Pegasus: the spyware for governments

It is not something most people think about: someone can remotely read the entire contents of your smartphone, without you noticing anything and without you being able to do anything about it. A major data leak has revealed the scale on which one piece of spyware of this kind, Pegasus, is used. The controversy lies mainly in the fact that the surveillance malware was used predominantly by governments.

When we think of cyber attacks, we usually think of China and Russia, whose denials seem to grow more emphatic as the evidence against them grows. But Western countries are hardly innocent when it comes to cyber attacks either. The biggest example is the massive unauthorized (and human rights-violating) surveillance, hacking and attacks carried out by the US NSA, the UK's GCHQ and their Western partners, which came to light thanks to Edward Snowden.

NSO Group: malware from Israel

The latest government malware scandal comes from Israel. Unusual, but not entirely unexpected either. Israel was already on the map when it comes to cyber attacks thanks to the Stuxnet malware. Stuxnet was extremely sophisticated and was designed to sabotage the centrifuges Iran used to enrich uranium for its nuclear program. Successfully. Stuxnet was eventually discovered and the vulnerabilities it exploited were made public, which allowed cybercriminals to reuse parts of its code and exploits in malware of their own, setting off a chain reaction in cybercrime.

Behind Pegasus is the Israeli NSO Group, a technology company that says it develops surveillance tools and licenses them exclusively to governments. In its own words, only to combat criminal and terrorist organizations. The leaks show, however, that not all government buyers are equally trustworthy and that many targets were not criminals or terrorists at all, but frequently journalists and dissidents. NSO Group has pointed to the unclear origin of the leaked data, on which many media outlets (including The Guardian) have since reported.

The leaked data consists of a list of around 50,000 phone numbers of possible targets, selected from 2016 onwards. Forbidden Stories, a French nonprofit journalism organization, and Amnesty International obtained the list and worked with 16 media organizations to report on it.

Years after the revelations of Edward Snowden, nothing seems to have improved in practice.

What does Pegasus do?

Like Stuxnet, Pegasus is extremely advanced, and in principle anyone with a smartphone can be a target. The malware is deployed in a targeted fashion: specific individuals are singled out for the attack. The researchers who uncovered Pegasus had a hard time identifying it; forensic analysis in Amnesty International's Security Lab was needed to reconstruct what the malware had done on a device. Exactly how the malware was delivered to a given device is often not recoverable afterwards, and neither is the identity of the client. The targets and the operators behind Pegasus have mainly come to light through the leaked list.

The malware gets onto a smartphone by exploiting vulnerabilities in the device and in installed apps; in some cases this requires no interaction from the target at all. It is also possible to install the malware by getting the target to open a link that points to it.
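How the forensic side of this works in practice deserves a concrete illustration. Amnesty's Security Lab later published its indicators of compromise and an open-source scanner (the Mobile Verification Toolkit, MVT) that checks a device backup for them; the core of such a check is matching URLs and domains found in device artifacts (SMS messages, browser history) against a list of known attacker infrastructure. The block below is an added example written for this article, not code from the original page, from Amnesty or from MVT. The IOC domains and the device records in it are constructed placeholders, not real Pegasus indicators.

```python
import re
from urllib.parse import urlparse

# Constructed indicator list: placeholder domains standing in for an IOC feed.
# These are NOT real Pegasus indicators.
IOC_DOMAINS = {"cdn-updates.example", "tracker-stats.example"}

# Constructed device artifacts of the kind a backup scan yields
# (SMS bodies and browser-history entries). Sample data only.
SAMPLE_RECORDS = [
    {"source": "sms", "text": "Your parcel is waiting: https://tracker-stats.example/p/1"},
    {"source": "safari_history", "url": "https://news.example/article"},
    {"source": "safari_history", "url": "http://a.cdn-updates.example/ping"},
    {"source": "sms", "text": "Hi, see you at 8"},
    {"source": "safari_history", "url": "https://notcdn-updates.example/"},
]

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def domain_matches(host, iocs):
    """True if host equals an IOC domain or is a subdomain of one.

    A naive substring test would also flag 'notcdn-updates.example';
    requiring an exact match or a leading '.' boundary avoids that.
    """
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def extract_urls(record):
    """Return the URLs contained in one artifact record."""
    if "url" in record:
        return [record["url"]]
    return URL_RE.findall(record.get("text", ""))


def scan(records, iocs):
    """Match every URL in the records against the IOC domains.

    Returns one hit per matching URL with its source artifact, so an analyst
    can go back to the original message or history entry.
    """
    hits = []
    for rec in records:
        for url in extract_urls(rec):
            host = urlparse(url).hostname
            if host and domain_matches(host, iocs):
                hits.append({"source": rec["source"], "url": url, "domain": host})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS, IOC_DOMAINS):
        print(f"[{hit['source']}] {hit['domain']} <- {hit['url']}")
```

Two caveats a practitioner should keep in mind: an IOC scan only finds infrastructure that has already been published, so no hits is not proof of absence, and a subdomain match has to respect the label boundary, otherwise look-alike domains produce false positives.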

Once Pegasus has installed itself on a smartphone, it can in principle reach everything: your text messages, emails, chats (both WhatsApp and iMessage), files, photos and videos, your contact list and calendar, and system components such as your location data, microphone, camera and even your phone calls.

The malware arsenal is so extensive that it doesn’t matter whether the target is using an iPhone or an Android smartphone.

Despite Apple’s fierce security marketing, no device appears to be secure. Not even iPhones.

Who Uses Pegasus?

NSO Group does not say who its customers are, although the company does state that it has 60 customers in 40 countries. Analysis of the data identified multiple governments, including those of Mexico, Morocco, Hungary, India, Saudi Arabia and Rwanda. A diverse palette, including countries with a poor record on press freedom that are therefore eager for tools like these to track journalists (and their contacts). The fact that the malware was found on journalists' smartphones indicates that this actually happened. But judges, human rights activists, business people, diplomats and government officials also turned out to be targets. More stories about possible targets will be published in the coming weeks.

What can you do yourself?

We are all taught sensible behavior on the internet: protect your PC with a virus scanner, do not click on every link, do not leave your data everywhere, do not always press OK, and be careful about what you install. Pegasus confirms that if you are an interesting enough target, you can always be infected, regardless of your good internet habits. It only depends on how much a client is willing to invest in following you.

Pegasus teaches that anyone can be a target, regardless of safe internet habits.

Because the malware is invisible, you are not aware of the infection or of what it is doing. The reason Pegasus was deployed so selectively is probably to keep the malware and its exploits from being discovered. That is alarming, as is the fact that governments use it to spy. After Edward Snowden's revelations, the response was that government cyber attacks serve security, for instance by countering terrorism. The target list shows that government malware is still being used for the opposite, and that this is by no means limited to the familiar Chinese and Russian quarters.

Now that the malware has come to light, another problem arises. After Stuxnet, a great deal of new malware was developed that reused pieces of its code and the vulnerabilities it exploited. Now that Pegasus has been exposed, the same may happen again: if someone with malicious intent gets hold of it and reverse-engineers it, the techniques can be reused for large-scale attacks such as ransomware distribution.

Government malware is not used in the Netherlands… Right?

It is still unclear whether there are Dutch targets, and it is not yet known whether Dutch government bodies and intelligence services are customers of NSO Group. There is plenty of cause for concern regardless. Even if the Dutch services are not NSO customers at all, it is naive to think that malware of this kind is not used here. It may be developed in-house, used in collaboration with other intelligence services, or purchased from other companies.

The remarkable thing is that the Dutch intelligence services are allowed to do this, without having to disclose which tools and vulnerabilities they use. Such disclosure would contribute to a safer digital world for everyone. The controversial Intelligence and Security Services Act 2017 (Wiv 2017), nicknamed the "sleepwet" (dragnet law), gives the green light for this. After the law was rejected in an advisory referendum in 2018, it was nevertheless brought into force after, among other things, a review committee (the TIB) was set up.

In effect, the law has given the intelligence services the freedom to use this type of malware as well. Communications can be intercepted from anyone, including citizens who are not suspects and people who merely happened to be in the vicinity of a suspect. Devices may be hacked, and collected data may be shared with foreign regimes without specifying which ones. Nor do the services have to disclose which tools or dubious companies are used for the hacks and infections.

Pegasus: the tip of the iceberg

The first reports about the Pegasus malware appeared only recently. Several media organizations are working with Amnesty International and Forbidden Stories to bring the abuses to light.
