It wasn’t until a month after the Hacking Team data breach, in fact, that Zerodium, a company whose CEO founded Vupen, announced its $1 million bounty for the mother of all commercial hacking tools: a remote jailbreak.
Days after the Zerodium bounty was claimed, Marczak received a message from Rori Donaghy, a London-based writer on human rights issues in the Middle East, who had published articles criticizing the government of the United Arab Emirates for a website called Eye of the Middle East. Donaghy had received an invitation to participate in a panel discussion from a group he had never heard of, “The Right to Fight”. He thought a link included in the email looked suspicious. Marczak discovered that clicking on it took the user to a Microsoft Word document that contained only a logo and a description of the fake “Right to Fight” group, while secretly installing spyware on the user’s computer. He checked with other dissidents in the Persian Gulf and found that many had received the same strange email and had already clicked on the link. As Citizen Lab often did, Marczak gave this unknown attacker a code name: Stealth Falcon.
Once Marczak identified the server that sent the email, he “fingerprinted” it and began searching the Internet for other machines with the same fingerprint. There were hundreds of them. Each had a domain name. Most were registered with a “privacy protection” service, meaning Marczak could not find out who registered the domains. But about 10 were not. By checking the names and addresses of the entities that had registered the sites, he realized that the information was all false. He therefore checked whether these fictitious users had created other sites.
One had. That registrant had created three domain names, all masquerading as a popular Arab news and gossip website. Digging deeper, he found that each was associated with something called “SMSer.net”. When he searched the Internet for servers with “SMS” in their domain names, he found around 120, almost all associated with mobile phone companies in developing countries such as Mexico and Mozambique. Then Marczak checked who had registered these domain names. Most of the postal addresses associated with the domain names were apparently located in Israel.
“That’s when I thought, Hmm, I wonder if it’s NSO,” he recalls.
NSO Group was a six-year-old Israeli spyware company so secretive that it didn’t even have a corporate website. Marczak was aware of a single entry on an Israel Defense Ministry website in which the company claimed to have developed cutting-edge spyware. Looking further back, he was surprised to find that two years earlier the company had sold a controlling stake to Francisco Partners, a San Francisco-based private investment firm, for $120 million.
Although he strongly suspected that NSO software was used in the Stealth Falcon attacks, Marczak could not prove it. Whoever it was, he realized, knew what they were doing. By the time Marczak finished tracking Stealth Falcon the following spring, he had discovered that the campaign ran from 67 different servers and had persuaded more than 400 people to click on its links and load spyware onto their devices. He also discovered that 24 UAE citizens had been targeted by the same spyware in messages sent via Twitter. Three were arrested soon after. Another was convicted in absentia of insulting UAE leaders. His Citizen Lab report, released last May, detailed the Stealth Falcon attacks and suggested the UAE was behind them, but did not name NSO.
For Marczak, this was unfinished business.
The email Marczak received one night last August in Berkeley came from the UAE dissident Ahmed Mansoor, who remained under constant harassment from his government. Mansoor had been jailed and beaten in the street, then his passport was confiscated. Someone stole his car. His bank account was emptied of $140,000, all while he fought off several attempts by the UAE government to hack his computers and phones.
What excited Marczak so much was a URL he spotted at the bottom of a text message Mansoor had forwarded: “sms.webadv.co”. He remembered it as one of the hundreds of servers he had linked to NSO: this, it seemed, was the proof he needed to pin the Stealth Falcon campaign on the Israeli company. In his living room, Marczak wrote a program that allowed his laptop to impersonate a cell phone, the kind of device Mansoor would have used. In doing so, he hoped to probe the spyware server, wherever it was, without infecting his own computer. The Hacking Team tools published by Phineas Fisher only worked on older versions of Android phones; if contacted by a more recent version, the server returned a harmless “decoy” page. Marczak assumed this program would behave the same way.
