Enlarge
Getty Images
reader comments
182
with 109 posters participating
Share this story
Share on Facebook
Share on Twitter
Share on Reddit
Smartphones belonging to more than three dozen journalists, human rights activists, and business executives have been infected with powerful spyware that an Israeli firm sells, purportedly to catch terrorists and criminals, The Washington Post and other publications reported.
The handsets were infected with Pegasus, full-featured spyware developed by NSO Group. The Israel-based exploit seller has come under intense scrutiny in recent years after repressive governments in the United Arab Emirates, Mexico, and other countries have been found using the malware against journalists, activists, and other groups not affiliated with terrorism or crime.
Pegasus is frequently installed through “zero-click” exploits, such as those sent by text messages, which require no interaction from victims. After the exploits surreptitiously jailbreak or root a target's iPhone or Android device, Pegasus immediately trawls through a wealth of the device's resources. It copies call histories, text messages, calendar entries, and contacts. It is capable of activating the cameras and microphones of compromised phones to eavesdrop on nearby activities. It can also track a target's movements and steal messages from end-to-end encrypted chat apps.
iPhone 12 running iOS 14.6 felled
According to research jointly done by 17 news organizations, Pegasus infected 37 phones belonging to people who don’t meet the criteria NSO says is required for its powerful spyware to be used. Victims included journalists, human rights activists, business executives, and two women close to murdered Saudi journalist Jamal Khashoggi,
according
to The Washington Post. Technical analysis from
Amnesty International
and the University of Toronto’s
Citizen Lab
confirmed the infections.
“The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021,” Amnesty International researchers
wrote
. “These also include so-called ‘zero-click’ attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful ‘zero-click’ attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.”
All 37 infected devices were included in a list of more than 50,000 phone numbers. It remains unknown who put the numbers on it, why they did so, and how many of the phones were actually targeted or surveilled. A forensic analysis of the 37 phones, however, often shows a tight correlation between time stamps associated with a number on the list and the time surveillance began on the corresponding phone, in some cases as brief as a few seconds.
Advertisement
Amnesty International and a Paris-based journalism nonprofit called Forbidden Stories had access to the list and shared it with the news organizations, which went on to do further research and analysis.
Reporters identified more than 1,000 people in more than 50 countries whose numbers were included on the list. Victims included Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials—including cabinet min
isters, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list. The Guardian,meanwhile
, said 15,000 politicians, journalists, judges, activists, and teachers in Mexico appear on the leaked list.
As detailed
here
, hundreds of journalists, activists, academics, lawyers, and even world leaders appear to have been targeted. Journalists on the list worked for leading news organizations, including CNN, the Associated Press, Voice of America, The New York Times, The Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London, and Al Jazeera in Qatar.
“The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals,” Sunday’s Washington Post said. “The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.”
NSO pushes back
NSO officials are pushing back hard on the research. In a
statement
, they wrote:
In its own statement, Apple officials wrote:
Advertisement
Repeat offender
Further Reading
Actively exploited iOS flaws that hijack iPhones patched by Apple
This is by no means the first time that NSO has come under international criticism when its Pegasus spyware was found targeting journalists, dissidents, and others with no clear ties to crime or terrorism. The NSO spyware
came to light
in 2016 when Citizen Lab and security firm Lookout found it targeting a political dissident in the United Arab Emirates.
Researchers at the time determined that text messages sent to UAE dissident Ahmed Mansoor exploited what were three iPhone zero-day vulnerabilities to install Pegasus on his device. Mansoor forwarded the messages to Citizen Lab researchers, who determined that the linked webpages led to a chain of exploits that would have jailbroken his iPhone and installed the Pegasus spyware.
Further Reading
Zero-click iMessage zero-day used to hack the iPhones of 36 journalists
Eight months later, researchers from Lookout and Google retrieved a
Pegasus version for Android
.
In 2019, Google’s Project Zero exploit research team found NSO exploiting zero-day vulnerabilities that gave
full control of fully patched Android devices
. Days later, Amnesty International and Citizen Lab disclosed that the mobile phones of two prominent human rights activists were
repeatedly targeted with Pegasus
. That same month, Facebook
sued NSO
, allegedly for attacks that used clickless exploits to compromise WhatsApp users' phones.
Last December, Citizen Lab said a clickless attack developed by NSO exploited what had been a zero-day vulnerability in Apple’s iMessage to
target 36 journalists
.
The exploits that NSO and similar firms sell are extremely complex, costly to develop, and even more expensive to purchase. Smartphone users are unlikely to ever be on the receiving end of one of these attacks unless they are in the crosshairs of a wealthy government or law enforcement agency. People in this latter category should seek guidance from security experts on how to secure their devices.
