Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

Report Reveals Widespread Use of Pegasus Spyware

As part of a 2-year investigation into NSO Group’s sophisticated Pegasus spyware, Citizen Lab has identified 45 countries where operators might be leveraging the malware to conduct surveillance operations.

As part of a 2-year investigation into NSO Group’s sophisticated Pegasus spyware, Citizen Lab has identified 45 countries where operators might be leveraging the malware to conduct surveillance operations.

First detailed in August 2016, Pegasus is developed by NSO Group Technologies Ltd, a Herzelia, Israel-based company founded in 2010 and now owned by U.S. private equity firm Francisco Partners.

In 2016, Citizen Lab and Lookout revealed that Pegasus was targeting Apple devices using a chain of vulnerabilities referred to as Trident, which Apple was quick to patch. The installation process requires the intended victim to click on a specially crafted exploit link that delivers a chain of exploits that compromise the phone.

Once installed, the spyware contacts the command and control (C&C) server to receive and execute commands and to exfiltrate the target’s information, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. It can also turn on the phone’s camera and microphone for recording purposes.

The modular, highly customizable software is sold exclusively to governments and law enforcement agencies, supposedly for fighting crime and terror, but was observed being abused for surveillance purposes.

An investigation Citizen Lab has conducted between August 2016 and August 2018 not only confirmed the use of Pegasus to target activists, journalists, and human rights fighters, but also painted a more detailed picture of how widespread the tool’s operators are.

The organization found 1,091 IP addresses that matched their fingerprint for Pegasus, as well as 1,014 domain names that pointed to those IPs. The investigation also revealed that at least 10 Pegasus operators (assumed to be NSO customers) might be actively engaged in cross-border surveillance.

Advertisement. Scroll to continue reading.

“We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each one which appears to be run by a separate operator,” Citizen Lab notes in a report published on Tuesday, which also details the techniques used to fingerprint Pegasus and to investigate operators.

The organization found significant Pegasus operations in six countries previously “linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.”

Furthermore, the spyware is apparently “in use by countries with dubious human rights records and histories of abusive behaviour by state security services.”

The countries with suspected Pegasus infections are Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

Last year, the Pegasus spyware was found to have targeted dozens of Mexican lawyers, journalists, human rights defenders, opposition politicians, anti-corruption advocates, and an international investigation operating in Mexico. Even after the report, however, three separate operators continue to be active in the country as of July 2018. A lawsuit was filed in Tel Aviv in early September 2018.

Citizen Lab also identified at least six operators with significant operations in the Gulf Cooperation Council (GCC) countries in the Middle East: at least two focus on the UAE, one on Bahrain, and one on Saudi Arabia.

“Three operators may be conducting surveillance beyond the MENA region, including in Canada, France, Greece, the United Kingdom, and the United States,” Citizen Lab says.

The investigation also revealed five operators active in Africa: one predominantly focusing on the West African country of Togo, and one focused on Morocco (which may also spy on targets in Algeria, France, and Tunisia). There are also several operators in Israel: four operate domestically and one operating in other countries as well, including the Netherlands, Palestine, Qatar, Turkey, and the USA.

In their report, Citizen Lab provides further information on the identified operators focusing on specific regions, such as Americas, Africa, Asia, Europe, and the Middle East. Furthermore, the organization details a series of operators that appear to lack a clear focus, but all using a large degree of customization in their operations.

“Ten Pegasus operators appear to be conducting surveillance in multiple countries. While we have observed prior cases of cross-border targeting, this investigation suggests that cross-border targeting and/or monitoring is a relatively common practice. The scope of this activity suggests that government-exclusive spyware is widely used to conduct activities that may be illegal in the countries where the targets are located,” Citizen Lab notes.

Before publishing their report, Citizen Lab notified NSO of their findings, but the company once again said their “product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror.” NSO also informed the organization of the existence of a Business Ethics Committee that includes outside experts, which reviews and approves each transaction, and which is authorized to reject or cancel agreements.

“We have seen no public details concerning the membership or deliberations of this committee but encourage NSO Group to disclose them. NSO’s statements about a Business Ethics Committee recall the example of Hacking Team’s ‘outside panel of technical experts and legal advisors … that reviews potential sales’,” Citizen Lab notes.

“There are multiple problems with Citizen Lab’s latest report. Most significantly, the list of countries in which NSO is alleged to sell or where our customers presumably operate the products is simply inaccurate. NSO does not sell its products in many of the countries listed. The product is only licensed to operate in countries approved under our Business
Ethics Framework and the product will not operate outside of approved countries. As an example, the product is specifically designed to not operate in the USA,” NSO told Citizen Lab on Tuesday.

In 2016, however, Citizen Lab was able to infect a device in the United States with Pegasus spyware although the infection link had been sent to UAE activist Ahmed Mansoor.

Related: Ex-NSO Employee Accused of Stealing Spyware Source Code

Related: Internet Provider Redirects Users in Turkey to Spyware: Report


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Daniel Kelley was just 18 years old when he was arrested and charged on thirty counts – most infamously for the 2015 hack of...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...


Spanish Court agreed to extradite Joseph James O’Connor to he U.S., who allegedly took part in the July 2020 hacking of Twitter accounts of...


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...

Application Security

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that...