Pegasus Spyware - Current Developments
beebom.com
What is the NSO?
NSO Group, is an Israeli company that licenses surveillance software to government agencies. One of their products in the Pegasus Spyware.
NSO has been implicated by previous reports and lawsuits in other hacks, including a reported hack of Amazon founder Jeff Bezos in 2018.
NSO does not operate the systems that it sells to vetted government customers and does not have access to the data of its customers’ targets. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers.
What is the Pegasus Spyware?
Pegasus Spyware is a surveillance software sold exclusively to, as per NSO, government agencies for spying on criminals and terrorists. NSO says Pegasus provides an extremely valuable service in gathering information on terrorists and criminals who use the encryption technology to go ‘dark’.
The software’s key capabilities include the ability to extract photos, recordings, location records, communications, passwords, call logs and social media posts from the device, as well as the ability to activate the smartphone’s cameras and microphones for real-time surveillance. The spyware essentials turns a person into an informant against themselves
What happened?
Amnesty International and Forbidden Stories got access to more than 50,000 phone numbers that the organisations believed were potential targets of the spyware. The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted.They shared this multiple news agencies around the world, including the Guardian and the Wire, who carried out further research and analysis on the list. The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people in more than 50 countries through research and interviews. This includes several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats and military and security officers, as well as 10 prime ministers, three presidents and one king. At least 1/3rd of the numbers are from Mexico. The purpose of the list could not be conclusively determined.
Amnesty’s Security Lab conducted forensic tests on some of the phones and confirmed 37 phones were hacked. These phones belonged to journalists, human rights activists, business executives and the two women closest to murdered Saudi journalist Jamal Khashoggi. These numbers are concentrated in countries known to engage in surveillance of their citizens and known clients of NSO. 10 of these numbers belong to Indians and 5 to Hungarians. Both countries have denied any illegal surveillance activities.
As mentioned before the exact nature of the list is not clear but the forensic analysis of the 37 phones show that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance attempts, in some cases as brief as a few seconds.
These phones were infected by methods including phishing (the victim opens a malicious link contained within a text/iMessage/WhatsApp message) and zero-click (the victim’s smartphone is compromised without any interaction required by the victim, for example a missed call to the victim’s phone).
Notable victims
Princess Latifa, Daughter of Dubai’s ruler: A new investigation shows that in the days after she went missing, her phone number and those of friends were added to a list that also includes numbers of phones targeted by the powerful Pegasus spyware.
Princess Haya, estranged wife of Dubai’s ruler: Princess Haya is currently locked in a child protection battle in the UK with the ruler, Sheikh Mohammed bin Rashid al-Maktoum. Princess Haya, and members of her legal and security team were also entered into the list when she fled later to London. Haya’s phone was found to have been hacked 11 times in July and August last year with Sheikh Mohammed’s “express or implied authority”.
NSO said that post this revelation, the spyware is no longer effective against UK numbers.
This issue of Haya’s phone hacking by the Sheikh was taken to a British Court. The Sheikh’s legal team argued that British courts had no jurisdiction to to sit in judgment on a foreign act of state, namely the alleged use of spyware by the UAE and/or Dubai. However, in separate hearings this was rejected by the high court and court of appeal, with the supreme court refusing to allow a further appeal.
Mexican Journalists: The phone of Mexican journalist Cecilio Pineda Birto also appeared twice on the list, including in the month before he was murdered, the investigation found. His phone disappeared from the scene of the murder, so a forensic examination was not possible.
NSO has defended itself by saying that even if his phone was targeted, that did not mean that data collected was connected with his murder.
Indian Citizens: More than 40 journalists, three opposition leaders and two ministers in Prime Minister Narendra Modi's government were reported to be on the list. This included the key opposition figure in the Parliament, Rahul Gandhi, with two mobile phone numbers belonging to him found in the list.
French Citizens: Traces of Pegasus spyware were found on the mobile phones of at least five current French cabinet ministers. The French President’s number also appeared on this list. NSO has said that President Macron was not and never had been a “target” of any of its customers.
