Pegasus Spyware Used in 45 Countries

Citizen Lab has published a new report about the Pegasus spyware. From a ZDNet article:

The malware, known as Pegasus (or Trident), was created by Israeli cyber-security firm NSO Group and has been around for at least three years -- when it was first detailed in a report over the summer of 2016.

The malware can operate on both Android and iOS devices, albeit it's been mostly spotted in campaigns targeting iPhone users primarily. On infected devices, Pegasus is a powerful spyware that can do many things, such as record conversations, steal private messages, exfiltrate photos, and much much more.

From the report:

We found suspected NSO Pegasus infections associated with 33 of the 36 Pegasus operators we identified in 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d'Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia. As our findings are based on country-level geolocation of DNS servers, factors such as VPNs and satellite Internet teleport locations can introduce inaccuracies.

Six of those countries are known to deploy spyware against political opposition: Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.

Also note:

On 17 September 2018, we then received a public statement from NSO Group. The statement mentions that "the list of countries in which NSO is alleged to operate is simply inaccurate. NSO does not operate in many of the countries listed." This statement is a misunderstanding of our investigation: the list in our report is of suspected locations of NSO infections, it is not a list of suspected NSO customers. As we describe in Section 3, we observed DNS cache hits from what appear to be 33 distinct operators, some of whom appeared to be conducting operations in multiple countries. Thus, our list of 45 countries necessarily includes countries that are not NSO Group customers. We describe additional limitations of our method in Section 4, including factors such as VPNs and satellite connections, which can cause targets to appear in other countries.

Motherboard article. Slashdot and Boing Boing posts.

Posted on September 19, 2018 at 5:19 AM • 11 Comments

Comments

Denton Scratch • September 19, 2018 8:29 AM

"mostly ..." "primarily" (I sometimes copy-edit on Wikipedia)

The CitizenLab report says:
"In this post, we develop new Internet scanning techniques to identify 45 countries in which operators of NSO Group’s Pegasus spyware may be conducting operations."

That doesn't mention "infections". Granted, it doesn't say that NSO Group is conducting operations in those countries - just the operators of their spyware. That implies that NSO has customers (or at least users) in those countries. So I think it's quite understandable that NSO Group might want to clear up that misunderstanding - especially since NSO Group is an Israeli business, and a majority of the countries listed (I didn't actually count) appear to be Arab/Muslim countries with which the Israeli government may have less-than-cordial relations.

Israel seems to be a world leader in the production of spyware products. They don't seem to care much who they are sold to - perhaps hmm's comment above regarding raw data collection is on the ball.

The report comments on the dubious human rights record of some of the countries listed; sadly it doesn't mention the execrable human rights record of Israel itself (apartheid property laws, destruction of villages, arbitrary arrest, imprisonment without trial, political assassination).

"As an example, the product is specifically designed to not operate in the USA."

Isn't that interesting! It sounds like the malware works fine in the USA, but the C+C servers maybe don't. I wonder which bits work in Israel?

"Editing and other assistance provided by ... Jakub Dalek ..."

Cool name! I've never before come across the surname Dalek. I wonder if some Doctor Who fan changed their name by deed-poll?


echo • September 19, 2018 11:53 AM

@Denton Scratch

In English law a person's name is the name which is used. This is not the same as an alias.

A deed poll is bad opsec because in some use cases it needs to be registered with the courts which creates a public paper trail. A statutory declaration is legally firmer and can be used in Scotland too. Some companies don't recognise legal claims of name without adding unlawful burdens. Paypal is the worst for this. This is certainly an inconvenience for women changing their name after marriage or women seeking to escape a determined domestic abuser.

I agree Israel has every incentive to be as nosey as possible. Oddly, the UK seem very happy with arrangements with Saudi intelligence which may be one reason why the UK overlooks Saudi human rights abuses.

Denton Scratch • September 19, 2018 3:37 PM

@echo I wasn't aware of the opsec implications of changing your name by deed-poll, but it figures. Thanks.

Just that this Mr Dalek just seems to be an editorial assistant, and maybe doesn't really need operational security, never having engaged in an operation; so I thought it might be a real name.

I was kinda fishing for someone to pipe up and say "Oh, yeah; my name is Justine Dalek; my dad was called Oliver Dalek, and his dad was Knut Dalek. I come from a long line of Daleks".

Clive Robinson • September 19, 2018 4:09 PM

@ Denton Scratch,

"I come from a long line of Daleks".

Who all lived in bungalows...

Jónas • September 19, 2018 4:10 PM

"In August 2016" "We clicked on the link" "and obtained three zero-day exploits" "as well as a copy of the Pegasus spyware."[1]

So did they (Citizen Lab) leak the code or what? I've read through a few of their articles and I see remarks about RE, string(s) and so on, but no code. Any YARA rules?

echo • September 19, 2018 4:28 PM

@Denton Scratch

Names are funny things. They may contain issues such as pronounceability and age identification and entropy among other things. Names can be so loaded too. Maybe it's just my zany mind but I find it odd how people get stuck with names and also why we find random oscillations of air so important. It may as well be gaaaa-aark bluh-hic-dah-thrrrrp for all the universe cares.

The internet tells me "Dalek" is a real name but this seems a bit silly and I don't want to look an idiot.

Gerard van Vooren • September 20, 2018 12:56 AM

Sometimes things get a little bit rusty in here but then it's my big friend the Israelis who can shine and polish anything they want. I looked at the map. I mean, even the Dutch are now part of the Israeli Friends? But what about Belgium? Or Germany?

Keep on going guys, sooner or later people are going to get really p.o. of you.

Weather • September 20, 2018 1:30 AM

"remarks about RE, string(s) and so on, but no code. Any YARA rules?"

Thanks, don't people use snort, or is that smaller company?

CallMeLateForSupper • September 21, 2018 9:39 AM

A second Motherboard article about this.

"When an Israeli entrepreneur went into a meeting with the infamous spyware vendor NSO, company representatives asked him if it would be OK for them to demo their powerful and expensive spying software, known as Pegasus, on his own phone."
[...]
"After 'five or seven minutes,' the contents of his phone’s screen appeared on a large display that was set up in the meeting room, all without him even clicking on a malicious link, he said."
https://motherboard.vice.com/en_us/article/qvakb3/inside-nso-group-spyware-demo
