Monday, August 23, 2021

Pegasus spyware

Pegasus: France opens spyware probe with Macron identified as target


 https://www.occrp.org/en/the-pegasus-project/

They never heard it. There was no beep, no sound at all. But in those silent seconds, a digital intruder entered their phones. Their private moments and their professional secrets became instantly accessible. Even their cameras could be activated to snap photos at the will of a faraway attacker.


The perpetrators were most likely their own governments. Their tool used to break in was Pegasus, a cutting-edge spyware product made by the Israeli company NSO Group.


Through Pegasus, corrupt and troubled regimes across the world can gain access to vast troves of personal information on just about anyone they want. The spyware, sold as a crime-fighting tool, is already known to have been used against journalists, activists, and political dissidents.


But NSO Group is so secretive, and its product is so stealthy, that it’s been nearly impossible to understand the scope of its use. So when a group of journalists gained access to a list of 50,000 phone numbers that had allegedly been picked as targets of the spyware, we sprang into action.

Working with new data from the journalism nonprofit Forbidden Stories and human rights group Amnesty International, OCCRP and 16 media partners around the world worked to uncover who might have fallen victim to Pegasus, and tell their stories.

A World of Surveillance

A consortium of journalists gained access to a leak of more than 50,000 phone numbers entered into a system used for targeting by Pegasus, a sophisticated spyware product made by the Israeli company NSO Group. Governments around the world paid the company vast sums of money to gain access to Pegasus and let them use it to attack their targets.

Although the specific government agencies that purchased the software aren’t named in the data, their countries of origin can be deduced from the geographical clustering of the leaked phone numbers.

NSO Group insists that its software is meant to be used only against criminals and terrorists — but we found hundreds of journalists, activists, academics, lawyers, and even world leaders in the leak. In this interactive, you can explore a small sample of the data. It will be updated as more names are revealed.

https://cdn.occrp.org/projects/project-p/#/


In Hungary, Szabolcs Panyi exposed spy intrigue and murky arms deals. In India, Paranjoy Guha Thakurta probed the ties between business and political interests. In Azerbaijan, Sevinj Vaqifqizi caught vote-rigging on tape.


Separated by thousands of miles, these journalists have one thing in common: their governments considered them a threat.


All three were among dozens of journalists and activists around the world whose smartphones were infected by Pegasus: spyware made by Israeli firm NSO Group that is able to secretly steal personal data, read conversations, and switch on microphones and cameras at will.

The attacks were revealed by The Pegasus Project, an international collaboration of more than 80 journalists from 17 media organizations, including OCCRP, and coordinated by Forbidden Stories.

The phones of Panyi, Thakurta, and Vaqifqizi were analyzed by Amnesty International’s Security Lab and found to be infected after their numbers appeared on a list of over 50,000 numbers that were allegedly selected for targeting by governments using NSO software. Reporters were able to identify the owners of hundreds of those numbers, and Amnesty conducted forensic analysis on as many of their phones as possible, confirming infection in dozens of cases. The reporting was backed up with interviews, documents, and other materials.

Phone Forensic Results

The strongest evidence that the list really does represent Pegasus targets came through forensic analysis.

Amnesty International’s Security Lab examined data from 67 phones whose numbers were in the list. Thirty-seven phones showed traces of Pegasus activity: 23 phones were successfully infected, and 14 showed signs of attempted targeting. For the remaining 30 phones, the tests were inconclusive, in several cases because the phones had been replaced.

Fifteen of the phones in the data were Android devices. Unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. However, three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

In a subset of 27 analyzed phones, Amnesty International researchers found 84 separate traces of Pegasus activity that closely corresponded to the numbers’ appearance on the leaked list. In 59 of these cases, the Pegasus traces appeared within 20 minutes of selection. In 15 cases, the trace appeared within one minute of selection.


In a series of responses, NSO Group denied that its spyware was systematically misused and challenged the validity of data obtained by reporters. It argued that Pegasus is sold to governments to go after criminals and terrorists, and has saved many lives. The company, which enjoys close ties to Israel’s security services, says it implements stringent controls to prevent misuse. NSO Group also specifically denies that it created or could create this type of list.

NSO GROUP RESPONDS

In response to requests for comment by Forbidden Stories, OCCRP, and the other participants in The Pegasus Project, NSO Group and a law firm retained by the company sent several replies.


In general, NSO Group strongly denies the journalistic consortium’s findings, which it describes as “uncorroborated theories” that rely on information that has “no factual basis” presented by an “unreliable” source.


