I. Pegasus (spyware)
From Wikipedia, the free encyclopedia
Type Spyware
Website nsogroup.com
Pegasus is spyware developed by the Israeli cyber-arms company NSO Group that can be covertly installed on mobile phones (and other devices) running most[1] versions of iOS and Android.[2] Pegasus is able to exploit iOS versions up to 14.6, through a zero-click exploit.[1] As of 2022, Pegasus was capable of reading text messages, tracking calls, collecting passwords, location tracking, accessing the target device’s microphone and camera, and harvesting information from apps.[3][4] The spyware is named after Pegasus, the winged horse of Greek mythology. It is a Trojan horse computer virus that can be sent “flying through the air” to infect cell phones.[5]
Pegasus was discovered in August 2016 after a failed installation attempt on the iPhone of a human rights activist led to an investigation revealing details about the spyware, its abilities, and the security vulnerabilities it exploited. News of the spyware caused significant media coverage. It was called the “most sophisticated” smartphone attack ever, and was the first time that a malicious remote exploit used jailbreaking to gain unrestricted access to an iPhone.[6]
The spyware has been used for surveillance of anti-regime activists, journalists, and political leaders from several nations around the world.[7] In July 2021, the investigation initiative Pegasus Project, along with an in-depth analysis by human rights group Amnesty International, reported that Pegasus was still being widely used against high-profile targets.[1]
Contents
1 Background
1.1 Discovery
1.2 Chronology
2 Technical details
2.1 Development of capabilities
2.2 Vulnerabilities
2.3 Pegasus Anonymizing Transmission Network
3 Use by country
3.1 Armenia
3.2 Azerbaijan
3.3 Bahrain
3.4 Egypt
3.5 El Salvador
3.6 Estonia
3.7 Finland
3.8 France
3.9 Germany
3.10 Hungary
3.11 India
3.12 Iraq
3.13 Israel
3.14 Jordan
3.15 Kazakhstan
3.16 Mexico
3.17 Morocco
3.18 Netherlands
3.19 Panama
3.20 Palestine
3.21 Poland
3.22 Rwanda
3.23 Saudi Arabia
3.24 South Africa
3.25 Spain
3.25.1 Use against Catalan and Basque officials and independence proponents
3.25.2 Use against Spanish government officials
3.26 Togo
3.27 Uganda
3.28 Ukraine
3.29 United Arab Emirates
3.30 United Kingdom
3.31 United States
3.32 Yemen
3.33 International organizations
3.33.1 European Union
4 Pegasus Project
5 Reactions
5.1 NSO Group response
5.2 Bug-bounty program skepticism
6 See also
7 References
Background
NSO Group developed its first iteration of Pegasus spyware in 2011.[4] The company states that it provides “authorized governments with technology that helps them combat terror and crime.”[6][8] NSO Group has published sections of contracts which require customers to use its products only for criminal and national security investigations and has stated that it has an industry-leading approach to human rights.[9]
Discovery
Pegasus’s iOS exploitation was identified in August 2016. Arab human rights defender Ahmed Mansoor received a text message promising “secrets” about torture happening in prisons in the United Arab Emirates by following a link. Mansoor sent the link to Citizen Lab of the University of Toronto, which investigated, with the collaboration of Lookout, finding that if Mansoor had followed the link it would have jailbroken his phone and implanted the spyware into it, in a form of social engineering.[10]
Citizen Lab and Lookout discovered that the link downloaded software to exploit three previously unknown and unpatched zero-day vulnerabilities in iOS.[11][12] According to their analysis, the software can jailbreak an iPhone when a malicious URL is opened. The software installs itself and collects all communications and locations of targeted iPhones. The software can also collect Wi-Fi passwords.[13] The researchers noticed that the software’s code referenced an NSO Group product called “Pegasus” in leaked marketing materials.[14] Pegasus had previously come to light in a leak of records from Hacking Team, which indicated the software had been supplied to the government of Panama in 2015.[15] Citizen Lab and Lookout notified Apple’s security team, which patched the flaws within ten days and released an update for iOS.[16] A patch for macOS was released six days later.[17]
Regarding how widespread the issue was, Lookout explained in a blog post: “We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code” and pointed out that the code shows signs of a “kernel mapping table that has values all the way back to iOS 7” (released 2013).[18] The New York Times and The Times of Israel both reported that it appeared that the United Arab Emirates was using this spyware as early as 2013.[19][20][21] It was used in Panama by former president Ricardo Martinelli from 2012 to 2014, who established the Consejo de Seguridad Pública y Defensa Nacional (National Security Council) for its use.[22][23][24][25]
Chronology
Several lawsuits outstanding in 2018 claimed that NSO Group helped clients operate the software and therefore participated in numerous violations of human rights initiated by its clients.[21] Two months after the murder and dismemberment of The Washington Post journalist Jamal Khashoggi, a Saudi human rights activist, in the Saudi Arabian Consulate in Istanbul, Turkey, Saudi dissident Omar Abdulaziz, a Canadian resident, filed suit in Israel against NSO Group, accusing the firm of providing the Saudi government with the surveillance software to spy on him and his friends, including Khashoggi.[26]
In December 2020, an Al Jazeera investigative show The Hidden is More Immense covered Pegasus and its penetration into the phones of media professionals and activists; and its use by Israel to eavesdrop on both opponents and allies.[27][28]
Technical details
The spyware can be installed on devices running certain versions of iOS, Apple’s mobile operating system, as well as some Android devices.[1] Rather than being a specific exploit, Pegasus is a suite of exploits that uses many vulnerabilities in the system. Infection vectors include clicking links, the Photos app, the Apple Music app, and iMessage. Some of the exploits Pegasus uses are zero-click—that is, they can run without any interaction from the victim. Once installed, Pegasus has been reported to be able to run arbitrary code, extract contacts, call logs, messages, photos, web browsing history, settings,[29] as well as gather information from apps including but not limited to communications apps iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype.[30]
In April 2017, after a Lookout report, Google researchers discovered Android malware “believed to be created by NSO Group Technologies” and named it Chrysaor (Pegasus’ brother in Greek mythology). According to Google, “Chrysaor is believed to be related to the Pegasus spyware”.[31] At the 2017 Security Analyst Summit held by Kaspersky Lab, researchers revealed that Pegasus was available for Android in addition to iOS. Its functionality is similar to the iOS version, but the mode of attack is different. The Android version tries to gain root access (similar to jailbreaking in iOS); if it fails, it asks the user for permissions that enable it to harvest at least some data. At the time Google said that only a few Android devices had been infected.[32]
Pegasus hides itself as far as is possible and self-destructs in an attempt to eliminate evidence if unable to communicate with its command-and-control server for more than 60 days, or if on the wrong device. Pegasus also can self-destruct on command.[32] If it is not possible to compromise a target device by simpler means, Pegasus can be installed by setting up a wireless transceiver near a target device, or by gaining physical access to the device.[33]
Development of capabilities
The earliest version of Pegasus – which was identified in 2016 – relied on a spear-phishing attack which required the target to click a malicious link in a text message or email.[33]
As of August 2016 – according to a former NSO Employee – the U.S. version of Pegasus had 1-click capabilities for all phones except old Blackberry models which could be infiltrated with a 0-click attack.[34]
In 2019, WhatsApp revealed Pegasus had employed a vulnerability in its app to launch zero-click attacks (the spyware would be installed onto a target’s phone by calling the target phone; the spyware would be installed even if the call was not answered).[33]
Since 2019, Pegasus has come to rely on iPhone iMessage vulnerabilities to deploy spyware.[33]
By 2020, Pegasus shifted towards zero-click exploits and network-based attacks. These methods allowed clients to break into target phones without requiring user interaction and without leaving any detectable traces.[35][36]
Vulnerabilities
Lookout provided details of the three iOS vulnerabilities:[18]
CVE-2016-4655: Information leak in kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing them to calculate the kernel’s location in memory.
