The Pegasus Project caused a global shock, a non-profit organization behind the latest investigation about Pegasus spyware Forbidden Stories claim. Yet, experts seem less astonished - the spyware is not new, nor it is surprising that oppressive regimes use such tools for nefarious purposes.
A leak of 50,000 phone numbers and its analysis, conducted by Paris-based non-profit journalism group Forbidden Stories with support of Amnesty International’s Security Lab, focuses on one specific tool. Named Pegasus, it’s hacking spyware owned by the Israeli NSO Group.
The spyware acts through iPhone and Android mobile devices and lets it access messages, emails, photos, or even secretly record calls and activate microphones.
An investigation published on Sunday by 17 media organizations, led by Forbidden Stories, said the spyware, made and licensed by the Israeli company NSO, had been used in attempted and successful hacks of 37 smartphones belonging to journalists, government officials, and human rights activists.
Who are its users? At least ten governments: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates (UAE). Three countries looked up the majority of the numbers. Mexico had 15,000 requests while Algeria and the UAE had 10,000 requests, respectively.
It’s been almost a week since the Pegasus Project broke the news. According to the Forbidden stories, it has sparked an enormous reaction worldwide: India is facing its own Watergate, and protests are growing against the government, accused of using spyware to monitor journalists and political opponents.
Chief of the European Commission, Ursula von der Leyen, condemned the misuse of Pegasus spyware. The Paris prosecutor’s office opened a probe on Tuesday into allegations by investigative news website Mediapart and two of its journalists that they had been spied on by Morocco using the Pegasus spyware.
Under international pressure, the Israeli government, according to unnamed officials, has set up a task force to manage the fallout from Pegasus project revelations.
Spyware is not new
"Spyware is not new, nor is the hoarding of zero-days discovered by spy agencies. One of the worst global ransomware attacks, WannaCry, used the EternalBlue toolkit stolen from the NSA when they were breached. Exposing NSO (not to be confused with NSA) and that their Pegasus tools were used by many regimes to spy on their citizens, including journalists and activists, shouldn't be terribly surprising," Stel Valavanis of Chicago based onShore Security told CyberNews in an email.
This is how governments can keep plausible deniability of their involvement when it reaches outside of their borders.
"There's no way that the Israeli government would allow NSO to sell Pegasus software if it were against their national interests just like Putin would never allow cybercrime gangs to attack western targets if that was bad for Russia,"Valavanis said.
Some of the governments that NSO supplied with the spyware, like Saudi Arabia and Hungary, are known oppressors of free speech. Therefore Valavanis is not surprised that they used Pegasus for nefarious purposes.
"The claim that no US phones are attacked falls on deaf ears when NSO also claims they don't control what their clients do with the software. And what happens if Pegasus gets in the wrong (worse) hands?" he said.
It is unlikely that cell phone manufacturers are complicit partly because there are too many variances, and a whistle-blower would be damaging. "Also, it's unnecessary as long as developers of spyware, dare I call them hackers, can find exploits. So we have a cat and mouse game not only with outright criminals but also with government actors."
“The cat is out of the bag”
A veteran cybersecurity professional and published author of fiction novels Bullseye Breach and Virus Bomb, Greg Scott says he doesn’t even know why it is in the news today.
“The world knew about it three years ago when it was all over the news. The Israelis use phishing and now zero-day vulnerabilities to get inside phones. And they only sell to governments. And they make sure everyone uses it responsibly. Uh-huh, yeah, okay, sure, we trust you. That was sarcasm. That’s how journalists critical of Saudi Arabia end up dead. Journalists everywhere should be outraged,” he told CyberNews via email.
“And even if Pegasus itself was not the tool on Khashoggi’s phone, it’s likely Pegasus inspired it. Unfortunately, now the cat is out of the bag, and we need to defend against it,” he added.
Jamal Ahmad Khashoggi was a Saudi Arabian journalist and dissident, assassinated at the Saudi consulate in Istanbul on 2 October 2018 by agents of the Saudi government, allegedly at the behest of Crown Prince Mohammed bin Salman.
According to Scott, we should assume that threat actors are trying to penetrate our phones 24/7.
“Make sure you apply updates when they come out. Maybe do your most sensitive communications some other way – with your phone turned off. Maybe you have a clean phone you only use with a small group of people, and only for voice calls, and a dirty phone with the rest of the world,” he said.
Rampant misuse of spyware
A non-profit organization Access Now is calling for urgent action to hold the surveillance industry and governments accountable in the light of state-sponsored human rights abuses facilitated by NSO Group, Candiru, and Cellebrite.
"These shocking exposés of privacy invasion, technology misuse, and human rights abuse facilitated by NSO Group, Cellebrite, and Candiru, are just more examples of why we urgently need to lift the curtain on this questionable industry, and hold these spyware firms and the governments to account," said Natalia Krapiva, Tech Legal Counsel at Access Now. "The industry has shown that it is incapable of policing itself, while governments — including democratic states — are hiding behind national security to whitewash these surveillance abuses. We need regulation, transparency, and accountability now."
Just a few days before the Pegasus Project investigation broke the news, Citizen Lab and Microsoft released their findings on another Israeli surveillance tech company Candiru. According to Reuters, it sold a tool to hack into Microsoft Windows. Candiru created and sold a software exploit that can penetrate Windows, one of many intelligence products sold by a secretive industry that finds flaws in common software platforms for their clients, said a report by Citizen Lab.
Technical analysis by security researchers details how Candiru's hacking tool spread around the globe to numerous unnamed customers, where it was then used to target various civil society organizations, including a Saudi dissident group and a left-leaning Indonesian news outlet.
"Spyware is proving time and time again to be incompatible with human rights," said Raman Jit Singh Chima, Global Cybersecurity Lead at Access Now. "No matter where it's deployed, there are always opportunities for exploitation, and its rampant misuse is making global digital communications insecure."
More great CyberNews stories:
Subscribe to our newsletter