There has been a lot of fuss in the name of the Pegasus spyware. But before we dive in, it is worth mentioning that the name “Pegasus”, belongs to the winged horse from Greek mythology. Legend has it that wherever the winged horse struck his hoof, a water spring burst forth.
Presently, people associate this with the most powerful spyware developed by a private company. Once the Pegasus spyware is covertly installed onto a phone, it turns that phone into a 24-hour surveillance device. The operator of the tool can copy messages that the owner of the phone sends or receives, get access to photos, and record calls. The Pegasus spyware can film secretly through the phone’s camera and even activate the microphone to record conversations. It can use the phone’s GPS to potentially pinpoint the location of the owner of the phone in real-time.
Who developed the Pegasus spyware and why?
An Israeli private company, NSO Group, developed and markets the Pegasus spyware. Given the havoc the spyware can cause, NSO Group licenses this product only to government intelligence agencies and law enforcement agencies after doing due diligence.
The NSO Group says that the Pegasus spyware helps prevent terrorism, breaks up criminal operations, finds missing persons and assists search and rescue teams. Mexico, the first client of the Pegasus spyware, had used it to fight the drug cartels. Notorious Mexican drug lord, Joaquin Guzman Loera, better known as El Chapo, was arrested with the help of this hacking software.
Why is the Pegasus spyware so special?
Pegasus is a world-leading cyber intelligence solution that enables intelligence agencies and law enforcement agencies to remotely and covertly extract data from any mobile device, be it android or IOS.
Until early 2018, NSO Group’s clients had to rely on SMS and WhatsApp messages to trick targets into opening a malicious link that would infect their phones with this malware. Since then, the Pegasus spyware’s attack capabilities have become much more improved. Infections can now be achieved with “zero-click” attacks. This means that the spyware can now be installed in a phone without requiring any interaction with the phone’s owner.
The hacking software can achieve such “zero-click” installations in several ways. One option is to send a push message covertly that makes the target device load the spyware, with the device’s owner completely unaware of the installation. These attributes differentiate Pegasus spyware from any other spyware available in the market.
When neither phishing nor “zero-click” attacks succeed, spies can install Pegasus spyware with the help of a wireless transceiver located near the target or simply by getting hold of the target’s phone in his/her absence.
Once installed, the Pegasus spyware contacts the attacker’s command-and-control servers to receive and carry out instructions and send the target’s private data to the attacker, including contact lists, calendar events, passwords, text messages, and live calls, even those which are end-to-end encrypted.
The Pegasus spyware only sends scheduled updates to avoid extensive bandwidth consumption that may alert the client and prevent detection by anti-virus software; it also evades forensic analysis, allowing the attacker to deactivate the spyware as and when necessary.
How did the controversy start?
In July 2021, Amnesty International, a London-based NGO, along with 17 media outlets worldwide, released a report on how the Pegasus Spyware was being used to snoop on Human Rights Activists, journalists, lawyers, and politicians by authoritarian governments in various countries.
Forbidden Stories, a Paris-based non-profit media organization, and Amnesty International claimed access to a leaked list containing over 50,000 phone numbers of people under the radar. They shared this list with their 17 media partners as part of the “Pegasus Project,” a reporting consortium.
Is the claim based on flimsy ground?
Amnesty International never disclosed the source of the leak and what type of test scans were carried out to establish the integrity of the data. The consortium claimed to have identified only 1000 telephone numbers out of 50,000. The phone number on the list did not reveal whether the device was infected by Pegasus or subjected to an attempted hack.
Amnesty International’s statement that its test scan methodology could not scan Android devices sounds bizarre and raises serious doubts about the integrity of the scan process itself. Also, the consortium had not shared the country-wise break-up of the phone numbers for snooping. This, even though Citizen Lab, an interdisciplinary laboratory based at the University of Toronto, had claimed that the Pegasus Spyware was used by 45 countries. It would be worth mentioning here that Amnesty International and Citizen Lab have a history of working together.
Forbidden Stories and Amnesty International had drawn their conclusion based on the forensic analysis of 67 phones out of the 50,000 phone numbers on the list, providing no details about the identity of these phone numbers.
The question that remains unanswered is how many of these 67 phone numbers belonged to employees or associates of Amnesty International, Forbidden Stories, Citizen Lab, and the seventeen media partners of the consortium?
What were the repercussions?
Despite the declaration by the consortium that the mere presence of the phone numbers in the leaked list is not proof of infection or snooping, serious allegations were leveled on eleven countries, including Mexico, United Arab Emirates, Saudi Arabia, Morocco, Bahrain, Kazakhstan, India, and Hungary. Based on the sample size of sixty-seven, the consortium concluded that these countries were guilty of large-scale snooping-a preposterous and outrageously scandalous claim.
As a result of this claim, mass hysteria broke loose. Media outlets persuasively reported global abuse of this cyber-surveillance weapon. Opposition parties took this opportunity to put democratically elected governments under pressure, and everybody started fearing that hackers will hack their phones. There was enough hue and cry for the entire world to know about Pegasus’s flight from Greek mythology to the complicated world of spyware.
These are some of the news that has been reported by “The Pegasus Project” (as reported by “The Guardian” a British newspaper and one of the seventeen media outlets):
- The mobile phone of a British lawyer and human rights campaigner named David Haigh, who fought to free Dubai’s Princess Latifa, was compromised by the Pegasus spyware.
- There has been a call for ministers in Hungary to resign in the wake of Pegasus revelations.
- Pegasus spyware was found on journalists’ phones in France.
- The USA has voiced concerns with the Israeli officials regarding Pegasus revelations.
- Israeli authorities have inspected NSO Group offices after Pegasus revelations.
- Investors of the NSO Group are in talks to transfer the Management of funds.
What is the NSO Group saying?
The NSO Group told ANI, “Where is the proof? We are used to these accusations. No proof is given, they are relying on nothing. They approached us saying fifty thousand targets of Pegasus were noticed. This is ridiculous! We sell the licenses, we know that this is an impossibility. What has come out in the reports so far is that out of fifty thousand now they seem to be talking about one-eighty, from one-eighty it has come down to thirty-seven… and now it seems in actuality it is twelve.”
The NSO Group further added, “This is clearly some international conspiracy. The entire idea of Pegasus is to fight terror and crime and those that buy these services are trying to break terror outfits that use end-to-end encryptions. Law agencies have no other way to fight terror than to use credible technology like ours which have several firewalls of regulation and human rights policies and verification processes.”
What we can conclude from all these!
The consortium’s report may have made a mountain out of a molehill and as a result, people and governments may have overreacted. The quasi-intellectuals are playing their parts to perfection. There indeed could be a conspiracy to undermine right-wing governments. But imagine what would happen if the Pegasus Spyware falls in the wrong hands.
EC-Council University is one place that teaches you, among other things, how to think like a hacker. Once you can get inside the hacker’s mind, you will be able to pre-empt cyber attacks and also test your organization’s vulnerabilities. Have you heard about the “Certified Ethical Hacker” online certificate in Cyber Security offered by EC-Council University?
Cybercriminals are getting sophisticated every day. There is no stopping them unless we have more Cyber Security professionals joining the security brigade and better contingency plans in place. At present, the demand for Cyber Security professionals exceeds the supply.
To be a skilled Cyber Security professional, get a Cyber Security degree from EC-Council University, and be eligible for up to seven industry certifications.