CVE-2016-4656: Kernel memory corruption leads to jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to secretly jailbreak the device and install surveillance software – details in reference.[37]
CVE-2016-4657: Memory corruption in the webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
Google’s Project Zero documented another exploit, dubbed FORCEDENTRY, in December 2021. According to Google’s researchers, Pegasus sent an iMessage to its targets that contained what appeared to be GIF images, but which in fact contained a JBIG2 image. A vulnerability in the Xpdf implementation of JBIG2, re-used in Apple’s iOS phone operating software, allowed Pegasus to construct an emulated computer architecture inside the JBIG2 stream which was then used to implement the zero-click attack. Apple fixed the vulnerability in iOS 14.8 in September 2021 as CVE-2021-30860.[38]
As of July 2021, Pegasus likely uses many exploits, some not listed in the above CVEs.[1]
Pegasus Anonymizing Transmission Network
Human rights group Amnesty International reported in the 2021 investigation that Pegasus employs a sophisticated command-and-control (C&C) infrastructure to deliver exploit payloads and send commands to Pegasus targets. There are at least four known iterations of the C&C infrastructure, dubbed the Pegasus Anonymizing Transmission Network (PATN) by NSO group, each encompassing up to 500 domain names, DNS servers, and other network infrastructure. The PATN reportedly utilizes techniques such as registering high port numbers for their online infrastructure as to avoid conventional internet scanning. PATN also uses up to three randomised subdomains unique per exploit attempt as well as randomised URL paths.[1]
Use by country
Although Pegasus is stated as intended to be used against criminals and terrorists,[9] it has also been used by both authoritarian and democratic governments to spy on critics and opponents.[39] A UN special rapporteur on freedom of opinion found that the use of the spyware by abusive governments could “facilitate extrajudicial, summary or arbitrary executions and killings, or enforced disappearance of persons.”[40]
Armenia
About twenty Armenian citizens were spied on via Pegasus spyware. Media expert Arthur Papyan said it targeted the key figures of the opposition and the government – current and past government employees who knew valuable state secrets and have political influence, including the former director of the National Security Service and current chairman of the center-right Homeland Party. The local experts suspected that they were targeted either by the government of Armenia or Azerbaijan, or perhaps both. Papyan said that NSO group appears to be jailbreaking a phone and provides interface for viewing the obtained data. Minister of high-tech industry Vahagn Khachaturyan also received a warning letter from Apple, he rejected the theory that the spying party could be the current Armenian government.[41]
Azerbaijan
The list of spied-upon citizens included dozens of journalists and activists from Azerbaijan. It was alleged that their mobile phones were tapped.[42] The head of Azerbaijani service of Radio Liberty/Radio Free Europe (Azadliq) Jamie Fly expressed his anger when it was revealed that the phones of his five current and former employees were tapped with Pegasus.[43]
Bahrain
Citizen Lab revealed the government of Bahrain used the NSO Group’s Pegasus to hack activists, bloggers, members of Waad (a secular Bahraini political society), a member of Al Wefaq (a Shiite Bahraini political society), and members of the Bahrain Center for Human Rights. Bahrain reportedly acquired access to spyware in 2017. As per the report, the mobile phones of a total of nine rights activists were “successfully hacked” between June 2020 and February 2021. Those hacked included three members of Waad, three of the BCHR, one of Al Wefaq, and two of the exiled dissidents who reside in London. The Citizen Lab attributed “with high confidence” that a Pegasus operator, LULU, was used by the Bahraini government to breach the phones of at least four of the nine activists.[44][45]
In January 2022, Bahrain was accused of using the Pegasus spyware to hack a human rights defender, Ebtisam al-Saegh. The prominent activist’s phone was hacked at least eight times between August and November 2019. As per the Citizen Lab, following the hacking attempt, al-Saegh faced incidents where she was harassed by the Bahrain authorities. It included being summoned to a police station, interrogation, rape threats, and physical and sexual assault. The attack left the rights defender in a state of “daily fear and terror”.[46]
In February 2022, an investigation by Citizen Lab and Amnesty International revealed that the Pegasus spyware was used to infect the devices of a lawyer, an online journalist, and a mental health counsellor in Bahrain. All of the three activists were critical of the Bahraini authorities and were targeted with Pegasus between June and September 2021. One of the three activists remained anonymous, while the other two were Mohammed al-Tajer and Sharifa Swar (mental health counselor).[47]
Egypt
Egyptian PM Mostafa Madbouly was selected for potential targeting by Pegasus – apparently by Saudi Arabia.[48]
El Salvador
In January 2022, El Faro, a prominent Salvadoran news outlet, revealed that a majority of its staff had their phones infiltrated using Pegasus. The targeting was uncovered in an investigation conducted by Citizen Lab, and Access Now; the investigation revealed that the journalists of another 13 Salvadoran news organisations were targeted as well. Between July 2020 and November 2021, Pegasus was deployed on the phones of 22 employees of El Faro, including reporters, editors, and other staff. At the time of the targeting, the El Faro was looking into governmental corruption scandals, and the government’s clandestine dealings with the country’s gangs. The Salvadoran government denied responsibility for the espionage, and NSO Group declined to reveal whether the Salvadoran government was a client.[49]
Estonia
Estonia entered negotiations to procure Pegasus in 2018, and had made a $30 million down payment for the tool. Estonia hoped to use the tool against Russian phones (presumably for gathering intelligence). Israel initially approved the export of Pegasus to Estonia, but after a senior Russian defense official approached the Israeli defense agencies and revealed that Russia had learned of Estonia’s intentions to obtain Pegasus, Israel decided to disallow Estonia from using Pegasus against any Russian phone number (following a heated debate among Israeli officials) so as to avoid damaging Israeli relations with Russia.[50]
Finland
In January 2022 Finnish foreign ministry reported that several phones of Finnish diplomats have been infected with the Pegasus spyware.[51]
France
In July 2021, Le Monde reported that President of France Emmanuel Macron and 14 French ministers were flagged as potential Pegasus targets for Pegasus syping by Morocco; Moroccan authorities denied Pegasus use and labelled the allegation as “unfounded and false”.[52]
Germany
Pegasus is in use by German Federal Criminal Police Office (BKA). BKA acquired Pegasus in 2019 with “utmost secrecy”, and despite hesitations from its legal council. The use of Pegasus by BKA was later revealed by German media.[53]
Hungary
The government of Viktor Orbán authorized the use of Pegasus by Hungarian intelligence and law enforcement services to target the government’s political opponents.[50] The Orbán government has been accused of using it to spy on members of media as well as on Hungarian opposition.[54] According to the findings released in July 2021, journalists and managers of media holdings appear to have been spied on by the Hungarian government with Pegasus.[55] Phone numbers of at least 10 lawyers, at least 5 journalists, and an opposition politician were included on a leaked list of potential Pegasus surveillance targets.[56]
