Unveiling the Dark Realm of Pegasus Spyware
Explore the insidious world of Pegasus, an Israeli spyware tool that transcends conventional hacking, raising concerns about its misuse against activists, journalists, and political figures worldwide.
I first became aware of the Pegasus spyware in connection with journalist Jamal Khashoggi’s assassination and dismemberment in the Saudi consulate in Istanbul on October 2, 2018. His wife, Hanan Elatr, is attempting to sue the Israeli spyware company behind Pegasus—NSO Group—after it was revealed that she was targeted by one of their clients, Saudi Arabia. An investigation by The Guardian mostly points to Khashoggi’s close associates being surveilled by Pegasus in the months after the murder and also identifies evidence suggesting that an NSO Group client targeted his wife’s phone several months before his killing.
The former director general of the Al Jazeera television network and close friend of Khashoggi, Wadah Khanfar, was also hacked using Pegasus, with analysis showing that his phone was still infected as recently as July 2021. Khashoggi’s fiancée Hatice Cengiz was also hacked (Khashoggi allegedly went to the Saudi Consulate in the first place to retrieve documents to finalize the divorce with his wife). A Saudi national in Canada he was corresponding with was also hacked. Saudi Arabia’s use of Pegasus likely played a pivotal role in the surveillance that led to his kidnapping and murder in the Saudi consulate in Istanbul.

What is Pegasus?
We should all be familiar with the advice not to click on mysterious links that appear in text messages or emails. They can lead your device to be infected by spyware of different types, giving hackers behind the link access to your device and then to your private, personal data. There are countless stories of victims whose passwords, photos, messages, etc. become compromised by this type of hack. Pegasus takes this exploit a step further.
Pegasus is a spyware product made and distributed by an Israeli cyber-espionage and malware company called NSO Group. The customers of NSO Group use the Pegasus spyware software to carry out zero-click exploits—meaning that a mobile device can be infected by the spyware even if its owner hasn’t clicked on anything. It then grabs everything it can, providing complete access to all aspects of the phone to the spyware operator. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails, and location data, or activate microphones and cameras without its owner knowing.

In short, it’s the holy grail of device hacking.
Pegasus isn't supposed to be used to go after activists, journalists and politicians. “NSO products are used exclusively by government intelligence and law enforcement agencies to fight crime and terror,” the company says on its website. “We take a pioneering approach to applying rigorous, ethical standards to everything we do. Our vetting methodology includes both a strict licensing process from the relevant export-control authority, as well as a structured in-depth, internal review under our Human Rights Policy, reviewing and providing recommendations and decisions for each marketing opportunity. Our process sets a benchmark for the industry.”
Putting it simply and avoiding all the technical jargon that describes what this software does in detail, Pegasus takes advantage of security vulnerabilities in a phone’s operating system (Apple iOS or Android) and/or in applications like Google Chrome, Apple Messages, Meta’s WhatsApp, Zoom, etc. These vulnerabilities may already be known to the developer, who is actively working on a fix (N-day exploits), or may not yet have been discovered by the developer (zero-day exploits).
Is Pegasus the only one of its kind?
Not at all. Pegasus is one of many cyber espionage products that offer similar surveillance capabilities. There’s also Predator (by North Macedonia-based Cytrox, a subsidiary of Intellexa), Hermit (Italy’s RCS Lab), Heliconia (Spain’s Variston IT), Cognyte (Israel), Candiru (Israeli-based, co-founded by a former employee of NSO Group), QuaDream (also founded by former NSO employees)… and the list of competing spyware providers goes on. Google’s Threat Analysis Group (TAG) is tracking over 30 vendors with “varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.”
Who is using it, and who are they targeting?
The ideal client for NSO Group is a government or non-state actor with international or domestic surveillance ambitions that lacks the necessary investment and infrastructure to carry out sophisticated hacking and spying. For example, the US and its surveillance allies wouldn’t need to purchase Pegasus since they already have the spying capabilities it provides. Since 1946, secret agreements have allowed intelligence agencies in Australia, Canada, New Zealand, the United Kingdom, and the US to spy on the world and share their findings—the group is known as the “Five Eyes.” Each of the Five Eyes governments conducts interception, collection, acquisition, analysis, and decryption activities, sharing all intelligence information obtained with the others by default. Edward Snowden’s June 2013 revelations confirmed that these agencies have backdoors into all the major Western tech service providers (Google, Meta, Apple, Microsoft, etc.). Pegasus fills the gap between the mega-spies at the top of the surveillance pyramid and governments and actors who share the ambitions of the top dogs.

