Pegasus, military-grade spyware designed by the Israeli surveillance firm NSO Group to track terrorists, was used to hack 37 smartphones of journalists, human rights activists and politicians, according to an investigation known as “The Pegasus Project” conducted by The Washington Post and 16 other news organizations led by the journalism nonprofit Forbidden Stories.
Forbidden Stories accessed a list of 50,000 phone numbers that were selected for surveillance by NSO Group’s customers, including several governments.
Reporters who examined the list were able to identify about 1,000 people across 50 different countries through research and interviews.
These people include several Arab royal family members, nearly 200 journalists, more than 600 politicians and government officials and nearly 100 business executives and human rights activists each.
The rest of the phone numbers remain unattributed.
NSO Group, which describes itself on its website as creating “cyber intelligence for global security and safety,” offered Pegasus to government customers as a tool for collecting data from the mobile devices of individuals “suspected to be involved in serious crime and terror.”
However, the people found to be part of the extensive list of tracked phone numbers suggest the spyware is being used for other purposes.
‘Zero-Click Attack’
Unlike other spyware, Pegasus doesn’t require the phone owner to click on any kind of malicious link or application in order for trackers to gain control over the device.
“This ‘zero-click attack’ strategy nullifies the need for an adversary to socially profile or manipulate a target through other means, like phishing scams or business email compromise attacks,” an article by The Soufan Center said.
“Pegasus can collect and access a wide range of data and tools on a target’s device, including but not limited to geo-locational information, browser history, read text messages, voicemails, and microphones and cameras.”
The person whose phone has been hacked is unlikely to be aware the spyware has been installed.
Apple’s iPhone 11 and 12 were found to be vulnerable to Pegasus despite the phone’s security programs.
Three Guiding Principles
The founders of the NSO Group said when creating the company, they agreed to three guiding principles: to license to only governments and not private citizens,
to not have any knowledge into who customers target after purchasing the software and to seek approval from the export controls unit of Israel’s Ministry of Defense.
The designers envisioned the product as an aid in law enforcement and terrorist investigations. But the investigation revealed that clients may be using it for other purposes.
The NSO Group, now valued at $1.5 billion, gained public attention in 2016 when a lab based at Toronto University, published a report documenting how the United Arab Emirates used Pegasus to break into a notable human rights activist’s phone.
WhatsApp and Facebook both filed lawsuits against the surveillance firm in 2019 after alleging NSO Group sent malware to 1,400 devices to survey select WhatsApp users.
Princess Latifa, the daughter of Dubai’s ruler in the United Arab Emirates, who tried to escape in 2018, may have been captured as a result of Pegasus spyware.
Although the princess decided to use new burner phones in order to communicate, the phone numbers of her friends showed up on a database part of the investigation into Pegasus, according to The Guardian.
This means a client of the NSO Group may have chosen the princess’ friends for surveillance after her escape.
The Pegasus Project also found the phones of journalist Jamal Khashoggi’s fourth wife and fiancée were targeted prior to his murder by the Saudi government in 2018.
Should Firms like the NSO Group Exist?
Although NSO Group requires its customers to sign an agreement stating they will only use the software for law enforcement purposes, the industry under which the NSO Group operates is underregulated, according to The Soufan Center.
The Soufan Center states there should be an ongoing discussion about whether the NSO Group, and firms like it, should exist in the first place.
The Center recommends lawmakers discuss ways that stricter laws and control methods regarding surveillance may be implemented and in the meantime companies such as Google and Apple should take a stance to protect their users against spyware such as Pegasus.