NSO dismissed the allegations arising from the data breach, but said it would “continue to investigate all credible allegations of abuse and take appropriate action.”
The company insisted that Pegasus is intended only for use against criminals and terrorists, and that it sells only to military, law enforcement and intelligence agencies in 40 unnamed countries. These clients have been vetted for their human rights records, NSO said.
But it is not difficult for bad actors to create seemingly legitimate shell companies and deceive vendors of such sensitive tools, said Vitaly Kamluk, director of the global research and analysis team for Asia-Pacific (APAC) at Kaspersky.
“It is possible to create someone who will only represent you and look like a legal entity that could be linked to the government,” he told TBEN on Wednesday (September 22).
“Some of the evidence can even be faked and I’m sure if you really focus on that you can somehow figure out how to become a legitimate customer of the NSO Group. And if you have enough money, you can buy these tools that they offer.”
NSO has been under intense scrutiny since 2016, when the company’s software was allegedly used against a human rights activist in the United Arab Emirates and a journalist in Mexico, The New York Times reported on July 18.
In 2018, an investigation by the Citizen Lab research group at the University of Toronto found that some of the phones suspected of being infected were in the UK, US and Singapore. Citizen Lab also reviewed the work done by Amnesty researchers on the recent data breach.
The Singapore government said on September 13 that it was aware of the allegations but could not verify them because no report had been filed.
“As our results are based on the geolocation of DNS servers at the country level, factors such as VPNs and Internet satellite teleport locations may introduce inaccuracies,” the Citizen Lab report said.
Since Singapore hosts a number of data centres and is a regional internet communications hub, Kamluk said, the results could reflect Singapore’s internet infrastructure rather than actual victims living here.
Here’s what we know about Pegasus so far:
HOW DOES PEGASUS INFECT A PHONE?
While earlier versions of the software relied on targeted spear-phishing attacks to gain access to a phone, it has since become far more effective and can infect a device even if nothing is clicked.
Mr Kamluk said that Pegasus infects phones through “non-interaction” methods, meaning malicious code is sent to a target and compromises the target’s device “without any interaction with the target user being required”.
For example, Pegasus first creates a fake WhatsApp account and then uses it to place video calls. When an unsuspecting user’s phone rings, malicious code is transmitted that installs the spyware on the phone. The software is installed even if the call is not answered.
Pegasus has apparently also started exploiting vulnerabilities in Apple’s iMessage software, although Apple released a patch on September 13 to address this.
Nonetheless, Mr Kamluk said Pegasus would likely find new ways to keep exploiting iPhones through other vulnerabilities.
“These vulnerabilities, they (Apple engineers) don’t plant them on purpose, that’s for sure, but it’s fundamental code of our human nature to make mistakes,” he said. “We’ll see new ones come and go, and Apple will fix it again as soon as they find that.”
Once Pegasus is installed on a phone, it can acquire administrative privileges on the device, allowing it to do more than the device’s owner can.
“It’s fully automatic,” Kamluk said. “They choose the target and at that point the operator has full control of the device.”
CAN PEGASUS BE IDENTIFIED AND DELETED?
When Pegasus infects a phone, it hides itself but leaves traces that can be spotted using specialised software, such as the free and open source Mobile Verification Toolkit (MVT) released by Amnesty, Kamluk said.
But to thoroughly check an iPhone, for example, users would likely void their warranty because specialists would have to “jailbreak” the phone to check every item stored inside, Kamluk continued.
“Of course, NSO Group will improve,” he said. “So everything that is detected right now – all these signs and traces that have been noted by Amnesty International and Citizen Lab – will be changed so that this tool is blind to future diagnostic (software) versions.”
And because Pegasus sinks deep into the parts of a device that require the highest privileges to access, Mr Kamluk said removing it would not be as simple as uninstalling an app or stopping a service.
“If the phone is infected, it probably means that it will stay there for a long time. Depending on the exploits they have and the post-exploitation stages, it can actually get deeper and even survive a restart or full reset of the (phone),” he added.
“Once the phone is hacked, I wouldn’t recommend using it for anyone who cares about privacy or security.”
WHO ELSE WAS TARGETED?
Numbers on the leaked list include that of Mexican journalist Cecilio Pineda Birto, who was shot dead in the street, as well as reporters from TBEN, The Bharat Express News, The Wall Street Journal, Bloomberg News and The New York Times.
Two of the targeted phones belonged to Mr. Szabolcs Panyi and Mr. Andras Szabo, investigative journalists in Hungary who regularly cover government corruption.
Indian investigative site The Wire also reported that 300 mobile phone numbers used in India, including those of government ministers, opposition politicians, journalists, scientists and rights activists, were on the list.
WHAT ARE THE IMPLICATIONS?
The Pegasus leak is likely to spark debates over government surveillance in several countries suspected of using the technology.
The investigation suggests that the Hungarian government of Viktor Orbán deployed NSO technology as part of its so-called war on the media, targeting investigative journalists in the country as well as the inner circle of one of the few independent media executives in Hungary, the Guardian report said.