Ultra-intrusive spyware targeting journalists and activists has UK links

Produced by Israeli company NSO, the ultra-intrusive Pegasus spyware targets journalists, dissidents, and human rights advocates. There’s now evidence that UK servers are implicated in the transmission of the spyware.

Spyware condemned by Snowden

The Pegasus Project is investigating the spyware. The project began when more than 50,000 phone numbers “believed to be… targets of NSO Group’s phone hacking software” were leaked to Amnesty International.

The project includes 80 journalists from “Forbidden Stories, The Washington Post, Le Monde, Süddeutsche Zeitung, Die Zeit, the Guardian, Daraj, Direkt36, Le Soir, Knack, Radio France, the Wire, Proceso, Aristegui Noticias, the Organized Crime and Corruption Reporting Project, Haaretz and PBS Frontline”.

NSA whistleblower Edward Snowden warns that the spyware could target millions:

If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.

Targets

The Pegasus Project found that:

of over 1,000 numbers whose owners were identified, at least 188 were journalists. Many others were human rights activists, diplomats, politicians, and government officials. At least 10 heads of state were on the list.

Indeed, the Washington Post reports that:

Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar

How Pegasus infects phones

The spyware is implanted into a phone via a malicious clickable link. Organized Crime and Corruption Reporting Project (OCCRP) explains how:

Once implanted on a user’s phone, the system can collect a stunning range of information, including photos, emails, contacts, and data transmitted over other apps, like Facebook and WhatsApp. It can even record live audio and video.

Former US intelligence cyber engineer Timothy Summers further explains that once it’s been implanted into a device Pegasus:

hooks into most messaging systems including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others. With a line-up like this, one could spy on almost the entire world population.

Other means of intrusion

As well as gaining access to all the data on a target’s phone, Pegasus also:

monitors the keystrokes on an infected device – all written communications and web searches, even passwords – and returns them to the client, while also providing access [to] the phone’s microphone and camera, turning it into a mobile spying device that the target unwittingly carries with them.

Further, for Pegasus to grab data it requires “only an unanswered phone call or a message to embed itself onto a device”.

OCCRP explains that Pegasus takes advantage of these ‘zero-click exploits’ (or zero-click attacks), which:

rely on bugs in popular apps like iMessage, WhatsApp, and FaceTime, which all receive and sort data, sometimes from unknown sources.

Once a vulnerability is found, Pegasus can infiltrate a device using the protocol of the app. The user does not have to click on a link, read a message, or answer a call — they may not even see a missed call or message.

Claudio Guarnieri, from Amnesty International’s Security Lab, said “These zero-click exploits constitute the majority of cases we’ve seen since 2019”.

UK implicated

Meanwhile, Amnesty International published its peer reviewed forensic report on Pegasus on 18 July 2021. It states that:

Pegasus infrastructure primarily consists of servers hosted at datacentres located in European countries. The countries hosting the most infection domain DNS servers included Germany, the United Kingdom, Switzerland, France, and the United States (US). [Emphasis added]

Amnesty adds that there are 79 servers in the UK that are involved in the transmission of the spyware. According to a Citizen Lab investigation, ‘Operation Blackbird’ is responsible for targets in a number of countries, including the UK, with Middle East connections. It also identified British Telecom as being part of the ‘Operation Kingdom’ infection, which also targets the Middle East..

Another UK link

Around two-thirds of the shares of NSO’s holding company are owned by Novalpina Capital, based in the UK and Luxembourg. According to journalist Ian Cobain, NSO has retained Cherie Blair to “act as an external advisor on ethics”.

Altogether, Citizen Lab found:

suspected NSO Pegasus infections… we identified in 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

Toolkit

A toolkit is now available to “technologists and investigators” to detect if a device has been compromised. The Verge has produced a guide on how to use it. Also, CNET has published a number of suggestions for improving security on smartphones, as well as improvements for browser settings.

Meanwhile, an NSO spokesperson told the Verge that the allegations made in the Amnesty report were “outrageous and far from reality”. It published a more detailed rebuttal here.

Featured image via Unsplash/ Justin Main