It’s a doozy of a case in digital spying. Security researchers have revealed evidence of attempted or successful installations of Pegasus, software made by Israel-based cybersecurity company NSO Group, on 37 phones belonging to activists, rights workers, journalists and businesspeople. They appear to have been targets of secret surveillance by software that’s intended to help governments pursue criminals and terrorists.
One of the most powerful objections to Pegasus came from the US government, and now one reason for the wrath could have emerged Friday: The spyware was found on the phones of at least nine State Department employees whom Apple notified about the hack, Reuters reported. The officials were either based in Uganda or involved in matters associated with the African country, but it’s unclear who hacked the phones, the report said, citing unnamed sources. The New York Times corroborated the report, saying at least 11 employees were affected.
Pegasus has been a politically explosive issue that’s put Israel under pressure from activists and from governments worried about misuse of the software. In November, the US federal government took much stronger action, blocking sale of US technology to NSO by putting the company on the government’s Entity List. NSO has suspended some countries’ Pegasus privileges but has sought to defend its software and the controls it tries to place on its use.
Apple sued NSO Group in November, seeking to bar the company’s software from being used on Apple devices, require NSO to locate and delete any private data its app collected, and disclose the profits from the operations. “Private companies developing state-sponsored spyware have become even more dangerous,” said Apple software chief Craig Federighi.
The phones were on an activist organization’s list of more than 50,000 phone numbers for politicians, judges, lawyers, teachers and others. Also on that list are 10 prime ministers, three presidents and a king, according to an international investigation released in mid-July by The Washington Post and other media outlets, though there’s no proof that being on the list means an attack was attempted or successful.
Pegasus is the latest example of how vulnerable we all are to digital prying. Our phones store our most personal information, including photos, text messages and emails. Spyware can reveal directly what’s going on in our lives, bypassing the encryption that protects data sent over the internet.
The 50,000 phone numbers are connected to phones around the world, though NSO disputes the link between the list and actual phones targeted by Pegasus. The devices of dozens of people close to Mexican President Andrés Manuel López Obrador were on the list, as were those belonging to reporters at CNN, the Associated Press, The New York Times and The Wall Street Journal. Several phones on the list, including one belonging to Claude Mangin, the French wife of a political activist jailed in Morocco, were infected or attacked. Other cases of Pegasus infection have emerged since the initial revelations.
Here’s what you need to know about Pegasus.
What is NSO Group?
It’s a company that licenses surveillance software to government agencies. The company says its Pegasus software provides a valuable service because encryption technology has allowed criminals and terrorists to go “dark.” The software runs secretly on smartphones, shedding light on what their owners are doing. Other companies provide similar software.
Chief Executive Shalev Hulio co-founded the company in 2010. NSO also offers other tools that locate where a phone is being used, defend against drones and mine law enforcement data to spot patterns.
NSO has been implicated by previous reports and lawsuits in other hacks, including a reported hack of Amazon founder Jeff Bezos in 2018. A Saudi dissident sued the company in 2018 for its alleged role in hacking a device belonging to journalist Jamal Khashoggi, who had been murdered inside the Saudi embassy in Turkey that year.
What is Pegasus?
Pegasus is NSO’s best-known product. It can be installed remotely without a surveillance target ever having to open a document or website link, according to The Washington Post. Pegasus reveals all to the NSO customers who control it — text messages, photos, emails, videos, contact lists — and can record phone calls. It can also secretly turn on a phone’s microphone and cameras to create new recordings, The Washington Post said.
General security practices like updating your software and using two-factor authentication can help keep mainstream hackers at bay, but protection is really hard when expert, well-funded attackers concentrate their resources on an individual.
Pegasus isn’t supposed to be used to go after activists, journalists and politicians. “NSO Group licenses its products only to government intelligence and law enforcement agencies for the sole purpose of preventing and investigating terror and serious crime,” the company says on its website. “Our vetting process goes beyond legal and regulatory requirements to ensure the lawful use of our technology as designed.”
Human rights group Amnesty International, however, documents in detail how it traced compromised smartphones to NSO Group. Citizen Lab, a Canadian security organization at the University of Toronto, said it independently validated Amnesty International’s conclusions after examining phone backup data.
In September, though, Apple fixed a security hole that Pegasus exploited for installation on iPhones. Malware often uses collections of such vulnerabilities to gain a foothold on a device and then expand privileges to become more powerful. NSO Group’s software also runs on Android phones.
Why is Pegasus in the news?
Forbidden Stories, a Paris journalism nonprofit, and Amnesty International, a human rights group, shared with 17 news organizations a list of more than 50,000 phone numbers for people believed to be of interest to NSO customers.
