+++
title = "Pegasus: Spyware sold to governments 'targets activists'"
date = 2021-07-20T08:16:49+08:00
tags = ["ai"]
type = "blog"
categories = ["news"]
banner = "img/banners/banner-3.jpg"
+++
## Pegasus: Spyware sold to governments 'targets activists'
Rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm, media reports say.
They are on a list of some 50,000 phone numbers of people believed to be of interest to clients of the company, NSO Group, leaked to major news outlets.
It was not clear where the list came from - or how many phones had actually been hacked.
NSO denies any wrongdoing.
It says the software is intended for use against criminals and terrorists and is made available only to military, law enforcement and intelligence agencies from countries with good human rights records.
It said the original investigation which led to the reports, by Paris-based NGO Forbidden Stories and the human rights group Amnesty International, was "full of wrong assumptions and uncorroborated theories".
But it added that it would "continue to investigate all credible claims of misuse and take appropriate action".
The allegations about use of the software, known as Pegasus, were carried on Sunday by the Washington Post, the Guardian, Le Monde and 14 other media organisations around the world.
Pegasus infects iPhones and Android devices, allowing operators to extract messages, photos and emails, record calls and secretly activate microphones and cameras.
What do we know about the people targeted?
Media outlets working on the investigation said they had identified more than 1,000 people spanning over 50 countries whose numbers were on the list.
They include politicians and heads of state, business executives, activists, and several Arab royal family members. More than 180 journalists were also found to be on the list, from organisations including CNN, the New York Times and Al Jazeera.
Many of the numbers were clustered in 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates, according to the reports.
When contacted by the outlets involved in the investigation, spokespeople for these countries either denied that Pegasus was used or denied that they had abused their powers of surveillance.
It was not clear how many of the devices on the list had actually been targeted, but forensic analysis of 37 of the phones showed there had been "attempted and successful" hacks, the Washington Post reported.
This included people close to Saudi journalist Jamal Khashoggi, who was murdered in October 2018 while visiting the Saudi consulate in Istanbul, Turkey. His body was then dismembered.
The investigation found that spyware was installed on his fiancée's phone days after his murder, and that his wife's phone was targeted with spyware between September 2017 and April 2018.
The NSO Group said its technology was "not associated in any way with the heinous murder".
The phone of Mexican journalist Cecilio Pineda Birto also appeared twice on the list, including in the month before he was murdered, the investigation found.
His phone disappeared from the scene of the murder so a forensic examination was not possible. NSO said that even if his phone was targeted, that did not mean that data collected was connected with his murder.
The phones of two Hungarian investigative journalists, Andras Szabo and Szabolcs Panyi, were found to have been successfully infected with the spyware.
Mr Panyi told Forbidden Stories that learning of the hack was "devastating".
"There are some people in this country who consider a regular journalist as dangerous as someone suspected of terrorism," he said.
The Hungarian government was "not aware of any alleged data collection", a spokesperson told the Guardian.
In India, more than 40 journalists, three opposition leaders and two ministers in Prime Minister Narendra Modi's government were reported to be on the list.
This included the key opposition figure Rahul Gandhi, with two mobile phone numbers belonging to him found in the list. Mr Gandhi no longer has the devices so it was not possible to analyse them to determine if he had been hacked.
India's government has denied using unauthorised surveillance.
More details about who has been targeted are expected to be released in the coming days.
WhatsApp sued NSO in 2019, alleging the company was behind cyber-attacks on 1,400 mobile phones involving Pegasus. At the time, NSO denied any wrongdoing, but the company has been banned from using WhatsApp.
The allegations here are not new. What is new is the scale of the targeting of innocent people that's allegedly taking place. Nearly 200 reporters from 21 countries have their phone numbers on this list, and more names of high-profile public figures are expected to be revealed.
There are plenty of unknowns in these allegations - including where the list comes from and how many of the phone numbers were actively targeted with spyware. NSO Group has once again come out swinging and denies all accusations. However, it's a blow for the company, which is actively trying to reform its reputation.
Only two weeks ago it released its first "transparency report" detailing human rights policies and pledges. Amnesty International brushed the 32-page document off as a "sales brochure".
These latest allegations will do further damage to its image, but they won't hurt the company financially. There are very few private companies able to produce the sort of invasive spy tools that NSO sells, and clearly the largely unregulated market for the software is booming.
## This tool tells you if NSO’s Pegasus spyware targeted your phone – TechCrunch
Over the weekend, an international consortium of news outlets reported that several authoritarian governments — including Mexico, Morocco and the United Arab Emirates — used spyware developed by NSO Group to hack into the phones of thousands of their most vocal critics, including journalists, activists, politicians and business executives.
A leaked list of 50,000 phone numbers of potential surveillance targets was obtained by Paris-based journalism nonprofit Forbidden Stories and Amnesty International and shared with the reporting consortium, including The Washington Post and The Guardian. Researchers analyzed the phones of dozens of victims to confirm they were targeted by the NSO’s Pegasus spyware, which can access all of the data on a person’s phone. The reports also confirm new details of the government customers themselves, which NSO Group closely guards. Hungary, a member of the European Union where privacy from surveillance is supposed to be a fundamental right for its 500 million residents, is named as an NSO customer.
The reporting shows for the first time how many individuals are likely targets of NSO’s intrusive device-level surveillance. Previous reporting had put the number of known victims in the hundreds or more than a thousand.
NSO Group sharply rejected the claims. NSO has long said that it doesn’t know who its customers target, which it reiterated in a statement to TechCrunch on Monday.
Researchers at Amnesty, whose work was reviewed by the Citizen Lab at the University of Toronto, found that NSO can deliver Pegasus by sending a victim a link which when opened infects the phone, or silently and without any interaction at all through a “zero-click” exploit, which takes advantage of vulnerabilities in the iPhone’s software. Citizen Lab researcher Bill Marczak said in a tweet that NSO’s zero-clicks worked on iOS 14.6, which until today was the most up-to-date version.
Amnesty’s researchers showed their work by publishing meticulously detailed technical notes and a toolkit that they said may help others identify if their phones have been targeted by Pegasus.
The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently. Amnesty said that more forensic traces were found on iPhones than Android devices, which makes it easier to detect on iPhones. MVT will let you take an entire iPhone backup (or a full system dump if you jailbreak your phone) and check it for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO’s infrastructure that might be sent by text message or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt your backup without having to make a whole new copy.
The toolkit works on the command line, so it’s not a refined and polished user experience and requires some basic knowledge of how to navigate the terminal. We got it working in about 10 minutes, plus the time to create a fresh backup of an iPhone, which you will want to do if you want to check up to the hour. To get the toolkit ready to scan your phone for signs of Pegasus, you’ll need to feed in Amnesty’s IOCs, which it has on its GitHub page. Any time the indicators of compromise file updates, download and use an up-to-date copy.
Once you set off the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spit out several files in a folder with the results of the scan. If the toolkit finds a possible compromise, it will say so in the outputted files. In our case, we got one “detection,” which turned out to be a false positive and has been removed from the IOCs after we checked with the Amnesty researchers. A new scan using the updated IOCs returned no signs of compromise.
Given it’s more difficult to detect an Android infection, MVT takes a similar but simpler approach by scanning your Android device backup for text messages with links to domains known to be used by NSO. The toolkit also lets you scan for potentially malicious applications installed on your device.
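The domain check described above can be sketched as follows. This is an added example, not MVT's code or Amnesty's indicator file: the indicator domains and SMS records are constructed placeholders, and the function names are hypothetical. It matches a link's host against an indicator or any parent domain of it, so subdomains are caught while lookalike names do not produce false positives.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators under reserved TLDs (not real IOCs).
IOC_DOMAINS = {"bad-redirect.example", "cdn.tracker-ioc.test"}

# Constructed SMS records, loosely shaped like rows read from a phone backup.
MESSAGES = [
    {"id": 1, "text": "Your parcel is waiting: https://bad-redirect.example/track?id=9"},
    {"id": 2, "text": "Login alert http://Static.CDN.Tracker-IOC.test./a"},
    {"id": 3, "text": "See https://notbad-redirect.example/news"},
    {"id": 4, "text": "Docs at https://bad-redirect.example.org/help"},
    {"id": 5, "text": "Lunch at 12?"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalise_host(host):
    """Lower-case the host and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()


def extract_hosts(text):
    """Return the normalised host of every http(s) link found in text."""
    hosts = []
    for match in URL_RE.finditer(text):
        # Links in messages often carry trailing punctuation from the sentence.
        url = match.group(0).rstrip(").,;!?]")
        try:
            host = urlsplit(url).hostname
        except ValueError:  # e.g. malformed bracketed IPv6 literal
            continue
        if host:
            hosts.append(normalise_host(host))
    return hosts


def matched_indicator(host, iocs):
    """Return the indicator equal to host or to one of its parent domains."""
    labels = host.split(".")
    # Compare whole labels only, and never match on a bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_messages(messages, iocs):
    """Return one detection per link whose host falls under an indicator."""
    detections = []
    for msg in messages:
        for host in extract_hosts(msg["text"]):
            indicator = matched_indicator(host, iocs)
            if indicator:
                detections.append(
                    {"id": msg["id"], "host": host, "indicator": indicator}
                )
    return detections


if __name__ == "__main__":
    for hit in scan_messages(MESSAGES, IOC_DOMAINS):
        print(hit)
```

A hit from a check like this is a lead to investigate rather than proof of compromise, which is why the scan above was rerun once the indicator list had been corrected.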
The toolkit is — as command line tools go — relatively simple to use, though the project is open source so it won’t be long before someone will surely build a user interface for it. The project’s detailed documentation will help you — as it did us.
## What the latest Pegasus spyware leaks tell us
The reports from the Guardian, the Washington Post, and 15 other media organizations are based on a leak of tens of thousands of phone numbers that appear to have been targeted by Pegasus. While the devices associated with the numbers on the list were not necessarily infected with the spyware, the outlets were able to use the data to establish that journalists and activists in many countries were targeted—and in some cases successfully hacked.
The leaks indicate the scope of what cybersecurity reporters and experts have said for years: that while NSO Group claims its spyware is designed to target criminals and terrorists, its actual applications are much more broad. (The company released a statement in response to the investigation, denying that its data was leaked, and that any of the resulting reporting was true.)
My colleague Patrick Howell O’Neill has been reporting for some time on claims against NSO Group, which “has been linked to cases including the murder of Saudi journalist Jamal Khashoggi, the targeting of scientists and campaigners pushing for political reform in Mexico, and Spanish government surveillance of Catalan separatist politicians,” he wrote in August 2020. In the past, NSO has denied these accusations, but it has also more broadly argued that it can’t be held responsible if governments misuse the technology it sells them.
The company’s central argument, we wrote at the time, is one “that is common among weapons manufacturers.” Namely: “The company is the creator of a technology that governments use, but it doesn’t attack anyone itself, so it can’t be held responsible.”
## Morocco and Hungary deny reports that they infiltrated phones with Pegasus spyware
Researchers say a sophisticated spyware campaign was used to target activists, journalists and others
Morocco and Hungary denied media reports on Monday that they had used secret software to infiltrate the smartphones of investigative journalists and other public figures.
Morocco issued the first denial. It "categorically rejects" claims its intelligence services had used Israeli spyware Pegasus to monitor critics at home and abroad, a government statement read.
Rabat said it had "never acquired computer software to infiltrate communication devices" and denied it had "infiltrated the phones of several national and international public figures and heads of international organisations through computer software".
Hungary issued a similar repudiation.
"The government has no knowledge of this type of data collection," Foreign Minister Peter Szijjarto told a press conference, adding that Hungary's civilian intelligence agency did not use the Pegasus software "in any way".
A joint investigation by several Western media outlets said Sunday that numerous activists, journalists, executives and politicians around the world had been spied on using the software developed by Israeli firm NSO.
The media outlets, including The Washington Post, The Guardian and Le Monde, drew links between NSO Group and a list of tens of thousands of smartphone numbers, including those of activists, journalists, business executives and politicians around the world.
'Great astonishment'
Many numbers on the list were clustered in 10 countries, including Morocco. Hungary was the only EU country named on the list of leaked telephone numbers.
Rabat expressed "great astonishment" at the reports.
These are "false allegations devoid of any foundation," its statement read.
"Morocco... guarantees the secrecy of personal communications ...to all citizens and foreign residents in Morocco", it added.
According to the reports, phones monitored in Hungary included those of two investigative journalists, the owner of a news site critical of the government, an opposition mayor and several lawyers.
Janos Stummer of the opposition Jobbik party, who serves as head of the parliamentary National Security Committee, demanded "consequences".
Stummer sought to convene the committee to question intelligence chiefs, and Szijjarto said the secret service head would attend the meeting if called.
The committee's Vice-President Janos Halasz, a member of Orban's ruling Fidesz that has a majority on the committee, said however that the body did not need to meet.
The "left-wing" press reports were "unfounded", said Halasz.
The National Association of Hungarian Journalists (MUOSZ) said it was "shocked" by the revelations.
"If this is the case, it is unacceptable, outrageous and illegal, full information must be disclosed to the public immediately," the association said in a statement.
The reports "bring shame to the country", said Budapest Mayor Gergely Karacsony, who hopes to run against Orban at a general election next year.
"The government owes answers," he said.
Pegasus is a highly invasive tool that can switch on a target's phone camera and microphone, as well as access data on the device, effectively turning a phone into a pocket spy.
In some cases, it can be installed without the need to trick a user into initiating a download.
NSO has denied any wrongdoing.
(FRANCE 24 with AFP)
## Hotel Rwanda activist’s daughter placed under Pegasus surveillance
The American daughter of Paul Rusesabagina, the imprisoned Rwandan activist who inspired the film Hotel Rwanda, has been the victim of a near-constant surveillance campaign, according to a forensic analysis of her mobile phone that found evidence of multiple attacks using NSO Group spyware.
Carine Kanimba, a US-Belgian dual citizen, has been leading her family’s effort to free her father from prison following Rusesabagina’s abduction and forced return to Kigali last year by the government of the Rwandan president, Paul Kagame.
Amnesty International’s forensic analysis found that Kanimba’s phone had been infiltrated since at least January this year.
Quick Guide: What is in the Pegasus project data?
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages. Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HLR lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
It strongly suggests that the Kagame government – which has long been suspected of being a client of the Israeli surveillance firm NSO – has been able to monitor the 28-year-old’s private calls and discussions with US, European and British government officials. A spokesperson for the Rwandan government said the country “does not use this software system … and does not possess this technical capability in any form”.
A phone infected with NSO malware, as Kanimba’s has been, not only gives users of the spyware access to phone calls and messages, but it can also turn a mobile phone into a portable tracking and listening device. In the period before she was alerted to her phone being hacked, Kanimba said she had contacts with the US special presidential envoy for hostage affairs, British MPs, and the UK high commission office in Rwanda – all of which could have been monitored. She also held talks with Baroness Helena Kennedy, a barrister and member of the House of Lords.
The State Department declined to comment.
The forensic evidence suggests the spying began in January – though it may have been earlier – and paused in May while Kanimba was in the US. It resumed again on 14 June, the day she met the Belgian foreign affairs minister, Sophie Wilmès. Sources in the minister’s office said no sensitive information was shared in the meeting.
Rusesabagina is a Belgian national widely credited with saving more than 1,000 people in the Rwandan genocide. He became a vocal critic of Kagame and was living in the US and Belgium until his arrest by the Rwandan government last year. He is facing life in prison after being accused of terror-related charges, including murder and staging attacks in Rwanda. The 67-year-old’s family staunchly deny the allegations.
In an interview with Knack, a journalism partner in the Pegasus project, Kanimba described how the diplomatic effort to have her father released began from the moment she and her family discovered he had been kidnapped, with calls to “every single member of the European parliament and every member of the Belgian parliament” as well as human rights organisations.
“In 1994, during the genocide, the way my father was able to protect people in the hotel was that he made calls every day. With the last working telephone in the hotel,” she said. “And we did the exact same thing.”
News of the hacking campaign will heighten scrutiny of the Rwandan government’s treatment of Rusesabagina at a time when some US lawmakers have pushed for the administration of Joe Biden to put more pressure on Kagame to release him and to protect Rwandans in the US from harassment.
Q&A: What is the Pegasus project?
The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.
Rwanda has long been suspected of being an end user of NSO malware, with a history of targeting dissidents at home and abroad.
In 2019 at least six dissidents connected to Rwanda were warned by WhatsApp that they had been targeted by spyware made by the NSO in an attack that affected hundreds of users around the world over a two-week period from April to May that year.
Key figures in the Rwandan diaspora, including exiles living in Canada and the US, appear to have been included in a leaked list of persons of interest to NSO clients.
Rusesabagina, who has been referred to as “Africa’s Schindler”, is alleged by family members to have been tortured in the days after his rendition. Rwandan authorities have denied that he was kidnapped or mistreated in custody. His trial has been condemned by human rights groups and has sharpened criticism of Kagame’s nearly three-decade-long hold over Rwanda from key allies in the UK and the US.
In an interview, Anaïse Kanimba, Carine’s sister, said her entire family felt as if they were under constant watch by the Kagame government.
In one case, she said she and her family had reason to suspect their emails were being monitored after her father’s lawyer, Felix Rudakemwa, was searched during a prison visit following a private communication from the family about an affidavit he wanted Rusesabagina to sign that would attest to his allegations of torture. The search, she said, appeared to be focused on finding the affidavit.
“We just assume we are being watched,” Anaïse Kanimba said. “We tell ourselves we have nothing to hide. But this idea of knowing constantly that someone is looking over you, it is really uncomfortable and scary … I hate living with it.”
There is no evidence that Anaïse Kanimba’s phone was hacked.
Vincent Biruta, Rwanda’s minister of foreign affairs, said: “Rwanda does not use this software system … and does not possess this technical capability in any form. These false accusations are part of an ongoing campaign to cause tensions between Rwanda and other countries, and to sow disinformation about Rwanda domestically and internationally.”
NSO denied “false claims” made about the activities of its clients, but said it would “continue to investigate all credible claims of misuse and take appropriate action”. It said in the past it had shut off client access to Pegasus where abuse had been confirmed.
Among the Rwandans that the Pegasus project found were listed in the data as candidates for possible surveillance was David Himbara, an economist who formerly worked for Kagame in Rwanda but later fled and sought protection in Canada. Himbara has questioned claims of stellar economic growth over the years, calling the figures a “fantasy”.
“The lifestyle forced on me is a preoccupation to avoid becoming another victim of Kagame’s death warrant. I do not take personal security for granted even though the distance between Toronto, Canada, where I live, and Kigali, Rwanda, is 11,703km to be precise,” he said.
A forensic analysis of Himbara’s mobile phone by Amnesty International has not found any evidence that it was successfully hacked. It is not clear from leaked records which client country selected Himbara as a potential target.