Apple’s threat notification system will now warn users that they have been individually targeted using mercenary spyware, a shift from the company’s previous threat notifications that warned users about attempts to compromise their devices using state-sponsored attacks. Apple accordingly updated its FAQ site about the threat notification system on April 10.
Apple launched the threat notification system in November 2021 to warn users who may have been targeted by state-sponsored attackers. The system was launched after the company sued the NSO Group, the Israeli maker of ‘Pegasus’, that same month, in the wake of the second bout of Pegasus-related exposures in July 2021.
On April 10, Apple updated its FAQ about the system so that its description now says “Apple threat notifications are designed to inform and assist users who may have been individually targeted by mercenary spyware attacks”. “Since 2021, we have sent Apple threat notifications multiple times a year as we have detected these attacks, and to date we have notified users in over 150 countries in total,” Apple’s updated FAQ said.
HT has asked Apple what prompted this change.
In October 2023, Apple had warned opposition leaders and journalists in India — including Shashi Tharoor, Mahua Moitra, The Wire’s Siddharth Varadarajan and others — through this threat notification system that state-sponsored attackers may have targeted them.
Apple’s policy is to not attribute these attacks or threat notifications to specific attackers or geographical regions because “the extreme cost, sophistication, and worldwide nature of mercenary spyware attacks makes them some of the most advanced digital threats in existence today”.
“Such attacks are vastly more complex than regular cybercriminal activity and consumer malware, as mercenary spyware attackers apply exceptional resources to target a very small number of specific individuals and their devices. Mercenary spyware attacks cost millions of dollars and often have a short shelf life, making them much harder to detect and prevent. The vast majority of users will never be targeted by such attacks,” Apple’s updated site read.
When the system was announced, and even in October 2023, the threat notification system’s description referred to ‘state-sponsored attacks’. “Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent. State-sponsored attacks are highly complex, cost millions of dollars to develop and often have a short shelf life. The vast majority of users will never be targeted by such attacks,” Apple’s earlier version said.
“Mercenary spyware attacks are exceptionally well funded, and they evolve over time. Apple relies solely on internal threat-intelligence information and investigations to detect such attacks. Although our investigations can never achieve absolute certainty, Apple threat notifications are high-confidence alerts that a user has been individually targeted by a mercenary spyware attack and should be taken very seriously. We are unable to provide information about what causes us to issue threat notifications, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future,” the updated site says.
The earlier description read: “State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected. We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behavior to evade detection in the future.”
In November 2023, CERT-In had started investigating these notifications and officials from Apple’s cyber security team in the US had met Indian government officials in December. The current status of the investigation is unknown.