“Pegasus” Trojan: How authoritarian states spy on their opponents

All over the world, journalists and members of the opposition have apparently been spied on using powerful spy software. This is shown by international research. Actually, it should only be used to prosecute criminals and terrorists.

They have apparently been targeted by secret services and police authorities around the world: hundreds of journalists, human rights activists, lawyers and politicians, including state presidents. Their cell phones are said to have been selected to be monitored with spy software. This is what research by an international journalist consortium suggests NDR, WDR, “Süddeutsche Zeitung” and the weekly newspaper “Zeit” are involved. Together with the organization Forbidden Stories and Amnesty International, the journalists evaluated a data set of more than 50,000 telephone numbers.

This is a list of potential spy targets selected by customers of the Israeli company NSO Group. NSO is one of the leading manufacturers of commercial spy software. The company sells products to law enforcement agencies, intelligence agencies and armies around the world that are used to extensively spy on cell phones. The company, which was founded in 2010 and is now worth more than one billion euros, has around 60 customers in 40 countries, according to its own information.

NSO’s best-known product is “Pegasus”, a Trojan horse that infects iPhones and Android smartphones unnoticed and can effortlessly monitor phone calls, text messages, e-mails and even encrypted chats. Considered one of the most powerful spy programs on the commercial market, the software can even turn on a device’s camera and microphone without being noticed.

Thousands of phone numbers

According to official reports, the Israeli manufacturer NSO only sells its espionage software to government agencies, which are supposed to use it exclusively for the fight against terrorism and serious crime. In fact, however, the research of the “Pegasus Project” suggests that authoritarian regimes are also using it to monitor and prosecute political opponents, oppositionists, human rights activists and critical journalists.

The phone list, which includes entries from 2016 to 2021, apparently contains the data of at least ten customers of NSO. The journalist consortium was able to assign thousands of numbers to specific people. The list includes mobile phone numbers of heads of state and government and of high-ranking diplomats, among other things. There are also the numbers of more than 180 journalists, including the editor-in-chief of the British “Financial Times”, reporters from the French media “Le Monde”, “Mediapart” and “Le Canard Enchainé”, a reporter for the US television channel CNN , from “The Wire” in India, an AFP correspondent in Morocco, a television presenter in Mexico, and editors from Hungary and Azerbaijan.

Prevents attacks, fights crime

In a statement written by a U.S. attorney on behalf of NSO, it said phone number collection could have many legitimate and completely clean uses that had nothing to do with surveillance or NSO. Even if these numbers had been fed into NSO, this “does not necessarily have to mean” that this was also “part of a surveillance attempt”. In addition, this does not say anything about whether the use of spy software was also successful. In addition, NSO has no knowledge of the educational objectives of its customers. The French association Forbidden Stories draws “wrong, too far-reaching and defamatory conclusions from the list of data”.

“The truth is, NSO Group’s technologies have helped prevent terrorist attacks, gun violence, car explosions and suicide attacks,” the Israeli company said when asked. NSO’s products are used daily by the authorities “to break up pedophilia, sex and drug trafficking rings, to locate missing and kidnapped children,” and the company is on a “life-saving mission” that it will “unwaveringly and conscientiously carry out, despite all continued attempts to discredit them on false grounds “.

Attack within seconds

According to insiders, if a cell phone is to be attacked using the spyware, this takes place in two steps. First of all, it is checked, for example, where the device is located and whether it can be reached. The attackers can then use this data to infect the cell phone with the Pegasus program. In more than a dozen cases on the list that the journalists’ consortium investigated, the attack took place less than a minute after the first data query, sometimes as little as seven seconds.

Traces of the Trojan found on numerous cell phones

In order to check whether attacks with the espionage software “Pegasus” have actually taken place on the listed telephone numbers, the media involved have met with alleged victims of the spying actions over the past few months and arranged random samples.

IT experts from the Amnesty International Security Lab in Berlin and the Citizen Lab at the University of Toronto performed forensic examinations on 44 iPhones of people whose numbers appeared to have been selected as potential targets by NSO customers. Traces of attacks with the “Pegasus” software were actually found on 37 devices, and the Trojan was apparently still active on some cell phones until July of this year.

The Kashoggi case

According to the experts from Citizen Lab, who have been working with the software of the Israeli company NSO for years, the traces on the cell phones examined show a high level of correspondence with traces of devices that had allegedly been infected with “Pegasus” in the past .

There was also criticism of NSO after indications emerged that the surveillance software “Pegasus” was supposed to have been used in the vicinity of the Saudi journalist and exiled oppositionist Jamal Khashoggi – which NSO denies. Khashoggi was considered a critic of the royal family and is said to have been murdered by a killer squad in Istanbul while visiting the Saudi consulate in 2018 and his body was then sawn up. The Israeli surveillance program is also said to have been used against the human rights activist Ahmad Mansur from the United Arab Emirates.

Use also in Europe

The new research of the “Pegasus Project” suggests that the spy software was also used in Europe. In Hungary, for example, several investigative journalists are said to have been attacked with it in 2019. The country does not comment on this. In a statement, however, the government writes that the rule of law prevails in Hungary.

In Azerbaijan, too, there were spying actions against well-known journalists critical of the government, for example against the reporters Khadija Ismayilova and Sevinc Vaqifici, as revealed by forensic analyzes of their cell phones. In France, according to the investigation, the mobile phone of Edwy Penel, the founder of the research platform “Mediapart”, was infected, as was that of a well-known reporter from “Le Monde”. The analysis of the data and further research suggest that the surveillance was initiated by agencies in Morocco.

The list includes a total of around 10,000 phone numbers that were apparently entered into the system by customers of NSO in Morocco. Around 100 subscribers could be identified by name, mostly French phone numbers. This makes the North African country one of the Israeli company’s largest customers. The Moroccan government left unanswered specific questions about the use of the Israeli software. In the coming days, among other things, will be on tagesschau.de, published the results of the research of the “Pegasus” project at the “Süddeutsche Zeitung” and “Zeit”.