The news sites confirmed the identities of many of the individuals on the list and infections on their phones. Of data from 67 phones on the list, 37 exhibited signs of Pegasus installation or attempted installation, according to The Washington Post. Of those 37 phones, 34 were Apple iPhones.
The list of 50,000 phone numbers includes French President Emmanuel Macron, Iraqi President Barham Salih and South African President Cyril Ramaphosa. Also on it are seven former prime ministers and three current ones, Pakistan’s Imran Khan, Egypt’s Mostafa Madbouly and Morocco’s Saad-Eddine El Othmani. King Mohammed VI of Morocco also is on the list.
The episode hasn’t helped Apple’s reputation when it comes to device security. “We take any attack on our users very seriously,” Federighi said. The company said it’ll donate $10 million and any damages from the lawsuit to organizations that are advocating for privacy and are pursuing research on online surveillance. That’s a drop in the bucket for Apple, which reported a profit of $20.5 billion for its most recent quarter, but it can be significant for much smaller organizations, like Citizen Lab.
Whose phones did Pegasus infect?
In addition to Mangin, two journalists at Hungarian investigative outlet Direkt36 had infected phones, The Guardian reported.
A Pegasus attack was launched on the phone of Hanan Elatr, wife of murdered Saudi columnist Jamal Khashoggi, The Washington Post said, though it wasn’t clear if the attack succeeded. But the spyware did make it onto the phone of Khashoggi’s fiancee, Hatice Cengiz, shortly after his death.
Seven people in India were found with infected phones, including five journalists and one adviser to the opposition party critical of Prime Minister Narendra Modi, The Washington Post said.
And six people working for Palestinian human rights groups had Pegasus-infected phones, Citizen Lab reported in November.
What are the consequences of the Pegasus situation?
The US cut off NSO Group as a customer of US products, a serious move given that the company needs computer processors, phones and developer tools that often come from US companies. NSO “supplied spyware to foreign governments” that used it to maliciously target government officials, journalists, businesspeople, activists, academics and embassy workers. “These tools have also enabled foreign governments to conduct transnational repression,” the Commerce Department said.
Macron changed one of his mobile phone numbers and requested new security checks, Politico reported. He convened a national security meeting to discuss the issue. Macron also raised Pegasus concerns with Israeli Prime Minister Naftali Bennett, calling for the country to investigate NSO and Pegasus, The Guardian reported. The Israeli government must approve export licenses for Pegasus.
Israel created a review commission to look into the Pegasus situation. And on July 28, Israeli defense authorities inspected NSO offices in person.
European Commission chief Ursula von der Leyen said that if the allegations are verified, Pegasus use is “completely unacceptable.” She added, “Freedom of media, free press is one of the core values of the EU.”
The Nationalist Congress Party in India demanded an investigation of Pegasus use.
Edward Snowden, who in 2013 leaked information about US National Security Agency surveillance practices, called for a ban on spyware sales in an interview with The Guardian. He argued that such tools otherwise will soon be used to spy on millions of people. “When we’re talking about something like an iPhone, they’re all running the same software around the world. So if they find a way to hack one iPhone, they’ve found a way to hack all of them,” Snowden said.
What does NSO have to say about this?
NSO acknowledges its software can be misused. It cut off two customers in the most recent 12 months because of concerns about human rights abuses, according to The Washington Post. “To date, NSO has rejected over US $300 million in sales opportunities as a result of its human rights review processes,” the company said in a June transparency report.
However, NSO strongly challenges any link to the list of phone numbers. “There is no link between the 50,000 numbers to NSO Group or Pegasus,” the company said in a statement.
“Every allegation about misuse of the system is concerning me,” Hulio told the Post. “It violates the trust that we give customers. We are investigating every allegation.”
In a statement, NSO denied “false claims” about Pegasus that it said were “based on misleading interpretation of leaked data.” Pegasus “cannot be used to conduct cybersurveillance within the United States,” the company added.
Regarding the alleged infection of State Department phones, NSO Group didn’t immediately respond to a request for comment. But it told Reuters it canceled relevant accounts, is investigating, and will take legal action if it finds misuse.
NSO will try to reverse the US government’s sanction. “We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based on the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products,” an NSO spokesperson said.
In the past, NSO had also blocked Saudi Arabia, Dubai in the United Arab Emirates and some Mexican government agencies from using the software, The Washington Post reported.
How can I tell if my phone has been infected?
Amnesty International released an open-source utility called MVT (Mobile Verification Toolkit) that’s designed to detect traces of Pegasus. The software runs on a personal computer and analyzes data including backup files exported from an iPhone or Android phone.