Pegasus surveillance software: what is it and how does it affect you?

The Pegasus Project, an international effort coordinated by Forbidden Stories and Amnesty International involving 17 media outlets in 10 countries, has revealed extensive evidence of surveillance targeting journalists and activists across the world using software designed by Israeli spyware firm NSO Group.

The Pegasus Project is based on a leaked list of 50,000 phone numbers sent to Amnesty International, all allegedly subject to targeting from governments who are clients of NSO Group.

The international investigation was coordinated to independently verify the phone numbers on the list, identify the NSO Group’s client base and expose how cases clustered in countries with poor human rights records.

What is Pegasus? How does it work?

Pegasus is a type of software designed to infiltrate a person’s phone, usually by exploiting vulnerabilities in the system or, in its earlier, cruder forms, exploiting the phone’s user by tricking them into behaviour which enables Pegasus operators to commandeer a phone and turn it into a ‘pocket spy’.

Pegasus software can use your phone’s camera and microphone to secretly record conversations or take pictures or footage, track physical movement, relay messages, calls and other sensitive data back to the operators, logging every single key stroke, password and any other information that could prove useful to the operator.

Pegasus was first detected in action in 2016 when a phone belonging to human rights activist Ahmed Mansoor was forensically analysed by Citizen Lab, a research laboratory that focuses on network surveillance.

Mansoor’s phone was breached after he clicked a malicious link that was sent to him. The operators behind the first recorded attack had used Mansoor’s advocacy for human rights in his country, the United Arab Emirates, to bait him into clicking a link that falsely claimed to offer “new secrets” about torture carried about by the authorities.

Mansoor was later imprisoned by the same authorities, and remains incarcerated to this day.

Over time, Pegasus’ sophistication has increased at an alarming rate, with further investigation unearthing instances in which the spyware had been updated to delete itself or alter system files to mask its digital trail.

Since 2019, the software now also uses what are known as “zero-click exploits”: a successful breach into someone’s phone by exploiting bugs in common messenger apps such as WhatsApp and Apple’s iMessage to access the app’s protocol and implement code changes as needed.

A user that is being targeted by operators may also automatically get their phone infected by using an unprotected website that has been infected by Pegasus coding, triggering an automatic download of the spyware.

Although Pegasus software keeps updating to stay ahead of tech giants scrambling to patch holes in the security of their devices, forensic analysis of suspected cases for the Pegasus project has so far yielded at least 37 definite instances of successful breaches from a total of 67 phones.

Who created it? Who uses it?

The NSO Group, one of Israel’s many military defence contractors, had responded to mounting public pressure based on evidence of abuse of its software by its client states such as the United Arab Emirates, India, Azerbaijan, Mexico and Hungary by sending public letters to Amnesty International promising that its software would only be used to fight terrorism and international drug trafficking.

The company acquired dozens of clients, over 700 employees, and revenues of $250 million as of 2018, according to OCCRP. The value of the mobile spyware market alone is estimated at around $12 billion.

However, the revelations surfacing from the Pegasus Project indicate otherwise, with some of the more prominent cases including the use of Pegasus in an attempt at spying on slain journalist Jamal Khashoggi’s wife before his murder, among other high profile journalists exposing corruption in countries with repressive governments.

For example, The Guardian, one of the partners in the project, published an article detailing how an NSO committee approved a request from Emirati authorities to expand their surveillance to targets in the UK, in spite of privacy laws that are meant to prevent that from happening unless a warrant is issued.

The evidence backing The Guardian’s piece, published on 23 July, confirms how the Emirati government was given the go-ahead to use the software to spy on dissidents and exiles under the guise of targeting international criminals.

A lawsuit filed by WhatsApp against the NSO Group involves a 2019 attack using Pegasus that targeted 1,400 users, according to the messenger app’s CEO, many of which were senior government officials across the world.

The NSO has denied the data being unearthed by the international team of journalists behind the project. Amnesty International issued a statement “categorically” standing by its findings.

Can targeted individuals do anything about it?

So far, forensic analysis carried out by Amnesty International’s Security Lab and other similar institutions have only been able to detect specific instances in which phones were being exploited by the spyware. Sifting a phone’s digital contents for traces of Pegasus is only a method of detecting its activity after the damage has been done.