NSO Group’s more specific responses are cited below:


The Source Data

The reporting for The Pegasus Project is based on 50,000 phone numbers believed to represent NSO Group’s customers selecting people for targeting with the Pegasus system. (For more information about the evidentiary basis for this finding, read OCCRP’s “About the Project” explainer.)


In its initial response, a law firm retained by NSO Group wrote:


“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes.”


The company then provided more detail:


“NSO Group has good reason to believe that claims that you have been provided with, are based on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products. Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide.


“The sheer volume of numbers on this purported list … confirms that it cannot be a list of numbers targeted by governments using Pegasus. There simply are not that many numbers targeted by governments using Pegasus. Thus, Forbidden Stories’s assertion that it reviewed records of thousands of ‘targets’ of NSO Group clients is false.”


“As to your request to confirm the ‘existence of such data’, obviously we cannot do so, since even if they were customers’ data, we have no visibility nor access to them.”


In another follow-up, NSO added:


“You have put forward a flawed and speculative thesis the data list may have been used by third parties prior to a surveillance attempt, but that assertion (even if true) does not establish that the “use” was in fact attempted to be used as part of the surveillance attempt, that the attempted use was successful, or that the attempted or completed attempts produced the consequences theorized in your questions. It is beyond dispute that an attempt at surveillance is NOT the only utility of the data. It is also beyond dispute that the data has many legitimate and entirely proper uses having nothing to do with surveillance or with NSO, so there can be no factual basis to suggest (as your questions imply) that a use of the data somehow equates to surveillance.”


“NSO does not have insight into the specific intelligence activities of its customers, but even a rudimentary, common sense understanding of intelligence leads to the clear conclusion that these types of systems are used mostly for purposes other than surveillance.”


In response to a technical report produced by Amnesty International, which is published along with this project and presents forensic evidence of Pegasus infections on dozens of analyzed phone numbers, NSO Group wrote:


“If you are relying on the ‘technical report’ for that purpose, that report is a compilation of speculative and baseless assumptions regarding the purported connection between what is described in the report and NSO Group’s technology. Specifically, your report depends on assumptions linking previous reports to NSO Group, which are in turn based on similar assumptions regarding even earlier reports, with no demonstrated linkage between the various layers of reports sufficient for a responsible journalist to publish these conclusions.”


NSO Group’s Clients

Sticking with a long-held policy, NSO Group declined to confirm or deny any of the client relationships suggested by the leaked data and other reporting:


“As we stated in the past, due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers.”


The company also said that it does not run the Pegasus software after it’s sold:


“NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets.”


Cecilio Pineda’s murder

In response to a question about the use of NSO Group spyware against Cecilio Pineda, a Mexican journalist who was subsequently murdered, the law firm retained by the company wrote:


“Even if Forbidden Stories were correct that an NSO Group client in Mexico targeted the journalist’s phone number in February 2017, that does not mean that the NSO Group client or data collected by NSO Group software were in any way connected to the journalist’s murder the following month. Correlation does not equal causation, and the gunmen who murdered the journalist could have learned of his location at a public carwash through any number of means not related to NSO Group, its technologies, or its clients.”


Jamal Khashoggi

In response to questions about the use of NSO Group spyware against friends and family members of murdered Saudi dissident Jamal Khashoggi, the company wrote:


“Our technology was not associated in any way with the heinous murder of Jamal Khashoggi. This includes listening, monitoring, tracking, or collecting information. We previously investigated this claim, immediately after the heinous murder, which again, is being made without validation. … Forbidden Stories claimed that, in 2019, Saudi Arabia targeted a British human rights lawyer who represented “the fiancée of Jamal Khashoggi” and a “Saudi Arabian human rights activist.” This allegation simply cannot be true because NSO Group can prove that such use of Pegasus is technically impossible.”


and


“We can confirm that our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in your inquiry.”


NSO Group’s Mission

The law firm retained by NSO Group wrote that the company’s products are a source for good and that the company takes allegations of abuse seriously:


“NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations. This includes shutting down of a customers’ system, something NSO has proven its ability and willingness to do, due to confirmed misuse, done it multiple times in the past, and will not hesitate to do again if a situation warrants. This process is documented in NSO Group’s ‘Transparency and Responsibility Report,’ which was released last month.”


“The fact is, NSO Group’s technologies have helped prevent terror attacks, gun violence, car explosions and suicide bombings. The technologies are also being used every day to break up pedophilia-, sex-, and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones. Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”


Update, July 19, 2021:

After the publication of the initial set of stories in this investigation, NSO Group’s CEO, Shalev Hulio, reached out to The Washington Post to offer several additional comments.


He continued to dispute that the list of over 50,000 numbers used as a basis for this investigation represented targeting by NSO Group’s Pegasus software. He also said that most of the allegations made in the stories were untrue.


