop this spyware getting into the target’s device if they are using vulnerable applications.
What does it mean for SMEs?
Current evidence suggests that Pegasus is only being used by state actors. As such, if your organisation isn’t directly involved in political activism or journalism, it’s unlikely that you will be impacted by this.
For organisations involved in these areas, there is support available from the National Cyber Security Centre on how to conduct activities securely.
More broadly, reports of zero-click attacks highlight the need to reconsider your information security risk assessment to account for what could be an emerging trend. Criminal hackers could use the technique for a range of purposes, including:
- Accessing intellectual property;
- Theft of customer financial data;
- Deleting records; and
- Downloading ransomware.
These are all things organisations have needed to defend against for years. The emphasis has often been on raising staff awareness and encouraging them to see information security as a central part of their roles.
Although this is still extremely important, senior leadership also need to be aware of where technology comes into risk management.
What good cyber hygiene should we be doing?
As the capabilities of criminals improve, senior decision-makers need to be aware of the threat landscape and be supported by experts to make informed decisions.
The following are actions that organisations may want to consider when managing the risk of zero-click attacks:
- Ensure updates for software are installed on all devices as soon as possible
- Move away from using applications that have been identified as vulnerable to zero-click attacks. As this story continues to develop, applications should be reviewed by IT security
- Access emails via a web browser rather than an email app
- Insist staff deactivate Wi-Fi and Bluetooth on their devices when they aren’t required. Note: A good incentive for getting staff to do this is that it will boost the battery life of their device (a spoonful of sugar and all that!)
- Continue to train staff in what they need to do in order to be secure. While zero-click attacks have captured the imagination this week, the most common attack vector continues to be phishing, a situation which is unlikely to change in the near future.
Keep getting the basics right
The NSO Pegasus story is one which continues to develop. It will be intriguing to see where it goes and what precedents arise around protection of political freedoms.
While this will not be the last time you hear the term ‘zero-click attack’, the risk to businesses from this form of breach remains low.
The key to staying on top of new threats as they develop is making sure there is a clear line of communication between security experts and senior decision-makers.
This ensures that they are presented with an informed explanation of the risk profile and actions such as those listed above to manage risks in the long term.