Given the way the Pegasus software is constantly updated to exploit bugs that haven’t even been spotted by the phone’s manufacturers as well as its increasing capacity to operate almost invisibly, even the most disciplined users can be subject to an attack.

While some journalists such as Bradley Hope have advocated for “old-school” journalism that does not rely on sensitive data going through smartphones, more accessible ways of detecting any traces of Pegasus activity are slowly emerging. Amnesty International has published a tool kit that can help users learn if their phone was breached.

The Washington Post, another partner in the project, published a column highlighting how users should set their phones to automatically update whenever new features are presented for the phone’s operating system or any apps that are used.

Another way of increasing security is to use a password management tool to create individual passwords for every single access point on one’s phone, including sensitive apps such as the ones shown to be targeted by NSO’s clients.

Leaked emails suggest Malta had phone hacking software in 2013

The Maltese government was considered as potential clients for software similar to Pegasus, which was created and sold by the now-defunct The Hacking Team, but the deal didn’t progress as they were already in possession of “similar software”.

A series of leaked emails published by Wikileaks show that Alberta Group, contacted The Hacking Team in May 2013, just two months after Labour came to power.

Reporters Without Borders had previously named The Hacking Team as one of the “Enemies of the Internet” as they had sold tools to repressive regimes. These tools had been used to hack the computers and phones of journalists and activists across the world, according to Vice.

The software was used by the governments of Italy, Spain, Hungary, Saudi Arabia, the Czech Republic, the US and Albania. Corporate clients include Barclays Banks, British Telecom and Deutsche Bank. It was also used by drug cartels and involved politicians to target and intimidate Mexican journalists.

Formerly based in Milan, Italy, The Hacking Team sold intrusion and surveillance software to governments, businesses, and enforcement agencies. It has since been purchased by the InTheCyber Group and is now called Memento Labs.

In an email sent to the hacker software creators in 2013, Alberta company director Duncan Barbaro Sant asked whether the software was available to government entities. He added: “Can we try marketing your product to  the Maltese government or even the Malta Secret Service?”

The Hacking Team replied by providing information on the product. Called “Remote Control System”, the company describe it as being designed to “attack, infect, and monitor target PCs and smart phones in a stealth way (sic).” They added that it works on most platforms including Mac and Windows, and all major mobile phones.

Barbaro Sant signed an NDA with the company, and told them: “In 30 minutes I have a meeting with the Chief of Staff of the Ministry of Justice and Home Affairs, Prisons / Malta Secret Service / Police / Armed Forces / Courts of Justice / Probation and Parole etc etc.”

On 14 May 2013, Barbaro Sant tells the company that the “meeting went well”. He added, “I have been made aware that the Malta Secret Service is already in possession of a similar software BUT I told them that it is probably the software that was installed ages ago.”

He added that a  second meeting will be organised, but this time with the Malta Secret Service. Barbaro Sant also mentioned that an introductory letter could be sent to him and he would forward it to “the Prime Minister with whom I also have good relations (for what it’s worth).”

The Shift contacted Barbaro Sant and asked him what the software in possession of the Malta Secret Service was, and if it was Pegasus. He said in his response that “no such sensitive information would have ever been disclosed to me” and that they didn’t tell him if the software in their possession was being actively used.

He added: “Assuming they had a system in place was an educated guess on my part. They would never share information related to what systems they had in place. Mindful of this sensitive space, I would not dare ask.”

Barbaro Sant also said he did not introduce disgraced ex-Prime Minister Joseph Muscat to The Hacking Team and he said no further meetings or communications were held.

So what software does the Maltese government possess?

A former employee of NSO Group told Vice that a Spanish customer had purchased the Pegasus software in 2015. They said that beyond domestic use, it had been “unlocked” for use in other territories including Malta.

NSO Group prices its products depending on how many territories the customer can hack phones or computers.

The Shift contacted Vice on Malta’s involvement. The journalists were unable to share any further information but confirmed what was written in the article.

It’s also worth noting that between 2015 and 2016, Russian/Israeli citizen Anatoly Hurgin was granted Maltese citizenship as a part of the cash-for-passports scheme. Himself the owner of a spy hacking company, Ability Inc, he is also linked to the NSO Group.

Hurgin referred to NSO Group as “one of the best companies in the field” and indicated they had worked together. It’s believed Ability inc handled the network side of operations and NSO Group was responsible for placing malware onto target devices.