Has anyone put forward some theories as to how they are pulling this off? Are th...

marcan_42 · on Nov 24, 2021

I assume they have iMessage metadata on what accounts the NSO accounts talked to. The contents are E2E encrypted, but unless they have explicitly promised not to keep logs, they probably have the metadata logged.

gjsman-1000 · on Nov 24, 2021

Apple claims in their lawsuit that they have over 100 false iCloud accounts that were created, and is confident in their identities to the degree they are going to use them for standing to prove that NSO signed a legal agreement in the lawsuit.

In which case, NSO f!@#ed up and left iCloud Messages Backup enabled, which stores unencrypted copies of the End-to-End messages and makes it trivial for Apple to alert any person that these accounts messaged to. That's one possibility.

smoldesu · on Nov 24, 2021

Because the NSO group definitely used iMessage to communicate with one another...

HatchedLake721 · on Nov 24, 2021

Not with one another. With targets

TheGeminon · on Nov 24, 2021

This is more likely targeting phishing messages coming from NSO Group to victims, rather than communication between NSO members.

kristofferR · on Nov 25, 2021

Not even phishing, NSO had a zero-click iMessage exploit (so they could just send a message to their victims and then hack their iPhones remotely).

randyrand · on Nov 24, 2021

It’s likely much more manual that.

They admit themselves that these attacks are not easy to detect.

diebeforei485 · on Nov 25, 2021

> If it’s relating to crash logs, it would be nice to know as I’m sure a bunch of privacy focused users have that disabled.

It is not possible to disable all telemetry entirely.