Legal and current developments
Apple: Out of the 37 phones confirmed to be hacked by Amnesty, 34 were iPhones. Apple has since updated its security fix the flaw that Pegasus exploited.
French Investigations: French intelligence investigators have confirmed that Pegasus spyware has been found on the phones of three journalists, including a senior member of staff at the country’s international television station France 24. This was the first independent and official authority to corroborate the findings by Amnesty and news agencies.
President Macron has ordered multiple investigations into the spyware and its illegal use.
Morocco: Research by the news agencies and other organisations suggested that Morocco was the country that may have been interested in President Macron and his senior team. Morocco has “categorically” rejected and condemned what it called “unfounded and false allegations” that it had used Pegasus to spy on high-profile international figures. Lawyers for the government said last week that it had filed defamation claims in Paris against Amnesty International and Forbidden Stories.
Hungary: At least five Hungarian journalists appeared on a leaked list reviewed by the Pegasus papers consortium. Also on the list was the number of the opposition politician György Gémesi, the mayor of the town of Gödöllő and the head of a nationwide association of mayors.
Hungary’s data protection authority, the NAIH, has said it has launched an official investigation into allegations about the Hungarian government’s use of the Pegasus software.
Whatsapp Lawsuit: Whatsapp sued NSO in 2019 in the US. It alleged that NSO is behind cyber-attacks on 1,400 mobile phones involving Pegasus. In its lawsuit, WhatsApp didn't reveal the identity of its users whose devices were attacked by the Pegasus spyware. The lawsuit claims that NSO’s operations have “burdened” WhatsApp’s networks and injured company’s “reputation, public trust and goodwill”. WhatsApp’s argument also rests on the Computer Fraud and Abuse Act, which makes it illegal to tap into computers without authorization. This might be a difficult argument for WhatsApp to argue given that the devices that were compromised by NSO belong to WhatsApp users, not WhatsApp itself. As per New York Times, “WhatsApp does its best to argue that NSO gained access to its own signalling and relay servers without authorization in the process of contacting WhatsApp users, but this is a dicey interpretation of the Computer Fraud and Abuse Act, akin to arguing that you need Google’s permission to send an email to a Gmail user through Google’s servers.”
NSO has denied any wrongdoing, but since then the company has been banned from using WhatsApp. WhatsApp has also asked the court to prevent NSO from "trespassing" the property of its parent company Facebook and pay damages for violating the data privacy and fraud laws, and for breaching the contract between WhatsApp and its users.
On 2nd March 2020, a default notice was passed against NSO in California for failing to appear in court. This notice was challenged by NSO. They argued that WhatsApp did not serve adequate notice to them as per the established rules of private international law.
NSO has argued that it should be covered by the principle of sovereign immunity as its products are given only to those governments/state agencies who request for it. Countering this argument, WhatsApp submitted that NSO is a third-party entity and not a "state agency".
As of December 2020, Microsoft, Google, Internet Association, GitHub LinkedIn and more have moved a motion to join Facebook (WhatsApp’s parent company) to join the lawsuit.
Israel’s response: The Israeli government has stood behind the NSO Group and declined to revoke its export license, despite the efforts of Amnesty International.
NSO’s response: NSO has maintained that its software is only sold to “vetted government customers” and used for purposes of law enforcement. The company has said that the list is in no way indicative of whether or not a number was selected for surveillance using Pegasus. They have also questioned the accuracy of the leaked list.
Other Lawsuits: Legal action is being taken by alleged targets against NSO and, conversely, by NSO clients against Amnesty. Meanwhile, Amnesty is calling on the Israeli government to revoke existing export licenses to NSO Group. Another lawsuit has been filed in Israel by the Montreal-based Saudi dissident Omar Abdulaziz, follows parallel suits by journalists, activists and others alleging that the NSO Group has helped the Mexican and the UAE government spy on their smartphones even though the individuals had no criminal records and posed no threat of violence.
by Swarnim Agrahari