In November 2021, Lajos Kósa, head of a parliamentary defense and law enforcement committee, was the first Hungarian senior official who acknowledged that the country’s Interior Ministry purchased and used Pegasus.[57] Kósa admitted that Hungary had indeed purchased and used Pegasus, stating “I don’t see anything objectionable in it […] large tech companies carry out much broader monitoring of citizens than the Hungarian state does.”[54]
India
Main articles: Pegasus Project revelations in India and WhatsApp snooping scandal
In late 2019, Facebook initiated a suit against NSO, claiming that Pegasus had been used to intercept the WhatsApp communications of a number of activists, journalists, and bureaucrats in India, leading to accusations that the Indian government was involved.[58][59][60] 17 individuals including human rights activists, scholars, and journalists confirmed to an Indian publication they had been targeted.[61]
Phone numbers of Indian ministers, opposition leaders, ex-election commissioners and journalists were allegedly found on a database of NSO hacking targets by Pegasus Project in 2021.[62][63][64] Phone numbers of Koregaon Bhima activists who had compromising data implanted on their computers through a hack found on a Pegasus surveillance phone number list.[65]
Independent digital forensic analysis conducted on 10 Indian phones whose numbers were present in the data showed signs of either an attempted or successful Pegasus hack. The results of the forensic analysis threw up shows sequential correlations between the time and date a phone number is entered in the list and the beginning of surveillance. The gap usually ranges between a few minutes and a couple of hours.[66]
11 phone numbers associated with a female employee of the Supreme Court of India and her immediate family, who accused the former Chief Justice of India, Ranjan Gogoi, of sexual harassment, are also allegedly found on a database indicating possibility of their phones being snooped.[67][68]
Records also indicate that phone numbers of some of the key political players in Karnataka appear to have been selected around the time when an intense power struggle was taking place between the Bharatiya Janata Party and the Janata Dal (Secular)-Congress-led state government in 2019.[69][70]
Iraq
The phone of Iraqi President Barham Salih was found on a list of potential Pegasus surveillance targets (however actual targeting – attempted or successful – could not be determined).[71] The targeting of Salih appeared to have been linked to Saudi Arabia and UAE.[72]
Israel
Israeli police use
In January 2022, it was reported that Pegasus was unlawfully used by the Israeli Police to monitor citizens as well as foreign nationals who were accidentally or intentionally infected by the software.[73] The surveillance was ordered by high-ranking police officers, and was carried out without warrants or judicial supervision.[74] The legal basis for use of spyware against citizens is disputed.[75][76] The police had allegedly targeted civilians not suspected of any crime, including organisers of antigovernmental protesters, mayors, anti-LBGT parade activists, employees of government-owned companies, an associated of a senior politician,[75] and former government employees.[74] In one case, it was alleged that police targeted an activist who was not suspected of a crime, allegedly to gather information about the activist’s extra-marital affairs and use it as leverage.[75]
In some cases, Pegasus was used to obtain information unrelated to an ongoing investigation to be used later to pressure the subject of an investigation. In some cases, police used Pegasus to obtain incriminating information from suspects’ devices, and then concealed the source of the incriminating information claiming it would expose intelligence assets.[77] While the Israeli Police formally denied the allegations in the report, some senior police officials have hinted that the claims were true.[78] The report led to the announcement of a number of parallel investigations into the police’s conduct,[79] with some officials demanding a Commission of inquiry.[80] Although the Attorney General launched an internal probe into the allegations,[81] the Privacy Protection Council (which advises the Minister of Justice),[82] demanded that a state commission of inquiry be created.[80]
On February 1, the police admitted that there was, in fact, misuse of the software.[83] On February 7, the widespread extent of the warrantless surveillance was further revealed to have included politicians and government officials, heads of corporations, journalists, activists, and even Avner Netanyahu [he], the son of then-Prime Minister, Benjamin Netanyahu. This has led to renewed calls for a public inquiry, including from the current police commissioner Kobi Shabtai himself (appointed January 2021), as well as from the Minister of the Interior, Ayelet Shaked and others.[84]
Later in the day, the Minister of Public Security (the minister responsible for the police), Omer Bar-Lev, announced that he will be forming a commission of inquiry, to be chaired by a retired judge. Bar-Lev stressed that this commission will essentially be granted all the powers of a state commission (whose formation requires full cabinet support), including having the authority to subpoena witnesses, “regardless of seniority,” whose testimony may be used in future prosecutions.[85] Despite this, calls for a state commission persisted from several ex-ministry heads who were targeted. The next day, the State Comptroller Matanyahu Englman, calling the crisis a “trampling on the values of democracy and privacy,” said that the investigation launched by his office will also be extensive, adding that it will not only include the police, but also the Ministry of Justice and the State Attorney’s Office.[86]
Jordan
In January 2022, lawyer and activist Hala Ahed Deeb’s phone was targeted.[87]
Kazakhstan
Activists in Kazakhstan were targeted,[88] in addition to top-level officials, like Kassym-Jomart Tokayev, Askar Mamin and Bakytzhan Sagintayev. Among the 2000 targeted Kazak numbers were government critic Bakhytzhan Toregozhina, as well as journalists Serikzhan Mauletbay and Bigeldy Gabdullin.[89][90] Most of these victims were involved in a civic youth movement Oyan, Qazaqstan.[91]
Mexico
Mexico was the first country to purchase Pegasus.[92] Early versions of Pegasus were used to surveil the phone of Joaquín Guzmán, known as El Chapo. In 2011, Mexican President Felipe Calderón reportedly called NSO to thank the company for its role in Guzmán’s capture.[93][94] When a list of 50,000 phone numbers of potential Pegasus surveillance targets (selected by individual client governments) was leaked in 2021, a third of them were Mexican.[92]
Targeting of scientists and health campaigners
In 2017, Citizen Lab researchers revealed that NSO exploit links may have been sent to Mexican scientists and public health campaigners.[95] The targets supported measures to reduce childhood obesity, including Mexico’s “Soda Tax.”[96]
2014 Iguala mass kidnapping
In July 2017, the international team assembled to investigate the 2014 Iguala mass kidnapping publicly complained they thought they were being surveilled by the Mexican government.[97] They stated that the Mexican government used Pegasus to send them messages about funeral homes containing links which, when clicked, allowed the government to surreptitiously listen to the investigators.[97] The Mexican government has repeatedly denied any unauthorized hacking.[97]
Assassination of journalist Cecilio Pineda Birto
