NSO Group’s Pegasus Spyware Used against Thailand Pro-Democracy Activists and Leaders

Yet another basic human rights violation, courtesy of NSO Group: Citizen Lab has the details:

Key Findings

  • We discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy.
  • We forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus spyware.
  • The observed infections took place between October 2020 and November 2021.
  • The ongoing investigation was triggered by notifications sent by Apple to Thai civil society members in November 2021. Following the notification, multiple recipients made contact with civil society groups, including the Citizen Lab.
  • The report describes the results of an ensuing collaborative investigation by the Citizen Lab, and Thai NGOs iLaw, and DigitalReach.
  • A sample of the victims was independently analyzed by Amnesty International’s Security Lab which confirms the methodology used to determine Pegasus infections.

[…]

NSO Group has denied any wrongdoing and maintains that its products are to be used “in a legal manner and according to court orders and the local law of each country.” This justification is problematic, given the presence of local laws that infringe on international human rights standards and the lack of judicial oversight, transparency, and accountability in governmental surveillance, which could result in abuses of power. In Thailand, for example, Section 112 of the Criminal Code (also known as the lèse-majesté law), which criminalizes defamation, insults, and threats to the Thai royal family, has been criticized for being “fundamentally incompatible with the right to freedom of expression,” while the amended Computer Crime Act opens the door to potential rights violations, as it “gives overly broad powers to the government to restrict free speech [and] enforce surveillance and censorship.” Both laws have been used in concert to prosecute lawyers and activists, some of whom were targeted with Pegasus.

More details. News articles.

A few months ago, Ronan Farrow wrote a really good article on NSO Group and its problems. The company was itself hacked in 2021.

L3Harris Corporation was looking to buy NSO Group, but dropped its bid after the Biden administration expressed concerns. The US government blacklisted NSO Group last year, and the company is even more toxic than it was as a result—and a mess internally.

In another story, the nephew of the jailed Hotel Rwanda dissident was also hacked by Pegasus.

EDITED TO ADD (7/28): The House Intelligence Committee held hearings on what to do about this rogue industry. It’s important to remember that while NSO Group gets all the heat, there are many other companies that do the same thing.

John Scott-Railton at the hearing:

If NSO Group goes bankrupt tomorrow, there are other companies, perhaps seeded with U.S. venture capital, that will attempt to step in to fill the gap. As long as U.S. investors see the mercenary spyware industry as a growth market, the U.S. financial sector is poised to turbocharge the problem and set fire to our collective cybersecurity and privacy.

Posted on July 19, 2022 at 9:40 AM • 17 Comments

Comments

Erdem Memisyazici July 19, 2022 10:11 AM

What if they fixed every vulnerability they are aware of? I realize there is a supply chain attack component but if you’re the company who can hack anything, that just means you have the most up-to-date list of all broken software and hardware that needs to be patched.

So, maybe just change the business model from exploiting known flaws to fixing them?

I mean if I went out there saying I know enough about each car to issue recalls, and yet I just sat on that information telling people how to make individual cars catch on fire for a price, people would not think I’m doing the right thing.

Me July 19, 2022 10:27 AM

@Erdem

Bravo and well said. The key is, however, how to make issuing recalls more profitable than starting car fires.

The eternal problem of how to make morality profitable.

JonKnowsNothing July 19, 2022 10:57 AM

@ Erdem Memisyazici, @All

re: What if they fixed every vulnerability they are aware of?

THAT will not happen. The 3Ls+Cos rely on bad software and hardware to pay their salaries. Whether the vulnerability is due to intentional flaw or unintentional flaw remains known but unanswered questions.

In the cases of intentional flaws, introduced directly by the 3Ls+Co, they park those in their list of future exploits. The cases of intentional flaws created by designers and programmers who deliberately sabotage or cripple a product, that may come under the heading of “designed obsolescence”. The unintentional flaws created because someone didn’t know, are just Bugs but as most will be Edge or Corner Cases these will never be fixed or “fixed in the next release” except no fix is released.

Recently (S v USA+3L) a case of releasing a large listing of 3Ls+Co not-publicly known flaws both intentional and unintentional, ended badly for S (round 1). It was often described as “Burning down the 3L” by releasing the listing along with other information about their deployment.

The 3Ls+Co and Modern Tech Marketing all depend on a constant supply of BREAK. Both use them for the same reasons: Money.

Ted July 19, 2022 3:06 PM

As of the date of publication of this report, we assess that there is currently at least one Pegasus operator active in Thailand

Is NSO Group still doing its thing? I am also wondering if people are still getting the “state-sponsored attacker” notifications from Apple.

