Apple notifies users in 92 countries about mercenary spyware attacks

Apple has sent a new batch of threat notifications to users in 92 countries who may have been targeted by mercenary spyware attacks, according to several media reports.

The alerts were sent on Wednesday, warning users that attackers tried to remotely compromise their iPhones. On the same day, Apple also updated its support page, explaining how threat notifications work and what targeted users should do if they receive one.

In previous alerts, the company described such incidents as “state-sponsored,” but according to its updated policy, it will now refer to them as “mercenary spyware attacks.” Common sources of spyware include private companies such as NSO Group and Cytrox.

According to Reuters, Apple's removal of the term "state-sponsored" from its description of threat notifications comes after it repeatedly faced pressure from the Indian government because of linking such breaches to nation-state actors. Sources told Reuters that Apple held extensive talks with Indian officials before releasing the latest set of alerts.

Spyware attacks affect a very small number of specific individuals — often journalists, activists, politicians, and diplomats — and are extremely costly, sophisticated and hard to detect, Apple explained. Since 2021, the company has sent threat notifications to users in over 150 countries. 

Apple didn't reveal who was on the list of targets in the latest set of alerts, but sources told The Economic Times, an Indian English-language newspaper, that Indian users were among those included.

Last October, Apple warned over half a dozen Indian lawmakers from Prime Minister Narendra Modi’s main opposition party about spyware attacks. These attacks were reportedly part of an espionage campaign preceding this year’s general elections, held in seven phases between April 19 and June 1.

The company stated that it relies solely on internal threat intelligence to detect such attacks. Other organizations, such as the Canada-based Citizen Lab, also produce reports about spyware infections on Apple devices.

“Although our investigations can never achieve absolute certainty, Apple threat notifications are high-confidence alerts that a user has been individually targeted by a mercenary spyware attack, and should be taken very seriously,” the company said in an update.

Apple typically notifies users multiple times a year in two ways: by displaying an alert at the top of the page after the user signs into their Apple ID, or by sending an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

The company said that it cannot provide more information about what causes the company to send this notification, as that may help attackers adapt their behavior to evade detection in the future.

Earlier in February, Poland’s prime minister stated that he had uncovered documents confirming that the prior administration illegally deployed Pegasus spyware. Poland’s investigators claimed that the country’s 2019 elections were unfair due to the deployment of Pegasus, which is sold to governments worldwide by the Israel-based NSO Group. The company says it only supports lawful use of its products. 

In September, the phones of prominent Russian journalists and critics of the Kremlin were infected with Pegasus spyware. Among the targets was Galina Timchenko, owner of the Russian independent media outlet Meduza.

She was infected with Pegasus while in Berlin for a private conference with other Russian independent journalists living in exile. This marked the first documented case of a Pegasus infection targeting a Russian citizen.