Haaretz has compiled a list of the known victims of Pegasus, based on the findings of the Forbidden Stories NGO which has done excellent collaborative work to uncover its targets, releasing 450 confirmed names among thousands of non-confirmed suspected victims.
Victims include journalists, human rights activists, diplomats—anyone you can imagine that a government might want to spy on. Countries in which Pegasus has been deployed include, at a minimum, Azerbaijan, Bahrain, El Salvador, Finland, France, Hungary, India, Israel, Jordan, Kazakhstan, Lebanon, Morocco, the West Bank, Poland, Rwanda, Saudi Arabia, Togo, the UAE, the United Kingdom, and the United States.
According to Meta’s 2022 Threat Report on the Surveillance-for-Hire Industry, “Firms selling these capabilities often market themselves as ‘web intelligence services’ to enable collection, retention, analysis and searchability. They typically use fake [social media] accounts to search and view people’s profiles and other publicly available information. They can be managed by the service provider for its clients, or operated by the customers themselves through software provided by the surveillance-for-hire firm.”
Infected by Pegasus and Predator at the same time
PredatorGate is one of the biggest government spying scandals to hit Greece. Predator spyware was found on “92 smartphones, belonging to businessmen, journalists, prosecutors, state officers, politicians, government ministers and their associates.” The scandal led to the resignation of top government officials like the prime minister's chief of staff and the head of the National Intelligence Service.
According to Citizen Lab, “two Egyptians—exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)—were hacked with Predator spyware. The phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.”
In a comprehensive 2023 report by Amnesty International’s Security Lab, some of those targeted by Predator—though not necessarily infected—include the President of the European Parliament, Roberta Metsola, the President of Taiwan, Tsai Ing-Wen, US Congressman Michael McCaul, US Senator John Hoeven, the German Ambassador to the United States, Emily Haber and French MEP Pierre Karleskind.
Pegasus was “found on the phones of at least nine US State Department officials who were either based in Uganda or involved in matters associated with the African country, Reuters and The New York Times reported in December.”
Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia.
The Spanish government disclosed that Pegasus had also surveilled its officials in 2021. Prime Minister Pedro Sánchez and Defense Minister Margarita Robles were among the primary targets. In February 2021, while on an official visit to Morocco, their mobile phones fell victim to Pegasus infections. Additionally, Foreign Minister Arancha González Laya and Interior Minister Fernando Grande-Marlaska faced Pegasus surveillance in May 2021.
The Citizen Lab’s report revealed that Pegasus had specifically targeted more than 60 individuals associated with the Catalan independence movement from 2017 to 2020. This list includes notable figures such as three presidents of the Generalitat of Catalonia: Artur Mas, Quim Torra, and Pere Aragonès. These individuals have taken legal action, filing a complaint against Paz Esteban and the NSO Group. Paz Esteban serves as the director of CNI, Spain’s intelligence service.
Am I being targeted?
It’s highly unlikely. Chances are that unless you’re actively engaged in political or corporate subversion, or actively investigating wrongdoing by high-level government officials, resources have not been deployed to monitor your communications. The available evidence suggests that these surveillance tools are mainly deployed against diplomats, journalists, dissidents, political opponents, and activists looking to bring to light corporate or political malfeasance. Norton Antivirus reassuringly states that “regular” people aren’t often targeted because of the cost of running the software.
How much does it cost to run Pegasus?
According to the Guardian, the FBI obtained Pegasus in 2019 and ran a “one-year test project with the software and it cost about $5M, and they renewed for another $4M,” their source claimed.
The New York Times reported in 2016 that the NSO Group charged customers $500,000 just to install the software and $650,000 to get into 10 devices. The report also said that infiltrating 10 Android devices would cost an agency $650,000 and the same cost would apply for 10 iPhones. This comes with the caveat that the “price list mentioned is for the previous generation of Pegasus and current versions with greater features and even zero-click capabilities may cost more.”

Forbidden Stories and Amnesty International obtained a sample of 50,000 phone numbers selected by NSO Group’s clients as potential targets and shared it with a consortium of media outlets that conducted an investigation. The actual number of Pegasus targets may be much higher, as NSO Group claims to have more than 60 clients in 40 countries.
‘Nothing to hide, nothing to fear’
After Ed Snowden’s leak in 2013 of NSA documents detailing mass surveillance of electronic communications, the NSA was quick to react with the infamous phrase: “If you don’t have anything to hide, you have nothing to fear.”
However, most people recognize, as the ACLU suggests, that “privacy is a fundamental part of a dignified life” and “the ‘nothing to hide’ argument mistakenly suggests that privacy is something only criminals desire. We choose to do many things in private—sing in the shower, make love, confide in family and friends—even though they are not wrong or illegal. Who would not be embarrassed if all of their most intimate details were exposed? Fences and curtains are ways to ensure a measure of privacy, not indicators of criminal behavior.”
The stark reality reveals that tools such as Pegasus, Predator, and their counterparts are far from being employed within the bounds of their intended use by law enforcement agencies in the pursuit of criminals. Instead, they are wielded at the discretion of operators with a glaring absence of transparency and accountability in their application. The extensive, “collect it all” surveillance orchestrated by entities like the NSA differs significantly from the targeted approach employed by Pegasus. While the NSA's dragnet captures the communications of everyone, Pegasus specifically singles out individuals.
The notion of “having nothing to hide” falters here because these individuals likely have aspects of their lives they do indeed wish to hide. Journalists, for instance, make assurances to safeguard their sources, enabling the disclosure of crucial information without fear of retaliation. Journalists also delve into the misdeeds of influential figures who may have access to tools like Pegasus (Jamal Khashoggi was writing scathing critiques of Mohammed bin Salman before his murder). Diplomats and politicians engage in confidential discussions on sensitive matters behind closed doors, while dissidents and activists strategize on undermining authoritarian regimes. Countless actors in civil society depend on privacy for their own safety and the safety of those they engage with. It is undeniable that innocent people who have not committed crimes are the targets of these spyware attacks.
Operating in the absence of regulation or oversight, entities like the NSO Group have unleashed a formidable force that, on an infected phone, renders encrypted messaging platforms such as Telegram and Signal, as well as encrypted email services, obsolete: the operator has complete access to the device itself, so chats and emails can be extracted there no matter how they are protected in transit. These spyware tools represent an unwarranted response to civil society's efforts to fortify itself against cyber threats and surveillance through encrypted communication platforms. They are a stranglehold that erodes our collective freedom, fostering a climate of heightened paranoia and diminishing our capacity to resist tyranny and repression.