Beware of Zero-Click hacks: No way to stop them
Cutting-edge technology means even ‘the most skeptical, scrupulous targets can be spied on’
As a journalist working for the Arab news network Alaraby, Rania Dridi said she's taken precautions to avoid being targeted by hackers, keeping an eye out for suspicious messages and avoiding clicking on links or opening attachments from people she doesn't know. Dridi's phone got compromised anyway with what's called a “zero-click” attack, which allows a hacker to break into a phone or computer even if its user doesn't open a malicious link or attachment. Hackers instead exploit a series of security flaws in operating systems — such as Apple Inc.'s iOS or Google's Android — to breach a device without having to dupe their victim into taking any action. Once inside, they can install spyware capable of stealing data, listening in on calls and tracking the user's location.
With people more wary than ever about clicking on suspicious links in emails and text messages, zero-click hacks are being used more frequently by government agencies to spy on activists, journalists and others, according to more than a dozen surveillance company employees, security researchers and hackers interviewed by Bloomberg News.
Once the preserve of a few intelligence agencies, the technology needed for zero-click hacks is now being sold to governments by a small number of companies, the most prominent of which is Israel's NSO Group. Bloomberg News has learned that at least three other Israeli companies — Paragon, Candiru and Cognyte Software Ltd. — have developed zero-click hacking tools or offered them to clients, according to former employees and partners of those companies, demonstrating that the technology is becoming more widespread in the surveillance industry.
There are certain steps that a potential victim can take that might reduce the chances of a successful zero-click attack, including keeping a device updated. But some of the more effective methods — including uninstalling certain messaging apps that hackers can use as gateways to breach a device — aren't practical because people rely on them for communication, said Bill Marczak, a senior research fellow at Citizen Lab, a research group at the University of Toronto that focuses on abuses of surveillance technology.
Dridi, who is based in London, said the hack forced her to shut down some of her social media accounts and left her isolated and fearful for her safety.
“They ruined my life,” said Dridi, who suspects she was targeted because of her reporting on women's rights in the Arab world or her connection to other journalists who are high-profile critics of Middle Eastern governments. “I tried to just go back to normal. But after that I suffered from depression, and I didn't find any support.”
It's not known how many people have been targeted with zero-click hacks, because they are done in secret and the victims are often unaware.
Human rights groups have tied zero-click technology from NSO Group to attacks by governments on individuals or small groups of activists. A 2019 lawsuit filed by Facebook accused NSO Group of using a zero-click hacking method to implant spyware on the devices of 1,400 people who used its WhatsApp service. NSO Group has disputed the allegations. The attacks can be difficult for security experts to detect and pose new challenges for technology giants such as Apple and Google as they seek to plug the security holes that hackers exploit.
“With zero clicks, it's possible for a phone to be hacked and no traces left behind whatsoever,” Marczak said. “You can break into phones belonging to people who have good security awareness. The target is out of the loop. You don't have to convince them to do anything. It means even the most skeptical, scrupulous targets can be spied on.”
Sometimes a zero-click hack doesn't go as planned and leaves traces that investigators can use to identify that a device has been compromised. In Dridi's case, administrators at Alaraby noticed suspicious activity on their computer networks and followed a digital trail that led them to her phone, she said in an interview.
Attackers use zero-click hacks to gain access to a device and then can install spyware — such as NSO Group's Pegasus — to secretly monitor the user. Pegasus can covertly record emails, phone calls and text messages, track location and record video and audio using the phone's inbuilt camera and microphone.
Marczak and his colleagues at Citizen Lab analyzed Dridi's iPhone XS Max and found evidence that it had been infected at least six times between October 2019 and July 2020 with NSO Group's Pegasus. On two occasions in July 2020, Dridi's phone was targeted in zero-click attacks, Citizen Lab concluded in a report, which attributed the hacks to the United Arab Emirates government.
