What the latest Pegasus spyware leaks tell us

New documents show journalists and activists are being surveilled using the tools built by secretive Israeli security company NSO.

On 19 July, a consortium of 17 international media organisations published an investigation around a leaked list of phone numbers from across the world, dubbed the Pegasus Project. These numbers are allegedly a “target list” of phones hacked/to be hacked by the Pegasus spyware product sold by Israel’s NSO Group. The list is apparently notable for its sheer size, as well as for containing the numbers of prominent journalists, dissidents from various countries, politicians, judges, businessmen, rights activists and heads of state. Some targets listed have cooperated with the consortium of media and Amnesty International for a forensic examination of their devices, and have found evidence of hacking using the Pegasus suite.

What is Pegasus?

Pegasus is a spyware suite sold by Israeli company NSO Group to “vetted government clients”. It is used to compromise and conduct surveillance on targeted Windows, Mac computers, and also Android and iOS smartphones. The spyware can be delivered using links sent via email or SMS, via WhatsApp or using far more sophisticated ‘0-day’ vulnerability exploits, which are security flaws or bugs unknown even to device manufacturers. Finding and exploiting such ‘0-day’ vulnerabilities is a highly specialised, complex and time consuming task. It has, at one point, been able to infect target smartphones simply by placing a WhatsApp call, regardless of whether the call was answered or not.

Why is this important?

According to The Wire’s report, the NSO Group’s client list includes the governments of Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates, as well as India. On the list, The Wire reports, are 300 numbers of Indian nationals including some politicians, rights activists and journalists. The NSO Group claims to sell the Pegasus suite only to “vetted governments” and not private entities, which suggests that the target list comprises persons under surveillance by the government.

The cost of the suite also puts it out of the reach of most private entities. A small sample of 37 phones were subjected to forensic analysis – including 10 Indian phones – by Amnesty International and found to show signs of a Pegasus infection. These devices belonged to journalists, politicians, businesspersons, legal and other professionals – people of note, not criminals or terrorists. The correlation being drawn is that this is indeed a list of Pegasus spyware targets.

Infiltrating phones or computers using such methods comprises ‘hacking’, which is a punishable offence under the Information Technology Act, 2000.

Who have been targeted?