Cecilio Pineda Birto, a Mexican freelance journalist was assassinated by hitmen while resting in a hammock by a carwash. Brito had been reporting on the ties between local politicians and criminal organizations, and had received anonymous death threats during the weeks preceding the assassination; at about the same time, his phone number was selected as a possible target for Pegasus surveillance by a Mexican Pegasus client. Pegasus spyware may have been used to ascertain Brito’s location to carry out the hit by geolocating his phone; the deployment of Pegasus on his phone could however not be confirmed as his phone disappeared from the scene of the murder.[98]
Targeting of presidential candidate Obrador
In the run-up to the 2018 Mexican presidential election, dozens of close associates of the presidential candidate Andrés Manuel López Obrador (who was subsequently elected) were selected as potential targets. Potential targets included close family members, his cardiologist, and members of his personal and political inner circle. Recordings of Obrador’s conversations with family and party colleagues were subsequently leaked to the public in an attempt to disrupt his electoral campaign.[99]
Use by Mexican drug cartels
Pegasus has been used by drug cartels and cartel-entwined government actors to target and intimidate Mexican journalists.[100]
Other
A widow of slain renowned Mexican journalist was a target of an attempted Pegasus attack 10 days after her husband was assassinated.[101]
Morocco
In 2019, two Moroccan pro-democracy campaigners were notified by WhatsApp that their phones had been compromised with Pegasus.[61]
In June 2020, an investigation by Amnesty International alleged that Moroccan journalist Omar Radi was targeted by the Moroccan government using the Israeli spyware Pegasus. The rights group claimed that the journalist was targeted three times and spied on after his device was infected with an NSO tool. Meanwhile, Amnesty also claimed that the attack came after the NSO group updated their policy in September 2019.[102]
In July 2021, it was revealed that the Moroccan PM Saad Eddine el-Othamani and Moroccan King Mohammed VI were selected for targeting – apparently by Moroccan state actors themselves.[103]
According to revelatons from July 2021, Morocco had targeted more than 6,000 Algerian phones, including those of politicians and high-ranking military officials, with the spyware.[104][105] The Algerian government subsequently severed diplomatic relations with Morocco in August 2021, citing alleged Moroccan deployment of Pegasus against Algerian officials as one of the “hostile actions” that undergirded the decision.[106]
Netherlands
According to multiple news sources, the Pegasus spyware was used to spy on Ridouan Taghi, a high profile criminal. After the murder on the lawyer Derk Wiersum, the AIVD (Dutch security service) was asked to help with the process of catching Ridouan Taghi.
Panama
President of Panama Ricardo Martinelli personally sought to obtain cyberespionage tools after his election in 2009. After a rebuff by the U.S. in 2009, Martinelli successfully sought such tools from Israeli vendors, expressing an interest in acquiring a tool capable of hacking into mobile phones in a 2010 private meeting with Israeli PM Netanyahu. In 2012, NSO systems were installed in Panama City. The equipment was subsequently widely used for illicti domestic and foreign spying, including for spying on political opponents, magistrates, union leaders, and business competitors, with Martinelli allegedly going so far as to order the surveillance of his mistress using Pegasus.[4]
Palestine
The mobile phones of six Palestinian activists were hacked using Pegasus with some of the attacks reportedly occurring as far back as July 2020, according to a report from Front Line Defenders.[107]
Poland
Pegasus licenses were agreed on between Benjamin Netanyahu and Beata Szydło in July 2017.[108] Citizen Lab revealed that several members of political opposition groups in Poland were hacked by Pegasus spyware, raising alarming questions about the Polish government’s use of the software. A lawyer representing Polish opposition groups and a prosecutor involved in a case against the ruling Law and Justice party were also compromised.[109]
In December 2021, Citizen Lab announced that Pegasus was used against lawyer Roman Giertych and prosecutor Ewa Wrzosek, both critical of the ruling Law and Justice (PiS) government, with Giertych’s phone suffering 18 intrusions.[110] 33 hacks to the phone of Krzysztof Brejza, a senator from the opposition Civic Platform (PO) were uncovered,[111] and confirmed by Amnesty International.[112] Leading to the 2019 European and Polish parliamentary elections, Brejza’s text messages were stolen as he was leading the opposition parties’ campaign. The texts were doctored by state-run media, notably TVP, and used in a smear campaign against the opposition.[112][113][114] This prompted the Polish Senate to begin an inquiry into the deployment of the spyware.[115]
On January 25, 2022, more victims were confirmed by Citizen Lab, including Michał Kołodziejczak of the agrarian movement Agrounia, and Tomasz Szwejgiert, a journalist and alleged former associate of the CBA.[116][117]
According to the Supreme Audit Office (NIK), 544 of its employees’ devices were under surveillance over 7,300 times, some could be infected with Pegasus.[118]
Rwanda
A joint investigation by The Guardian and Le Monde alleged political activists in Rwanda were targeted with Pegasus.[119]
Saudi Arabia
In December 2020, it was reported that Saudi Arabia and the United Arab Emirates deployed a zero-click iMessage Pegasus exploit against two London-based reporters and 36 journalists at the Al Jazeera television network in Qatar.[35][36]
Jamal Khashoggi
Pegasus was used by Saudi Arabia to spy on Jamal Kashoggi,[120] who was later killed in Turkey. In October 2018, Citizen Lab reported on the use of NSO software to spy on the inner circle of Jamal Khashoggi just before his murder. Citizen Lab’s October report[121] stated with high confidence that NSO’s Pegasus had been placed on the iPhone of Saudi dissident Omar Abdulaziz, one of Khashoggi’s confidantes, months before. Abdulaziz stated that the software revealed Khashoggi’s “private criticisms of the Saudi royal family,” which according to Abdulaziz “played a major role” in Khashoggi’s death.[122]
In December 2018, a New York Times investigation concluded that Pegasus software played a role in the Khashoggi’s murder, with a friend of Khashoggi stating in a filing that Saudi authorities had used the Israeli-made software to spy on the dissident.[123] NSO CEO Shalev Hulio stated that the company had not been involved in the “terrible murder”, but declined to comment on reports that he had personally traveled to the Saudi capital Riyadh for a $55 million Pegasus sale.[124]
In 2021, allegations arose that the software may also have been used to spy on members of Kashoggi’s family.[125]
Targeting of Jeff Bezos
Pegasus was also used to spy on Jeff Bezos after Mohammed bin Salman, the crown-prince of Saudi Arabia, exchanged messages with him that exploited then-unknown vulnerabilities in WhatsApp.[126][127]
Targeting of journalist Ben Hubbard
A New York Times correspondent covering the Middle East, Ben Hubbard revealed in October 2021 that Saudi Arabia used the NSO Group’s Pegasus software to hack into his phone. Hubbard was targeted repeatedly over a three-year period between June 2018 to June 2021 while he was reporting on Saudi Arabia, and writing a book about the Saudi Crown Prince Mohammed bin Salman. Hubbard was possibly targeted for writing the book about the Crown Prince, and for his involvement in revealing the UAE’s hacking and surveillance attempt of Project Raven. Saudis attempted to peek into Hubbard’s personal information twice in 2018, one through a suspicious text message and the other through an Arabic WhatsApp message inviting him to a protest at a Saudi embassy in Washington.
