Pierluigi Paganini July 19, 2021

Pegasus Project investigation into the leak of 50,000 phone numbers of potential surveillance targets revealed the abuse of NSO Group’s spyware.

Pegasus Project is the name of a large-scale investigation into the leak of 50,000 phone numbers of potential surveillance targets that revealed the abuse of NSO Group’s spyware.

Pegasus is a surveillance malware developed by the Israeli surveillance NSO Group that could infect both iPhones and Android devices, it is sold exclusively to the governments and law enforcement agencies.

The investigation was conducted by more than 80 journalists from 17 media organizations in 10 countries coordinated by media, non-profit organization Forbidden Stories with the technical support of Amnesty International.

The surveillance campaign targeted heads of state, activists and journalists, including the family of the journalist Jamal Khashoggi family before and after he was killed in Istanbul on 2 October 2018 by Saudi operatives.

“The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril,” said Agnès Callamard, Secretary General of Amnesty International.

“These revelations blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology. While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations.”

NSO Group labeled the evidence collected in the report false claims and uncorroborated theories.

The analysis of the leaked data and the forensics investigations conducted on the module devices revealed that at least 11 countries were buying the surveillance software from the Israeli firm, including Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).

The privacy advocates blame NSO Group for failing to take adequate action to stop the use of its tools for unlawful targeted surveillance of activists and journalists.

As part of The Pegasus Project, the experts identified that at least 180 journalists in 20 countries were the targets of a massive surveillance activity with NSO spyware between 2016 to June 2021.

The evidence demonstrates that governments used Pegasus to intimidate journalists and critical media. Exposing Pegasus infrastructure

Amnesty International published technical details about its forensics investigation which includes information about the evolution of Pegasus spyware infections since 2018. The researchers also shared data related to the Pegasus’s infrastructure, including more than 700 Pegasus-related domains.

The report also includes indicators of compromise for Pegasus spyware attacks.

“All indicators of compromise are available on our GitHub , including domain names of Pegasus infrastructure, email addresses recovered from iMessage account lookups involved in the attacks, and all process names Amnesty International has identified as associated with Pegasus.” states the report published by Amnesty.

“Amnesty International is also releasing a tool we have created, called Mobile Verification Toolkit (MVT). MVT is a modular tool that simplifies the process of acquiring and analysing data from Android devices, and the analysis of records from iOS backups and filesystem dumps, specifically to identify potential traces of compromise. MVT can be provided with indicators of compromise in STIX2 format and will identify any matching indicators found on the device. In conjunction with Pegasus indicators,  MVT can help identify if an iPhone have been compromised.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Pegasus Spyware)

[adrotate banner=”5″]

[adrotate banner=”13″]