European officials reportedly targeted by NSO spyware

Pegasus software maker faces mounting lawsuits, investigations in the US and EU

Someone at least tried to use NSO Group's surveillance software to spy on European Commission officials last year, according to a Reuters report. 

European Justice Commissioner Didier Reynders and at least four commission staffers were targeted, according to the news outlet, citing two EU officials and documentation. 

The European Commission did not immediately respond to The Register's request for comment.

NSO is the Israeli cyber-surveillance firm that developed the infamous Pegasus software that, once in an infected phone or other device, can extract data and carry out other espionage. It can be installed on a victim's gadget without any user interaction: typically, they have to just receive a booby-trapped message. And once it's deployed, the NSO customer controlling that instance of Pegasus has access to everything on the victim's handheld, including text messages, phone calls, emails, passwords, and photos.  

In November Apple sent security alerts to iPhone owners whose devices may have been compromised by state-sponsored spyware.

Reuters said the European Commission "became aware of the targeting" of its people following Apple raising that alarm. The news agency also said it reviewed an email originating from a "senior tech staffer" who warned Euro officials: "Given the nature of your responsibilities, you are a potential target."

Reuters said it couldn't determine who planted the spyware, what they were looking for, or if the attempts were successful. It's unclear to us if the European officials were actually targeted by Pegasus or simply on alert after Apple issued its warning about state-backed malware. Reuters is adamant Reynders and at least four other commission staffers were menaced by NSO spyware, according to its sources.

NSO didn't respond to The Register's inquiries. But it sent a statement to Reuters saying that it wasn't responsible, and that targeting EU commissioners and staffers "could not have happened with NSO's tools."

Also last November Apple sued NSO Group for targeting Apple users with an exploit called ForcedEntry. It abused a now-patched vulnerability to hijack Apple devices and install Pegasus. According to Apple, the spyware was used to monitor "a small number of Apple users worldwide."

Shortly after that, the US government barred NSO for providing spyware to foreign governments that "used these tools to maliciously target" government officials, journalists, businesses, embassy workers, activists, and academics.

Despite Uncle Sam's crackdown, the FBI admitted to testing Pegasus for potential use in criminal investigations. 

Facebook parent company Meta has also sued NSO, alleging that the spyware illegally targeted WhatsApp users.

Meanwhile, as lawsuits and political pressure mount against NSO in the US, the European Parliament is moving ahead with its own probe into the use of Pegasus surveillance software.

EU lawmaker Sophie in 't Veld, who lobbied for the committee investigation, told Reuters that she wasn't aware that the spyware had targeted Reynders and other commission officials.

"We really have to get to the bottom of this," she said. ®
