AI Security AI安全 7d ago Updated 7d ago 更新于 7天前 49

European Parliament Member Investigating Spyware Was Hacked With Pegasus 调查间谍软件的欧洲议会议员遭Pegasus黑客攻击

Former MEP Stelios Kouloglou was repeatedly hacked with Pegasus spyware while serving on the EU committee investigating its misuse, indicating direct retaliation against oversight efforts. Forensic analysis reveals the use of a zero-click exploit in Apple’s HomeKit software (codenamed PWNYOURHOME) to compromise his iPhone, highlighting vulnerabilities in smart home integrations. The attack infrastructure shares indicators with campaigns targeting Russian and Belarusian exiles, suggesting a singl 公民实验室报告揭露,前欧洲议会议员Stelios Kouloglou在调查商业间谍软件滥用期间,其iPhone多次被Pegasus间谍软件攻击。 攻击利用了苹果智能家居软件中的零点击漏洞(代号PWNYOURHOME),该漏洞已在iOS 16.3.1中修复,但当时议员设备运行的是iOS 15.5。 攻击基础设施与针对俄语和白俄罗斯语流亡记者的活动存在重叠,暗示攻击者拥有覆盖多个欧盟司法管辖区的NSO Group许可证。 这是PEGA委员会成员首次被公开确认为Pegasus受害者,凸显了监管者自身面临的高风险及商业间谍软件的广泛威胁。 报告同时关联了Cellebrite工具被用于俄罗斯反对派监控以

75
Hot 热度
70
Quality 质量
65
Impact 影响力

Analysis 深度分析

TL;DR

  • Former MEP Stelios Kouloglou was repeatedly hacked with Pegasus spyware while serving on the EU committee investigating its misuse, indicating direct retaliation against oversight efforts.
  • Forensic analysis reveals the use of a zero-click exploit in Apple’s HomeKit software (codenamed PWNYOURHOME) to compromise his iPhone, highlighting vulnerabilities in smart home integrations.
  • The attack infrastructure shares indicators with campaigns targeting Russian and Belarusian exiles, suggesting a single Pegasus customer with multi-country jurisdictional licenses is responsible.
  • This incident underscores the escalating risks to democratic institutions and lawmakers, as spyware operators increasingly target those tasked with regulating their own industry.

Why It Matters

This case demonstrates that commercial spyware is not merely a tool for law enforcement but is actively weaponized against political opponents and regulators, posing a direct threat to democratic processes and judicial independence. For security researchers and policymakers, it highlights the critical need for stricter oversight of NSO Group’s licensing practices and the urgent requirement for tech companies to patch zero-click vulnerabilities in peripheral ecosystems like IoT and smart home apps.

Technical Details

  • Exploit Vector: The initial compromise utilized a zero-click exploit in Apple’s HomeKit smart home software, specifically targeting the PWNYOURHOME vulnerability, which allowed remote code execution without user interaction.
  • Timeline and Frequency: Forensic artifacts indicate infections occurred around October 21, 2022, and again on March 6-7, 2023, while the device was running iOS 15.5, prior to the release of the patch in iOS 16.3.1.
  • Infrastructure Linkage: The attacker used the email address rauharepo888@gmail.com, which matches infrastructure previously linked to campaigns targeting Russian and Belarusian-speaking activists, implying a shared operator.
  • Detection Mechanisms: The victim received Apple’s native threat notifications regarding mercenary spyware attempts on March 2, 2023, August 29, 2023, and April 10, 2024, confirming ongoing surveillance attempts even after the initial compromise.

Industry Insight

  • Regulatory Paradox: The targeting of a committee member investigating spyware suggests that surveillance vendors and their clients view regulatory scrutiny as a threat, potentially leading to increased cyber-espionage against journalists, lawyers, and politicians involved in policy-making.
  • Supply Chain Security: The use of a HomeKit-related exploit emphasizes that the attack surface for zero-click exploits extends beyond core messaging apps to include IoT and smart home interfaces, necessitating broader security audits by OS providers.
  • Licensing Accountability: The evidence pointing to a single customer with multi-jurisdictional licenses calls for greater transparency from the NSO Group regarding client vetting and usage monitoring to prevent the misuse of technology against civil society and democratic institutions.

TL;DR

  • 公民实验室报告揭露,前欧洲议会议员Stelios Kouloglou在调查商业间谍软件滥用期间,其iPhone多次被Pegasus间谍软件攻击。
  • 攻击利用了苹果智能家居软件中的零点击漏洞(代号PWNYOURHOME),该漏洞已在iOS 16.3.1中修复,但当时议员设备运行的是iOS 15.5。
  • 攻击基础设施与针对俄语和白俄罗斯语流亡记者的活动存在重叠,暗示攻击者拥有覆盖多个欧盟司法管辖区的NSO Group许可证。
  • 这是PEGA委员会成员首次被公开确认为Pegasus受害者,凸显了监管者自身面临的高风险及商业间谍软件的广泛威胁。
  • 报告同时关联了Cellebrite工具被用于俄罗斯反对派监控以及利用电信协议弱点进行无恶意软件追踪的最新案例。

为什么值得看

本文揭示了负责监管商业间谍软件滥用的立法者本身成为目标的事实,深刻反映了此类工具对民主制度和法治构成的直接威胁。对于安全从业者和政策制定者而言,它提供了关于零点击漏洞利用、NSO许可模式以及跨国监控基础设施关联性的关键情报。

技术解析

  • 攻击向量与漏洞:攻击者利用苹果HomeKit软件中的零点击漏洞(代号PWNYOURHOME),通过查找特定HomeKit电子邮件地址触发,随后Pegasus进程使用移动数据建立连接。该漏洞无需用户交互即可植入间谍软件。
  • 时间线与版本:法医分析显示,Kouloglou的设备于2022年10月21日、2023年3月6日和7日遭到入侵。当时设备运行iOS 15.5,而苹果已在iOS 16.3.1中修补了此漏洞。
  • 基础设施关联:攻击使用的电子邮件地址“rauharepo888@gmail.com”与之前针对俄罗斯和白俄罗斯流亡记者的攻击活动相同。Citizen Lab指出,此类电子邮件地址通常对应特定的操作者,且拥有跨多国管辖权许可证的客户更可能是幕后黑手。
  • 威胁通知:尽管遭受攻击,Kouloglou收到了苹果发出的三次mercenary spyware威胁通知(2023年3月、8月和2024年4月),表明苹果的检测机制已生效,但未能阻止初始入侵。

行业启示

  • 监管悖论与高风险:即使是最致力于打击间谍软件滥用的监管者也无法幸免,这表明商业间谍软件已成为针对政治异见者和监督者的系统性威胁,亟需更严格的国际监管框架。
  • 供应链与许可透明度:攻击者能够跨越多国实施监控,反映出NSO Group等供应商的许可制度可能存在漏洞或被滥用,行业需推动更高的销售尽职调查和最终用户审查标准。
  • 防御策略升级:鉴于零点击漏洞和电信信令协议(如SS7/Diameter)的滥用,仅依赖终端防护已不足够,需加强操作系统更新管理、网络流量异常检测以及对底层通信基础设施的安全加固。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Policy 政策 Research 科学研究