‘Mercenary spyware’: Apple updates threat notification system
This is a shift from Apple’s previous threat notifications that warned users about attempts to compromise devices using state-sponsored attacks
Apple sent out the first batch of threat notifications for this year on Thursday to users in 92 countries, including India, warning them that they may have been individually targeted using mercenary spyware. An Apple spokesperson, however, declined to specify how many users worldwide, or in India, received the notification.
The threat notification, sent as an email at 12:30 am IST to addresses linked to Apple accounts of the affected users, had the subject ‘ALERT: Apple detected a targeted mercenary spyware attack against your iPhone’. It warned users that they have been individually targeted using mercenary spyware. HT has seen the notification.
This is a shift from Apple’s previous threat notifications that warned users about attempts to compromise their devices using state-sponsored attacks. Apple accordingly updated its FAQ site about the threat notification system on April 10. HT has asked Apple what prompted this change.
Apple launched the threat notification system in November 2021 to warn users who may have been targeted by state-sponsored attackers. The system was launched in the same month that Apple sued the NSO Group, the Israeli maker of Pegasus, in the wake of the second round of Pegasus-related exposures in July 2021. These threat notifications are sent by Apple to potentially affected users quarterly, HT has learnt.
“Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID [Apple ID specified]. This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously. Mercenary spyware attacks, such as those using Pegasus from the NSO Group, are exceptionally rare and vastly more sophisticated than regular cybercriminal activity or consumer malware. These attacks cost millions of dollars and are individually deployed against a very small number of people, but the targeting is ongoing and global. Since 2021, we have sent Apple threat notifications like this one, multiple times a year, as we detect mercenary spyware attacks. Today’s notification is being sent to targeted users in 92 countries, and to date we have notified users in over 150 countries in total. The extreme cost, sophistication, and worldwide nature make mercenary spyware attacks some of the most advanced digital threats in existence today. As a result, Apple does not attribute the attacks or the notice you’re receiving to any specific attackers or geographical regions,” the notification read.
“Public reporting and research have shown that mercenary spyware attacks target users across modern computing platforms, including iOS and Safari as well as Google Android, Google Chrome, and Microsoft Windows, as well as a variety of messaging and cloud apps including iMessage and WhatsApp. These attacks are very well funded and are constantly evolving,” the notification said.
On April 10, Apple updated its FAQ about the system so that its description now says that “Apple threat notifications are designed to inform and assist users who may have been individually targeted by mercenary spyware attacks”.
In October 2023, Apple warned opposition leaders and journalists in India — including Shashi Tharoor, Mahua Moitra, The Wire’s Siddharth Varadarajan and others — through this threat notification system that state-sponsored attackers may have targeted them.
“Such attacks are vastly more complex than regular cybercriminal activity and consumer malware, as mercenary spyware attackers apply exceptional resources to target a very small number of specific individuals and their devices. Mercenary spyware attacks cost millions of dollars and often have a short shelf life, making them much harder to detect and prevent. The vast majority of users will never be targeted by such attacks,” Apple’s updated site read.
When the system was announced, and as recently as October 2023, the threat notification system’s description referred to these attacks as ‘state-sponsored attacks’. “Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent. State-sponsored attacks are highly complex, cost millions of dollars to develop and often have a short shelf life. The vast majority of users will never be targeted by such attacks,” Apple’s earlier version said.
“Mercenary spyware attacks are exceptionally well funded, and they evolve over time. Apple relies solely on internal threat-intelligence information and investigations to detect such attacks. Although our investigations can never achieve absolute certainty, Apple threat notifications are high-confidence alerts that a user has been individually targeted by a mercenary spyware attack and should be taken very seriously. We are unable to provide information about what causes us to issue threat notifications, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future,” the updated site says.
The earlier description read: “State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected. We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behavior to evade detection in the future.”
In November 2023, CERT-In started investigating these notifications, and officials from Apple’s cyber security team in the US met Indian government officials in December. The current status of the investigation is unknown.