However, Hulio noted that NSO Group had terminated contracts with two clients within the last year because of concerns about human rights abuses. He described some of the revelations in the stories as “disturbing” and said he was “very concerned” about what he had read.


“We are investigating everything,” he said. “I believe that we need to check. If we check, we will find that some of this will be true.”


Update, July 21, 2021:

NSO Group has provided an additional response to what it described as a “well-orchestrated media campaign led by Forbidden Stories and pushed by special interest groups,” saying it will no longer respond to media inquiries.

“Enough is enough,” a spokesperson wrote, reiterating that the list of 50,000 phone numbers obtained by reporters is “not a list of targets or potential targets of Pegasus” and that “the numbers in the list are not related to NSO Group.”


“NSO is a technology company,” the statement continued. “We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.”

“NSO will continue its mission of saving lives, helping governments around the world prevent terror attacks, break up pedophilia, sex, and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.”

Separately, NSO Group related to OCCRP that its clients are “required under contract to provide [NSO Group] with audit rights in the event of any suspected misuse” of its software.

It described the list of countries believed by The Pegasus Project to be NSO Group clients as “inaccurate” without providing further details.

Asked whether the company purchases exploits from freelance hackers, NSO Group wrote that “R&D processes are proprietary information.”

THE CLIENTS

Based on the geographical clustering of the numbers on the leaked list, reporters identified potential NSO Group clients from more than 10 countries, including: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates.

But instead of targeting only criminals, governments in more than 10 countries appear to have also selected political opponents, academics, reporters, human rights defenders, doctors, and religious leaders. NSO clients may have also used the company’s software to conduct espionage by targeting foreign officials, diplomats, and even heads of state.


Journalists and Activists in the Crosshairs

In the coming days, OCCRP and other Pegasus Project partners will release stories highlighting the threat of surveillance through misuse of NSO Group software around the world. But to start with, we will focus on some of the most egregious cases: the use of spyware to surveil, harass, and intimidate journalists and activists — and those close to them.


Among those on the list were multiple close relations of Jamal Khashoggi, the Washington Post columnist who was murdered and dismembered by Saudi operatives in the country’s Istanbul consulate. Forensic analyses show that Khashoggi’s Turkish fiancée, Hatice Cengiz, and other loved ones and colleagues were successfully compromised with NSO Group software both before and after Khashoggi’s 2018 killing. (NSO Group said that it has investigated this claim and has denied its software was used in connection with the Khashoggi case.)


Sandra Nogales, the assistant of star Mexican journalist Carmen Aristegui, was also targeted with Pegasus through a malicious text message, according to a forensic analysis of her phone.


Aristegui had already known that she was a Pegasus target. Her case was featured in a 2017 report by Citizen Lab, an interdisciplinary laboratory at the University of Toronto. Still, “it was a huge shock to see others close to me on the list,” Aristegui told The Pegasus Project.


“My assistant, Sandra Nogales, who knew everything about me — who had access to my schedule, all of my contacts, my day-to-day, my hour-to-hour — was also entered into the system.”



Credit: OCCRP

Khadija Ismayilova at work in Azerbaijan.

Several reporters in OCCRP’s network were among the at least 188 journalists on the list of potential targets. They include Khadija Ismayilova, an OCCRP investigative journalist whose uncompromising reporting has made her a target of the kleptocratic regime of Azerbaijan’s president, Ilham Aliyev. Independent forensic analysis of Ismayilova’s Apple iPhone shows that Pegasus was used consistently from 2019 to 2021 to penetrate her device, primarily by using an exploit in the iMessage app.


Ismayilova is no stranger to government surveillance. Roughly a decade ago, her reporting led her to be threatened with compromising videos that she learned to her horror had been shot with hidden cameras installed in her home. She refused to back down, and as a result the footage was broadcast across the internet.



Credit: OCCRP

Ismayilova in Turkey earlier this year, after she learned her phone had been infected with Pegasus spyware.

But even after this, Ismayilova was shocked by the all-consuming nature of her surveillance by Pegasus.


“It’s horrifying, because you think that this tool is encrypted, you can use it… but then you realize that no, the moment you are on the internet they [can] watch you,” Ismayilova said. “I’m angry with the governments who produce all of these tools and sell it to the bad guys like [the] Aliyev regime.”


Panyi and his colleague András Szabó, both OCCRP partner journalists in Hungary, also had their phones successfully hijacked by Pegasus, potentially granting their attackers access to sensitive data like encrypted chats and story drafts. As investigative journalists at one of the country’s few remaining independent outlets, Direkt36, they had spent years investigating corruption and intrigue as their country became increasingly authoritarian under the rule of Prime Minister Viktor Orban.


