Leaked 50,000 contact details related to spyware targeting

Cyber ​​Warfare / Nation State Attacks, Endpoint Security, Fraud Management and Cybercrime

“Pegasus Project” Says List Used to Coordinate NSO Group Spyware Attacks

Mathew J. Schwartz (euroinfosec) •
July 19, 2021

Countries where journalists have been selected as targets (Source: forbidden stories)

A leak of 50,000 phone numbers and email addresses led to “Project Pegasus,” a research effort by a global media consortium that discovered how Pegasus spyware developed by NSO Group is used in the wild.

See also: Live Webinar | How to Create a Safe Hybrid Workplace with SASE

The list of contact details was obtained by a French non-profit journalism group Forbidden stories and human rights group Amnesty International. They say it appears to have been used to identify people of interest in 50 countries – including 1,000 people in Europe – who were to be potentially targeted by the Pegasus spyware.

Investigating who is on the target list – and whether they have been targeted – is the raison d’être of the Pegasus Project consortium of 17 media organizations, which conducted months of research and began publishing their findings on Sunday. Amnesty International has not explained how she came into possession of the apparent list of targets.

Pegasus is a remote access tool designed to infect both Android and Apple devices, sometimes through zero-day exploits on the Ether Platform. Developed and sold by Israeli software developer NSO Group, spyware Pegasus – like its rival Candiru, developed by an Israeli company of the same name – can only be exported to countries after approval by the Israeli Defense Ministry. .

Forbidden Stories says that connecting names on the leaked data list with subsequent Pegasus infections can only be done after performing a digital forensic analysis on an individual’s smartphone. When Amnesty International’s tech team performed a digital forensic analysis on 67 smartphones, they discovered that more than half of them appeared to have been infected with Pegasus, some as late as this month, via a “zero click” vulnerability in Apple’s iOS mobile operating system (see: Spyware Exposed Highlights Alleged Apple Zero-Day Flaws).

Spyware created by NSO Group previously used zero-day vulnerabilities in Apple and Android mobile operating systems to help infect target devices with the software, for example, through apps like WhatsApp and iMessage. Once on the device, the spyware has access to full functionality, including the ability to use the microphone, camera, and GPS to track and monitor targets in real time. All information stored on a device, including photographs and contacts, can also be exfiltrated.

Experts say Pegasus only appears to be used in highly targeted attacks. For targets, however, this does not decrease the risk they might face. “The minimal spread of spyware doesn’t make it any less dangerous, for each individual being monitored the extent of privacy damage is certainly very high,” says Jakub Vavra, mobile threat analyst at security software vendor Avast , which develops antivirus tools. .

The power of spyware

This spyware is presented to regulators, lawmakers and officials as necessary to fight criminals, such as drug traffickers, hackers, child sex abusers and terrorists. Companies like NSO Group also say they require customers to agree to terms and conditions that restrict how software gets used to only tackling “serious crime and terrorism.”

But research from Amnesty International as well as the University of Toronto’s Citizen Lab, which tracks illegal hacking and surveillance, suggests that while many governments are using the software for its stated purpose, some also appear to use it to target others, including executive companies, journalists, activists and human rights defenders.

These long-standing allegations have been made against companies, including NSO Group, which sell spyware to intelligence agencies. But NSO Group has continued to vigorously deny that its software is being misused.

Monday, NSO Group released a statement in response to research on forbidden stories. “Having verified their claims, we strongly deny the false allegations made in their report,” he said.

Many governments, on the other hand, seem reluctant to openly restrict the use of such software. Two years ago, the UN Special Rapporteur on Freedom of Opinion and Expression, David Kaye, called for a moratorium on the export of such software until better controls can be put in place.

“The private surveillance industry is a free-for-all,” which has led to the spread “of technology that causes immediate and regular damage to individuals and organizations that are essential to democratic life – journalists, activists, political figures. opposition, lawyers and others, ”Kaye said. “It is time for governments and businesses to recognize their responsibilities and impose tough demands on this industry, in an effort to protect human rights for all.

But no international standards or controls have been put in place. The EU, however, has started to institute export control rules for this technology.

Politicians, journalists, activists included in the list

The leaked list of contact details obtained by Forbidden Stories and Amnesty International includes details of numerous activists, government critics, politicians, business leaders as well as 180 journalists from nearly two dozen countries.

According to the media consortium behind the Pegasus project, analysis of the data suggests that at least 10 governments appear to have submitted names to the list: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and United States. United Arab Emirates.

The Guardian says some people’s smartphones are known to have been infected with Pegasus just seconds after being added to the leak list.

Journalists on the list include the editor of the UK Financial Times, as well as people working for Agence France-Presse, Al Jazeera, Associated Press, CNN, The Economist, Le Monde, The New York Times, Reuters, the Wall Street Journal and Voice. America, reports the Guardian.

Other people on the list include Indian Prime Minister Narendra Modi’s main rival, Rahul gandhi; Mexican journalist Cecilio Pineda Birto – murdered just one month after his phone number appeared on the list; as well as business leaders, lawyers, academics and government officials, including cabinet officials and heads of state, whom Project Pegasus partners say they want to appoint in the coming days.

In its statement, NSO Group says it has nothing to do with the alleged target selection list, and it says the list of 50,000 phone numbers and email addresses appears to have been obtained from legitimate searches, such as HRL Lookup.

“Such services are open to anyone, anywhere and anytime, and are commonly used by government agencies for many purposes, as well as private businesses around the world,” said NSO Group.

The company says to Guardian: “It is also indisputable that data has many legitimate and very appropriate uses unrelated to surveillance or NSO, so there can be no factual basis to suggest that one use of the data equals sort of like surveillance. “

Terms and conditions

NSO Group’s most recent “Transparency and Accountability Report”, released in June, indicates that the company has 60 clients in 40 countries. An anonymous source told the Guardian that NSO has approximately 45 Pegasus customers, each targeting an average of approximately 112 devices per year.

The number of people named in the list of leaked contact details who could have been targeted using Pegasus remains an open question from Project Pegasus. But Amnesty International’s testing of a small number of devices belonging to those named on the list found that just over half had been infected. Amnesty International’s technical findings have been independently confirmed by Citizen Laboratory.

NSO Group says it has no information on how “government vetted customers” are using its technology. “NSO does not operate the systems it sells to controlled government clients and does not have access to data of its clients’ targets. NSO does not operate its technology, collect, own, or access to any kind of customer data, ”he told The Guardian.

The company told Forbidden Stories that it is investigating all reports of misuse of its software and that it has previously revoked some customers’ ability to use the software. The evidence that such steps were taken, however, appears to be taken in a catch-22 scenario. “Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as the identities of customers whose systems we have shut down,” the company said.

Following the findings of Project Pegasus, Amnesty International called on the NSO group to crack down on governments that use Pegasus in a way that violates human rights.

“The NSO group must exercise human rights due diligence and take measures to ensure that human rights defenders and journalists do not continue to be the target of unlawful surveillance,” Amnesty International said .

Comments are closed.