The Pegasus Scandal: 9 questions and some answers
1. What is the “Pegasus” spyware?
Pegasus is the name of a piece of custom-made malware, designed to secretly penetrate a mobile device – usually a smartphone – to collect various data from it, and then covertly send that data to the attacker.
The collected data may include the contents of files stored on the device, such as photos or recordings, keyboard input, text-based communication, phone conversations conducted over the phone network or over the Internet, the device’s location information, etc. Pegasus also allows the attacker to remotely activate the device’s camera and/or microphone and use the device to eavesdrop on the victim.
The Israeli company NSO Group, creator and developer of Pegasus, claims that its intended purpose is to aid the authorities in tracking and catching terrorism and crime suspects. The obligation that Pegasus is to be used only for legitimate purposes of crime-fighting and anti-terrorism is part of the contracts which NSO Group signs with its clients, who are exclusively foreign government services from the military, intelligence and law enforcement sector.
2. How do we know about Pegasus’ existence?
Pegasus was first spotted in 2016, when a UAE journalist became suspicious of a tipoff he received in a chat message and sought the help of IT security experts, who inspected the link contained in the message. It is assumed that the malware was first used in 2013.
The latest scandal around Pegasus’ misuse stems from a media investigation published on July 18, a collaborative effort of 17 leading news outlets, among which are the Süddeutsche Zeitung, The Washington Post, Le Monde, The Guardian, and Haaretz.
The journalists obtained from their sources a list of around 50 000 phone numbers from all over the world. By nationality, the numbers are concentrated predominantly in ten countries. Some of these countries are known for their habit of spying on their own citizens and have been identified by investigative journalists as NSO Group clients. Around 1000 people, citizens of over 50 countries, have been identified through the list of phone numbers. Among those identified are hundreds of state officials and politicians, around 200 journalists, more than 60 high-ranking managers and nearly 100 human rights activists. Forensic analysis of the devices of some of those identified has confirmed that they were attacked with the Pegasus spyware.
3. What makes Pegasus special enough to cause an international scandal?
The scandal is caused by the discovery that, besides criminals, Pegasus has been used for hacking the phones of politicians, businessmen, democracy and human rights activists from around the world.
Additional concern is caused by the fact that, in the version in which it has been examined by Amnesty International, Pegasus can penetrate devices without any chance for the victim to learn of the attack or counteract it. The so-called “zero-click” attack can be initiated by a phone call to the victim, by sending a specially crafted text message which doesn’t create a notification for the user but injects code that makes a request to a Pegasus-related server, or through other means. The request is transferred through multiple other servers which verify if it’s the intended victim’s device, and then the malware is downloaded, all unbeknownst to the user.
Experts suspect that in its newest version Pegasus never even touches the device’s persistent storage, residing only in working memory during an attack, which makes it harder to discover through forensic analysis.
What can be said with certainty is that, in its current incarnation, Pegasus allows unauthorized access to the data storage of mobile devices – and thus to the personal life and secrets – of virtually anyone. From the publicly available information it is apparent that in many cases it has been used not for the prevention of crimes but for spying on and tracking those opposed to one or another political regime.
4. Is there any Bulgarian participation in Pegasus’ development?
According to currently available information, most likely not. The Pegasus spyware is classified as a weapon by the Israeli authorities, which must approve every instance of exporting Pegasus from Israel, and its export is subject to regulations similar to those governing weapons technology. The spyware itself relies on the exploitation of security flaws in the two major mobile operating systems (iOS and Android) – the nature and even the existence of these security flaws is in itself a well-kept secret. The operating systems’ developers (Apple and Google) for their part offer substantial rewards – in the range of hundreds of thousands of dollars – for the reporting of critical security flaws such as those used in spyware attacks. On the black market, brokers offer sums in the millions of dollars for the same information. These factors, combined with the weaker control which NSO Group would have over contractors in a foreign country, make it more probable that Pegasus’ development is conducted exclusively in NSO’s offices in Israel. Interestingly, NSO spokesman Oded Hershkovitz was quoted describing NSO as a “Zionist company that operates only from Israel”.
As the Bulgarian outlet “Capital” reminds[bg], the company Circles, which operates a Bulgarian office with about 150 employees, is also part of NSO Group. Circles, however, is known for developing a different software solution, which operates on a different principle than Pegasus. According to Bivol’s information, Circles’ software is used for tapping phone calls over the cellular network and does not attack the victim’s device for that purpose. From the information available on Circles it does not look likely that their Bulgarian office is tasked with the development of Pegasus.
These articles, analyses and comments are made possible thanks to your empathy and contributions, which are the only guarantors of independence and objectivity in our work. The Alternatives and Analysis team.
