Mobile Phones compromised
Pegasus spyware targets iPhones and Android-based devices. It appears to have affected users in at least 45 countries around the world. Of those countries, 6 have been known in the past to use surveillance malware to abuse human rights.
Between 2016 and 2018, a group of researchers at The Citizen Lab carried out a large project that scanned the internet for servers associated with the Pegasus mobile spyware. Bill Marczak, senior research fellow at The Citizen Lab, reported that they found roughly 200 servers in 2016, at the beginning of the research period. Over time, that number increased to 600 in 2018. This seems to strongly indicate that NSO Group is increasing its operations.
The malware was discovered to be active beginning in August 2016, when NSO Group was selling the mobile spyware to third parties and governments that wanted the capability to track calls, read texts, find passwords, and gather other app data from potential victims.
Generally, Pegasus is spread through phishing, using specially crafted exploit links. When a link is clicked, the spyware is able to penetrate the security features of the victim's phone. According to the latest report from The Citizen Lab, Pegasus has become much more widespread than it was previously. It is now being used by some countries in ways that target human rights.
Why is it being used to target civilians?
Pegasus usage has expanded to include Gulf Cooperation Council countries in the Middle East. It is being used to track certain dissidents, such as UAE activist Ahmed Mansoor, who was targeted not only in 2016 but in 2018 as well.
The researchers say their findings paint a bleak picture of the human rights risks posed by NSO's global proliferation. At least 6 countries, and possibly more, have significant Pegasus operations. These operations have been linked to spyware that has been used to target civil society in countries such as Mexico, Bahrain, Kazakhstan, Morocco, Saudi Arabia, and the United Arab Emirates.
In 2017, dozens of Mexican journalists and lawyers had their devices infected with this spyware. The targets also included a child. This particular Pegasus campaign is believed to have been carried out by the nation's government.
According to Marczak, the abuse of the spyware is a sign of what is to come. It is projected that civil society will find itself the target of this type of surveillance unless the government finds a better way to regulate spyware.
Between 2016 and 2018, the research team found 1,091 IP addresses and 1,014 domain names matching the behavior of command and control servers and exploit links that are highly associated with Pegasus.
Researchers at The Citizen Lab developed a technique they refer to as Athena to track the different Pegasus operators. The technique clusters the matching spyware servers into 36 distinct Pegasus systems, each one seemingly run by a separate operator. The research team then probed tens of thousands of ISP DNS caches all over the world, on the assumption that infected devices would routinely look up the domain names of an operator's servers using their ISP's DNS servers.
Researchers shared that they took the time to design and carry out a DNS cache probing study. This study was conducted on the matching domain names so that they could identify which country each operator was spying on. This technique was able to identify a total of 45 different countries that were victim to Pegasus surveillance operations. It was also found that at least 10 of the Pegasus operators were actively engaging in surveillance across the border.
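The assumption behind the DNS cache probing study, that infected devices routinely look up operator domain names through their resolver, also gives a defender a check to run against their own resolver logs. The following is an added example, not code from The Citizen Lab or from the original article; the log format, the indicator domains (placeholders under .example) and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed indicator list; real entries would come from a published report.
INDICATORS = {"c2-placeholder.example", "link-placeholder.example"}

# Constructed resolver log lines: "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2018-09-01T08:00:03 10.0.0.12 news.example.org.
2018-09-01T08:05:10 10.0.0.40 C2-Placeholder.example.
2018-09-01T09:05:12 10.0.0.40 c2-placeholder.example
2018-09-01T09:30:00 10.0.0.12 notc2-placeholder.example
2018-09-01T10:05:09 10.0.0.40 cdn.c2-placeholder.example.
2018-09-01T10:07:00 10.0.0.77 link-placeholder.example
malformed line
"""

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")

def matched_indicator(name, indicators):
    """Return the indicator equal to name or a parent domain of it, else None."""
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])  # match on whole labels, not substrings
        if candidate in indicators:
            return candidate
    return None

def recurring_lookups(log_text, indicators, min_hours=2):
    """Map client -> {indicator: sorted hour buckets}, keeping only pairs seen in
    at least min_hours distinct hours (a routine check-in, not a single click)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        hit = matched_indicator(parts[2], indicators)
        if hit:
            seen[(parts[1], hit)].add(ts.strftime("%Y-%m-%dT%H"))
    result = defaultdict(dict)
    for (client, hit), hours in seen.items():
        if len(hours) >= min_hours:
            result[client][hit] = sorted(hours)
    return dict(result)
```

Lowering `min_hours` to 1 also reports one-off lookups, such as a single click on an exploit link, at the cost of more noise.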
The following countries were found to be harboring this particular spyware: Bahrain, Algeria, Brazil, Bangladesh, Cote d’Ivoire, Canada, Egypt, Greece, India, France, Israel, Iraq, Jordan, Kenya, Kazakhstan, Kyrgyzstan, Latvia, Libya, Lebanon, Morocco, Mexico, Oman, the Netherlands, Pakistan, Poland, Palestine, Qatar, Rwanda, Singapore, Saudi Arabia, South Africa, Switzerland, Thailand, Tajikistan, Togo, Tunisia, the UAE, Turkey, Uganda, the United States, the United Kingdom, Uzbekistan, Zambia, and Yemen.
Surprisingly, the research team found several infections in United States IP space. However, the Pegasus customers were not directly linked to the United States, indicating a cross-border compromise.
When The Citizen Lab presented its report, NSO released a statement saying there were multiple problems with it, including inaccuracy.
In response, The Citizen Lab researchers disagreed with those claims and stood behind their findings. They foresee there being increased problems with human rights at the hands of Pegasus.