Business leaders among Pegasus spyware victims, says security firm

Security firm iVerify said a leader of a big company was among several individuals whose iPhones were recently targeted with the Pegasus spyware. 

While journalists, human rights defenders, lawmakers and political officials are frequent targets of state surveillance, reports of spyware compromising the phones of business leaders are rare, but not unheard of. The findings come as a fresh warning that spyware typically used by governments under the guise of preventing serious crime and terrorism can also be misused for commercial espionage.

In a call with TechCrunch this week, iVerify chief executive Rocky Cole declined to name who was targeted, but said that the spyware targeted a business “that you’ve heard about.” Cole, a former analyst at the National Security Agency, said the business leader, who iVerify is in contact with, was “completely surprised” by the attempt to compromise their phone.

NSO Group, which develops the Pegasus spyware, did not comment by press time on Wednesday.

iVerify, which offers an eponymous app that can scan iPhones and iPads for signs of malware, said it detected evidence of compromise on seven iPhones, some of which were running newer versions of iOS 16.6 in late 2023 at the time of detection. The security firm said the seven devices were identified out of a pool of 2,500 iVerify users who opted to scan their devices for possible traces of spyware in recent months. Cole said the number of newly identified infections was not representative of the general population, given that its app users are more likely to be at higher risk of state-backed targeting.

The company’s app is designed to look for potentially anomalous signals deep inside the iPhone and iPad operating systems that can be caused by the side effects of malware infections. Since Apple tightly controls the software on iPhones and iPads to make it difficult for apps like iVerify to examine the security of other installed apps, or the kernel of the underlying software, the security firm analyzes other telemetry data within those privacy constraints — such as on-device diagnostic logs — to help determine if the device might be compromised.

It is not known if the targeted iPhones were compromised at the time iVerify identified the anomalous signals. Cole said any detected signals could indicate a historical spyware compromise at an earlier point in time. Some of the targeted phones may not have been patched with the latest software update when they were compromised, which may have left the devices exposed to older exploits.

Though iVerify is not the only way to detect if a phone is compromised by spyware, Cole said his company’s app allows the detection of spyware “at scale.”

Government hackers reusing spyware exploits on the rise

Confirmed spyware attacks against business leaders are seldom made public. The phone of Amazon founder Jeff Bezos was hacked several years ago, which a United Nations report concluded was likely the result of Saudi officials purchasing access to Pegasus and using WhatsApp to deliver the spyware. NSO Group claimed at the time that its spyware “was not used in this instance.”

Security researchers say the proliferation of spyware is making its use — and misuse — harder to contain. Earlier this year, Google sounded the alarm after its security researchers found evidence that Russian government-backed hackers acquired exploits that were “identical or strikingly similar” to code developed by NSO Group, which said it had never sold its spyware to Russia.

Cole told TechCrunch that iVerify is also seeing the reuse of spyware exploits by government-backed hackers from countries like China, Iran, and Russia, as “becoming more widespread.” Cole said the company was investigating whether Salt Typhoon, a China-backed hacking group linked to ongoing intrusions at several U.S. and international phone and internet giants, may have used its access to the telecom networks to identify and target individuals with phone spyware.

iVerify recently identified an uptick in anomalous signals from two phones belonging to senior officials at the Harris-Walz presidential campaign, Cole told TechCrunch, at a time when Salt Typhoon was “really active” in the phone companies’ networks. 

The company said it wasn’t yet clear if those devices were fully compromised, as its investigation is “ongoing.” The FBI is reportedly examining whether the China-backed hackers used their access to phone networks to target the phones of senior American officials with malware. 

Cole said if Salt Typhoon is linked to the targeting of these phones, the attempted intrusions “very well could be the reuse of commercial capabilities.”