
It was a normal day when Jay Gibson received an unexpected notification on his iPhone. “Apple has detected a targeted, mercenary spyware attack against your iPhone,” the message read.
Ironically, Gibson worked for companies that developed the kind of spyware that could trigger such a notice. However, he was shocked when he received a notification on his own phone. He called his father, turned off his phone, put it aside, and went to buy a new phone.
“I was panicking,” he told TechCrunch. “It was a mess. It was a big mess.”
Gibson is just one of an ever-growing number of people receiving notices from companies like Apple, Google and WhatsApp, all of which send similar warnings to their users about spyware attacks. Technology companies are increasingly active in alerting their users when they become targets of government hackers, especially those using spyware made by companies like Intellexa, NSO Group and Paragon Solutions.
But while Apple, Google and WhatsApp are giving notice, they’re not getting involved in what happens next. Tech companies point their users to people who can help, but at that point the companies turn away.
This is what happens when you receive one of these warnings.
You have received notification that you have been a target of government hackers. Now what?
First of all, take it seriously. These companies possess large amounts of telemetry data about their users and what happens on their devices and online accounts. Tech giants have security teams that have been hunting, studying and analyzing this type of malicious activity for years. If they think you’re being targeted, they’re probably right.
It is important to note that in the case of Apple and WhatsApp notifications, receiving them does not necessarily mean that you have been hacked. It’s possible that the hacking attempt failed, but they can still tell you that someone tried it.

In Google’s case, the company likely prevented the attack, and notified you so you could log into your account and make sure multi-factor authentication was turned on (ideally with a physical security key or passkey), and also turn on the Advanced Protection Program, which also requires a security key and adds other layers of security to your Google account. In other words, Google will tell you how to better protect yourself in the future.
In the Apple ecosystem, you should turn on Lockdown Mode, which turns on a series of security features that make it harder for hackers to target your Apple devices. Apple has long claimed that it has never seen a successful hack against a user with Lockdown Mode enabled, but no system is perfect.
Mohammed Al Maskati, Digital Security Helpline Manager at Access Now, a global team of security experts that works 24/7 to investigate spyware cases against members of civil society, shared with TechCrunch the advice the helpline offers to people who are concerned they may be targeted by government spyware.
This advice includes keeping your devices’ operating systems and apps up to date; switching on Apple’s Lockdown Mode and Google’s Advanced Protection for accounts and for Android devices; being careful with suspicious links and attachments; rebooting your phone regularly; and paying attention to changes in how your device works.
Have you received a notification from Apple, Google, or WhatsApp that you have been targeted with spyware? Or do you have information about spyware makers? We would love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or by email.
What happens next depends on who you are.
There are open source and downloadable tools that anyone can use to detect suspected spyware attacks on their devices; doing so requires little technical knowledge. You can use the Mobile Verification Toolkit, or MVT, a tool that allows you to search for forensic traces of an attack on your own, perhaps as a first step before seeking help.
If you don’t want to or can’t use MVT, you can go directly to someone who can help. If you are a journalist, dissident, academic or human rights activist, there are a few organizations that can help you.
You can turn to Access Now and its Digital Security Helpline. You can also contact Amnesty International, which has its own team of investigators and extensive experience in these cases. Or you can contact Citizen Lab, a digital rights group at the University of Toronto, which has been investigating spyware abuses for nearly 15 years.
If you are a journalist, Reporters Without Borders also has a digital security lab that offers to investigate suspected cases of hacking and surveillance.
People outside these categories, such as politicians or businessmen, will have to go elsewhere.
If you work for a large company or political party, you probably have a competent security team (hopefully!) that you can turn to directly. They may not have the specific knowledge to conduct an in-depth investigation, but in that case they may know who to turn to, even if Access Now, Amnesty International and Citizen Lab cannot help those outside civil society.
Other than that, there aren’t many places executives or politicians can turn, but we’ve searched and found the places below. We can’t fully vouch for any of these organizations, nor do we directly endorse them, but based on suggestions from people we trust, they’re worth mentioning.
Perhaps the most famous of these private security companies is iVerify, which makes an app for Android and iOS and also gives users the option to request an in-depth forensic investigation.
Matt Mitchell, a respected security expert who has been helping vulnerable populations protect themselves from surveillance, has a new startup called Security Sync Group, which provides this type of service.
Jessica Hyde, a forensic investigator with experience in both the public and private sectors, has her own startup called Hexordia, which offers investigations into suspected hacking operations.
Mobile cybersecurity company Lookout, which has experience analyzing government spyware from all over the world, has an online form that allows people to reach out for help investigating cyberattacks that include malware, device compromise, and more. The company’s threat intelligence and forensics teams may then intervene.
Then there’s Costin Raiu, who heads TLPBLACK, a small team of security researchers who used to work at Kaspersky’s Global Research and Analysis Team, or GReAT. Raiu was head of the unit when his team discovered sophisticated cyberattacks from elite government hacking teams from the United States, Russia, Iran and other countries. Raiu told TechCrunch that people who suspect they’ve been hacked can email him directly.
What happens next depends on who you go to for help.
In general, the organization you are contacting may want to perform an initial forensic examination by looking at a diagnostic report file that you can create on your device, which you can share with remote investigators. At this point, this does not require you to hand over your device to anyone.
This first step may be able to detect signs of targeting or even infection. It may also lead to nothing. In either case, investigators may want to dig deeper, which will require you to submit a full backup of your device, or even your actual device. At that point, the investigators will do their work, which may take some time because modern government spyware tries to hide and delete its tracks, and will then tell you what happened.
Unfortunately, modern spyware may leave no trace. The way it works these days, according to Hassan Salmi, who leads the incident response team at Access Now’s Digital Security Helpline, is a “smash and grab” strategy, meaning that once the spyware infects the target device, it steals as much data as possible, then attempts to remove any trace and uninstall itself. The assumption is that spyware makers are trying to protect their products and hide their activity from investigators and researchers.
If you are a journalist, dissident, academic or human rights activist, the groups helping you may ask you if you want to publicize the fact that you were attacked, but you are not required to do so. They will be happy to help you without taking public credit for it. However, there may be good reasons to come forward: to denounce the fact that the government has targeted you, which may have the side effect of warning others like you about the dangers of spyware; or to expose a spyware company by showing that its customers are abusing its technology.
We hope you never receive one of these notifications. But we also hope that, if you do, you find this guide useful. Stay safe out there.