Two other attacks were launched against him in 2020 and 2021 using the zero-click hacking capabilities. Lastly, on June 13, 2021, an iPhone belonging to Hubbard was successfully hacked using the FORCEDENTRY exploit. Citizen Lab said in “high confidence” that the four attacks were attempted using Pegasus.[128][129]
Other targets
Another Saudi exile Omar Abdulaziz in Canada was identified by McKinsey & Company as being an influential dissident, and hence had two brothers imprisoned by the Saudi authorities, and his cell phone hacked by Pegasus.[120][130]
South Africa
South African president Cyril Ramaphosa was revealed to have been selected as a potential target of Pegasus surveillance, possibly by the Rwandan state.[99]
Spain
Use against Catalan and Basque officials and independence proponents
According to an investigation by The Guardian and El País, Pegasus software was used by the government of Spain to compromise the phones of several politicians active in the Catalan independence movement, including President of the Parliament of Catalonia Roger Torrent, and former member of the Parliament of Catalonia Anna Gabriel i Sabaté.[131]
The scandal resurfaced in April 2022 following the publication of a report of a CitizenLab investigation that revealed widespread use of Pegasus against Catalan politicians and citizens, as well as Basque politician Arnaldo Otegi and MP Jon Iñarritu.[132][133] A total of 63 victims was identified,[134] with targets including elected officials (including high-ranking ones) and civil society members (including activists, journalists, lawyers, and computer scientists).[135] The true extent of the targeting was potentially far larger as Android devices are far more common in Spain while CitizenLab tools are specialised to uncover infiltration of Apple devices. CitizenLab did not attribute the responsibility for the attacks to any perpetrators, but did note that circumstantial evidence strongly suggests the attacks were perpetrated by the Spanish Government.[134] On May 5, 2022, the Spanish Defense Minister admitted to surveillance of 20 people involved in the Catalan independence movement.[136]
Use against Spanish government officials
On May the 2nd 2022 the Spanish Government revealed that the smartphones of President Pedro Sánchez and Defense Minister Margarita Robles had been targeted by Pegasus during May 2021.[137] President Sanchez’s device was infected twice, and Robles’ device was infected once. A total of over 2.7GB of data was exfiltrated from the PM device, while only 9MB of data was extracted from the Defense Minister’s device.[138] The espionage is, as of today, denied yet attributed to Moroccan entities, given the diplomatic tensions between the two at the time of the target.
Togo
A joint investigation by The Guardian and Le Monde alleged that Pegasus software was used to spy on six critics of the government in Togo.[119]
Uganda
It has been reported that Muhoozi Kainerugaba brokered a deal to use Pegasus in Uganda, paying between $10 and $20 million in 2019. The software was later used to hack the phones of 11 US diplomats and employees of the US embassy in Uganda some time during 2021.[139]
Ukraine
At least since 2019, Ukraine had sought to obtain Pegasus in its effort to counter what it saw as an increasing threat of Russian aggression and espionage, however, Israel had imposed a near-total ban on weapons sales to Ukraine (which also encompassed cyberespionage tools), wary of selling Pegasus to states that would use the tool against Russia so as not to damage relations with Russia. In August 2021, at a time when Russian troops were amassing on the Ukrainian border, Israel again rebuffed a request from a Ukrainian delegation asking to obtain Pegasus; according to a Ukrainian official familiar with the matter, Pegasus could have provided critical support in Ukraine’s effort to monitor Russian military activity. In the wake of the 2022 Russian invasion of Ukraine, Ukrainian officials rebuked Israel’s tepid support of Ukraine and Israeli efforts to maintain amicable relations with Russia.[50]
United Arab Emirates
In December 2020, it was reported that Saudi Arabia and the United Arab Emirates deployed a zero-click iMessage Pegasus exploit against two London-based reporters and 36 journalists at the Al Jazeera television network in Qatar.[35][36]
The United Arab Emirates used Pegasus to spy on the members of Saudi-backed Yemeni government according to an investigation published in July 2021. The UAE used the spyware to monitor and spy on the ministers of the internationally recognized government of President Abdrabbuh Mansur Hadi, including Yemeni president and his family members, former Prime Minister Ahmed Obaid Bin Dagher, former Foreign Minister Abdulmalik Al-Mekhlafi, and current Minister of Youth and Sports, Nayef al-Bakri.[140]
On 24 September 2021, The Guardian reported that the telephone of Alaa al-Siddiq, executive director of ALQST, who died in a car accident in London on 20 June 2021, was infected with the Pegasus spyware for 5 years until 2020. Citizen Lab confirmed that the Emirati activist was hacked by a government client of Israel’s NSO Group. The case represented a worrying trend for activists and dissidents, who escaped the UAE to live in the relative safety, but were never out of the reach of Pegasus.[141]
In October 2021, the British High Court ruled that agents of Mohammed bin Rashid Al Maktoum used Pegasus to hack the phones of his (ex)-wife, Princess Haya bint Hussein, her solicitors (including baroness Fiona Shackleton), a personal assistant and two members of her security team in the summer of 2020. The court ruled that the agents acted “with the express or implied authority” of the sheikh; he denied knowledge of the hacking. The judgment referred to the hacking as “serial breaches of (UK) domestic criminal law”, “in violation of fundamental common law and ECHR rights”, “interference with the process of this court and the mother’s access to justice” and “abuse of power” by a head of state. NSO had contacted an intermediary in August 2020 to inform Princess Haya of the hack and is believed to have terminated its contract with the UAE.[142]
On 7 October 2021, the NSO Group stated that it had terminated its contract with the UAE to use its Pegasus spyware tool after the ruling by UK’s High Court that Dubai’s ruler misused the firm’s Pegasus software to spy on his ex-wife and her legal advisers.[143]
In 2022, sources revealed that a unit of Abu Dhabi’s Mubadala Investment Company, Mubadala Capital was one of the largest investors in €1 billion Novalpina Capital private equity fund, which bought the NSO Group in 2019. Since then, Mubadala has been an investor in the firm with its commitment of €50 million, acquiring a seat on the committee of largest investors of the equity fund. Journalists, human rights defenders and the women of Dubai’s royal family were traced to have been hacked using the Pegasus spyware during the same time.[144]
A report by the Citizen Lab revealed that Pegasus spyware linked to an Emirati operative was used to hack into the phones at the Downing Street and the Foreign Office. One of the spyware attack on No 10 was on 7 July 2020, which was asserted to have infected the phone of British Prime Minister Boris Johnson. Besides, at least five attacks were identified on Foreign Office phones by UK allies, including the UAE, between July 2020 and June 2021.[145] The UAE was also alleged of hiring a firm to “monitor” Jeremy Corbyn.[146]
United Kingdom
In April 2022, Citizen Lab released a report stating that 10 Downing Street staff had been targeted by Pegasus, and that the United Arab Emirates was suspected of originating the attacks in 2020 and 2021.[147]
