This article is more than 1 year old
NSO Group's Pegasus malware was used to spy on Dubai princess's lawyers during child custody dispute
Firm apparently terminated UAE's contract when it realised
Updated Cherie Blair tipped off a Jordanian princess that the royal's estranged husband, the Sheikh of Dubai, had deployed NSO Group's Pegasus malware against her and her lawyers, a series of explosive High Court judgments [PDFs] have revealed.
Set against a backdrop of kidnappings, espionage and a bitterly contested child custody case, the judgments shine fresh light on the abusive uses to which NSO Group's malware products are put by some of its customers.
Sheikh Mohammed bin Rashid al Maktoum, the absolute ruler of Dubai, was found to have ordered the deployment of one of the world's most potent malware strains against Princess Haya bint Hussein, his former wife and a member of the Jordanian royal family, during a bitter court battle over custody of their children.
The judgments, made public last night, also revealed that diligent infosec work carried out by Canada's Citizen Lab, an academic surveillance research organisation, had helped uncover the spying and alert its victims. The sheikh's agents targeted not only Princess Haya but also her UK legal team, her physical security detail and others in her entourage.
While Sheikh Al Maktoum denied wrongdoing in a statement to the BBC, the Court of Appeal was clear:
… the phones of the mother, her legal advisers and various associates were hacked through the use of Pegasus software and that this surveillance was carried out by the servants or agents of [Sheikh Al Maktoum] and with his express or implied authority.
NSO confirmed to the High Court that it had terminated its contract with the United Arab Emirates (of which Dubai is one of seven federal states) on 7 December 2020, costing it "tens of millions of dollars".
The court case is the tip of the iceberg: the sheikh kidnapped two of his daughters during the 2000s after they attempted to flee from his control, according to a 2020 UK family court judgment.
Princess Haya fled to the UK in 2019, filing for various non-molestation orders in the High Court as well as for custody of their children, forcing the sheikh to fight the case away from his home turf.
Pegasus is malware deployed against iPhones that is capable of silently recording and forwarding activity from a vast number of common social media apps, as well as voice calls, photos and videos. It is widely seen as one of the leading mobile malware threats deployed by state and near-state threat actors.
Spouse of former PM Tony Blair tipped off fellow lawyer
Sheikh Al Maktoum sought to blame "the states of Iran, Israel and Saudi Arabia" and even Jordan, Princess Haya's home country, for deploying Pegasus, as the president of the High Court's Family Division ruled in May.
According to the judgement, the first inkling any of Princess Haya's team had that Pegasus was being used to spy on them through their personal devices was when Martyn Day, founder of London human rights law firm Leigh Day, contacted the princess's lead barrister, Baroness Fiona Shackleton. Day told her that Citizen Lab's Dr William Marczak, whom he knew, had seen internet traffic suggesting Princess Haya's lawyers had been infiltrated using Pegasus.
Separately Cherie Blair, who is married to former UK prime minister Tony Blair and advisor to NSO Group, contacted Baroness Shackleton on the same day (5 August 2020) saying the same thing. Blair, it emerged, had been giving legal advice to NSO Group. She had been "invited to make contact with Baroness Shackleton by a senior official in NSO Group."
IP addresses flagged up
Citizen Lab's Marczak had been investigating Pegasus' operation through a UAE activist named only as Mr X. Through analysis of Mr X's phone he had obtained a list of IP addresses of NSO's command-and-control (C2) servers used to manage Pegasus.
...the way in which Mr X's phones were made to communicate with the suspicious domain names, by sending a sequence of "knocking" packets before it sent a request, rather than simply making contact, further suggested that covert surveillance was being undertaken.
Further analysis of internet traffic yielded, so the court was told, IP addresses of devices communicating with those C2 servers.
"This led Dr Marczak to spot the IP address of the firm of solicitors instructed in these proceedings by the mother… Payne Hicks Beach ('PHB'). An internet search of PHB led to news stories relating to the present proceedings involving the mother and the father," recounted the High Court's "hacking" judgment [PDF].
Verifying Marczak's findings to the court's satisfaction proved tricky. A British firm called in to examine the iPhones of Princess Haya and her lawyers said there was "no sign" of surveillance – only for it to throw in the towel when handed a copy of Marczak's witness statement detailing Pegasus' presence, partially shown by suspiciously named apps installed on the iPhones.
"IntaForensics were not to know the scale and character of the task for which they were being recruited and they command the court's respect, rather than criticism, for flagging up their inability to complete the instruction as soon as the situation became clear," commented the judge.
Professor Alastair Bereford, of the University of Cambridge's Department of Computer Science and Technology, was able to verify Marczak's findings after being given access to his methodology.
Sheikh Al Maktoum did not fully engage in the High Court's fact-finding process, instructing his lawyers to walk out of the courtroom. The High Court also refused to let his experts see raw data from the hacked iPhones, something he alleged was unfair to him.
- Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware
- Israeli authorities investigate NSO Group over Pegasus spyware abuse claims
- NSO Group 'will no longer be responding to inquiries' about misuse of its software
- That 'anti-NSO Pegasus spyware' download is actually a Trojan – so don't touch it
Those experts included Sygnia, Israel-based purveyor of "military grade cyber security" – and, legally, had not been instructed as experts for the court proceedings. As the Court of Appeal noted, the company is based outside the UK's jurisdiction and therefore its views "would remain confidential to the father and would not be disclosed to the mother or the court."
Put another way, Sygnia could have extracted more data for the sheikh to use against Princess Haya – or even tipped off NSO as to Marczak's precise attribution method, enabling the malware vendor to shut him out in future. Had Sheikh Al Maktoum formally instructed a UK-based expert witness, the underlying data would have been disclosed – but he didn't.
The hugely complicated case shows, from an infosec perspective, that surveillance malware is not only an abstract computer security challenge. It has the power, especially in the modern era, to cause life-changing effects.
The courts concluded that Princess Haya's children should live with her in the UK and not with Sheikh al Maktoum in Dubai. The full set of judgments can be read on the judiciary website.
Neither NSO Group nor Citizen Lab responded to requests for comment. ®
If you're worried your devices may have been targeted by or infected with NSO's Pegasus spyware, Amnesty has technical details on detecting a compromise here.
Updated to add at 15:27 UTC 7 October:
The Register asked whether the revelations contradicted previous statements from NSO that the company was unable to ascertain the targets of its malware.
A spokesperson from the company responded: "To be clear, there is no discrepancy, NSO does not operate the products itself; we license approved government agencies to do so, and we are not privy to the details of individuals monitored.
"When we become aware of accusations of alleged misuse by one of our clients, we undertake a full investigation with the cooperation of that client as part of their contractual obligations to us. If we determine misuse, we will act to resolve the issue and shut down the product's capabilities, as we have done in the past."