Russian Journalist's iPhone Compromised by NSO Group's Zero-Click Spyware

Cyber Security Threat Summary:
“The iPhone belonging to Galina Timchenko, a prominent Russian journalist and critic of the government, was compromised with NSO Group's Pegasus spyware, a new collaborative investigation from Access Now and the Citizen Lab has revealed. The infiltration is said to have happened on or around February 10, 2023. Timchenko is the executive editor and owner of Meduza, an independent news publication based in Latvia. It's currently not clear who deployed the malware on the device. The Washington Post reported that the Russian government is not a client of NSO Group, citing an unnamed person familiar with the company's operations. The development marks the first documented case where the notorious spyware has been planted on the phone of a Russian target. Pegasus, developed by the Israel-based NSO Group, is a powerful spying tool capable of harvesting sensitive information from infected handsets. It can be installed on a phone remotely without the victim clicking a link or taking other action, a technique known as a zero-click exploit. While Pegasus is ostensibly licensed to governments and law enforcement agencies to tackle serious crime, it has been repeatedly misused to eavesdrop on members of the civil society” (The Hacker News, 2023).

Security Officer Comments:
The discovery was made possible after Timchenko received a threat notification from Apple on June 23, 2023, warning that state-sponsored actors may have targeted her iPhone. Shortly after, Timchenko handed over her device to Access Now, which was able to confirm that the iPhone was infected with Pegasus spyware after carrying out a joint investigation with Citizen Lab. According to Citizen Lab, Timchenko’s iPhone was infected using a zero-click exploit, which researchers assess with moderate confidence was achieved via PWNYOURHOME, an exploit that combines iOS’s HomeKit and iMessage to bypass BlastDoor protections. PWNYOURHOME came to light in April 2023, after it was observed being used to infect members of Mexico’s civil society. It is unclear how long the actors had access to Timchenko’s device. However, Citizen Lab stated that the infection could have lasted from a few days to weeks after the initial exploitation.

Suggested Correction(s):
Zero-click attacks are difficult to defend against because they require no user interaction. In general, some best practices for mitigating such attacks include patching devices as soon as updates become available, using MFA when accessing various services, installing a VPN to mask traffic, encrypting sensitive data, and regularly scanning devices with anti-virus solutions.