The smartphones of more than three dozen journalists, human rights activists and business people have been infected with powerful spyware that an Israeli company sells, allegedly to catch terrorists and criminals, the Washington Post and other publications reported.
The handsets were infected with Pegasus, a full-featured spyware developed by the NSO Group. The Israel-based exploit seller has received intense scrutiny in recent years after repressive governments in the United Arab Emirates, Mexico, and other countries used the malware against journalists, activists, and other groups unrelated to terrorism or crime.
Pegasus is often installed through “zero-click” exploits, such as those delivered through messaging services like iMessage or WhatsApp, that require no interaction from the victim. Once the exploit chain has silently jailbroken or rooted a target’s iPhone or Android device, Pegasus immediately sifts through a wide range of the device’s resources. It copies call logs, text messages, calendar entries and contacts. It can activate the cameras and microphones on compromised phones to eavesdrop on nearby activity. It can also track a target’s movements and steal messages from end-to-end encrypted chat apps, since it reads them on the device after they have been decrypted.
According to research conducted jointly by 17 news organizations, Pegasus infected 37 phones belonging to people who did not fit the criteria NSO says are required for use of the powerful spyware. The victims included journalists, human rights activists, executives and two women who were close to the murdered Saudi journalist Jamal Khashoggi, according to the Washington Post. A technical analysis by Amnesty International and the Citizen Lab at the University of Toronto confirmed the infections.
“The Pegasus attacks described in this report and accompanying appendices range from 2014 to July 2021,” wrote Amnesty International researchers. “This also includes so-called ‘zero-click’ attacks that do not require the target to interact. Zero-click attacks have been observed since May 2018 and continue to this day. A successful ‘zero-click’ attack was recently observed, in which several zero days were exploited to attack a fully patched iPhone 12 with iOS 14.6 in July 2021.”
The numbers of all 37 infected devices appeared on a leaked list of more than 50,000 phone numbers. It remains unknown who compiled the list, why, and how many of the listed phones were actually targeted or monitored. However, forensic analysis of the 37 phones often revealed a close correlation between the timestamp associated with a number on the list and the time at which monitoring of the corresponding phone began, in some cases a gap of only a few seconds.
Amnesty International and Forbidden Stories, a Paris-based nonprofit journalism organization, had access to the list and shared it with news organizations that carried out further research and analysis.
Reporters identified more than 1,000 people in more than 50 countries whose numbers were on the list. They included members of Arab royal families, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials, including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list. The Guardian, meanwhile, said 15,000 politicians, journalists, judges, activists and teachers in Mexico are on the leaked list.
As has been reported, hundreds of journalists, activists, academics, lawyers and even world leaders appear to have been targeted. Journalists on the list worked for leading news organizations including CNN, Associated Press, Voice of America, The New York Times, The Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.
“The targeting of the 37 smartphones seems to contradict the stated purpose of NSO’s licensing of the Pegasus spyware, which according to the company is only intended for the surveillance of terrorists and major criminals,” said the Washington Post on Sunday. “The evidence from these smartphones, which was first revealed here, calls into question the Israeli company’s pledges to monitor its customers for human rights abuses.”
NSO is pushing back
NSO officials are pushing back hard against the research. In a statement they wrote:
Forbidden Stories’ report is full of false assumptions and unconfirmed theories that cast serious doubts on the reliability and interests of the sources. It appears that the “unknown sources” provided information that was not factually based, and [is] far from reality.
After reviewing their claims, we firmly reject the false claims in their report. Their sources have provided them with information that is completely unfounded, as demonstrated by the lack of evidence to support many of their claims. In fact, these allegations are so outrageous and far from reality that NSO is considering filing a defamation lawsuit.
The NSO Group has good reason to believe that the claims made by unnamed sources to Forbidden Stories are based on [a] misleading interpretation of data from accessible and overt basic information such as HLR lookup services, which have no bearing on the list of customer targets of Pegasus or other NSO products. Such services are readily available to anyone, anywhere, anytime, and are widely used by government agencies for a wide variety of purposes and by private companies around the world.
To claim that the data was leaked from our servers is a complete lie and ridiculous as such data did not exist on any of our servers.
In their own statement, Apple officials wrote:
Apple clearly condemns cyberattacks against journalists, human rights defenders, and others who want to make the world a better place. Apple has been an industry leader in security innovations for over a decade, and security researchers agree that the iPhone is the safest, most secure mobile device out there. Attacks like the one described are very sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to keep all of our customers safe and we are constantly adding new safeguards to their devices and data.
This is by no means the first time NSO has come under international criticism after its Pegasus spyware was found targeting journalists, dissidents, and others with no clear links to crime or terrorism. The NSO spyware came to light in 2016 when Citizen Lab and security firm Lookout discovered that it was targeting a political dissident in the United Arab Emirates.
The researchers at the time discovered that text messages sent to UAE dissident Ahmed Mansoor contained links that exploited three zero-day vulnerabilities in the iPhone to install Pegasus. Rather than clicking the links, Mansoor forwarded the messages to Citizen Lab researchers, who found that the linked websites led to a chain of exploits that would have jailbroken his iPhone and installed the Pegasus spyware.
Eight months later, researchers from Lookout and Google identified an Android version of Pegasus.
In 2019, Google’s Project Zero exploit research team found that NSO was exploiting zero-day vulnerabilities that gave full control over fully patched Android devices. Days later, Amnesty International and Citizen Lab announced that the cell phones of two prominent human rights activists had been repeatedly targeted by Pegasus. That same month, Facebook sued NSO, alleging that it had used zero-click exploits to compromise the phones of WhatsApp users.
Last December, Citizen Lab said a zero-click attack developed by NSO exploited a zero-day vulnerability in Apple’s iMessage to compromise the phones of 36 journalists.
The exploits that NSO and similar companies sell are extremely complex, expensive to develop, and even more expensive to purchase. Smartphone users are unlikely to ever fall victim to one of these attacks unless they are in the crosshairs of a wealthy government or law enforcement agency. People in that category should seek advice from security professionals on how to protect their devices.