Pegasus, the winged horse of Greek mythology, is haunting the Narendra Modi-led Indian government once again. Seventeen media organizations including the Wire, the Washington Post and the Guardian have spent months examining a list of 50,000 phone numbers belonging to individuals from around 50 countries.
This list was provided by the French journalism nonprofit Forbidden Stories and Amnesty International. These investigations by the media organizations helped zero in on possible targets of cyberattacks.
The mobile phones of 67 of the people who were on the target list were then forensically examined. The results revealed that 37 of the analyzed phones showed signs of being hacked by the Israeli firm NSO Group’s Pegasus spyware cyberweapon, or showed signs of attempted penetration.
For the remaining 30, the results were inconclusive. Either the owners had changed their phones or the phones were Androids, which do not log the kind of information that helps in detecting such penetration.
The possible targets included not only journalists and activists, but also government officials. These include 14 heads of state and government:
- Three presidents (France’s Emmanuel Macron, Iraq’s Barham Salih and South Africa’s Cyril Ramaphosa)
- Three sitting Prime Ministers (Pakistan’s Imran Khan, Egypt’s Mostafa Madbouly and Morocco’s Saad-Eddine El Othmani)
- Seven former prime ministers
- and a king (Morocco’s Mohammed VI)
Among the seven former prime ministers are Lebanon’s Saad Hariri, France’s Édouard Philippe, Algeria’s Noureddine Bedoui and Belgium’s Charles Michel, according to the Washington Post.
Once the malware is installed on a target’s phone, the spyware not only provides full access to the device’s data but also controls the phone’s microphone and camera. Instead of a device to be used by the owner, the phone becomes a device that can be used to spy on them, recording not only telephone conversations but also in-person conversations, including images of the participants. The collected information and data are then transmitted back to those deploying Pegasus.
Successive information and technology ministers in India—Ravi Shankar Prasad and Ashwini Vaishnaw—have stated that “the government has not indulged in any ‘unauthorized interception’” in the country, according to the Wire. Both ministers have chosen to duck critical questions such as:
- Did the government buy NSO’s hacking software and authorize the targeting of Indian citizens?
- Can the use of Pegasus spyware to infect smartphones and alter their basic functions be considered as legal authorization under the Indian Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 for “interception, monitoring or decryption of any information through any computer resource”?
I am going to leave the legal issues for those who are better equipped to handle them.
Instead, I am going to examine the new dangers that the weaponizing of malware by nation-states poses to the world. Pegasus is not the only example of a cyberweapon; the Snowden surveillance revelations shed light on the all-encompassing surveillance regime run by the National Security Agency (NSA) of the United States and the Five Eyes governments.
These intelligence agencies and governments have hacked the digital infrastructure of other countries, snooped on their “secure” communications and even spied on their allies. Even German Chancellor Angela Merkel was not spared from NSA surveillance.
The key difference between nation-states and cybercriminals developing malware is that the nation-states possess far greater resources when it comes to developing such malware. Take a group called the Shadow Brokers for example, who dumped a gigabyte of weaponized software exploits of the NSA on the net in 2017.
Speaking about this, Matthew Hickey, a well-known security expert, told Ars Technica in 2017, “It is very significant as it effectively puts cyberweapons in the hands of anyone who downloads it.” Ransomware became big soon after, with WannaCry and NotPetya ransomware creating havoc by using the exploits within NSA’s toolkit.
Why am I recounting NSA’s malware tools while discussing Pegasus? Because Pegasus belongs to NSO, an Israeli company with very close ties to Unit 8200, the Israeli equivalent of the NSA.
NSO, like many other Israeli commercial cyber-intelligence companies, is founded and run by ex-intelligence officers from Unit 8200. It is this element, introducing the skills and knowledge of nation-states into the civilian sphere, that makes such spyware so dangerous.
NSO also appears to have played a role in improving Israel’s relations with two Gulf petro-monarchies:
- the United Arab Emirates (UAE)
- Saudi Arabia
Israel, therefore, sees the sale of spyware to these countries as an extension of its foreign policy. Pegasus has been used extensively by the UAE and Saudi Arabia as a cyberweapon to target various domestic dissidents and even foreign critics. The most well-known example, of course, is Jamal Khashoggi, the Saudi dissident and a Washington Post columnist, who was killed in the Saudi consulate in Istanbul.
NSO’s market capitalization is reported to be in the range of $2 billion, making it perhaps one of the most expensive civilian cyber-intelligence companies. And its tools are frightening, as there does not seem to be any protection against them. Most of these tools are classified as cyberweapons and require the Israeli government’s approval for export, again showing the link between the Israeli state and NSO.
The other reason why Pegasus spyware is such an effective cyberweapon is that it does not need any action on the part of the owner of a phone for the device to be hacked by the spyware. A device typically becomes infected with a virus when people click on a link sent to them through email/SMS, or when they go to a site and click on something there.
Pegasus exploited a security problem within the mobile application WhatsApp and was able to hack into a phone through a missed call. Just a ring was enough for the Pegasus spyware to be installed on the phone.
This has now been extended to use other vulnerabilities that exist within iMessage, WhatsApp, FaceTime, WeChat, Telegram, and various other applications that receive data from unknown sources. That means Pegasus can compromise a phone without the user having to click on a single link.
These are called zero-click exploits within the cyber community.
Once installed, Pegasus is able to:
- Read the user’s messages, emails, and call logs
- Capture screenshots
- Log pressed keys
- Collect browser history and contacts
- Exfiltrate (meaning send files) all of that data back to its server
Basically, it can spy on every aspect of a target’s life. Encrypting emails or using encryption services such as Signal won’t deter Pegasus, which can read what an infected phone’s user reads or capture what they type.
Many people use iPhones in the belief that they are safer. The sad truth is that the iPhone is as vulnerable to Pegasus attacks as Android phones, though in different ways.
However, it is easier to find out if an iPhone is infected, as these devices log what the phone is doing. The Android Platform does not maintain such logs, making it much easier for Pegasus to hide its traces.
In an interview with the Guardian published on July 19th, “after the first revelations from the Pegasus Project,” Snowden described for-profit malware developers as “an industry that should not exist… If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.” He called for an immediate global ban on the international spyware trade.
Snowden’s answer of banning the sale of such spyware is not enough.
We need instead to look at deweaponizing all of cyberspace, including spyware. The spate of recent cyberattacks, estimated to be tens of thousands a day, is a risk to the cyberinfrastructure of all countries, something almost every institution relies on.
After the leak of NSA and CIA cyberweapons, and now with NSO’s indiscriminate use of Pegasus, we should be asking whether nation-states can really be trusted and allowed to develop such weapons.
In 2017, Brad Smith, the president of Microsoft and no peacenik or leftist, wrote, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.” It is this concern that certain leading companies within the industry—Microsoft, Deutsche Telekom and others—had raised in 2017, calling for a new digital Geneva Convention banning cyberweapons.
Russia and China have also made similar demands in the past. It was rejected by the United States, which believed that it had a military advantage in cyberspace. Even if that were true, it is not something it should squander.
Pegasus is one more reminder of the danger of nation-states developing cyberweapons. Though here, it is not a leak but the deliberate use of a dangerous technology for private profit that poses a real-life risk to journalists, activists, opposition parties and finally to democracy.
It is just a matter of time before the smartphones that we carry become the vector for attacks on the very cyberinfrastructure on which we all depend.
Independent Media Institute