I didn’t realize how roiled the situation was in Thailand. Freedom House gives the country a score of 29 out of 100 on the freedom scale. The Pegasus infections seem to add insult to injury on top of everything else, not to mention the lèse-majesté law. Sheesh.

https://freedomhouse.org/country/thailand/freedom-world/2022

Frankly July 19, 2022 3:52 PM

NSO Group knows which side of the bread has the honey on it. Most companies would do the same. They do what is legal and profitable. If criticized, they say what they are doing is legal. They have no internal process for even evaluating, as a company, what is a human rights abuse or what does more harm than good to society or to a particular nation.

Chaldea July 19, 2022 6:58 PM

NSO group is just the tip of the iceberg. Most nations now have military sponsored cyberwarfare capabilities of some kind. The fact that Pegasus, which is supposed to be used as an investigative tool for serious crime, consistently gets turned against political opponents aptly demonstrates how other cyberwarfare resources in military, intelligence agency and secret police hands are also likely being used.

Erdem Memisyazici July 19, 2022 9:09 PM

@Me

Not robbing a bank is also not very profitable for that matter.

There certainly is profit in selling products that work as intended.

JonKnowsNothing July 20, 2022 12:09 AM

@All

re: Bread and Honey

A MSM report on the restriction and certification of “kosher phones” in ISR. There are many groups that have restrictions on using technology and some are more determined than others to keep That Stuff Away.

The MSM report indicates that some of the restrictees are sneaking unrestricted phones onto their persons. There is a push to remove the committee that makes the certifications on what sorts of things can be on the phone.

They don’t allow very much. Something on the par with what folks say they would prefer.

The curious thing is, why opposing groups want to remove the restrictions… since it’s the land of Pegasus it’s a curious flight path.

===

Search Terms

Kosher Phone
Dispute
Certification

Winter July 20, 2022 1:10 AM

@JonKnowsNothing

A MSM report on the restriction and certification of “kosher phones” in ISR.

God is Good, God is perfect, and he created Man in His Perfect Image.

The logical conclusion then should be that God is addicted to intercourse and watches depictions of intercourse 24/7 (with whom?), because that is what men created according to His image seem to want to do on their phones/the internet. [1]

Now, all religions have silently decided behind closed doors that He is not perfect and that men should not do what they are created to do: performing or watching intercourse as much as possible.

And such is the story behind the Kosher Phones. Their only reason for existence is to prevent men from doing what they want to do, limiting them to do business and communicating with fellows of the faith.

[1] Religions do not think about women at all. Except that they should neither be seen nor heard. As long as it does not involve men, and women do their chores, nothing women do or say is of interest to Men of Religion.

John July 20, 2022 1:38 AM

hmm….

Curious that a ‘phone’ cannot call or text a nearby phone directly with no ISP in the middle or ‘connected’ to it? Why not??!!

A working version of zoiper disappeared from my direct manufacturer purchased open phone once it was on an ISP’s network.

Where is Linux and ‘open’ source when you want things to just work?

John

Paul July 20, 2022 5:21 AM

@TED
The EU has a whole committee (PEGA)… Yes, Spain, Greece, Italy would never violate the human rights of their people or political opponents. EU, epitome of tiny iron fist in velvet glove.

Winter July 20, 2022 5:39 AM

@Paul

EU, epitome of tiny iron fist in velvet glove.

Human rights are taken seriously by courts in Europe. That cannot be said of all other states.

@Winter July 20, 2022 12:44 PM

If Spain, Italy, Greece, and soon to be Turkey are part of the EU, then, no, human rights are just a facade.

Ted July 29, 2022 3:45 PM

@Bruce

I appreciate your added comments on this post.

I found the Gizmodo article “Blacklist and Bankrupt Abusive Spyware Makers… ” particularly poignant since I’ve been listening to the audiobook “American Kleptocracy: How the U.S. Created the World’s Greatest Money Laundering Scheme in History.”

I haven’t finished the book yet (at 60%) but I’m finding it to be both unsettling and informative. I hope there are more positive developments in the later chapters.

Let me just say I had no idea how easy it was to create shell companies in certain US states, particularly Delaware, Nevada, and Wyoming. Since it was (or is?) fairly trivial to obscure beneficiary info or exploit various other legal loopholes, I’m really interested in how funding for national security threats will be traced.

Oddly enough, it took The Patriot Act to push through more, and much needed, anti-money laundering legislation that previously went unratified.