United States
NSO Group pitched its spyware to the Drug Enforcement Administration (DEA), which declined to purchase it due to its high cost.[148]
In August 2016, NSO Group (through its U.S. subsidiary Westbridge) pitched its U.S. version of Pegasus to the San Diego Police Department (SDPD). In the marketing material, Westbridge emphasized that the company is U.S.-based and majority-owned by a U.S. parent company. An SDPD Sergeant responded to the sales pitch with “sounds awesome”. The SDPD declined to purchase the spyware as it was too expensive.[34]
Pegasus spyware was found in 2021 on the iPhones of at least nine U.S. State Department employees.[149] The US government blacklisted the NSO Group to stop what it called “transnational repression”.[150]
In December 2021, AP reported that 11 U.S. State Department employees stationed in Uganda had their iPhones hacked with Pegasus.[151]
In January 2022 it was reported that the Federal Bureau of Investigation (FBI) had secretly bought the Pegasus spyware in 2019 and had seen a demonstration of Phantom, a newer tool that could hack American phone numbers. They considered using both tools for domestic surveillance in the U.S., which reportedly led to discussions between the FBI and United States Department of Justice which ultimately lead to the FBI deciding against using it and all NSO spyware in 2021. However, despite ruling against using it, Pegasus equipment is still in the FBI’s possession at a New Jersey facility.[152][153]
Yemen
The forensic analysis of UN independent investigator Kamel Jendoubi’s mobile phone revealed on 20 December 2021 that he was targeted using spyware while probing war crimes of Yemen. Jendoubi was targeted while he was examining possible war crimes in Yemen. Jendoubi’s mobile number was also found in the leaked database of the Pegasus Project. According to the data, Jendoubi was one of the potential targets of one of NSO Group’s long-time clients, Saudi Arabia. However, NSO spokesperson denied Kamel Jendoubi as any of its client’s targets.[154]
International organizations
European Union
In April 2022, according to two EU officials and documentation obtained by Reuters, the European Justice Commissioner Didier Reynders and other European Commission officials had been targeted by NSO’s software. The commision learned of this after Apple notified thousands of iPhone users in November 2021 that they were targeted by state-sponsored hackers. According to the same two sources, IT experts examined some of the smartphones, but the results were inconclusive.[155]
Pegasus Project
Main article: Pegasus Project (investigation)
A leak of a list of more than 50,000 telephone numbers believed to have been identified as those of people of interest by clients of NSO since 2016 became available to Paris-based media nonprofit organisation Forbidden Stories and Amnesty International. They shared the information with seventeen news media organisations in what has been called Pegasus Project, and a months-long investigation was carried out, which reported from mid-July 2021. The Pegasus Project involved 80 journalists from the media partners including The Guardian (UK), Radio France and Le Monde (France), Die Zeit and Süddeutsche Zeitung (Germany), The Washington Post (United States), Haaretz (Israel), Aristegui Noticias, Proceso (Mexico), the Organized Crime and Corruption Reporting Project, Knack, Le Soir, The Wire,[156] Daraj,[157] Direkt36 (Hungary),[158] and Frontline.[159] Evidence was found that many phones with numbers in the list had been targets of Pegasus spyware.[9][160] However, The CEO of NSO Group categorically claimed that the list in question is unrelated to them, the source of the allegations can’t be verified as reliable one. “This is an attempt to build something on a crazy lack of information… There is something fundamentally wrong with this investigation”.[161]
French intelligence (ANSSI) confirmed that Pegasus spyware had been found on the phones of three journalists, including a journalist of France 24, in what was the first time an independent and official authority corroborated the findings of the investigation.[162]
On 26 January 2022, the reports revealed that mobile phones of Lama Fakih, a US-Lebanese citizen and director of crisis and conflict at Human Rights Watch, were repeatedly hacked by a client of NSO Group at a time when she was investigating the catastrophic August 2020 explosion that killed more than 200 people in Beirut.[163]
In July 2021, a joint investigation conducted by seventeen media organisations, revealed that Pegasus spyware was used to target and spy on heads of state, activists, journalists, and dissidents, enabling “human rights violations around the world on a massive scale”. The investigation was launched after a leak of 50,000 phone numbers of potential surveillance targets. Amnesty International carried out forensic analysis of mobile phones of potential targets. The investigation identified 11 countries as NSO clients: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates. The investigation also revealed that journalists from multiple media organizations including Al Jazeera, CNN, the Financial Times, the Associated Press, The New York Times, The Wall Street Journal, Bloomberg News and Le Monde were targeted, and identified at least 180 journalists from 20 countries who were selected for targeting with NSO spyware between 2016 and June 2021.[164][165]
Reactions
NSO Group response
Responding to August 2016 reports of a targeting of an Arab activist, NSO Group stated that they provide “authorized governments with technology that helps them combat terror and crime”, although the Group told him that they had no knowledge of any incidents.[166]
Bug-bounty program skepticism
In the aftermath of the news, critics asserted that Apple’s bug-bounty program, which rewards people for finding flaws in its software, might not have offered sufficient rewards to prevent exploits being sold on the black market, rather than being reported back to Apple. Russell Brandom of The Verge commented that the reward offered in Apple’s bug-bounty program maxes out at $200,000, “just a fraction of the millions that are regularly spent for iOS exploits on the black market”. He goes on to ask why Apple doesn’t “spend its way out of security vulnerabilities?”, but also writes that “as soon as [the Pegasus] vulnerabilities were reported, Apple patched them—but there are plenty of other bugs left. While spyware companies see an exploit purchase as a one-time payout for years of access, Apple’s bounty has to be paid out every time a new vulnerability pops up.”
Brandom also wrote; “The same researchers participating in Apple’s bug bounty could make more money selling the same finds to an exploit broker.” He concluded the article by writing; “It’s hard to say how much damage might have been caused if Mansoor had clicked on the spyware link… The hope is that, when the next researcher finds the next bug, that thought matters more than the money.”[167]
See also
DROPOUTJEEP
RCSAndroid from Hacking Team
List of spyware programs
References
“Forensic Methodology Report: How to catch NSO Group’s Pegasus”. www.amnesty.org. July 18, 2021. Archived from the original on July 19, 2021. Retrieved July 19, 2021.
Timberg, Craig; Albergotti, Reed; Guéguen, Elodie (July 19, 2021). “Despite the hype, iPhone security no match for NSO spyware – International investigation finds 23 Apple devices that were successfully hacked”. The Washington Post. Archived from the original on July 19, 2021. Retrieved July 19, 2021.
Cox, Joseph (May 12, 2020). “NSO Group Pitched Phone Hacking Tech to American Police”. Vice. Archived from the original on January 30, 2022. Retrieved January 30, 2022.
