Israeli NSO's Pegasus Spyware: Were Women Journalists More Vulnerable to Cyber-attacks?

2021-08-03 09:44

Reports

NSO’S PEGASUS SPYWARE: SURVEILLANCE LIKE NEVER BEFORE

By: CFWIJ 

للنسخة العربية، الضغط هنا

Introduction

Pegasus is a spyware suite developed and distributed by the Israel based company, NSO Group, which targets individual cell phones. Operators of the software can target any phone through a software-generated exploit link, after which Pegasus installs itself on the device without the knowledge of the owner. Simply put: a text message sent through the spyware is enough to completely hack an updated and protected iPhone, without the owner of the phone knowing about it. 

Pegasus is invasive. 

Pegasus has a zero-click method of invasion. Which means the owner of the devices does not have to do anything to be trapped by it. Once installed in your phone, the software has access to your passwords, contacts, calendar, cellular network dependent text messages, and communication, whether text or call, on all popular messaging applications. The software can also invade the camera and microphone on the devices and turn it on or off at will. Pegasus does this by taking control of the device’s command and control (C&C) servers, and then receives and executes commands of the software’s operators. The invasive nature of Pegasus means that it puts at risk not only the owner of the phone it targets but Pegasus their entire social circle of friends, families and colleagues.

By the numbers:

  • According to an in-depth study by Citizenlab, there are at least 45 countries* where Pegasus operators are conducting a thorough surveillance operation. These include: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia. 

(*The investigation did not take into account VPN functionality and thus may contain slight inaccuracies).

  • There are approximately 36 operators of the Pegasus software globally. 

  • There are 10 countries where operators are engaged in cross-border surveillance. For example, studies found individuals in the US IP space being targeted through the software even though the operator does not belong to the United States. Needless to say, this is illegal, but worryingly, appears widespread.

  • An initial investigation by Amnesty International found that at least 60 journalists and activists were targeted by the software. Further investigations suggest that at least 189 journalists, and 85 human rights activists were targeted.

  • According to the Pegasus Project, a media consortium focused on covering the spyware, most of these attacks on civil society members appear to be clustered in 10 countries. These countries include:  Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.

  • At least six operators of the spyware are located in countries that have had a previous record of abusing surveillance technology to target citizens.

  • A list with over 50,000 phone numbers is currently under study. While the origins and purpose of the list remains unclear, The Pegasus Project observed a correlation between the time when the number was added to the list, and when the device operating on the number was targeted by the software.

Who was targeted?

Initially envisioned as a means for cyberwar against terrorist networks, the targets of Pegasus now include political personalities, activists, journalists and close associates of prominent personalities. At least 600 politicians were spied upon. The list of those targeted includes, but is not limited to, three sitting presidents, three sitting prime ministers, seven former prime ministers, and one king

Among the presidents targeted are France’s Emmanuel Macron, Iraq’s Barham Salih and South Africa’s Cyril Ramaphosa and the list of prime ministers feature Pakistan’s Imran Khan, Egypt’s Mostafa Madbouly and Morocco’s Saad-Eddine El Othmani.

Beyond that, Yemen’s Ahmed Obeid bin Daghr, Lebanon’s Saad Hariri, Uganda’s Ruhakana Rugunda, France’s Édouard Philippe, Kazakhstan’s Bakitzhan Sagintayev, Algeria’s Noureddine Bedoui and Belgium’s Charles Michel are former prime ministers who were targeted whilst in office. 

Morocco’s King Mohammed VI is also under surveillance.

At least 189 journalists were also spied upon through Pegasus. These journalists were associated with well-reputed international organizations including, but not limited to, CNN, the New York Times, Bloomberg News, Voice of America, the Wall Street Journal, the Associated Press, Le Monde (France), Al Jazeera (Qatar) and the Financial Times (London).