Dridi is now pursuing a lawsuit against the UAE government. Her solicitor, Ida Aduwa, said she will be seeking permission from a High Court judge in London in the next few weeks to proceed with the case. “We want an acknowledgement that this is something that states cannot get away with,” Aduwa said.
A representative for the UAE Embassy in Washington didn't respond to messages seeking comment.
Marczak, from Citizen Lab, said most of the documented cases of zero-click hacks have been traced back to NSO Group. The company began deploying the method more frequently around 2017, he said.
NSO Group, which was blacklisted by the U.S. in November for supplying spyware to governments that used it to maliciously target government officials, journalists, business people, activists and others to silence dissent, has said it sells its technology exclusively to governments and law enforcement agencies as a tool to track down terrorists and criminals.
“The cyber intelligence field continues to grow and is much bigger than the NSO Group,” a spokesperson for the company said in a statement to Bloomberg News. “Yet an increasing number of ‘experts' who claim to be ‘familiar' with NSO Group are making allegations that are contractually and technologically impossible, straining their credibility.” The spokesperson said that NSO Group has terminated customer relationships due to “human rights issues” and won't sell cyber intelligence products to approximately 90 countries. “The misuse of cyber intelligence tools is a serious matter,” the spokesperson said.
In December, security researchers at Google analyzed a zero-click exploit they said was developed by NSO Group, which could be used to break into an iPhone by sending someone a fake GIF image through iMessage. The researchers described the zero-click as “one of the most technically sophisticated exploits we've ever seen,” and added that it showed NSO Group sold spy tools that “rival those previously thought to be accessible to only a handful of nation states.”
“The attacker doesn't need to send phishing messages; the exploit just works silently in the background,” the Google researchers wrote.
While NSO Group has attracted the most media attention, several competing companies in Israel are offering similar tools to help governments spy on mobile phones. At least four other Israeli companies have obtained or developed zero-click hacking technology, according to employees of those companies, surveillance industry professionals and other media reports.
Tel Aviv-based Candiru, a surveillance company that employs more than 120 people, partnered with another Israeli firm, Cognyte, to offer governments zero-click spyware that can be installed on Android and iOS mobile devices, according to two former Candiru employees.
Paragon, a firm founded by former members of Israeli's Unit 8200 surveillance agency, has developed its own zero-click hacking technology that it has marketed to governments in Europe and North America as a means to gain access to encrypted messaging apps such as WhatsApp and Signal, according to two former Paragon employees.
A fourth Israeli company, QuaDream, also has the ability to compromise Apple iPhones using zero-click hacks, Reuters reported earlier this month.
Hila Vazan, a spokeswoman for Candiru, said the company hadn't developed or sold any zero-click hacking technology, though she acknowledged that Candiru had “explored a collaboration” with Cognyte to offer it to customers. The U.S. also blacklisted Candiru in November for supplying spyware to governments that used its technology maliciously.
Paragon declined to comment. Representatives for Cognyte and QuaDream didn't return messages seeking comment.
There is a thriving marketplace in which hackers and brokers sell the latest zero-click vulnerabilities direct to government agencies, sometimes for seven-figure sums, according to surveillance industry professionals.
One of the leading brokers is Zerodium, an “exploit acquisition platform” that offers to pay up to $2 million for a zero-click exploit that can break into the latest versions of Apple's iOS software, according to its website. Zerodium also offers up to $2.5 million for a zero-click that can be used to hack Android phones, and up to $1 million for a zero-click that can be used to compromise Microsoft's Windows computers.
Zerodium's website says it has worked with more than 1,500 security researchers and paid out more than $50 million in “bounties” — fees paid to security researchers who discover software security vulnerabilities that can be used to hack into computers or phones. Once Zerodium has acquired the latest zero-click exploits from security researchers, it then sells them to governments, mainly in Europe and North America, according to its website.
A representative for Zerodium didn't respond to requests for comment. The company was incorporated in Delaware in 2015, but it's not clear where its offices are currently located.
