Apple just sued spyware firm NSO Group, calling its employees ‘notorious hackers’
Apple is suing Israeli security firm NSO Group for allegedly infecting devices used by Apple’s customers with spyware.
The iPhone maker announced the lawsuit, filed in federal court in San Jose, Calif., on Tuesday, calling the NSO Group a maker of “sophisticated, state-sponsored surveillance technology that allows its highly targeted spyware to surveil its victims.”
As part of the lawsuit, Apple seeks to bar NSO Group from using any Apple product or service for its spyware. Apple is also seeking unspecified damages that it said it would use to fund anti-spyware organizations.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability,” Craig Federighi, Apple’s senior vice president of software engineering, said in a statement. “That needs to change.”
In a statement, an NSO Group spokesperson responded to Apple’s lawsuit by telling Fortune that “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers.”
“Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO group will continue to advocate for the truth,” the spokesperson said.
Over the summer, the Paris-based journalism nonprofit Forbidden Stories and Amnesty International revealed in The Washington Post that NSO Group had created spyware called Pegasus that covertly tracked human rights activists, journalists, and executives. The revelations underscored the extent of NSO Group’s spying capabilities, carried out by exploiting flaws in Apple’s products. At the time, NSO Group criticized the reports, calling them a “well-orchestrated media campaign.”
In September, Apple said it had patched a software flaw in its Messaging app that security researchers discovered was used by NSO Group to spread spyware.
More recently, the Biden Administration said it would blacklist the NSO Group from purchasing software and services from U.S. companies without first obtaining a license, and accused the company of providing spyware to foreign governments to use to surveil activists, journalists, and political opponents.
Here are four takeaways from Apple’s lawsuit:
Apple describes NSO Group as “notorious hackers”
NSO Group operates more like a hacking collective than a cybersecurity firm, Apple alleged. The security firm’s spying software lets the company remotely monitor users of Apple iPhones and is so powerful that it “can record using a device’s microphone and camera, track the phone’s location data, and collect emails, text messages, browsing history, and a host of other information accessible through the device,” the complaint said.
Apple boasted of its own security protections for its products in its legal filings, saying that it “is extremely rare for a consumer to encounter malware on iPhone.” That the NSO Group was able to exploit software flaws in Apple products underscores the complexity of the firm’s hacking attacks.
“These attacks have been very carefully designed and deliberately targeted by highly sophisticated parties with extraordinary resources and capabilities—typically nation-states and their agencies or instrumentalities, or, in some cases, those that do business with them,” the complaint said.
NSO Group is making big money from its spyware
Apple alleged that NSO Group conceals “the enormous amounts of money they make” from selling spyware. But Apple estimated that the company’s revenue from spyware and related services is in the “hundreds of millions of dollars” and that “NSO has asked for fees in excess of one hundred million dollars for a single license and charges tens of millions of dollars per customer for its products and services.”
NSO Group is costing Apple money
Because the NSO Group is constantly trying to exploit flaws in Apple software, Apple must engage “in a continual arms race,” Apple said in its complaint. Apple has had to devote staff and resources to patching flaws and its team “has spent thousands of hours addressing Defendants’ abusive actions.” “Defendants’ unlawful malware activities have caused and continue to cause Apple significant damages in excess of $75,000,” the company said.
In its lawsuit, Apple alleged that NSO Group violated the Computer Fraud and Abuse Act, including by intentionally accessing the iOS software on people’s iPhones without their permission and improperly siphoning user data. It also said the NSO Group’s hacking violates lawful business practices.
Additionally, Apple alleged NSO Group had violated Apple’s terms of service by creating and using more than 100 presumably fake Apple IDs and using its service to “stalk, harass, threaten or harm another.” Finally, Apple accused NSO Group of unjust enrichment from the money it made from stealing user data and by improperly accessing Apple’s servers.