Prominent personnel targeted by the spyware include Rahul Gandhi (Candidate for the office of Prime Minister in India during the previous elections), The Bhima Koregaon 16 (16 activists, lawyers, professors, poets, cartoonists in India jailed for an alleged conspiracy), Hanan Eltar (Jamal Khashoggi’s wife), Hatice Cengiz (Jamal Khashoggi’s fiance), Wadah Khanfar (Jamal Khashoggi’s associate), Ben Hubbard (New York Times Beirut bureau chief), Omar Radi (Moroccan journalist and activist), members of the Centro Miguel Agustin Pro Juarez, a prominent human rights group, and Mexicans Against Corruption and Impunity. This list is not exhaustive, but only a reference point for how comprehensive the surveillance web appears to be.

More about NSO, Pegasus, and its operations:

NSO is a cyber-surveillance company, which according to the description available on its own website creates products to help “government intelligence and law-enforcement agencies use technology to meet the challenges of encryption”. The company claims that it suspends access to operators as soon as it is brought to its attention that the software is being abused, however, that is understandably not enough for human-rights groups around the world concerned about digital security. The claim is further jeopardized when the company knowingly provides surveillance technologies to countries with a history of misuse. In fact, NSO has had a string of controversies in the past which were extensively covered by Forbidden Stories. Despite the controversy, NSO has refused to make public its official list of clients citing confidentiality agreements.

Pegasus is particularly insidious as a surveillance software since it has evolved into relying on a zero-click invasion method. This means that while previously it relied on device owners to click on phishing links to install itself, it now does this without any user interaction. The software simply sends a link to the device, installs itself and invades the software of the phone. According to the NSO, the software can also not be traced back to the government using it. A more detailed document published by the NSO provides further insights into the capabilities of the program. 

And there is huge sums of money involved. According to an article by The New York Times published in 2016, the NSO groups charges an initial fee of USD 50,000 to set up the program for a client and then an additional fee to target a device. Five years ago, the company was charging up to USD 650,000 to target iSO and Android and USD 50,000 for Blackberry devices. The company would also charge an annual fee of 17% of the total the client had paid as a “maintenance fee” and even offered “bulk” discount prices such as $800,000 for an “additional 100 phones”.  

While the NSO Group’s CEO and co-founder Shalev Hulio claimed that the reports are concerning and he would investigate the matter in an interview to The Washington Post, he has also denied the allegations of his company’s involvement stating that their background checks on their clients revealed no foul-play.

Who is vulnerable?

All research has indicated that despite the latest digital security measures taken by Apple, Pegasus is fully capable of invading a fully updated iPhone. In fact, in a statement, Apple admitted that its security valves are no match for Pegasus, claiming that, “...iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers…”

However, this does not mean that iOS is uniquely vulnerable to the software. Apple’s iPhones have just proven to be easier to trace and analyze for signs of invasion by Pegasus than Androids. However, NSO claims that Pegasus has the capability to hack into both operating softwares just as easily. 

This has understandably caused great unease among tech giants. Apple stated that it, “unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place.” While Google issued warnings for its user base to be mindful of any attempted infiltrations even if backed by their states. 

This is not the first time Pegasus has made international news:

Pegasus has made repeated appearances in the news for the past few years.

In 2016, Citizenlab published a report detailing the surveillance attack on prominent human rights defender and Martin Ennals Award winner Ahmed Mansoor. Mansoor is a resident of the UAE and carried an iPhone 6 at the time. 

In 2017, Citizenlab again issued a comprehensive report on the spyware’s operation in Mexico. The investigation was carried out in collaboration with R3D, SocialTic, and Article 19 and alleged that at least 76 prominent civil society members were targeted from 2015 to 2016 through Pegasus generated texts in the country. These included 10 journalists, one human rights defender, one US citizen, one minor, and several government food scientists and health, and consumer advocates. While it is unclear why these journalists in particular were targeted, several other journalists targeted by this cyberattack, including TV journalist Carmen Aristegui, were investigating the “Casa-Blanca” scandal at the time. 

