What is Pegasus?
Pegasus is military-grade spyware that gives full access to the target’s smartphone including its data, images, photographs, and conversations as well as camera, microphone, and geolocation.
Experts say Pegasus is a zero-click Trojan virus – a type of malicious code or software that looks like a legitimate piece of software but is designed to damage, disrupt, steal, or in general inflict some other harmful action on your data or device.
Who created Pegasus?
Pegasus was created by NSO Group, an Israeli technology firm founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio. The name NSO derives from the initials of the first names of the founders (Niv, Shalev and Omri). Based in Herzliya, near Tel Aviv, Israel, NSO employed almost 500 people as of 2017.
NSO Group is a subsidiary of the Q Cyber Technologies group of companies. Q Cyber Technologies is the name the NSO Group uses in Israel, OSY Technologies in Luxembourg, and in North American, it has a subsidiary named Westbridge. It has operated through other companies around the world.
Where is Pegasus used?
NSO claims that it provides authorized governments with technology that helps them combat terror and crime. The Pegasus spyware is classified as a weapon by Israel and any export of the technology must be approved by the government.
Practically, Pegasus is known to have been used by repressive regimes including India against in targeted attacks against human rights activists, journalists, and political rivals; and in-state espionage against Pakistan, again by India. Researchers say surveillance through Pegasus played a role in the murder of Saudi dissident Jamal Kashoggi.
How does Pegasus work?
The earliest version of Pegasus captured by a researcher in 2016 infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link. Since then, however, NSO’s attack capabilities have become more advanced. Pegasus infections can be achieved through so-called “Zero-click” attacks, which do not require any link to install.
In 2019, instant messaging company WhatsApp revealed that NSO’s software had been used to send malware to more than 1,400 phones by exploring a zero-day vulnerability. Simply by placing a WhatsApp call to the target device, malicious Pegasus code could be installed on the phone, even if the target never answered the call.
In October 2019, WhatsApp and its parent company Facebook sued NSO and Q Cyber Technologies under the US Computer Fraud and Abuse Act (CFAA).
More recently, NSO has begun exploiting a vulnerability in Apple’s iMesssage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is continually updating its software to prevent such attacks.
Technical understanding of Pegasus, and how to find the evidential breadcrumbs it leaves on a phone after a successful infection has been improved by research conducted by Android operating systems.
Recently, as the technical partner of the Pegasus Project, an international consortium of media organizations including the Guardian, Amnesty’s Citizen Lab has discovered traces of successful attacks by Pegasus customers on iPhones running up-to-date versions of Apple’s iOS. The attacks were carried out as recently as July 2021.
As Pegasus’ fundamental purpose is to spy on the owner of the phone, one of its main operations is to gather data. The data-gathering functionality of Pegasus is among the most complete and comprehensive we have seen in any spyware package.
The software also gathers contacts from the system, dumping the victim’s entire address book. Pegasus also constantly updates and sends the location of the phone:
One of the most significant sets of private data on a phone is stored in the various user keychains. Apple’s KeyChain holds all of a user’s stored authentication info (usernames and passwords). Pegasus loads the keychain and dumps all of the victim’s data.
In addition to stealing all of the victim’s passwords, Pegasus interrogates the list of every Wi-Fi network that the phone has saved and grabs all of the SSIDs and WEP/WAP keys and users.
Pegasus also grabs the router password for Apple devices like Airport, Time Capsule, etc.
How do we know about Pegasus?
We know what we know about Pegasus thanks to the Pegasus Project – an international investigative journalism initiative that revealed governments’ espionage on journalists, opposition politicians, activists, business people, and others using the private NSO Group’s Pegasus spyware.
In 2020, a target list of 50,000 phone numbers leaked to Forbidden Stories. An analysis of the list revealed it contained many numbers of non-criminal targets including leading opposition politicians, human rights activists, journalists, lawyers, and other political dissidents.
The Pegasus Project is an umbrella name for 17 media organizations collaborating on the story. Reports by member organizations started to appear on 18 July 2021, revealing notable non-criminal targets and analyzing the practice as a threat to freedom of the press, freedom of speech, dissidents, and democratic opposition.
The world got its first inkling of Pegasus from a 2016 report by cybersecurity giant Lookout, who were in turn alerted by Citizen Lab. The 2016 report is an in-depth technical look at a targeted espionage attack being actively leveraged against an undetermined number of mobile users around the world.
The most detailed technical analysis of Pegasus so far has come from Lookout. The firm says it works with “100 million mobile sensors fuelling a dataset of virtually all the mobile code in the world”, and claims it can predict and stop mobile attacks before they do harm.
On 20 July, 14 heads of state were revealed as former targets of Pegasus malware including Pakistan’s Prime Minister Imran Khan, who has called for a United Nations inquiry into India’s use of the malware.
Calls have since been aired for further investigation into the abuses and a limitation on trading such repressive malware. Among groups airing these calls have been the newsrooms involved, the Committee to Protect Journalists, the International Press Institute, and the persecuted American whistle-blower Edward Snowden.
Amnesty International’s Security Lab has performed in-depth forensic analysis of numerous mobile devices from human rights defenders (HRDs) and journalists around the world. This research has uncovered widespread, persistent, and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.
As laid out in the UN Guiding Principles on Business and Human Rights, NSO Group should urgently take proactive steps to ensure that it does not cause or contribute to human rights abuses within its global operations, and to respond to any human rights abuses when they do occur. In order to meet that responsibility, NSO Group must carry out adequate human rights due diligence and take steps to ensure that HRDs and journalists do not continue to become targets of unlawful surveillance.
In this Forensic Methodology Report, Amnesty International is sharing its methodology and publishing an open-source mobile forensics tool and detailed technical indicators, in order to assist information security researchers and civil society with detecting and responding to these serious threats.