It did not. When Marczak clicked on the link in Mansoor’s message, his Safari browser suddenly opened and then immediately closed. Monitoring what was going on in the background, he could see what appeared to be the first stage of a spyware program being downloaded to his laptop. Before it could do any damage, he cut the connection.
But he had seen enough. To impersonate Mansoor, Marczak had used the penultimate version of Apple’s operating system, iOS 9.3.3. NSO’s spyware, if that’s what it was, could clearly infiltrate it via Safari. And because the latest version of iOS, 9.3.4, had made no changes to Safari, Marczak realized that the spyware had to be using an exploit never seen before: a zero-day.
“Wow,” he said out loud.
One of his Citizen Lab colleagues suggested that Marczak contact Seth Hardy, a former Citizen Lab analyst who worked at Lookout, a high-end security software provider specializing in mobile phones.
Lookout was founded in 2007 by three IT security specialists from the University of Southern California: John Hering, Kevin Mahaffey, and James Burgess. While tinkering with new technology, the three discovered a vulnerability in the Nokia 3610’s Bluetooth connection to wireless headsets, potentially giving unauthorized access to millions of mobile devices. They informed Nokia, but the company would not take the issue seriously because it believed Bluetooth communication was limited to a range of 9 meters.
To prove their point, the three hackers built a “BlueSniper rifle” – a piece of hardware that allowed them to extend Bluetooth’s range to over a mile – and took it to the 2005 Oscars, where they easily collected data from dozens of celebrities’ phones. Nokia was finally persuaded to fix the problem.
Seth Hardy took the call shortly after sunrise. “He told us that this suspicious link compromised an iPhone with one click, suggesting that someone had weaponized a zero-day exploit,” recalls Hardy. “I mean, it’s incredibly rare. It looked like it was huge.”
Hardy thought of Max Bazaliy, a 29-year-old doctoral candidate at Kyiv Polytechnic. Bazaliy was the only person at Lookout who had actually created a jailbreak, albeit a “public” jailbreak that required a cable connection to the device. He and Andrew Blaich frowned as they scrolled through the code, nearly 1,400 multicolored lines in seemingly random order, tossed like a salad. “It’s clearly a really bad thing, but we had no idea what it was,” recalls Mike Murray, the chief engineer. “So we said, ‘Let’s guess the worst-case scenario and see if that’s it.’ The worst-case scenario is a remote jailbreak.”
Many spyware programs are built in three stages. The first stage infiltrates the user’s device. The second stage prepares the device for surveillance; when finished, it contacts a server to deliver the actual spyware package. The third stage is the delivery and configuration of the spyware itself. Because it had taken control of Marczak’s Safari browser, Lookout’s analysts were convinced that Marczak’s code was the first stage of spyware using a zero-day. “A Safari exploit is huge,” says Murray. “If you have this, you can access any Apple device in the world.”
The code Marczak discovered was “obfuscated”, that is, deliberately scrambled so thoroughly that it could not be read as written. It took Blaich and Bazaliy several hours to identify the components of the hidden program and line them up in order. After that, they looked for a way to find the second stage of the program. Unfortunately, Marczak had cut his connection before stage 2 could download. Worse, the link he clicked was a “one-time” link, the digital equivalent of a “Mission: Impossible” message that self-destructs after a single playback.
But Bazaliy and Blaich thought they could locate it if they could find the server the spyware came from. Already, they could see a series of URLs in the code of the first stage. Once they identified which one was likely the original server, they found that it could only be contacted from a computer in the Middle East. Bazaliy got to work building a VPN (Virtual Private Network) tunnel, commonly used software that hides a device’s true location, routing his way to the server through a series of foreign countries before finding an exit point he could use in the UAE. From each of the URLs, the team was able to identify pieces of code that they believed to be the second stage.
There was only one catch: “It looks like a jailbreak, but it’s encrypted, which is a problem,” Bazaliy recalls. “We had no idea what algorithm it was using for decryption.”