Now they found out that they were the story.


For Panyi, the descendant of Jewish Holocaust survivors, something stung in particular: that the software had been developed in Israel, and exported to a country whose leadership regularly flirts with antisemitism.


“According to my family memory, after surviving Auschwitz, my grandmother’s brother left to Israel, where he became a soldier and soon died during the Arab-Israeli war of 1948,” Panyi wrote in a first-person account of learning he had been hacked. “I know it is silly and makes no difference at all, but probably I would feel slightly different if it turned out that my surveillance was assisted by any other state, like Russia or China.”



Credit: András Pethő/Direkt36

Hungarian journalists Szabolcs Panyi (left) and András Szabó from independent outlet Direkt36.

The alleged surveillance list includes more than 15,000 potential targets in Mexico during the previous government of President Enrique Peña Nieto. Many were journalists, like Alejandro Sicairos, a reporter from Sinaloa state who co-founded the journalism site RíoDoce. Data seen by The Pegasus Project show Sicairos’ phone was selected as a target for NSO Group’s software in 2017 shortly after his colleague, prominent journalist Javier Valdéz, was shot dead near RíoDoce’s office.


Others on the list were regular people thrust into activism by Mexico’s chaos and violence. Cristina Bautista is a poor farmer whose son, Benjamin Ascencio Bautista, was one of 43 students abducted in Iguala, in the Mexican state of Guerrero, in 2014 and remains missing to this day. The case shook Mexican society to its core and prompted Bautista and other parents to take to the streets in protest, and to assist independent experts in their own investigations.


The vocal stance taken by Bautista and other parents put them directly in the sights of Mexican authorities and Peña Nieto, who denounced the protests as destabilizing the country.


“Oh yeah, they were watching us! Whenever we went, a patrol followed us,” she said.


“They were chasing us.”



Credit: OCCRP

Cristina Bautista stands in front of a memorial to the 43 students abducted after a police massacre in Guerrero state, Mexico.

A “Natural Tool” for Autocrats

While The Pegasus Project exposes clear cases of misuse of NSO Group’s software, the company is just one player in a global, multi-billion-dollar spyware industry.


Estimated by NSO managers to be worth approximately $12 billion, the mobile spyware market has democratized access to cutting-edge technology for intelligence agencies and police forces that, in years past, could only dream of having it.


“You’re giving lots more regimes an intelligence service,” said John Scott-Railton, a senior researcher at Citizen Lab. “Like a foreign intelligence service in a box.”



Credit: Eddie Gerald/Alamy Stock Photo

An NSO Group booth at the International Security & Cyber exhibition in Tel Aviv, Israel, in 2018.

Like many private spyware companies, NSO Group’s stock in trade is so-called “zero-day exploits” — previously undiscovered flaws in commercial software that can allow third parties to gain access to devices, such as mobile phones. Pegasus and other top tools enjoy a particular strength: They are often able to infect devices silently, without the user even having to click a link. 

Such tools have given governments the edge amid the widespread adoption of encrypted messaging applications, such as WhatsApp and Signal, which otherwise supposedly allow users to communicate beyond the reach of state surveillance. Once devices are successfully compromised, however, the contents of such apps become readily available, along with other sensitive data like messages, photographs, and calls. Meanwhile, the ubiquity of mobile phone cameras and microphones means they can be easily accessed by spyware clients as remote recording devices.


“In order to bypass [encrypted messaging] you just need to get to the device at one or the other end of that communication,” said Claudio Guarnieri, head of Amnesty International’s Security Lab. Pegasus does just that. “Pegasus can do more [with the device] than the owner can. If Signal, for example, encrypts the message… [an attacker] can just record using the microphone, or take screenshots of the phone so you can read [the conversation]. There is virtually nothing from an encryption standpoint to protect against this.”


In fact, there isn’t much anyone can do to protect themselves from a Pegasus attack. Guarnieri is skeptical of applications that claim they are completely secure, and instead recommends mitigating the risks of spyware by practicing good cybersecurity hygiene. “Make sure to compartmentalize things and divide your information in such a way that even if an attack is successful, the damage can be minimized.”


At its heart, The Pegasus Project reveals a disturbing truth: In a world where smartphones are ubiquitous, governments have a simple, commercial solution that allows them to spy on virtually whoever they want, wherever they want.


“I think it’s very clear: Autocrats fear the truth and autocrats fear criticism,” said Scott-Railton of Citizen Lab.


“They see journalists as a threat, and Pegasus is a natural tool for them to target their threats.”




