What are Apple Threat Notifications?
Since November 2021, Apple has been actively issuing threat notifications to alert users who may be targets of state-sponsored attackers due to their identity or activities. These warnings are sent via email and iMessage to the contacts associated with the user’s Apple ID. The alerts inform users of potential unauthorized access to sensitive data or the possibility of their device’s camera or microphone being remotely activated. Apple advises those who receive these notifications to update their devices to the latest iOS version and to enable Lockdown Mode for added security.
How does Apple detect state-sponsored attacks?
The specifics of how Apple detects these state-sponsored attacks are largely undisclosed. Apple maintains that its detection methods are kept confidential to hinder attackers from modifying their strategies to evade discovery. However, we do know that victims have received threat notifications shortly after Citizen Lab sent the exploit chains to Apple:
We shared our observations of these exploit chains with Apple in October 2022 and in January 2023. Targets we found in the 2022 target pool reported receiving notifications from Apple in November and December 2022, and March 2023.
It is probable that Apple detects these intrusions by monitoring for atypical behavior patterns that align with known exploits, using analytics uploaded from devices to identify potential targets.
I am committed to keeping a close watch on these threat notifications and aim to maintain an up-to-date record of occurrences. If you have information regarding additional threat notifications from Apple and would like to contribute, please email me.
November 2021
In the aftermath of Citizen Lab’s revelation of the FORCEDENTRY exploit in September 2021, Apple took a firm stance against NSO Group, the entity behind the exploit. Apple’s legal action against NSO Group was complemented by a $10 million commitment to support cybersurveillance research and advocacy organizations. Moreover, Apple pledged to notify affected users of any activities consistent with state-sponsored spyware attacks, aligning with industry best practices.
- November 23, 2021: When you wake up to a threat notification from @Apple that your iPhone is being targeted then you know that cyber terrorism from state sponsored cyber terrorists is real.
- Norbert Mao, the leader of Uganda’s Democratic Party, received a startling notification from Apple, indicating that his iPhone was under the threat of state-sponsored cyber terrorism.
- November 23, 2021: Spy Tool Was Deployed in State-Sponsored Hack of Ugandans
- Two Ugandan journalists and an opposition leader were alerted by Apple about suspected state-sponsored hacks involving Pegasus spyware.
- November 25, 2021: Armenian Politicians ‘Alerted’ To ‘State-Sponsored’ Spyware Targeting
- A series of alerts were issued to Armenian politicians and citizens, including both opposition and government figures, about potential state-sponsored hacking via Pegasus spyware. High-profile individuals, such as High-Tech Industry Minister Vahagn Khachaturian and opposition leader Artur Vanetsian, confirmed receiving these notifications from Apple.
- November 26, 2021: Apple alerted Polish prosecutor that her iPhone has likely been compromised by NSO
- Polish prosecutor Ewa Wrzosek was notified by Apple of a likely compromise of her iPhone by Pegasus spyware.
- November 2021: Exclusive: Senior Indonesian officials targeted by spyware last year
- A group of senior Indonesian officials, including Chief Economic Minister Airlangga Hartarto and military personnel, were alerted to state-sponsored attacks by Apple.
November/December 2022
- Targets reported receiving notifications in November 2022, December 2022, and March 2023.
- December 16, 2022: Agencies trying to hack iPhone, got Apple notice: Telangana BSP chief RS Praveen Kumar
- Former IPS officer and BSP state president RS Praveen Kumar has reported that his iPhone was targeted in a suspected state-sponsored hacking attempt, as indicated by an alert from Apple. He suggests that Telangana’s BRS or the BJP central government could be behind it and has called for an investigation by a Supreme Court judge.
March 2023
- March 3, 2023: Reports confirmed a new series of Apple alerts warning users about nation state-backed hacking activities.
- March 3, 2023: We have in #Armenia a new wave of emails from Apple about possible attacks from state sponsored hackers.
- Public Facebook posts and other reports indicated that several individuals in Armenia, including a high-ranking official, the President of the National Assembly, Alen Simonyan, were recipients of Apple’s state-sponsored threat notifications. A December 2021 report by Citizen Lab had identified “likely Predator customers in Armenia” among other countries.
June 2023
- June 22, 2023: Hacking Meduza: Pegasus spyware used to target Putin’s critic
- Galina Timchenko, executive editor of Meduza, faced state-sponsored hacking attempts via Pegasus spyware, following the Russian government’s crackdown on independent media.
- June 23, 2023: A fresh batch of Apple threat notifications was sent out worldwide, indicating a potential surge in state-sponsored spyware attacks. The exact number of affected users remains unclear.
August 2023
- August 29, 2023: The CEO of ‘Nova-Europa’ Maria Epifanova and Latvian journalist Evgeny Pavlov reported a possible attack using the Pegasus spyware
- Maria Epifanova of Novaya Gazeta Europe, along with several colleagues, was alerted by Apple about potential compromises of their digital devices. Pegasus spyware is suspected to be the tool used in these incursions, with a particular focus on those using Latvian telecommunications services.
October/November 2023
- October 31, 2023: ‘State-sponsored’ attacks on phones of India opposition leaders, says Apple
- Apple issued warnings to Indian opposition leaders and journalists, indicating possible intrusions by state-sponsored hackers. The Indian government has challenged the specificity of these alerts and has reached out to Apple for collaboration in the ongoing investigation.
- November 3, 2023: Apple warns Armenians of state-sponsored hacking attempts
- Armenian nationals were notified by Apple of targeted cyber espionage activities. The CyberHUB implicated Pegasus spyware in these attacks, with potential connections to the Azerbaijani government amid heightened national tensions.