Spyware produce by the Israeli surveillance firm NSO Group has been abused by governments to target dissenting journalists, activists, lawyers and more, an investigation by human rights groups and media organizations has found.
The Pegasus spyware was produced with the intention of targeting terrorists and other criminals, but an investigation into a huge data leak shows that it has also be misused by authoritarian governments to gather text message, photos, call logs and more from iPhones and Android handsets. The malware can also be used to acti8vate the microphone of a targeted device to eavesdrop on conversations. Targets includes not only journalists and activists, but also key business figures, members of government, presidents and prime ministers.
Among those involved in the investigation are the Guardian, the Washington Post and Amnesty International. The investigation was started following the leak of around 50,000 phone numbers belonging to people believed to be of interest to client of NSO Group. From this list of number, over half were found to have traces of the Pegasus spyware.
The malware is, according to NSO, only made available to military, law enforcement and intelligence agencies from countries with good human rights records, but there is strong evidence of it having been used by authoritarian leaders as well.
While only a few names on the list of targets have been revealed so far, more will be made public in the coming days and weeks. Initial reports show there is widespread use of Pegasus in Mexico, Morocco and the United Arab Emirates, but in all there are targets in dozens of countries. Data suggests that Hungary’s far-right government, headed by Viktor Orbán, is among those using the spyware to hack the phones of journalists, lawyers and opposition politicians.
A victim’s phone can be targeted through a wide range of known and established attack vectors, exploiting vulnerabilities or employing social engineering. Once infected with Pegasus, any and all data on a phone can be transmitted back to the perpetrator. Back in 2019, it was discovered that Pegasus has been installed on phones by exploiting a zero-day flaw in WhatsApp. By simply placing a call to a victim — which did not even need to be answered — it was possible to infect a handset. When an iPhone is infected, the attacker gains root access to the device.
The Guardian points out:
NSO has invested substantial effort in making its software difficult to detect and Pegasus infections are now very hard to identify. Security researchers suspect more recent versions of Pegasus only ever inhabit the phone’s temporary memory, rather than its hard drive, meaning that once the phone is powered down virtually all trace of the software vanishes.
One of the most significant challenges that Pegasus presents to journalists and human rights defenders is the fact that the software exploits undiscovered vulnerabilities, meaning even the most security-conscious mobile phone user cannot prevent an attack.
NSO Group has denied any wrongdoing, and only very recently published a transparency report in which is set out its human rights policies and pledges. Amnesty International has dismissed the report as being nothing more than a “sales brochure”.
The company has responded to reports followed the investigation saying they are “full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources”. The company says the reports are based on false accusation and misleading allegations”.
The news organizations involved in the investigations have promised that more information will be released in the coming days.
Image credit: Guardian