What is Pegasus?
It is spyware made by the Israeli firm NSO Group that can secretly steal personal data, read conversations, and switch on microphones and cameras at will.
Amnesty International’s Security Lab examined data from 67 phones whose numbers were in the list.
Thirty-seven phones showed traces of Pegasus activity: 23 phones were successfully infected, and 14 showed signs of attempted targeting.
For the remaining 30 phones, the tests were inconclusive, in several cases because the phones had been replaced.
Fifteen of the phones in the data were Android devices.
Unlike iPhones, Android phones do not log the kinds of information required for Amnesty’s forensic work.
However, three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
In a subset of 27 analyzed phones, Amnesty International researchers found 84 separate traces of Pegasus activity that closely corresponded to the numbers’ appearance on the leaked list.
In 59 of these cases, the Pegasus traces appeared within 20 minutes of selection.
In 15 cases, the trace appeared within one minute of selection.
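The timing figures above come from correlating each forensic trace on a phone with the moment that phone’s number appeared in the leaked list. The following script is an added illustration of that correlation step and is not Amnesty’s tooling; the selection times, trace times and phone identifiers are constructed sample data, and the bucket boundaries (one minute, twenty minutes) mirror the figures quoted above.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data, NOT taken from the Amnesty report.
# A selection is (phone_id, ISO timestamp at which the number appeared in the list).
SELECTIONS = [
    ("phone-A", "2019-03-01T10:00:00"),
    ("phone-A", "2019-06-15T08:30:00"),
    ("phone-B", "2019-03-02T14:05:00"),
    ("phone-C", "2020-01-10T09:00:00"),
]
# A trace is (phone_id, ISO timestamp of a forensic indicator, indicator type).
TRACES = [
    ("phone-A", "2019-03-01T10:00:40", "process"),  # 40 s after selection
    ("phone-A", "2019-06-15T08:45:00", "process"),  # 15 min after selection
    ("phone-B", "2019-03-02T14:03:00", "sms"),      # 2 min BEFORE selection
    ("phone-B", "2019-03-02T14:20:00", "process"),  # 15 min after selection
    ("phone-C", "2020-01-12T09:00:00", "process"),  # two days later
    ("phone-D", "2020-02-01T00:00:00", "process"),  # number never appears in list
]

BUCKETS = ["within_1_min", "within_20_min", "later", "before_selection", "unlisted"]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def preceding_selection_gap(phone_id, trace_ts, selections):
    """Gap between a trace and the most recent selection of the same number
    that precedes it; None if no selection precedes the trace."""
    trace_time = _parse(trace_ts)
    gaps = [
        trace_time - _parse(sel_ts)
        for pid, sel_ts in selections
        if pid == phone_id and _parse(sel_ts) <= trace_time
    ]
    return min(gaps) if gaps else None


def classify_gap(gap, phone_id, selections):
    """Assign a trace to a timing bucket relative to its selection."""
    if gap is None:
        listed = any(pid == phone_id for pid, _ in selections)
        return "before_selection" if listed else "unlisted"
    if gap <= timedelta(minutes=1):
        return "within_1_min"
    if gap <= timedelta(minutes=20):
        return "within_20_min"
    return "later"


def correlate(selections, traces):
    """Count traces per timing bucket; the 20-minute total includes the
    1-minute cases, matching how the report's figures nest."""
    counts = Counter({b: 0 for b in BUCKETS})
    for phone_id, trace_ts, _kind in traces:
        gap = preceding_selection_gap(phone_id, trace_ts, selections)
        counts[classify_gap(gap, phone_id, selections)] += 1
    result = dict(counts)
    result["within_20_min_total"] = result["within_1_min"] + result["within_20_min"]
    return result


if __name__ == "__main__":
    for bucket, n in correlate(SELECTIONS, TRACES).items():
        print(f"{bucket:>20}: {n}")
```

Traces that fall before any selection of the same number, or on numbers that never appear in the list, are kept in their own buckets rather than discarded, because they are exactly the cases an analyst needs to examine separately before claiming a correlation.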
What is The Pegasus Project?
The project is a group of journalists, organised by Forbidden Stories, investigating the use of Pegasus.
Forbidden Stories is in the process of building a worldwide network of journalists committed to continuing the work of threatened, jailed or killed fellow reporters.
If a journalist is silenced in any part of the world, Forbidden Stories will be able to activate its network to take over her/his work and collaborate to continue and get her/his stories out.
We aim to expand this network in every country where independent media are censored.
Together, we send a strong message to enemies of the free press: “Even if you succeed in stopping a single messenger, dozens will take their place and deliver the message”.
The Pegasus Project is a collaborative investigation involving more than 80 journalists from 17 media organisations in 10 countries, coordinated by Forbidden Stories with technical support from Amnesty International’s Security Lab.
The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021.
Zero-day attacks
These attacks also include so-called “zero-click” attacks, which do not require any interaction from the target.
Zero-click attacks have been observed since May 2018 and continue to the present.
Most recently, a successful “zero-click” attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.
At the centre of this investigation is NSO Group’s Pegasus spyware which, when surreptitiously installed on victims’ phones, allows an attacker complete access to the device’s messages, emails, media, microphone, camera, calls and contacts.
Over the next week, media partners of The Pegasus Project – including The Guardian, Le Monde, Süddeutsche Zeitung and The Washington Post – will run a series of stories exposing details of how world leaders, politicians, human rights activists, and journalists have been selected as potential targets of this spyware.
From the leaked data and their investigations, Forbidden Stories and its media partners identified potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates.
NSO Group has not taken adequate action to stop the use of its tools for unlawful targeted surveillance of activists and journalists, despite the fact that it either knew, or arguably ought to have known, that this was taking place.
Agnès Callamard said:
“As a first step, NSO Group must immediately shut down clients’ systems where there is credible evidence of misuse. The Pegasus Project provides this in abundance.”
During the investigation, evidence has also emerged that family members of Saudi journalist Jamal Khashoggi were targeted by Pegasus before and after his murder in Istanbul on 2 October 2018 by Saudi operatives, despite repeated denials from NSO Group.
Amnesty’s Security Lab established that Pegasus spyware was successfully installed on the phone of Khashoggi’s fiancée Hatice Cengiz just four days after his murder.
His wife, Hanan Elatr, was also repeatedly targeted with the spyware between September 2017 and April 2018, and his son Abdullah was selected as a target along with other family members in Saudi Arabia and the UAE.
In a statement, the NSO Group responded to the Pegasus Project allegations saying that its “technology was not associated in any way with the heinous murder of Jamal Khashoggi”.
The company said it “previously investigated this claim, immediately after the heinous murder, which again, is being made without validation”.
Journalists under attack
The investigation has so far identified at least 180 journalists in 20 countries who were selected for potential targeting with NSO spyware between 2016 and June 2021, including in Azerbaijan, Hungary, India and Morocco, countries where crackdowns against independent media have intensified.
The revelations show the real-world harm caused by unlawful surveillance.
There is nothing to suggest that NSO’s customers did not also use Pegasus in terrorism and crime investigations, and the Forbidden Stories consortium also found numbers in the data belonging to suspected criminals.
In response to a request for comment by media organisations involved in the Pegasus Project, NSO Group said it “firmly denies” the claims and stated that “many of them are uncorroborated theories which raise serious doubts about the reliability of your sources, as well as the basis of your story”.
NSO Group did not confirm which governments are NSO Group’s customers, although it said the Pegasus Project had made “incorrect assumptions” in this regard. Notwithstanding its general denial, NSO Group said it “will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations”.
CIA ‘hoarded’ vulnerabilities (“zero days”)
In the wake of Edward Snowden’s leaks about the NSA, the U.S. technology industry secured a commitment from the Obama administration that the executive would disclose on an ongoing basis — rather than hoard — serious vulnerabilities, exploits, bugs or “zero days” to Apple, Google, Microsoft, and other US-based manufacturers.
Serious vulnerabilities not disclosed to the manufacturers place huge swathes of the population and critical infrastructure at risk from foreign intelligence services or cyber criminals who independently discover or hear rumours of the vulnerability.
If the CIA can discover such vulnerabilities so can others.
The U.S. government’s commitment to this came after significant lobbying by US technology companies, who risk losing their share of the global market over real and perceived hidden vulnerabilities.
The government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis.
“Year Zero” documents show that the CIA breached the Obama administration’s commitments.
Many of the vulnerabilities used in the CIA’s cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.
As an example, specific CIA malware revealed in “Year Zero” is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts.
The CIA attacks this software by using undisclosed security vulnerabilities (“zero days”) possessed by the CIA but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability.
As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.
The same vulnerabilities exist for the population at large, including the U.S. Cabinet, Congress, top CEOs, system administrators, security officers and engineers.
By hiding these security flaws from manufacturers like Apple and Google, the CIA ensures that it can hack everyone, at the expense of leaving everyone hackable.
‘Cyberwar’ programs are a serious proliferation risk
Cyber ‘weapons’ are not possible to keep under effective control.
While nuclear proliferation has been restrained by the enormous costs and visible infrastructure involved in assembling enough fissile material to produce a critical nuclear mass, cyber ‘weapons’, once developed, are very hard to retain.
Cyber ‘weapons’ are in fact just computer programs, which can be pirated like any other. Since they consist entirely of information, they can be copied quickly at no marginal cost.
Securing such ‘weapons’ is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces — sometimes by using the very same ‘weapons’ against the organizations that contain them.
There are substantial price incentives for government hackers and consultants to obtain copies since there is a global “vulnerability market” that will pay hundreds of thousands to millions of dollars for copies of such ‘weapons’. Similarly, contractors and companies who obtain such ‘weapons’ sometimes use them for their own purposes, obtaining advantage over their competitors in selling ‘hacking’ services.
Over the last three years the United States intelligence sector, which consists of government agencies such as the CIA and NSA and their contractors, such as Booz Allen Hamilton, has been subject to an unprecedented series of data exfiltrations by its own workers.
A number of intelligence community members not yet publicly named have been arrested or subject to federal criminal investigations in separate incidents.
Most visibly, on February 8, 2017 a U.S. federal grand jury indicted Harold T. Martin III with 20 counts of mishandling classified information.
The Department of Justice alleged that it seized some 50,000 gigabytes of information from Harold T. Martin III that he had obtained from classified programs at NSA and CIA, including the source code for numerous hacking tools.
Once a single cyber ‘weapon’ is ‘loose’ it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike.
The latest generation of sophisticated spyware being used against citizens has caused considerable outrage and debate.
What are your thoughts on the privacy violations this involves?