
Illustration by Security Management

Journalists, Activists Among Those Surveilled by Governments Via Pegasus Hack

A group of more than 80 reporters, coordinated through the international organization Forbidden Stories, reported that at least 180 journalists have been targeted by Pegasus users—clients of Israeli private cyber-surveillance company NSO Group.  

According to the Pegasus Project—supported by freelancers and reporters from 17 media outlets across 10 countries, including The Guardian and The Washington Post—more than 50,000 phone numbers from more than 50 countries were chosen for invasive surveillance. Once it is installed, Pegasus, perhaps one of the most powerful pieces of spyware ever developed, can harvest essentially any data on a phone, whether it runs Android or iOS.

“The consortium said the numbers on the list include those of the editor of The Financial Times, Roula Khalaf; people close to Mr. Khashoggi; a Mexican reporter who was gunned down on the street, Cecilio Pineda Birto; and journalists from CNN, The Associated Press, The Wall Street Journal, Bloomberg News and The New York Times,” according to The New York Times. 

But it isn’t only journalists who were on the list—human rights activists, lawyers, political dissidents, union leaders, academics, diplomats, businesspeople, doctors, and opposition politicians are also potential targets.  

“It can copy messages you send or receive, harvest your photos and record your calls,” The Guardian reported. By granting its user root privileges on the target’s smartphone, Pegasus turns the device into a constant and unrelenting surveillance tool and can collect contact information, SMS messages, emails, calendars, communication logs, and browsing history. “It might secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met.”

Pegasus Project journalists spoke with a source, on the condition of anonymity, who has direct knowledge of the company’s systems. According to the source, a lookup of the Home Location Register—a database necessary for operating mobile phone networks—is essential in determining a phone’s characteristics, including whether it is turned on or whether it is currently in a country that permits use of Pegasus.

It is unknown how many of those phones had Pegasus installed, partly because of how sophisticated the spyware is. The malware can infect a phone through a few different methods, including “zero-click” attacks, which do not need interaction from a device’s user for a successful installation.

Besides zero-click attacks, the spyware can also be installed through spear-phishing attacks, via a wireless transceiver near a targeted device, or manually with access to a target’s phone.

In 2019, messaging application WhatsApp disclosed that Pegasus had exploited a zero-day vulnerability to send malware to more than 1,400 smartphones.  

More recently, The Washington Post, in partnership with the Pegasus Project, reported that at least 23 Apple devices were hacked with help from Pegasus. An iMessage delivered to the phone would also directly install the spyware, without even setting off the usual alert tone for a text message.

“Researchers have documented iPhone infections with Pegasus dozens of times in recent years, challenging Apple’s reputation for superior security when compared with its leading rivals, which run Android operating systems by Google,” the Post reported.  

The Pegasus Project is also supported by Amnesty International’s Security Lab. The lab’s researchers discovered signs of successful Pegasus attacks on iPhones as recently as July 2021. Out of the 67 devices the lab analyzed, which were also on the Forbidden Stories list, researchers found evidence of either successful or attempted Pegasus installation in 37 of the phones. Of those, 34 were iPhones.

Amnesty’s researchers also published their Forensic Methodology Report to share their process and tools, helping other security and civil researchers detect mobile device breaches and spyware.

Although only three of the Android phones displayed indicators of at least an attempt to install Pegasus, this was likely because Android’s data logs “are not comprehensive enough to store the information needed for conclusive results,” according to the Post.  

Researchers also suspect that Pegasus can reside solely in a phone’s temporary memory, making it even more difficult to detect: once a phone is turned off, virtually all signs of the software disappear.

NSO insists that Pegasus is only sold to government clients and only for the purpose of targeting mobile devices of persons suspected of serious crimes or terrorism. “After checking their claims, we firmly deny the false allegations made in their report,” the company said in a published letter responding to the Pegasus Project story. “Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims. In fact, these allegations are so outrageous and far from reality, that NSO is considering a defamation lawsuit.”

Pegasus was first discovered on devices by researchers in 2016. 

The Israeli government is also facing criticism for granting NSO an export license, which allows it to sell the software to countries with authoritarian governments that use the spyware to surveil state critics.

“Separately, a person familiar with NSO contracts told The Times that NSO systems were sold to the governments of Azerbaijan, Bahrain, India, Mexico, Morocco, Saudi Arabia, and the U.A.E.,” The Times reported.