Several Thai citizens were hit by Pegasus spyware in what appears to be “an extensive espionage campaign” against the local democracy movement.
On November 23, 2021, a number of people received notifications from Apple that they were targeted by state-backed attacks with mercenary spyware – specifically, with NSO Group’s Forcedentry exploit.
Researchers at the University of Toronto's Citizen Lab have concluded with high confidence that victims were affected by Pegasus software, identifying at least 30 impacted human rights activists, protesters, and political leaders. The infections took place from October 2020 to November 2021, during the peak of the pro-democratic campaign.
Many of the victims had previously been prosecuted by the Thai government, while others were not involved in the protests. This likely reflects a goal of mapping the structure of the opposition.
Based on further investigation, the early stage of the attacks in 2020 relied on the Kismet zero-click exploit, which mostly affected phones running out-of-date software. Malicious image files were sent to the phones and triggered execution inside a WebKit instance. Devices running newer software, such as iOS 14, appear to be protected against this exploit.
From February 2021 onward, the Forcedentry exploit was used instead, delivered via iMessage. It sent malicious PDF files containing JBIG2 streams, disguised with a “.gif” extension; these hijacked control of the JBIG2 parser and downloaded a payload.
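As an added defensive illustration, not taken from the Citizen Lab report or from any real sample, the following Python triage helper flags the two observable traits of the delivery pattern described above: an attachment whose “.gif” name does not match its actual content, and a PDF that carries a JBIG2Decode filter. The attachment bytes are constructed stand-ins.

```python
import re
from typing import Dict, List, Optional

# Constructed sample attachments (filename -> leading bytes). These are synthetic
# stand-ins for illustration only, not real Pegasus/Forcedentry artifacts.
SAMPLES: Dict[str, bytes] = {
    "holiday.gif": b"GIF89a" + b"\x00" * 16,
    "photo.gif": (b"%PDF-1.7\n1 0 obj\n<< /Type /XObject /Subtype /Image"
                  b" /Filter /JBIG2Decode /Width 1 /Height 1 >>\nstream\n"),
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n",
}

# Leading-byte signatures used to sniff the real content type of an attachment.
MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif", b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
}

def sniff(data: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def assess_attachment(name: str, data: bytes) -> List[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff(data)
    same = actual == ext or (actual == "jpeg" and ext == "jpg")
    if actual and ext and not same:
        findings.append(f"extension '.{ext}' does not match content type '{actual}'")
    # A JBIG2Decode filter in an iMessage attachment is unusual enough to flag for review.
    if actual == "pdf" and re.search(rb"/JBIG2Decode", data):
        findings.append("PDF declares a JBIG2Decode filter")
    return findings

def triage(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run assess_attachment over a batch and keep only attachments with findings."""
    return {n: f for n, d in attachments.items() if (f := assess_attachment(n, d))}
```

These checks are heuristics for prioritising forensic review, not proof of compromise; a flagged attachment still needs full device analysis.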
The researchers do not conclusively attribute the attack to a single state actor. However, they claim that much evidence points toward the Thai government, including the victims themselves being Thai, their political affiliations, as well as the timing of the attacks.
“Conducting such an extensive hacking campaign against high profile individuals in another country is risky and runs the possibility of discovery, especially given the well-known previous cases where Pegasus infections were publicly discovered and publicly disclosed,” they explain.