The U.S. intelligence community offered steps that would mitigate — but not stop — spyware developed by firms like the NSO Group.
The most insidious spyware can be placed on a phone without having to trick users into clicking a malicious link.
WASHINGTON — The federal government on Friday warned the public about the risks of commercial surveillance tools that have been used to spy on journalists and political dissidents by infecting their phones with malware.
The warning, issued by the National Counterintelligence and Security Center, came after the Biden administration’s actions in November against the NSO Group, an Israeli surveillance company, and other firms that have developed malware. When placed on a target’s phone, the software gives access to nearly all content on the device.
The administration has been trying to make it more difficult for surveillance companies to operate in order to push them out of the business of developing commercial spyware that can be misused. U.S. officials are increasingly concerned that the spyware can be placed on the phones of diplomats to learn government secrets, and that authoritarian governments are using it to track the work of journalists and political enemies.
The most insidious spyware can be put on a phone without tricking a user into clicking a malicious link. Such zero-click exploits are difficult to defend against, but the security center on Friday outlined steps that can mitigate the risk, such as updating devices with the latest operating systems.
Last year, Apple discovered spyware that gave broad access to devices used by U.S. diplomats in Uganda. The discovery was made public not long after the Biden administration took actions against companies that develop such software, including the NSO Group.
NSO has long insisted that it chooses and vets its clients, turning away many who would abuse the spyware. But technology firms and organizations that defend political dissidents have questioned its track record.
The United States found in November that NSO’s software, and its operations, run contrary to American foreign policy interests. The Commerce Department placed the firm on its “entities list,” which bans it from receiving key U.S. technologies.
The Biden administration also took action against another Israeli firm, Candiru, as well as companies based in Russia and Singapore. They were not accused of hacking into the phones of journalists or dissidents but of providing the tools to clients.
The warning by the National Counterintelligence and Security Center — which is charged with warning the public about espionage threats and is part of the Office of the Director of National Intelligence — aims to build on the Commerce Department’s action and raise awareness of the risks posed by spyware.
“Although everyday American citizens may not be the primary targets, we have been acutely concerned that certain governments are using commercial surveillance software in ways that pose a serious counterintelligence and security risk to U.S. personnel and systems, and also to target journalists, human rights activists or others perceived as critics of regimes around the world,” said Dean Boyd, a spokesman for the center.
Little can be done to stop the most advanced spyware from being placed on a phone. But less sophisticated software still relies on malicious links, meaning that avoiding suspicious emails, attachments and messages can prevent some attacks.
Some of the center’s recommendations, like disabling options that allow a phone to track its location or covering cameras, will be more difficult to follow because they interfere with the functions that make smartphones useful.
But other best practices included in the warning are relatively easy. The recommendations included regularly restarting mobile devices to remove or damage some types of malware that live in their memory rather than in storage.
The center also recommended maintaining physical control of devices and using trusted virtual private networks.
“While these steps mitigate risks, they don’t eliminate them,” the center said. “It’s always safest to behave as if the device is compromised, so be mindful of sensitive content.”
Christoph Hebeisen, the director of security intelligence research at the anti-malware firm Lookout, said that while phones have modern operating software with good security, many people are unaware of the vulnerabilities.
“People don’t realize that their phones are essentially computers that are always connected to the internet and can be attacked just the same,” he said.
Lookout has studied the Pegasus spyware developed by NSO to learn how it uses exploits to take over all the functions of a phone.
People often use apps that send encrypted data over the internet, but that information has to be decrypted on the phone, and spyware like Pegasus can read it there.
“Your device has the key,” Mr. Hebeisen said. “And at that point, it becomes possible to get at the data.”