3rd Party Risk Management , Cybercrime , Cyberwarfare / Nation-State Attacks
Apple Sues NSO for Product and Service AbuseUS Blacklist, Failed France Deal, Moody's Downgrade Also Add to NSO Woes
The NSO Group has become the target of a lawsuit filed by technology giant Apple, which has alleged that the spyware maker abused its products and services to carry out spying operations without the consent of the company or its users.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The news of the lawsuit comes on the heels of the U.S. Department of Commerce blacklisting the NSO Group, along with three other companies, as part of the "Biden-Harris Administration’s efforts to put human rights at the center of US foreign policy, including by working to stem the proliferation of digital tools used for repression" (see: US Commerce Department Blacklists Israeli Spyware Firms).
The company was also downgraded to a "negative outlook" rating by credit ratings agency Moody's.
The rating change "reflects the weakening liquidity profile with an increased risk of a breach of the maintenance covenant which might lead to an event of default if not cured or waived beforehand," says Moody's in a review published on Monday.
Citing the recently announced trading restrictions through blacklisting of the company in the U.S., this will possibly lead to a further revenue contraction in 2021 and beyond, Moody's says.
"The company has a relatively low share of recurring revenues and is, unlike many other software companies, highly dependent on new license sales which we believe can become increasingly difficult given the actions taken against NSO," it adds.
However, the only way for the NSO Group to reverse the tide and gain a positive rating is by "demonstrating a solid operating performance with significant new license sales while maintaining solid Moody's adjusted EBITDA-margins, positive free cash flow as well as compliance with all covenants under the debt documentation," suggests Moody's.
A positive rating action would require an adequate liquidity profile and a resolution of the recent trading restrictions placed on the company, the credit rating company added.
French Deal Fails
Additionally, the French government has reportedly pulled out of a deal with the NSO Group.
In July, accusations surfaced that NSO's flagship Pegasus spyware product was being used by an NSO customer to target President Emmanuel Macron of France (see: World Leaders Included on Alleged Spyware Targeting List). Around the same time, the French government was in the process of closing a deal with NSO Group for its services, according to the MIT Technology Review.
"The process fell apart after the accusations that French politicians potentially were among those targeted, and negotiations were broken off just a few days before the sale was set to take place," according to the report, which cites unnamed sources. However, both the French Ministry of Foreign Affairs and NSO Group denied France was in the process of purchasing NSO Group tools, it adds.
Timeline of Apple Events
Last week, the U.S. Court of Appeals for the Ninth Circuit rejected NSO Group's claim of immunity as a foreign sovereign, allowing a lawsuit brought by social media company Facebook to be pursued against the spyware company (see: NSO's Troubles Extend Beyond CEO-Designate Quitting). Taking a cue from this move, Apple has now sued the NSO Group and its parent company OSY Technologies "to curb the abuse of state-sponsored spyware," according to its press release.
"In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place," says Ivan Krstić, head of Apple security engineering and architecture. He adds: "Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group."
"This lawsuit by Apple appears to be particularly strong because the NSO Group not only hacked and spied on Apple users through exploits, but constantly abused the tech giant's various services and clouds," says John Scott-Railton, senior researcher at The Citizen Lab, which is an interdisciplinary lab in the University of Toronto's Munk School of Global Affairs and Public Policy in Canada.
Key detail from the @Apple v NSO lawsuit: the spyware company doesn't just hack *phone handsets*— John Scott-Railton (@jsrailton) November 23, 2021
Their core biz & exploitation activity includes constant flagrant abuse of services & clouds.
Like Apple's iCloud servers.
Side effect: makes Apple's lawsuit a lot stronger. pic.twitter.com/eZvYz4T3oi
Apple's allegations are based on the exploitation of the now patched vulnerability called FORCEDENTRY used by the NSO Group to implant its spyware. Apple, in its announcement, credits the finding of this exploit to researchers at The Citizen Lab.
The vulnerability, CVE-2021-30860, affects iOS versions before 14.8, macOS versions before Big Sur 11.6 and Catalina before security update 2021-005, and watchOS before version 7.6.2, noted Apple in its security update released at the time.
The exploit is particularly potent because it is a "zero-click" exploit that does not require any user interaction and is among the most valuable and powerful ways to compromise a device, note Citizen Lab researchers in a Citizen Lab report. The report adds that the vulnerability was being actively exploited in the wild.
Citing the blacklisting, the use of Forcedentry exploit against iPhone users and a recent incident where six Palestinian human rights activists - including one U.S. citizen - were targeted by the spyware, Apple decided to sue the NSO Group, according to Apple's statement .
Apple alleges that it is locked in a "continual arms race" with the NSO Group. It clarifies that it is constantly being pulled in recovery and prevention efforts against NSO's malware and exploits, which require significant resources and money. Despite not accounting for all the damages and services involved, the current amount spent on damage control is already in excess of $75,000, according to Apple.
With the above reasons, the technology giant says it is suing the NSO Group on the following counts:
- Violations of Computer Fraud and Abuse Act 18 U.S.C. § 1030(a): Apple alleges that the NSO Group violated this act by intentionally intruding protected private devices, operation system, Apple's servers and services such as iCloud without user(s), company's, or the judiciary's appropriate permission with an intent of fraud/spying.
- Violations of California Business and Professions Code § 17200: Leveraging this law, Apple has said that, as a result of NSO Group's "unlawful acts," the company has suffered and continues to suffer irreparable damages.
- Breach of Contract: Apple says that the NSO Group created and used more than 100 Apple IDs to infiltrate and plant the spyware and, in doing so, agreed to the iCloud Terms. However, these actions have breached at least five sections of the iCloud terms, notes Apple.
- Unjust Enrichment: Apple says that the NSO Group monetarily profited from the personal data they wrongfully obtained from Apple users' devices through the improper use of Apple's servers. "[This] is the central component of their lucrative Pegasus spyware sold to customers and deployed against journalists, activists, and dissidents around the globe," says Apple. Thus, retention of the personal data wrongfully obtained through the use of Apple’s servers and the profits they derived therefrom would be unjust, Apple says in its lawsuit.
To make up for the losses, the NSO Group needs to pay a compensation sum to be decided in the future trial, according to the lawsuit.
Apart from compensatory damages, Apple has demanded an injunction, restraining the NSO Group from using any of its products or services; from deploying its spyware or malware on its devices without the company's or users' consent; an accounting of profits from the alleged spying activities; and disgorgement of NSO Group's profits resulting from its alleged conduct.
NSO Seeks Intervention
In February 2019, NSO Group founders Omri Lavie and Shalev Hulio partnered with European private equity fund Novalpina Capital to purchase a majority stake in NSO. In doing so, they collectively took a loan of more than $500 million from two banks, whose term maturity is slated for March 2025, which Moody's confirms in its rating report.
Apart from this, NSO received a $30 million credit line with a fixed maturity date of March 2024 and a $14 million shareholder loan in the second quarter of 2020, the Moody's report adds.
However, citing the heavy sanctions on the NSO Group around the globe and especially from the U.S., the company is burning all its available cash flow and facing the burden of $500 million debt, reports local Israeli media agency Calcalist Tech.
Citing these issues, NSO CEO Shalev Hulio wrote a letter to Prime Minister Naftali Bennett in the first week of November, asking for intervention in reversing the sanctions imposed on NSO, according to news site Axios.