In 2018, the software was used to infiltrate the device of Amazon CEO and billionaire Jeff Bezos. His phone was allegedly hacked by a party in Saudi Arabia and the FBI subsequently launched an investigation into NSO in 2020 in relation to this episode. However, at the time NSO denied any such investigations. And presently, the FBI refused to comment on it. 

Are women journalists specially more vulnerable to Pegasus?

Yes, and no. This is a complex question and requires an analysis that goes beyond just this one particular software and investigates the broader issue of gender and surveillance. Pegasus obviously does not possess special features that particularly target women journalists, however, that does not mean that women are not more vulnerable to surveillance than men because of the social structures we operate in. Of the 10 countries identified as hosting a large chunk of NSO’s clientele, several function with deeply entrenched patriarchal systems. Surveillance, thus, can harm the reputation or careers of men. But for women can be a tool to inflict immense sexual violence. As writer Richa Kaul Padte writes in her essay, The Not-So-Strange Feeling Someone Is Always Watching You:

Proponents of mass surveillance often ask the question, ‘If you have nothing to hide, why are you worried?’ Leaving aside the dangers of mass data collection, racial profiling, and treating everyone like a criminal-until-proven-innocent, this question has a bunch of different implications for women. The constant and rigorous emphasis placed on the female body in societies across the world tells us two things: One, our bodies are something that we should hide, and paradoxically two, our bodies are something that are constantly on display. The presence of surveillance cameras in pubic or private spaces – hidden or otherwise – encapsulates this dichotomy perfectly. You have nothing to hide except your body, which is of course impossible, because no matter how many clothes you put on, it’s still there. When it comes to spaces that tend to be male-dominated, your crime is the presence of your body, and the camera is, by extension, justified in capturing what you are ‘supposed to hide’.”

In India, for example, one of the targets of Pegasus was Minal Gadling. Minal is a 48 year-old home-maker, but a person of interest for the operators of Pegasus due to her marriage with Surendra Gadling, a well-known criminal lawyer in Nagpur. Similarly, it is no coincidence that while NSO’s CEO has strongly denied that Jamal Khashoggi was ever spied upon through their software, two women who had personal affiliations with the journalist were targeted. 

Another example of the uniquely gendered risks women face with regards to surveillance is that of the accuser in Chief Justice of India Ranjan Gogoi’s sexual harassment case. Reportedly 11 individuals in her social circle were cited as “persons of interest” by one of Pegasus’s Indian clients. 

It is widely acknowledged that women in patriarchal and misogynistic societies have had their private space repeatedly invaded as repercussions from straying from the “norms”. Revenge porn, leaked media, and manipulated photographs are all evidence of the gendered threats of surveillance. Adding a layer of political targeting and digital spying only complicates the already dangerous terrain that women journalists are forced to walk on by the virtue of their gender.

Conclusion

In 2014, Edward Snowden told Arundhati Roy that;

 “The technology cannot be rolled back, technology is not going anywhere … it is going to be cheaper, it is going to be more effective, it is going to be more available. If we do nothing, we sort of sleepwalk into a total surveillance state where we have both a super state that has unlimited capacity to apply force with an unlimited ability to know and [therefore be able to] target [that] force – and that’s a very dangerous combination … This is the direction of the future.” 

Pegasus might be a deeply iniquitous prospect, but it is far from being the only surveillance tool available for misuse. With nation states scrambling to ensure perfect knowledge of their citizens’ digital lives, the spyware industry is booming. Privacy is an inalienable right and it is not untrue that investigation of criminal and terrorist networks often act as excuses for much more insidious aims by governments around the world. If civil society is collectively unable to protect its right to privacy, Snowden’s words could prove prophetic. 

NOTE: You can use this tool made available by Amnesty International to check if you have been a target of Pegasus. 

 

Cover Photo Credit: occrp