As part of a 2-year investigation into NSO Group’s sophisticated Pegasus spyware, Citizen Lab has identified 45 countries where operators might be leveraging the malware to conduct surveillance operations.
First detailed in August 2016, Pegasus is developed by NSO Group Technologies Ltd, a Herzelia, Israel-based company founded in 2010 and now owned by U.S. private equity firm Francisco Partners.
In 2016, Citizen Lab and Lookout revealed that Pegasus was targeting Apple devices using a chain of vulnerabilities referred to as Trident, which Apple was quick to patch. The installation process requires the intended victim to click on a specially crafted exploit link that delivers a chain of exploits that compromise the phone.
Once installed, the spyware contacts the command and control (C&C) server to receive and execute commands and to exfiltrate the target’s information, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. It can also turn on the phone’s camera and microphone for recording purposes.
The modular, highly customizable software is sold exclusively to governments and law enforcement agencies, supposedly for fighting crime and terror, but was observed being abused for surveillance purposes.
An investigation Citizen Lab has conducted between August 2016 and August 2018 not only confirmed the use of Pegasus to target activists, journalists, and human rights fighters, but also painted a more detailed picture of how widespread the tool’s operators are.
The organization found 1,091 IP addresses that matched their fingerprint for Pegasus, as well as 1,014 domain names that pointed to those IPs. The investigation also revealed that at least 10 Pegasus operators (assumed to be NSO customers) might be actively engaged in cross-border surveillance.
“We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each one which appears to be run by a separate operator,” Citizen Lab notes in a report published on Tuesday, which also details the techniques used to fingerprint Pegasus and to investigate operators.
The organization found significant Pegasus operations in six countries previously “linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.”
Furthermore, the spyware is apparently “in use by countries with dubious human rights records and histories of abusive behaviour by state security services.”
The countries with suspected Pegasus infections are Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.
Last year, the Pegasus spyware was found to have targeted dozens of Mexican lawyers, journalists, human rights defenders, opposition politicians, anti-corruption advocates, and an international investigation operating in Mexico. Even after the report, however, three separate operators continue to be active in the country as of July 2018. A lawsuit was filed in Tel Aviv in early September 2018.
Citizen Lab also identified at least six operators with significant operations in the Gulf Cooperation Council (GCC) countries in the Middle East: at least two focus on the UAE, one on Bahrain, and one on Saudi Arabia.
“Three operators may be conducting surveillance beyond the MENA region, including in Canada, France, Greece, the United Kingdom, and the United States,” Citizen Lab says.
The investigation also revealed five operators active in Africa: one predominantly focusing on the West African country of Togo, and one focused on Morocco (which may also spy on targets in Algeria, France, and Tunisia). There are also several operators in Israel: four operate domestically and one operating in other countries as well, including the Netherlands, Palestine, Qatar, Turkey, and the USA.
In their report, Citizen Lab provides further information on the identified operators focusing on specific regions, such as Americas, Africa, Asia, Europe, and the Middle East. Furthermore, the organization details a series of operators that appear to lack a clear focus, but all using a large degree of customization in their operations.
“Ten Pegasus operators appear to be conducting surveillance in multiple countries. While we have observed prior cases of cross-border targeting, this investigation suggests that cross-border targeting and/or monitoring is a relatively common practice. The scope of this activity suggests that government-exclusive spyware is widely used to conduct activities that may be illegal in the countries where the targets are located,” Citizen Lab notes.
Before publishing their report, Citizen Lab notified NSO of their findings, but the company once again said their “product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror.” NSO also informed the organization of the existence of a Business Ethics Committee that includes outside experts, which reviews and approves each transaction, and which is authorized to reject or cancel agreements.
“We have seen no public details concerning the membership or deliberations of this committee but encourage NSO Group to disclose them. NSO’s statements about a Business Ethics Committee recall the example of Hacking Team’s ‘outside panel of technical experts and legal advisors … that reviews potential sales’,” Citizen Lab notes.
“There are multiple problems with Citizen Lab’s latest report. Most significantly, the list of countries in which NSO is alleged to sell or where our customers presumably operate the products is simply inaccurate. NSO does not sell its products in many of the countries listed. The product is only licensed to operate in countries approved under our Business
Ethics Framework and the product will not operate outside of approved countries. As an example, the product is specifically designed to not operate in the USA,” NSO told Citizen Lab on Tuesday.
In 2016, however, Citizen Lab was able to infect a device in the United States with Pegasus spyware although the infection link had been sent to UAE activist Ahmed Mansoor.
Related: Ex-NSO Employee Accused of Stealing Spyware Source Code
Related: Internet Provider Redirects Users in Turkey to Spyware: Report