Pegasus Spyware Used to Monitor Activists, Journalists, and Politicians

Over the past weekend, the human rights organization Amnesty International, the nonprofit project Forbidden Stories, and more than 80 journalists from a consortium of 17 media organizations in 10 countries published the results of a joint investigation called the “Pegasus Project.”

Experts uncovered widespread abuse of spyware developed by the Israeli company NSO Group. According to the report, this spyware is actively used to violate human rights and surveil politicians, activists, journalists, and human rights defenders worldwide.

The malware in question is the notorious Pegasus, first discovered in 2016. In the years since, cybersecurity experts have continued to find new incidents involving Pegasus and have criticized NSO Group for selling its solutions to governments and intelligence agencies around the world—often to repressive regimes—even though the use of the malware is rarely documented.

Pegasus is designed for espionage: on both iOS and Android devices it can collect text messages and app data, eavesdrop on calls, track location, steal passwords, and more.

“NSO Group’s spyware is the weapon of choice for repressive regimes seeking to silence journalists, attack activists, and crush dissent, endangering countless lives,” said Amnesty International Secretary General Agnès Callamard. “Our findings debunk any claims by NSO that such attacks are rare or due to misuse of their technology. While the company claims its spyware is used only against real criminals and for fighting terrorism, it’s clear their technology enables systematic abuse. They present an image of legitimacy but profit from widespread human rights violations. Our latest findings show that NSO Group clients can now remotely hack even the latest iPhone models and all versions of iOS.”

Researchers obtained a list of 50,000 phone numbers allegedly “of interest” to NSO Group clients, carefully selected since 2016. While being on the list does not necessarily mean the owner was attacked, infection with the spyware was confirmed in “dozens of cases.”

The list includes politicians, activists, journalists, human rights defenders, business leaders, religious figures, scientists, and more. Notably, it contains the phone numbers of at least 10 heads of state.

The investigation identified NSO Group clients in at least 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the UAE. Rwanda, Morocco, India, and Hungary have already denied using Pegasus.

Zero-Day Exploits in iOS

During the investigation, researchers discovered iPhones running the latest version of iOS that had been hacked using zero-click exploits (which require no user interaction) for iMessage. For example, Amnesty International confirmed the active infection of an activist’s iPhone X (CODE RWHRD1) on June 24, 2021, running iOS 14.6.

“Amnesty International found evidence of the hacking of an Indian journalist’s iPhone XR (CODE INJRN1), which was running iOS 14.6 (the latest version at the time) as recently as June 16, 2021,” the report states.

The researchers’ findings were verified by Bill Marczak, an expert at Citizen Lab, who conducted an independent review of the “Pegasus Project.”

“The mechanics of this zero-click exploit for iOS 14.x appear to be significantly different from the KISMET exploit for iOS 13.5.1 and 13.7, suggesting this is actually a different zero-click exploit for iMessage,” wrote Citizen Lab experts.

Amazon Bans NSO Group Infrastructure

After the report was published, Amazon Web Services (AWS) blocked all infrastructure and accounts associated with NSO Group. Researchers had noticed that “Pegasus was sending information to a service hosted by Amazon CloudFront,” indicating that NSO Group had recently switched to using AWS.

CloudFront infrastructure was used to deploy malware for various purposes, including targeting the phone of a French human rights lawyer. Researchers noted that switching to CloudFront offered NSO some protection from researchers or third parties trying to study the company’s infrastructure.

The report also notes that NSO uses services from other companies, such as Digital Ocean, OVH, and Linode.

“When we learned of this activity, we quickly shut down the relevant infrastructure and accounts,” an AWS spokesperson told Vice Motherboard.

NSO Group’s Response

NSO Group representatives rarely remain silent in response to such accusations. The company typically claims it sells its tools only to government customers and law enforcement agencies, but cannot control how clients use them. This time was no exception. In a statement to The Guardian, company representatives said:

“NSO does not operate the systems it sells to vetted government customers, and has no access to the data of its clients’ targets. NSO does not use its technology, does not collect, possess, or have access to any client data. For contractual and national security reasons, NSO cannot confirm or deny the identity of our government clients.”

The company has also published an official statement on its website, denying all allegations and calling them false:

“After checking the claims [by Amnesty International and Forbidden Stories], we strongly deny all the false allegations contained in their report. Their sources provided information with no factual basis, as evidenced by the lack of supporting documentation for many of their claims. In fact, these accusations are so outrageous and far from reality that NSO is considering a defamation lawsuit.”
