Pegasus Spyware Found on U.S. State Department iPhones


On December 3rd, Christopher Bing and Joseph Menn at Reuters disclosed that iPhones of numerous U.S. State Department employees were hacked by an unknown assailant using Pegasus spyware developed by the Israel-based NSO Group.

While it may be easy to dismiss this as a geopolitical or nation-state incident, it would not be wise to follow that path. At Zimperium, we see attacks like this every single day, in every industry, and across every continent. This is in the news because it is a United States agency and because of the geopolitical intrigue surrounding Pegasus, but it should be treated as a wake-up call rather than an isolated attack.

Before I explain why, I would like to remind everyone that we have been detecting and stopping attacks like Pegasus for over ten years. We have a large body of work to support my following comments. I am sorry to be the bearer of bad news, but you cannot protect your organization if you believe either of these two misguided thoughts:

  1. We are not the U.S. State Department or other geopolitical organizations, so we don’t have to worry about being attacked.
  2. Even if not perfect, there are gates to prevent Pegasus from being widely used, so we don’t have to worry about being attacked.

In case you are wondering, I did purposely repeat the same conclusion, “so we don’t have to worry about being attacked,” in both. It was not a typo.

Let’s take the two thoughts in order.

We are not the State Department.

Make no mistake; the mobile threat is very real. Even the most sophisticated organizations are successfully attacked on mobile devices. If the U.S. State Department can be compromised, any organization can be.

As I mentioned before, we have visibility into businesses and agencies worldwide, so I can tell you with complete confidence that attacks are occurring regardless of size or industry. We hosted a customer panel with JPMC, TikTok, Danaher, and Medtronic at the recent Gartner Security & Risk Summit (stay tuned for a post on the key takeaways from our CEO, Shridhar Mittal, later this week). Every customer reiterated that mobile attacks are real and increasing. Then we had our customer advisory meeting and the attendees stated the same thing.

What do all of these organizations have in common? Other than the obvious of being Zimperium customers, the real point is this: they all have visibility into the threats. In other words, every organization that has turned on the lights has proven that their devices are under attack (though not successfully in our customers’ cases, since we detected and stopped the attacks). Said differently, it is not just the State Department.

Pegasus is not widely available

Pegasus gets a lot of attention, but its capabilities after compromise are not that unique. Anyone that thinks they’re not susceptible to this type of attack because Pegasus is difficult to attain and use is sorely mistaken. After all, an unidentified attacker could use it to target U.S. diplomats.

But personally, I think this is a more critical point: similar spyware already exists, and it can even be cobbled together with off-the-shelf code. PhoneSpy, spyware disclosed just last month by the Zimperium zLabs mobile threat research team, is just the latest example. What can Pegasus do? Pretty much everything from accessing contacts to recording conversations, from stealing photos and emails to sending and deleting texts.

What can freely available spyware like PhoneSpy do? The exact same things.

What now?

You are likely not the State Department, but that doesn’t matter. Unless you are different from all of our thousands of customers, you are under attack.

You may not have Pegasus on your devices, but do you know for sure? And do you know for sure if freely available spyware like PhoneSpy is not on your devices?

The bottom line is that organizations like yours need visibility and protection against all forms of mobile attacks. If you’re not thinking about it yet, I strongly suggest you do.

If you would like a free mobile risk assessment or just to learn more, contact us. We are here to help turn on the lights and protect your mobile devices.

Zimperium continues to urge all users to update their Apple devices to the latest versions. The minimum OEM protections against Pegasus from Apple are provided in iOS 14.8, iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, and a security update for macOS Catalina to address the vulnerability (CVE-2021-30860).

Pegasus vs. Zimperium

Zimperium zIPS customers are protected against Pegasus with our zero-day, on-device z9 Mobile Threat Defense machine learning engine.

The Zimperium zLabs team has conducted an in-depth technical analysis of the leaked data, showing the zIPS mobile threat defense solution detects and protects mobile customers from the exploitation of the device without any updates. Part of the leaked data revealed there were over 1,400 domains as indicators of compromise, and the Zimperium zIPS anti-phishing detection solution will prevent access to these domains if visited or used by a compromised application.

This attack would be reported as a critical “Pegasus Spyware” event within zIPS and zConsole. To ensure your iOS users are protected from Pegasus spyware, we recommend a quick risk assessment. Inside zConsole, admins can review which apps are side-loaded onto the device that could be increasing the attack surface and leaving data and users at risk.

About Zimperium

Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against device, network, phishing, and malicious app attacks. For more information or to schedule a demo, contact us today.