The case revealed by our colleagues at Forbidden Stories, in partnership with Amnesty International’s Security Lab, is taking on an unusual scale and could even become an international diplomatic scandal comparable to the Snowden cyberespionage case. Several states have reportedly used spyware called Pegasus. Marketed by the Israeli company NSO Group, it has been used for several years, according to the consortium, by countries carrying out targeted espionage against journalists, activists, doctors, sportsmen or political figures – up to leaders – by spying on all the content and operations that circulate on their mobile phones, in an unconventional and devilishly disturbing way.
50,000 “target” telephone numbers from around 50 countries
Forbidden Stories and Amnesty International had access to a list of over 50,000 telephone numbers. All of them were targeted by clients of NSO Group, the Israeli company behind the infamous Pegasus software. This company, which employs 750 people in the suburbs of Tel Aviv, is officially supposed to work in the fight against crime by helping intelligence services.
No fewer than 180 journalists’ cellphones have been targeted in 20 countries. But not only theirs. The list also includes businessmen, heads of state, activists and human rights defenders, as we said above. There are no fewer than 10 so-called “government” clients of NSO. Suffice it to say that the targets reach high up the hierarchy.
These cell phones have been targeted from various countries all over the globe: from India to Hungary via Bahrain, Morocco, Saudi Arabia, Mexico, Azerbaijan, Togo and Rwanda.
Although it was impossible, for practical reasons in particular, to confirm all the targets, Amnesty International’s Security Lab was able to obtain 67 mobile phones belonging to journalists. Note that analysis of the device was essential to confirm whether or not it had been spied on. And until this month, some of the mobile phones studied were still being scrutinized. We are therefore far from monitoring criminal activity. “These figures show in a striking way how widespread these abuses are, endangering the lives of journalists, but also that of their families and their colleagues. This undermines the freedom of the press and closes the door to any critical media”, reacted the Secretary General of Amnesty International, Agnes Callamard. “By suppressing dissenting voices, the goal is to control the public narrative and avoid any contradiction,” she continued.
Inescapable and unstoppable infections, “without click”
One of the questions one can ask, in the cyber environment, is “how did these cell phones get infected? By what stratagem did the targeted individuals fall into the trap?” At one time, the method was traditional, conventional shall we say. A banal email was sent, and the famous click inside it could trigger the installation of malware. That was the preferred method until 2014.
Then things improved on the cyberattackers’ side, and messages and other emails became more personal. Often, journalists were lured by information about potential scoops, or specific information about one or more of their relatives. Pure incentive, then. But it still relied on the famous click on a link to install the malware. In short: until recently, human intervention – that of the targeted person – was always required for the malicious action to succeed. It worked, as journalists were more “inclined” to fall into the phishing trap as long as they were a little less attentive, in a certain proportion. The first infections via Pegasus seem to date back to 2015 and 2016. Mexican investigative journalist Carmen Aristegui received, at the time, more than twenty text messages containing malicious links from Pegasus. The phone numbers of her family members and co-workers were also targeted in the batch.
Claudio Guarnieri, head of Amnesty International’s Security Lab, explains that there is now a “zero click” process that allows the customer to take control of the mobile without any action on the part of the target.
Once installed, Pegasus offers NSO customers full access to the device on a platter. This ranges from SMS to calls, through remote activation of the microphone and camera, GPS location, the extraction of passwords and the capture of all files and data exchanged via so-called secure messaging, such as Telegram, Signal or WhatsApp.
Until the mobile is turned off, it is infected. And once turned back on, it can be re-infected. To avoid the slightest detection, the governments which have engaged in this cyber espionage have nevertheless practiced what Eva Galperin, Director in charge of cybersecurity at the Electronic Frontier Foundation (EFF), calls the “hit and run” strategy. Basically: the government infects the phone, does its business (thus extracts data), then leaves the device very quickly. And so on.
Edwy Plenel’s number targeted, NSO denies any criminal involvement
What is particularly worrying today is that the spyware market appears to have been shaken up. Whereas governments once developed their own malware, they no longer hesitate to turn to specialized private companies, typically NSO Group or others such as Hacking Team and FinFisher.
And what is all the more worrying is the hidden use of Pegasus, which Forbidden Stories does not hesitate to equate to a weapon. A potentially fatal weapon. Many remember the murder of Washington Post journalist Jamal Khashoggi, who never left the Saudi consulate in Turkey, in October 2018. A few days after the tragedy, Citizen Lab revealed that a relative of Khashoggi, Omar Abdulaziz, had been targeted by Pegasus the month before the assassination. A disturbing detail, against which NSO defends itself, claiming to have an “emergency stop device” allowing it to cease all collaboration with a client who does not respect human rights. The Israeli firm also denied any involvement in the assassination of dissident journalist Jamal Khashoggi.