In this context it’s worth noting that Circles opened its outsourced offices in Cyprus and Bulgaria before merging with NSO Group in 2014. Since then the Cyprus office has been closed and no new outsourced offices are known to have been opened. It would seem that it is not NSO’s policy to conduct development of its products outside of Israel.
Finally, in a response to a query by Free Europe[bg], NSO Group has denied that Circles’ Bulgarian office participates in the development or distribution of Pegasus.
Although there is no evidence of Pegasus having been developed on Bulgarian soil, Amnesty International’s forensic investigation shows that some part in Pegasus’ distribution is probably played by Bulgarians, since one of the servers comprising the network infrastructure over which Pegasus attacks are conducted is located in a Bulgarian datacenter owned by a Bulgarian company.
5. Has Pegasus been used by Bulgarian authorities?
In an official response[bg] to a query, the Bulgarian Council of Ministers denies having concluded a contract with NSO Group, which is the only way for the spyware to have been greenlit for use by Bulgaria’s intelligence services, armed forces or police.
In a letter answering a query by the Access Now non-profit, one of NSO Group’s owners, Stephen Peel of Novalpina Capital announced that “Some of NSO’s products are exported from the EU (either Bulgaria or Cyprus)”. The response to an Access Now query to the Bulgarian Ministry of Economics (which sanctions the export of products from Bulgaria) was that Bulgaria has not issued licenses for export to NSO Group[bg].
Free Europe also quotes[bg] the Ministry of Economics that Bulgaria’s Circles office “has been issued export licenses, but the described products do not coincide with those described in the media publications”.
From this information we can conclude that Pegasus has not been used by Bulgaria’s authorities, nor exported through Bulgaria into other countries, and that the export licenses issued cover the products developed by Circles in its Bulgarian office. This is further circumstantial evidence in support of the assumption that Pegasus has not seen any development work in Bulgaria, contrary to what some Bulgarian media were quick, and somewhat sensationally, to announce.
6. What actions can Bulgaria’s government take?
Bulgaria’s government naturally has the obligation to protect the security of its citizens, including from hacking attacks. The possibility that Bulgarian citizens, including political and other public figures, have been targeted cannot be ruled out.
It would be proper for the Bulgarian authorities to first establish whether the leaked list of phone numbers acquired by the group of media outlets contains phone numbers of Bulgarian citizens.
Second, Bulgarian authorities should proactively conduct a checkup of mobile devices running Android or iOS, beginning with those used by high-ranking government officials in the last few years, and subsequently of those used by government officials at lower levels of the hierarchy. There are technical methods to conduct such a checkup which can indicate with a good degree of certainty whether a device has been targeted by Pegasus and whether the attack has been successful.
Third, the inquiry into whether Bulgarian citizens have been subjected to Pegasus attacks provides legal grounds for the examination of the Bulgarian server where, according to Amnesty International, part of Pegasus’ network infrastructure has been deployed. By examining the server, it can possibly be established how many and which devices have been sending requests to that server as part of a Pegasus attack.
7. Can we protect ourselves from an attack?
There is currently no reliable strategy or method of defending against the so-called “zero-click attack”, where the malware is installed on a device connected to the network with no input needed from the victim and without the victim suspecting anything.
Naturally, keeping our device’s operating system and applications up to date with the latest updates is a good first step to keeping them at the maximum level of security.
The attacks may be hindered, and the potential damage reduced, if one consciously applies a low-tech approach: reducing the use of the device for storing photos and audio/video recordings, limiting the occasions on which the device is used, and keeping it in airplane mode when it is not in active use. Of course, this approach does not guarantee we will not be hacked, and it comes at the price of lost convenience.
8. Can we find out if we have been attacked by Pegasus?
Amnesty International has released a tool with which we can independently check our phone for traces of Pegasus attacks, but using the tool requires more technical proficiency than the average user has.
9. What led to the mass misuse of an instrument targeted at terrorists and criminals?
The effectiveness of Pegasus, combined with the profile of the regimes operating it, makes for an explosive combination.
Regardless of NSO Group’s assurances that the clients to which the software is sold undergo strict vetting of their human rights records, the list of nation states confirmed as Pegasus operators contains some regimes notorious for their human rights violations and for the persecution of their political opposition, journalists and human rights activists.
There is much validity in the adage that where there is smoke, there is fire – states in need of a quick and ready solution for spying and tracking, and which have no means to obtain it other than licensing it from a foreign country, are usually states with weak institutional control over the usage of such tools. This touches on another large topic, which deserves elaboration in a separate article.
Georgi Antonov