Bergman, Ronen; Mazzetti, Mark (January 28, 2022). “The Battle for the World’s Most Powerful Cyberweapon”. The New York Times. ISSN 0362-4331. Archived from the original on January 30, 2022. Retrieved January 30, 2022.
Bouquet, Jonathan (May 19, 2019). “May I have a word about… Pegasus spyware”. The Guardian. Archived from the original on January 26, 2021. Retrieved July 18, 2021.
Franceschi-Bicchierai, Lorenzo (August 26, 2016). “Government Hackers Caught Using Unprecedented iPhone Spy Tool”. Motherboard. Vice Media. Archived from the original on September 3, 2020. Retrieved May 15, 2019.
“With Israel’s Encouragement, NSO Sold Spyware to UAE and Other Gulf States”. Haaretz. Archived from the original on August 23, 2020. Retrieved August 23, 2020.
“What is Pegasus spyware and how does it hack phones?”. The Guardian. July 18, 2021. Archived from the original on July 19, 2021. Retrieved July 19, 2021.
Kirchgaessner, Stephanie; Lewis, Paul; Pegg, David; Cutler, Sam (July 18, 2021). “Revealed: leak uncovers global abuse of cyber-surveillance weapon”. The Observer. Archived from the original on July 19, 2021. Retrieved July 18, 2021.
Lee, Dave (August 26, 2016). “Who are the hackers who cracked the iPhone?”. BBC News. Archived from the original on July 19, 2018. Retrieved June 21, 2018.
Marczak, Bill; Scott-Railton, John (August 24, 2016). “The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender”. Citizen Lab. Archived from the original on December 17, 2016. Retrieved March 25, 2017.
Technical Analysis of Pegasus Spyware (PDF) (Technical report). Lookout. August 25, 2016. Archived (PDF) from the original on February 19, 2022. Retrieved August 25, 2016.
Fox-Brewster, Thomas (August 25, 2016). “Everything We Know About NSO Group: The Professional Spies Who Hacked iPhones With A Single Text”. Forbes. Archived from the original on August 26, 2016. Retrieved August 25, 2016.
Lee, Dave (August 26, 2016). “Who are the hackers who cracked the iPhone?”. BBC News. Archived from the original on July 30, 2019. Retrieved August 26, 2016.
Rodriguez, Rolando B.; Diaz, Juan Manuel (August 7, 2015). “Abren sumario en caso Hacking Team”. La Prensa (Panama City). Archived from the original on March 28, 2019. Retrieved August 25, 2016.
“About the security content of iOS 9.3.5”. Apple Inc. August 25, 2016. Archived from the original on September 25, 2019. Retrieved August 25, 2016.
“About the security content of Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite”. Apple Inc. September 1, 2016. Archived from the original on September 25, 2019. Retrieved September 1, 2016.
“Sophisticated, persistent mobile attack against high-value targets on iOS”. Lookout. August 25, 2016. Archived from the original on December 17, 2016. Retrieved December 21, 2016.
Kirkpatrick, David D.; Ahmed, Azam (August 31, 2018). “Hacking a Prince, an Emir and a Journalist to Impress a Client”. The New York Times. Archived from the original on May 24, 2019. Retrieved August 31, 2018.
Perlroth, Nicole (September 2, 2016). “How Spy Tech Firms Let Governments See Everything on a Smartphone”. The New York Times. Archived from the original on May 14, 2019. Retrieved August 31, 2018.
“Lawsuits claim Israeli spyware firm helped UAE regime hack opponents’ phones”. The Times of Israel. August 31, 2018. Archived from the original on May 25, 2019. Retrieved August 31, 2018.
“El controversial pasado de Pegasus en Panamá | la Prensa Panamá”. October 31, 2019. Archived from the original on July 24, 2021. Retrieved July 24, 2021.
“¿Qué es el sistema Pegasus?”. Archived from the original on July 24, 2021. Retrieved July 24, 2021.
“NSO Group y su Pegasus, el software que metió en problemas judiciales a un expresidente panameño”. July 19, 2021. Archived from the original on July 24, 2021. Retrieved July 24, 2021.
“‘Martinelli pidió disco duro de Pegasus’ | la Prensa Panamá”. June 8, 2019. Archived from the original on July 24, 2021. Retrieved July 24, 2021.
Boot, Max (December 5, 2018). “An Israeli tech firm is selling spy software to dictators, betraying the country’s ideals”. The Washington Post. Archived from the original on April 19, 2019. Retrieved April 19, 2019.
“Al Jazeera journalists ‘hacked via NSO Group spyware'”. BBC News. December 21, 2020. Archived from the original on March 9, 2021. Retrieved March 10, 2021.
“Al Jazeera journalists hacked using Israeli firm’s spyware”. Al Jazeera. Archived from the original on March 10, 2021. Retrieved March 10, 2021.
Perlroth, Nicole (August 25, 2016). “IPhone Users Urged to Update Software After Security Flaws Are Found”. The New York Times. Archived from the original on May 29, 2019. Retrieved December 21, 2016.
Fox-Brewster, Thomas (August 25, 2016). “Everything We Know About NSO Group: The Professional Spies Who Hacked iPhones With A Single Text”. Forbes. Archived from the original on May 29, 2019. Retrieved December 21, 2016.
Rich Cannings; Jason Woloz; Neel Mehta; Ken Bodzak; Wentao Chang; Megan Ruthven. “An investigation of Chrysaor Malware on Android”. Android Developers Blog. Archived from the original on January 30, 2022. Retrieved January 30, 2022.
John Snow (August 17, 2017). “Pegasus: The ultimate spyware for iOS and Android”. Kaspersky Daily. Archived from the original on December 4, 2019. Retrieved December 4, 2019.
“What is Pegasus spyware and how does it hack phones?”. the Guardian. July 18, 2021. Archived from the original on July 19, 2021. Retrieved February 1, 2022.
“NSO Group Pitched Phone Hacking Tech to American Police”. www.vice.com. Archived from the original on January 30, 2022. Retrieved February 1, 2022.
“Report accuses Saudi Arabia, UAE of probably hacking phones of over three dozen journalists in London, Qatar”. The Washington Post. Archived from the original on December 18, 2021. Retrieved December 20, 2020.
“The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit”. The Citizen Lab. December 20, 2020. Archived from the original on January 30, 2022. Retrieved December 20, 2020.
Esser, Stefan (September 5, 2016). “PEGASUS iOS Kernel Vulnerability Explained – Part 2”. SektionEins GmbH. Archived from the original on August 31, 2019. Retrieved August 31, 2019.
Beer, Ian; Groß, Samuel (December 15, 2021). “Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution”. Google Project Zero. Archived from the original on December 16, 2021. Retrieved December 16, 2021.
“The NSO File: A Complete (Updating) List of Individuals Targeted With Pegasus Spyware”. Haaretz. Archived from the original on January 31, 2022. Retrieved January 31, 2022.
“Rights groups urge EU to ban NSO over clients’ use of Pegasus spyware”. the Guardian. December 3, 2021. Archived from the original on January 30, 2022. Retrieved January 30, 2022.
