
It was a normal day when Jay Gibson received an unexpected notification on his iPhone. “Apple has detected a targeted mercenary spyware attack against your iPhone,” the message read.
Ironically, Gibson worked at companies that developed exactly the type of spyware capable of triggering such a notification. Still, he was shocked to receive one on his own phone. He called his father, turned off his phone, put it away, and went to buy a new one.
“I was panicking,” he told TechCrunch. “It was a disaster. It was a huge disaster.”
Gibson is just one of an ever-growing number of people receiving notifications from companies like Apple, Google, and WhatsApp, all of which send similar warnings about spyware attacks to their users. Tech companies are increasingly proactive in alerting their users when they become targets of government hackers, particularly those using spyware created by companies such as Intellexa, NSO Group, and Paragon Solutions.
But while Apple, Google and WhatsApp send these alerts, they don’t get involved in what happens next. Tech companies direct their users to people who could help them, but at that point the companies back away.
This is what happens when you receive one of these warnings.
You received a notification that you were the target of government hackers. And now?
First of all, take it seriously. These companies have a wealth of telemetry data about their users and what’s happening both on their devices and in their online accounts. These tech giants have security teams that have been tracking, studying, and analyzing this type of malicious activity for years. If they think you’ve been targeted, they’re probably right.
It’s important to note that in the case of Apple and WhatsApp notifications, receiving one doesn’t necessarily mean you’ve been hacked. It’s possible that the hacking attempt failed, but they can still tell you that someone tried.

In the case of Google, it is most likely that the company has blocked the attack and is asking you to access your account and ensure that you have multi-factor authentication (ideally a physical security key or password), and also to turn on its Advanced Protection Program, which also requires a security key and adds other layers of security to your Google account. In other words, Google will tell you how to better protect yourself in the future.
In the Apple ecosystem, you must enable Lockdown Mode, which turns on a series of security features that make it harder for hackers to target your Apple devices. Apple has long claimed to have never seen a successful hack against a user with Lockdown Mode enabled, but no system is perfect.
Mohammed Al-Maskati, Director of Access Now’s Digital Security Helpline, a 24/7 global team of security experts investigating spyware cases against members of civil society, shared with TechCrunch the advice the helpline gives to people who fear being targeted by government spyware.
These tips include updating your devices’ operating systems and apps; turning on Apple’s Lockdown Mode and Google’s Advanced Protection for accounts and for Android devices; being careful with suspicious links and attachments; restarting your phone regularly; and paying attention to changes in the operation of your device.
Have you received a notification from Apple, Google or WhatsApp that you have been targeted by spyware? Or do you have information on the spyware creators? We would love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or e-mail.
What happens next depends on who you are.
There are open source, downloadable tools that anyone can use to detect suspected spyware attacks on their devices, though using them requires a bit of technical knowledge. You can use the Mobile Verification Toolkit, or MVT, a tool that allows you to search for forensic traces of an attack on your own, perhaps as a first step before seeking help.
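A first-pass triage of an MVT results folder, as an added example that is not part of the original article or of the MVT project. It assumes MVT was run with indicator files and an output directory, and that matches were written to files ending in `_detected.json`; the file names, record fields and helper names below are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def triage_mvt_output(out_dir):
    """Summarise an MVT output folder: module name -> number of flagged records."""
    out = Path(out_dir)
    results = sorted(out.glob("*.json"))
    if not results:
        # No result files at all means the check never ran; this is not "clean".
        raise ValueError(f"no MVT result files in {out}")
    flagged = {}
    for path in results:
        if not path.name.endswith("_detected.json"):
            continue
        module = path.name[: -len("_detected.json")]
        try:
            records = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            # Keep unreadable files visible instead of silently dropping them.
            flagged[module] = None
            continue
        flagged[module] = len(records) if isinstance(records, list) else 1
    return flagged


def build_sample_output(root):
    """Constructed sample data standing in for a real MVT run (assumed layout)."""
    root = Path(root)
    (root / "safari_history.json").write_text(json.dumps(
        [{"url": "https://news.example/"}, {"url": "https://bad.example/x"}]))
    (root / "safari_history_detected.json").write_text(json.dumps(
        [{"url": "https://bad.example/x", "matched_indicator": "bad.example"}]))
    (root / "sms.json").write_text(json.dumps([{"text": "hello"}]))
    (root / "datausage_detected.json").write_text("{truncated")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        summary = triage_mvt_output(build_sample_output(tmp))
        for module, count in summary.items():
            print(module, "unreadable" if count is None else f"{count} flagged")
        if not summary:
            print("no indicator matches; this does not prove the device is clean")
```

An empty summary only means none of the supplied indicators matched, so it is a reason to keep the results for an investigator rather than a clean bill of health.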
If you don’t want or can’t use MVT, you can contact someone directly who can help you. If you are a journalist, dissident, academic or human rights activist, there are a handful of organizations that can help you.
You can turn to Access Now and its digital security helpline. You can also contact Amnesty International, which has its own team of investigators and extensive experience in these cases. Or you can contact The Citizen Lab, a digital rights group at the University of Toronto that has been investigating spyware abuse for nearly 15 years.
If you are a journalist, Reporters Without Borders also has a digital security lab that offers to investigate suspected cases of hacking and surveillance.
People outside these categories, such as politicians or business leaders, will have to go elsewhere.
If you work for a large company or political party, you probably have a (hopefully!) competent security team that you can speak to directly. They may not have the specific knowledge needed to investigate in depth, but in this case they probably know where to turn, even if Access Now, Amnesty and Citizen Lab cannot help those outside of civil society.
Otherwise, there aren’t many places for business leaders or politicians to turn, but we asked around and found the ones below. We cannot fully vouch for any of these organizations, nor endorse them directly, but based on suggestions from people we trust, they are worth mentioning.
Perhaps the best known of these private security companies is iCheck, which makes an app for Android and iOS, and also offers users the option to request a thorough forensic investigation.
Matt Mitchell, a renowned security expert who helps vulnerable populations protect themselves from surveillance, has a new startup called Security Synchronization Group, which offers this type of service.
Jessica Hyde, a forensic investigator with experience in both the public and private sectors, has her own startup called Hexordia, and offers to investigate suspected hacking.
Mobile cybersecurity company Lookout, which has experience analyzing government spyware from all over the world, has an online form that allows users to request help in investigating cyberattacks involving malware, device compromise, and more. The company’s threat intelligence and investigation teams can then be involved.
Then there is Costin Raiu, who directs TLPNOIR, a small team of security researchers who worked within Kaspersky’s Global Research and Analysis Group, or GReAT. Raiu was leading the unit when his team discovered sophisticated cyberattacks carried out by elite government hacking teams from the United States, Russia, Iran and other countries. Raiu told TechCrunch that people who suspect they have been hacked can send him an email directly.
What happens next depends on who you ask for help.
Generally speaking, the organization you contact may wish to perform an initial forensic audit by viewing a diagnostic report file you can create on your device, which you can share remotely with investigators. At this point, this does not require you to hand over your device to anyone.
This first step can help detect signs of targeting or even infection. It could also find nothing. In either case, investigators may want to dig deeper, which will require you to send a full backup of your device, or even the device itself. At this point, investigators will do their job, which may take time because modern government spyware attempts to hide and erase its tracks, and then tell you what happened.
Unfortunately, modern spyware leaves no trace. The current modus operandi, according to Hassan Selmi, who leads the incident response team at Access Now’s Digital Security Helpline, is a “smash and grab” strategy, meaning that once the spyware infects the target device, it steals as much data as possible, then attempts to remove all traces and uninstall itself. It is assumed that spyware manufacturers are trying to protect their product and hide its activity from investigators and researchers.
If you are a journalist, dissident, academic, or human rights activist, the groups that help you may ask whether you want to go public with the fact that you were attacked, but you do not have to do so. They will be happy to help you without taking public credit. There may, however, be good reasons to do so: to expose the fact that a government has targeted you, which may have the side effect of warning others like you about the dangers of spyware; or to expose a spyware company by showing that its customers are abusing its technology.
We hope you never receive one of these notifications. But we also hope that if you do, you find this guide useful. Stay safe out there.