# Full Report
Dada et al v. NSO Group has been one of many cases where alleged spyware victims have run into jurisdictional hurdles.
Source: "Judges strike skeptical note of NSO Group's argument to dismiss case from El Salvadoran journos", first published on CyberScoop.
## Analysis Summary
This document summarizes the legal proceedings described in the source article regarding the lawsuit filed by El Salvadoran journalists against NSO Group. Because the article covers a legal appeal hearing rather than a technical security incident, the timeline and technical details below reflect the allegations and legal arguments presented, not forensic findings.
# Incident Report: Appeal Hearing in NSO Group Pegasus Spying Case (Dada et al v. NSO Group)
## Executive Summary
This report concerns the ongoing legal actions by El Salvadoran journalists against NSO Group, alleging infection of their phones by Pegasus spyware. Following an initial dismissal by a district court, judges reviewing the appeal expressed skepticism toward NSO Group's jurisdictional arguments. The central debate revolves around whether the "misconduct" occurred primarily in El Salvador (where the plaintiffs are located) or in California (where Apple servers involved in the attack chain reside).
## Incident Details
- **Discovery Date:** Not applicable in this context (Focus is on legal appeal).
- **Incident Date:** Not applicable (Focus is on legal appeal concerning past alleged infections).
- **Affected Organization:** El Salvadoran Journalists (Plaintiffs in *Dada et al v. NSO Group*).
- **Sector:** Journalism/Media (Victims); Technology/Cybersecurity Vendor (Defendant).
- **Geography:** El Salvador (Plaintiffs); Israel (NSO Group); United States (Courts/Apple servers).
## Timeline of Events
### Initial Access (Alleged Incident)
- **Date/Time:** Not specified in detail.
- **Vector:** Allegedly, the deployment of NSO Group's Pegasus spyware onto the plaintiffs' iPhones.
- **Details:** The plaintiffs allege their phones were infected, facilitated by vulnerabilities in Apple software and the use of Apple ID accounts.
### Lateral Movement
- Not explicitly detailed in the context of the appeal hearing.
### Data Exfiltration/Impact (Alleged Incident)
- Not explicitly detailed in the context of the appeal hearing, though the suit concerns the impact of being spied upon.
### Detection & Response (Legal Response)
- **How it was discovered:** The article implies the plaintiffs discovered the alleged infection and initiated legal action.
- **Response actions taken (Initial Ruling):** Judge James Donato of the Northern District of California initially granted NSO Group's motion to dismiss, citing a different court venue as more appropriate.
- **Response actions taken (Appeal):** El Salvadoran journalists appealed this ruling. On the date of the hearing (Thursday, per the article), three appellate judges questioned NSO Group's defense, focusing on the location of the "misconduct."
## Attack Methodology
*Note: These steps describe the alleged underlying activity that prompted the lawsuit, not the response to the appeal hearing.*
- **Initial Access:** Exploitation of iPhone/Apple software vulnerabilities to deliver Pegasus spyware.
- **Persistence:** Implied by the function of Pegasus spyware; not detailed in the article.
- **Privilege Escalation:** Implied by the function of Pegasus spyware; not detailed in the article.
- **Defense Evasion:** Implied by the function of Pegasus spyware; not detailed in the article.
- **Credential Access:** Likely, given the nature of the spyware; not detailed in the article.
- **Discovery:** Likely, once access was gained; not detailed in the article.
- **Lateral Movement:** Not specified.
- **Collection:** Implied data gathering targeting the journalists.
- **Exfiltration:** Implied data theft.
- **Impact:** Surveillance and compromise of the journalists' private communications and data.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Compromise of communications and potential sensitive data belonging to El Salvadoran journalists.
- **Operational:** Disruption to the plaintiffs' ability to report freely, stemming from surveillance.
- **Reputational:** Damage to NSO Group's reputation due to ongoing litigation concerning state-sponsored surveillance actors using their technology.
## Indicators of Compromise
*No specific network or file IOCs were available as the article details a legal proceeding, not a forensic analysis.*
## Response Actions (Legal Context)
- **Containment measures:** N/A (Focus is on legal venue).
- **Eradication steps:** N/A.
- **Recovery actions:** Plaintiffs are seeking reinstatement of their lawsuit in the Northern District of California.
## Lessons Learned
- **Key takeaways:** Jurisdictional disputes in international cyber litigation, especially involving proprietary technology like spyware, are complex; the locus of technical components (e.g., cloud servers) may be as relevant to venue as the location of the final victim.
- **What could have been done better:** NSO Group lost ground by arguing that the location of technical infrastructure (Apple servers in California) did not constitute the core "misconduct", while the plaintiffs argued that their harm flowed from those technical actions taken in that district.
## Recommendations
- **Prevention measures for similar incidents:**
  - For NSO Group (defendants): prepare robust arguments justifying why a foreign jurisdiction is appropriate, even when U.S.-based technology companies are involved in the attack chain.
  - For potential victims and their legal teams: clearly delineate where the actionable misconduct occurred in order to secure a favorable venue.