By Reuters and published by CNA plus The FCPA Blog
AT LEAST 30 Thai political activists have been hacked using Israeli surveillance spyware Pegasus, according to a joint investigation by human rights and cyber monitoring groups, which suspect the attacks were launched locally.
The probe by Thai human rights group iLaw, Southeast Asian internet watchdog Digital Reach and Toronto-based Citizen Lab, followed a mass alert from Apple Inc in November informing thousands of iPhone users, including in Thailand, that they were targets of “state-sponsored attackers”.
Pegasus has been used by governments to spy on journalists, activists, and dissidents and the Israeli firm behind it, NSO Group, has been sued by Apple and placed on a US trade blacklist.
iLaw in its report on Monday (July 18) said 24 political activists, three academics and three members of civil society groups were targeted between October 2020 and November 2021, ranging from one to 14 hacking incidents each.
Yingcheep Atchanont, programme manager at iLaw, was among those hacked and said his group would investigate further, and pursue legal action once it becomes clear who in Thailand was operating Pegasus.
“NSO has said that they only sell the software to governments and that all the victims here are Thai government critics, so they benefited the most,” he said.
NSO Group and a spokesperson for Thailand’s government did not immediately respond to requests for comment.
Wetang Phuangsup, a spokesperson for Thailand’s ministry of Digital Economy and Society, said his ministry was not aware of any usage of spyware by the government.
Citizen Lab’s report, which was separate to that of iLaw, examined digital traces left in the victims’ phones and identified Pegasus usage in Thailand as far back as May 2014.
John Scott-Railton, a Citizen Lab researcher, said the investigation showed Pegasus was being operated in Thailand, with many more hacking victims likely.
“What we uncovered is a lot of targeting of dozens of people over a specific time frame, but having done investigation into Pegasus … over the decade, I am confident that it is the tip of the iceberg,” he said in an online presentation on Monday.
Check your devices for Pegasus spyware
The FCPA Blog
WHILE performing a routine malware scan on my devices, I recently got an unexpected hit: Positive for Pegasus. It appeared that my phone had been compromised by the military-grade spyware wreaking havoc across the globe.
With poise and grace, I contemplated the next steps (i.e., I freaked out). I contacted the company whose software had detected it. They sent the following note, along with the contact information for Amnesty International’s Security Lab: “Please inform [Amnesty] that you had a positive detection of Pegasus . . . and include the report in your email.”
As instructed, I emailed Amnesty, who investigated the report further. One sleepless night later, I received an email from Amnesty informing me that it was a false positive. The kind folks at Amnesty’s Security Lab explained how they had determined it was a false positive, and the relief was overwhelming.
Here’s what I learned during the ordeal.
What is Pegasus?
Pegasus is spyware developed by Israel-based NSO Group that can access everything on your device. It can also covertly activate functions like the camera and microphone, as well as track your GPS location in real-time.
It’s what’s known as a “zero-click” exploit, meaning the targeted individual doesn’t have to click on a link or perform any interaction to have their device compromised. Security expert Gavin de Becker has said newer versions of Pegasus only require a phone number to take complete control of a device.
Typically, vulnerabilities are exploited via iMessage or WhatsApp.
Detecting Pegasus can be difficult. According to de Becker, if a device is turned off or stops transmitting information, Pegasus can self-destruct, leaving little or no trace it ever existed.
Journalists and activists, particularly those covering corruption, are favourite targets.
The chances of your device being infected with Pegasus are small. Still, Amnesty International said its Pegasus Project has found around 50,000 phone numbers of potential surveillance targets, including at least 180 journalists and other targets like human rights defenders, academics, lawyers, and politicians.
How to check for Pegasus
Amnesty International’s Security Lab developed a free tool called Mobile Verification Toolkit (MVT), which scans your device’s logs for known indicators of Pegasus. MVT is a command-line tool, so it’s only recommended if you feel comfortable using the terminal.
Amnesty includes this warning on MVT:
MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. This is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance.
A more user-friendly option, built on Amnesty’s MVT, is available from Geneva-based software company iMazing. The company offers its malware detection functionality for free. A step-by-step guide for detecting Pegasus on iPhones or iPads using iMazing can be found here.
How to protect from Pegasus
Safeguarding devices from Pegasus is difficult, but there are some things users can do to reduce exposure.
Keep your phone updated. No one has more skin in the game than Apple and Google, so don’t ignore OS updates that don’t appear to add any features. The updates are likely full of invisible but important security updates to fix vulnerabilities.
Reboot your phone daily. Research from Amnesty International and Citizen Lab has shown that Pegasus often doesn’t have persistence, meaning regular reboots help sanitise the device, and require attackers to re-infect after each reboot. Occasional factory resets aren’t a bad idea either.
Never click links received in messages. Yes, Pegasus is a “zero-click” exploit, but not everyone using Pegasus can afford this premium feature, and some attacks still rely on user interaction.
Use a VPN. How this works is a bit technical, but VPNs can help prevent man-in-the-middle (MITM) attacks. Select a VPN carefully, and free VPNs aren’t recommended.
Scan for malware regularly. Just because you didn’t find any today doesn’t mean you won’t find any tomorrow. With new advancements in spyware, if you don’t catch it in the act, there may be no way to tell if your device was ever compromised.
What to do if you have Pegasus
If your organisation has an IT department, contact them immediately.
If you’ve discovered a potential Pegasus breach using third-party software like iMazing, let the software supplier know what you’ve found. Be sure to provide logs and results of the malware scan. They will put you in touch with people who can help.
You can also contact Amnesty International’s Security Lab. They may be able to provide additional information and resources, like they did when I reached out.
Publisher and editor of the FCPA Blog.
He’s the CEO of Recathlon LLC. The firm provides global compliance information and data services and is the owner of the FCPA Blog. He lived and worked in Asia (Singapore and Hong Kong) for many years and joined the FCPA Blog in 2010. He holds an IACA Level 1 anti-corruption expert qualification and an undergraduate degree from Valparaiso University in international economics and Chinese.)
Top: The word Pegasus and binary code are displayed on a smartphone which is placed on a keyboard in this illustration taken May 4, 2022. File photo: Reuters/Dado Ruvic/Illustration and published by CNA
Front Page: Pegasus software can extract data and activate cameras or microphones once it has successfully infiltrated a mobile device. Photo: Reuters and published by The Straits Times