In an interview with Bloomberg, one Asia-based security researcher said he had made several million dollars selling a series of zero-click exploits that could be used to hack iOS, Android and BlackBerry phones, in addition to Windows computers. The researcher, who requested anonymity due to confidentiality agreements, said he had sold some of his zero-click exploits to Zerodium. He identified one European country whose government or law enforcement agencies hacked phones using an exploit he sold.
Other suppliers of zero-click exploits include Arity Business Inc., an operator based in Latvia and Estonia. Alex Prokopenko, an executive at Arity, said in an email that the company was founded in 2015 and works to identify a variety of software security vulnerabilities, including zero-clicks. Arity then sells the security vulnerabilities to government agencies and to companies that work with intelligence and law enforcement agencies so they can be used to hack Windows computers, in addition to iOS and Android phones, he said.
“Now exploits are much more popular with governments, intelligence and private military companies, since earlier this tool was not as accessible as it is now,” Prokopenko said. “The exploit is a digital weapon, and its use must be regulated.”
The spread of encryption technology, which protects the privacy of conversations sent through chat apps such as WhatsApp or Apple's iMessage, has made it harder for law enforcement and intelligence agencies to snoop on people's conversations, said Prokopenko. One of the only ways investigators can get access to encrypted communications is to hack into a device, he said.
“That is why there are all these companies popping up — because there's a market for it,” said Fionnbharr Davies, a security researcher who formerly worked for U.S. and Australia-based Azimuth Security, another company that he said develops zero-click exploits and sells them to governments. “It only costs a couple million dollars to hack any iPhone — that is so cheap from the perspective of a nation state.” A representative for Azimuth Security didn't return a message seeking comment.
Carine Kanimba's experience shows how difficult it can be to prevent a zero-click hack. For the last two years, she has been campaigning for the release of her father, Paul Rusesabagina, a critic of the Rwandan government who was “forcibly disappeared” in August 2020, according to Human Rights Watch. Last year, Rusesabagina, who was the subject of the movie “Hotel Rwanda,” was convicted of terrorism charges in a Rwandan court, a proceeding his supporters say was politically motivated.
Kanimba, a joint U.S.-Belgian citizen, said she knew there was a possibility that she might be under surveillance. In October 2020, her security advisers were so concerned that they destroyed her mobile phone. She purchased a new iPhone, but last spring, researchers at Amnesty International informed Kanimba that it had been breached in a zero-click hack and infected with NSO Group's Pegasus.
A forensic analysis of her device, reviewed by Bloomberg, found that an attacker had used iMessage to send malicious push notifications.
“I never saw any message,” Kanimba said. “The message arrives and disappears straight away, or it arrives and you cannot see it. So there are no clicks, no action from you. It just infects.”
A representative for the Rwandan government didn't respond to a message seeking comment.
Nedal Al-Salman, the acting president of the Bahrain Center for Human Rights, spoke of a similar experience. Al-Salman said that she and four of her colleagues were informed last year that their phones had been compromised, some of them in apparent zero-click attacks.
According to Al-Salman, two of her mobile phones — an iPhone 11 and a Samsung Galaxy Note — were hacked. Citizen Lab's Marczak said he had not forensically analyzed Al-Salman's devices, but said he had confirmed three of Al-Salman's colleagues had their phones infected with NSO Group's spyware.
Al-Salman said she and her colleagues have faced repression in Bahrain, where the government has cracked down on human rights and pro-democracy activism. Al-Salman said she has in the past been blocked from traveling outside of Bahrain, and other current and former members of the Bahrain Center for Human Rights have been jailed or forced to live in exile. According to a Citizen Lab report published last year, Bahrain's government has deployed NSO Group's spyware to target activists and opposition political figures.A representative for the Embassy of Bahrain in Washington didn't respond to a request for comment.
Everyone has personal information on their phones, Al-Salman said, whether it be messages that show arguments with a family member or videos of dancing with friends. But normally, she said, “it's only you who knows about it.”