This report documents the forensic traces left on iOS and Android devices following targeting with the Pegasus spyware. This includes forensic records linking recent Pegasus infections back to the 2016 Pegasus payload used to target the HRD Ahmed Mansoor.
The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021. These also include so-called “zero-click” attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful “zero-click” attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.
Sections 1 to 8 of this report outline the forensic traces left on mobile devices follow- ing a Pegasus infection. This evidence has been collected from the phones of HRDs and journalists in multiple countries.
Finally, in section 9 the report documents the evolution of the Pegasus network infrastructure since 2016. NSO Group has redesigned its attack infrastructure by employing multiple layers of domains and servers. Repeated operational security mistakes have allowed the Amnesty International Security Lab to maintain continuous visibility into this infrastructure. We are publishing a set of 700 Pegasus-related domains.
Names of several of the civil society targets in the report have been anonymized for safety and security reasons. Individuals who have been anonymized have been assigned an alphanumeric code name in this report.
Technical analysis of Pegasus spyware
According to a technical evaluation of Pegasus, the software is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation, and encryption.
It uses sophisticated function hooking to subvert OS- and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging, and email apps, and others.
It steals the victim’s contact list and GPS location, as well as personal, Wi-Fi, and router passwords stored on the device. The iOS version of the attack uses what we refer to as Trident, an exploit of three related zero-day vulnerabilities in iOS, which Apple patched in iOS 9.3.5, available as of the publishing of this report.
According to news reports, NSO Group sells weaponized software that targets mobile phones to governments and has been operating since 2010, according to its LinkedIn page. The Pegasus spyware has existed for a significant amount of time and is advertised and sold for use on high-value targets for multiple purposes, including high-level espionage on iOS, Android, and Blackberry.
This spyware is extremely sophisticated and modular, in addition to allowing customization. It uses strong encryption to protect itself from detection by traditional security tools and has vigorous monitoring and self-destruct mechanisms. Lookout’s analysis determined that the malware exploits three zero-day vulnerabilities, Trident, in Apple’s iOS
Pegasus targets and perpetrators
According to an analysis by the German newspaper Die Zeit, no less than fourteen incumbent and former heads of state and government have been targeted – implying possible full access to their mobile phones’ data.
Prominent among the leaders targeted are President Emmanuel Macron of France, President Cyril Ramaphosa of South Africa, and Prime Minister Saad Hariri of Lebanon – besides of course PM Khan of Pakistan.
Many of the targeted numbers were clustered in 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates, according to the reports.
The phones of two Hungarian investigative journalists, Andras Szabo and Szabolcs Panyi, were found to have been successfully infected with the spyware.
In India, more than 40 journalists, three opposition leaders, and two ministers in Prime Minister Narendra Modi’s government were reported to be on the list.
This included the key opposition figure Rahul Gandhi, with two mobile phone numbers belonging to him found in the list. Mr Gandhi no longer has the devices so it was not possible to analyze them to determine if he had been hacked.
More details about who has been targeted are expected to be released in the coming days.
Israeli commission of enquiry
International civil rights groups have been raising hues and cries about the revelation made in these newspapers about the role Pegasus software is playing in spying on important personalities internationally.
After coming under lots of pressure from international media and civil rights groups, the Israeli government constituted a commission of inquiry to review allegations that NSO Group’s controversial Pegasus phone surveillance software has been misused amid a hacking scandal.
The announcement to this effect came from the head of the Israeli parliament’s Foreign Affairs and Defence Committee came amid revelations that the Israeli firm’s spyware appears to have been used by governments in the surveillance of heads of states, opposition figures, activists, and journalists, whose names were among some 50,000 potential targets on a list leaked to rights group Amnesty International and Paris-based Forbidden Stories.
The revelations sparked calls for accountability and increased controls on the international sales of spyware technology. Pegasus can hack into mobile phones without a user knowing, enabling clients to read every message, track a user’s location and tap into the phone’s camera and microphone.
A look at NSO
Apparently, NSO was laughing all the way to the bank already three or four years ago. From humble beginnings in 2010, NSO has become in effect a company that helps its client’s spy on the world.
NSO’s annual revenues were around USD 40 million in 2013 and USD 150 million in 2015. In June 2017, the company was put up for sale for USD 1 billion by Francisco Partners.
Founders Lavie and Hulio, partnering with European private equity fund Novalpina Capital, purchased a majority stake in NSO in February 2019. It was reported at that time that NSO had “finished 2018 with revenues of $250 million, and dozens of licensed customers”.
The Pegasus project has raised new concerns about the scale and depth of the surveillance campaigns pursued by the company’s government clients – and more generally the lack of regulations around the many firms that now sell military-grade spyware.
Hulio, who served in the Israel Defence Forces (IDF), has said the idea for the company came after he and Lavie received a phone call from a European intelligence service, which had learned the pair had the know-how to access people’s phones. “Why aren’t you using this to collect intelligence?” the agency is said to have asked.
The proliferation of smartphones and encrypted communications technology, from Signal to WhatsApp and Telegram, meant intelligence and law enforcement agencies had gone “dark”, unable to monitor the activities of terrorists and other criminals.
“They said we didn’t really understand, that the situation was grave,” Hulio recalled. So grave, in fact, that when NSO began selling its technology, it quickly expanded, and currently employs about 750 staff. The company is the world leader in a niche market: Providing states with “off the shelf” cyber capabilities that allow them to compete with the National Security Agency (NSA) in the US and the UK’s GCHQ” According to Daily Guardian.
The name NSO is derived from the initials of the men who launched it: the friends Niv Carmi, Shalev Hulioand, and Omri Lavie.
