You have been targeted by government spyware. Now what?

It was a normal day when Jay Gibson got an unexpected notification on his iPhone. “Apple has detected a targeted mercenary spyware attack on your iPhone,” the message read.

Ironically, Gibson worked for companies that developed exactly the type of spyware that could trigger such a notification. Still, he was shocked to get a notification on his own phone. He called his father, turned off and put away his phone and went to buy a new one.

“I was panicking,” he told TechCrunch. “It was a mess. It was a huge mess.”

Gibson is just one of an ever-growing number of people receiving notifications from companies like Apple, Google and WhatsApp, all of which send similar warnings about spyware attacks to their users. Technology companies are increasingly proactive in alerting their users when they become targets of government hackers, and in particular those using spyware created by companies such as Intellexa, NSO Group and Paragon Solutions.

But while Apple, Google and WhatsApp issue warnings, they don’t intervene in what happens next. Tech companies point their users to people who might be able to help, but at that point the companies are pulling back.

Here’s what happens when you get one of these warnings.

Warning

You’ve received a notification that you’ve been targeted by government hackers. Now what?

First, take it seriously. These companies have a wealth of telemetry data about their users and what is happening both on their devices and on their online accounts. These tech giants have security teams that have been hunting, studying and analyzing this type of malicious activity for years. If they think you’ve been targeted, they’re probably right.

It is important to note that in the case of Apple and WhatsApp notifications, receiving one does not necessarily mean that you have been hacked. It’s possible that the hack attempt failed, but they can still tell you that someone tried.

Photo showing the text of a threat notification sent by Apple to a suspected spyware victim (Image: Omar Marques/Getty Images)

In Google’s case, the company has most likely blocked the attack and is telling you so you can sign in to your account, make sure you have multi-factor authentication turned on (ideally a physical security key or a passkey), and enroll in its Advanced Protection Program, which also requires a security key and adds other layers of security to your Google account. In other words, Google will tell you how to better protect yourself in the future.

In the Apple ecosystem, you need to turn on Lockdown Mode, which includes a series of security features that make it difficult for hackers to target your Apple devices. Apple has long claimed that it has never seen a successful hack against a user with Lockdown Mode enabled, but no system is perfect.

Mohammed Al-Maskati, director of Access Now’s Digital Security Hotline, a 24/7 global team of security experts who investigate spyware cases against members of civil society, shared with TechCrunch the advice the helpline gives to people who are worried they might be attacked with government-sponsored spyware.

This advice includes keeping your devices’ operating systems and applications up to date; turning on Apple’s Lockdown Mode and Google’s Advanced Protection for Android accounts and devices; being wary of questionable links and attachments; rebooting your phone regularly; and paying attention to changes in how your device behaves.

Contact us

Have you received a notification from Apple, Google or WhatsApp that you are being attacked by spyware? Or do you have information about spyware creators? We’d love to hear from you. From a non-work device, you can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, via Telegram and Keybase @lorenzofb, or by email.

Appeal for help

What happens next depends on who you are.

There are open source and downloadable tools that anyone can use to detect suspected spyware attacks on their devices, requiring little technical knowledge. You can use the Mobile Verification Toolkit, or MVT, a tool that allows you to look for forensic traces of an attack yourself, perhaps as a first step before seeking help.

If you don’t want to or can’t use MVT, you can go straight to someone who can help. If you are a journalist, dissident, academic or human rights activist, there are a handful of organizations that can help you.

You can contact Access Now and its digital security hotline. You can also contact Amnesty International, which has its own team of investigators and extensive experience in these cases. Or you can contact The Citizen Lab, a digital rights group at the University of Toronto that has been investigating spyware abuses for almost 15 years.

If you’re a journalist, Reporters Without Borders also has a digital security lab that offers investigations into suspected cases of hacking and surveillance.

Those outside these categories, politicians or business executives, for example, will have to look elsewhere.

If you work for a large company or political party, you probably have a competent (hopefully!) security team that you can go straight to. They may not have the specialized knowledge to investigate in depth, but in that case they probably know who to turn to, given that Access Now, Amnesty and Citizen Lab can’t help those outside civil society.

Otherwise, there aren’t many places executives or politicians can turn to, but we did some digging and found the ones below. We can’t fully vouch for any of these organizations, nor do we endorse them directly, but based on suggestions from people we trust, they’re worth mentioning.

Perhaps the most famous of these private security companies is iVerify, which makes an app for Android and iOS and also gives users the ability to request a thorough forensic investigation.

Matt Mitchell, a respected security expert who helps vulnerable populations protect themselves from surveillance, has a new startup called Safety Sync Group that offers this kind of service.

Jessica Hyde, a forensic investigator with experience in the public and private sectors, has her own startup called Hexordia and offers to investigate alleged hacks.

Mobile cybersecurity company Lookout, which has experience analyzing government spyware from around the world, has an online form that allows people to reach out for help investigating cyberattacks involving malware, device compromise, and more. The company’s threat intelligence and forensics teams may become involved.

Then there’s Costin Raiu, who leads TLPBLACK, a small team of security researchers who used to work in Kaspersky’s Global Research and Analysis Team, or GReAT. Raiu was the head of the department when his team discovered sophisticated cyberattacks by elite government hacking teams from the United States, Russia, Iran and other countries. Raiu told TechCrunch that people who suspect they’ve been hacked can email him directly.

Investigation

What happens next depends on who you go to for help.

Generally speaking, the organization you contact may want to do an initial forensic check by looking at a diagnostic report file that you can generate on your device and share with investigators remotely. At this point, you don’t need to hand over your device to anyone.

This first step can detect signs of targeting or even infection. It may also turn up nothing. In either case, investigators may want to dig deeper, which would require you to submit a full backup of your device, or even the device itself. At that point, the investigators will do their work, which can take time because modern government spyware tries to hide and erase its tracks, and then tell you what happened.

Unfortunately, modern spyware may not leave any traces. The modus operandi these days, according to Hassan Selmi, who leads the incident response team at Access Now’s digital security helpline, is a smash-and-grab strategy: once spyware infects a target device, it steals as much data as it can and then tries to remove every trace and uninstall itself. This is thought to be an attempt by spyware makers to protect their product and hide its activity from investigators and researchers.

If you are a journalist, dissident, academic or human rights activist, the groups that help you may ask whether you want to publicize the fact that you have been attacked, but you do not have to. They will be happy to help you without taking public credit for it. Still, there may be good reasons to come forward: to denounce the fact that a government has targeted you, which may have the side effect of warning others like you about the dangers of spyware; or to expose a spyware company by showing that its customers are abusing its technology.

We hope you never receive one of these notifications. But we also hope that if you do, you’ll find this guide useful. Be safe out there.
