It was a normal day when Jay Gibson received an unexpected notification on his iPhone. “Apple has detected a targeted mercenary spyware attack against your iPhone,” the message read.
Ironically, Gibson worked for companies that developed exactly the kind of spyware that could trigger such an alert. Still, he was shocked to receive the notification on his own phone. He called his father, hung up, left his phone behind and went to buy a new one.
“I was panicking,” he told TechCrunch. “It was a mess. It was a huge mess.”
Gibson is just one of an ever-growing number of people receiving notices from companies like Apple, Google and WhatsApp, all of which send similar warnings about spyware attacks to their users. Technology companies are increasingly proactive in alerting their users when they are targeted by government hackers, particularly those using spyware made by companies such as Intellexa, NSO Group and Paragon Solutions.
But while Apple, Google and WhatsApp are alerting, they’re not involved in what happens next. Tech companies direct their users to people who might be able to help, but at that point the companies walk away.
Here is what to do when you get one of these warnings.
Warning
You have received a notification that you have been targeted by government hackers. Now what?
First of all, take it seriously. These companies have reams of telemetry data about their users and what’s happening both on their devices and in their online accounts. These tech giants have security teams that have been hunting, studying and analyzing this type of malicious activity for years. If they think you’ve been targeted, they’re probably right.
It’s important to note that in the case of Apple and WhatsApp, receiving a notification doesn’t necessarily mean you’ve been hacked. It’s possible that the intrusion attempt failed, but the companies can tell you that someone made the attempt.
In Google’s case, it’s very likely that the company is blocking the attack and telling you so you can go to your account and make sure you’ve enabled multi-factor authentication (ideally a physical security key or passkey), and also enroll in the Advanced Protection Program, which also requires a security key and adds additional layers of security to your Google Account. In other words, Google will tell you how to better protect yourself in the future.
In the Apple ecosystem, you should enable Lockdown Mode, which turns on a number of security features that make it harder for hackers to target your Apple devices. Apple has long claimed that it has never seen a successful hack against a user with Lockdown Mode enabled, but no system is perfect.
Mohammed Al-Maskati, director of Access Now’s Digital Security Helpline, a 24/7 global team of security experts that investigates spyware cases against members of civil society, shared with TechCrunch the helpline’s advice to people who are concerned they may be targeted by government spyware.
This advice includes keeping your devices’ operating systems and apps up to date; enabling Apple’s Lockdown Mode and Google’s Advanced Protection for accounts and for Android devices; being careful with suspicious links and attachments; rebooting your phone regularly; and paying attention to changes in the way your device behaves.
Contact us
Have you received a notification from Apple, Google or WhatsApp about spyware targeting? Or do you have information about spyware manufacturers? We would love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram and Keybase at @lorenzofb, or via email.
Reaching out for help
What happens next depends on who you are.
There are open source, freely downloadable tools that anyone can use to detect suspected spyware attacks on their devices, which requires little technical knowledge. You can use the Mobile Verification Toolkit, or MVT, a tool that allows you to look for forensic traces of an attack yourself, perhaps as a first step before seeking help.
If you don’t want to or can’t use MVT, you can go straight to someone who can help. If you are a journalist, dissident, academic or human rights activist, there are a few organizations that can help.
You can contact Access Now’s Digital Security Helpline. You can also contact Amnesty International, which has its own team of researchers and plenty of experience in these cases. Or you can reach out to The Citizen Lab, a digital rights group at the University of Toronto that has been investigating spyware abuses for nearly 15 years.
If you are a journalist, Reporters Without Borders also has a digital security lab that offers to investigate suspected cases of hacking and surveillance.
People outside these categories, such as politicians or business executives, will have to go elsewhere.
If you work for a large corporation or political party, you probably have a competent (hopefully!) security team that you can go straight to. They may not have the specific knowledge to investigate in depth, but they probably know who to turn to, even though Access Now, Amnesty and Citizen Lab can’t help those outside civil society.
Otherwise, there aren’t many places executives or politicians can turn to, but we asked around and found the following. We can’t fully vouch for any of these organizations, nor do we directly endorse them, but based on the recommendations of people we trust, they’re worth highlighting.
Perhaps the best known of these private security companies is iVerify, which makes an app for Android and iOS and also gives users the option to request an in-depth forensic investigation.
Matt Mitchell, a well-known security expert who helps vulnerable populations protect themselves from surveillance, has a new startup called Safety Sync Group that offers this kind of service.
Jessica Hyde, a digital forensics expert with experience in the public and private sectors, has her own startup called Hexordia and offers to investigate suspected compromises.
Mobile cybersecurity company Lookout, which has experience analyzing government spyware from around the world, has an online form that allows people to seek help investigating cyberattacks, including malware, device compromise and more. The company’s threat intelligence and forensics teams may then become involved.
Then there is Costin Raiu, who runs TLPBLACK, a small group of security researchers from Kaspersky’s Global Research and Analysis Team, or GReAT. Raiu was the head of that unit when his team discovered sophisticated cyberattacks by elite government hacking groups from the United States, Russia, Iran and other countries. Raiu told TechCrunch that those who suspect they have been hacked can email him directly.
Research
What happens next depends on who you go to for help.
In general, the organization you contact may first want to do an initial forensic check by looking at a diagnostics report file that you can generate on your device and share with remote investigators. At this stage, you don’t need to hand over your device to anyone.
This first step may be able to detect signs of targeting or even infection. It may also turn out to be nothing. In either case, investigators may want to dig deeper, which will require you to send a full backup of your device or even your actual device. At that point, the investigators will do their work, which can take time because modern government spyware attempts to hide and erase its tracks, and tell you what happened.
Unfortunately, modern spyware can leave no traces. The modus operandi these days, according to Hassan Selmi, who leads the incident response team at Access Now’s Digital Security Helpline, is a “break and grab” strategy: once the spyware infects the target device, it steals as much data as it can and then tries to remove any traces and uninstall itself. This is because spyware manufacturers are trying to protect their product and hide its activity from researchers.
If you are a journalist, dissident, academic or human rights activist, the groups helping you may ask whether you want to go public with the fact that you were attacked, but you are not required to do so. They will be happy to help you without taking public credit for it. However, there may be good reasons for going public: to call out a government for targeting you, which may have the side effect of warning others like you about the dangers of spyware, or to expose a spyware company by showing that its customers are abusing its technology.
We hope you never receive any of these notifications. But we also hope that if you do, you’ll find this guide useful. Stay safe out there.