“Հայաստանյան ընդդիմության ու իշխանության առանցքային դեմքեր լրտեսական ծրագրի թիրախում են հայտնվել”. «Ազատ Եվրոպա/Ազատություն» ռադիոկայան (in Armenian). Archived from the original on November 25, 2021. Retrieved November 25, 2021.
“Apple NSO Group-u məhkəməyə verir”. Azadlıq Radiosu (in Azerbaijani). Archived from the original on November 25, 2021. Retrieved November 25, 2021.
“”Ազատ Եվրոպա/Ազատություն” ռ/կ նախագահը դատապարտում է ադրբեջանական ծառայության լրագրողների լրտեսումը Pegasus ծրագրով”. «Ազատ Եվրոպա/Ազատություն» ռադիոկայան (in Armenian). Archived from the original on November 25, 2021. Retrieved November 25, 2021.
“From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits”. The Citizen Lab. August 24, 2021. Archived from the original on January 2, 2020. Retrieved August 24, 2021.
“Phones of nine Bahraini activists found to have been hacked with NSO spyware”. The Guardian. August 24, 2021. Archived from the original on January 2, 2020. Retrieved August 24, 2021.
“Two female activists in Bahrain and Jordan hacked with NSO spyware”. The Guardian. January 17, 2022. Archived from the original on January 24, 2022. Retrieved January 17, 2022.
“Bahrain: Devices of three activists hacked with Pegasus spyware”. Amnesty International. February 18, 2022. Archived from the original on February 20, 2022. Retrieved February 18, 2022.
Patrucic, Pete Jones, Vyacheslav Abramov, and Miranda. “World Leaders on Pegasus List Include France’s President Macron, Morocco’s King Mohammed, Kazakhstan’s President”. OCCRP. Retrieved May 19, 2022.
Abi-Habib, Maria (January 13, 2022). “Journalists in El Salvador Targeted With Spyware Intended for Criminals”. The New York Times. ISSN 0362-4331. Retrieved April 26, 2022.
Bergman, Ronen; Mazzetti, Mark (March 23, 2022). “Israel, Fearing Russian Reaction, Blocked Spyware for Ukraine and Estonia”. The New York Times. ISSN 0362-4331. Archived from the original on April 13, 2022. Retrieved April 13, 2022.
Finnish diplomats were targeted by Pegasus spyware, says foreign ministry Archived January 28, 2022, at the Wayback Machine, 28/01/2022, euronews.com
“Pegasus spyware: French President Macron changes phone after hack reports”. BBC News. July 23, 2021. Retrieved May 19, 2022.
Welle (www.dw.com), Deutsche. “German police secretly bought NSO Pegasus spyware | DW | 07.09.2021”. DW.COM. Archived from the original on January 29, 2022. Retrieved January 30, 2022.
Welle (www.dw.com), Deutsche. “Hungary admits to using NSO Group’s Pegasus spyware | DW | 04.11.2021”. DW.COM. Archived from the original on January 30, 2022. Retrieved January 30, 2022.
“Viktor Orbán accused of using Pegasus to spy on journalists and critics”. the Guardian. July 18, 2021. Archived from the original on January 29, 2022. Retrieved July 18, 2021.
“Viktor Orbán accused of using Pegasus to spy on journalists and critics”. the Guardian. July 18, 2021. Archived from the original on January 29, 2022. Retrieved January 30, 2022.
“Hungarian official: Government bought, used Pegasus spyware”. Associated Press. Archived from the original on November 8, 2021. Retrieved November 14, 2021.
Bhattacharya, Ananya. “What is Pegasus and how did it target Indians on WhatsApp?”. Quartz. Archived from the original on June 28, 2021. Retrieved March 10, 2021.
“Did Indian Govt Buy Pegasus Spyware? Home Ministry’s Answer Is Worrying”. HuffPost. November 19, 2019. Archived from the original on November 1, 2020. Retrieved March 10, 2021.
“Indian Activists, Lawyers Were ‘Targeted’ Using Israeli Spyware Pegasus”. The Wire. Archived from the original on May 27, 2021. Retrieved March 10, 2021.
“WhatsApp ‘hack’ is serious rights violation, say alleged victims”. the Guardian. November 1, 2019. Archived from the original on December 22, 2021. Retrieved January 30, 2022.
“Phones Of Indian Politicians, Journalists Hacked Using Pegasus: 10 Facts On Report”. NDTV. Archived from the original on July 19, 2021. Retrieved July 19, 2021.
“Pegasus spyware used to ‘snoop’ on Indian journalists, activists”. The Hindu. Special Correspondent. July 19, 2021. ISSN 0971-751X. Archived from the original on July 19, 2021. Retrieved July 19, 2021.
“Phones of 2 Ministers, 3 Opp leaders among many targeted for surveillance: report”. The Indian Express. July 19, 2021. Archived from the original on July 19, 2021. Retrieved July 19, 2021.
Indian activists jailed on terrorism charges were on list with surveillance targets Archived December 6, 2021, at the Wayback Machine, The Washington Post, Joanna Slater and Niha Masih, July 20, 2021. Retrieved July 20, 2021.
“Snoop List Has 40 Indian Journalists, Forensic Tests Confirm Presence of Pegasus Spyware on Some”. thewire.in. Archived from the original on July 21, 2021. Retrieved July 21, 2021.
“Eleven phones targeted: Of woman who accused ex-CJI of harassment, kin”. The Indian Express. July 20, 2021. Archived from the original on July 21, 2021. Retrieved July 21, 2021.
“Days After Accusing CJI Gogoi of Sexual Harassment, Staffer Put on List of Potential Snoop Targets”. thewire.in. Archived from the original on July 21, 2021. Retrieved July 21, 2021.
“Leaked Snoop List Suggests Surveillance May Have Played Role in Toppling of Karnataka Govt in 2019”. thewire.in. Archived from the original on July 21, 2021. Retrieved July 21, 2021.
Bureau, Karnataka Bureau & New Delhi (July 20, 2021). “Key Cong-JDS leaders were ‘possible targets’ of Pegasus spyware during 2019 crisis: report”. The Hindu. ISSN 0971-751X. Archived from the original on July 21, 2021. Retrieved July 21, 2021.
Reuters (July 20, 2021). “Iraqi president on list for potential Pegasus surveillance – Washington Post”. Reuters. Retrieved May 19, 2022.
Patrucic, Pete Jones, Vyacheslav Abramov, and Miranda. “World Leaders on Pegasus List Include France’s President Macron, Morocco’s King Mohammed, Kazakhstan’s President”. OCCRP. Retrieved May 19, 2022.
“Israel police uses NSO’s Pegasus to spy on citizens”. CalcalistTech. January 18, 2022. Archived from the original on January 19, 2022. Retrieved January 19, 2022.
Ganon, Tomer (January 18, 2022). “Israel police uses NSO’s Pegasus to spy on citizens”. CTECH – www.calcalistech.com. Archived from the original on January 19, 2022. Retrieved February 1, 2022.
“Police targeted activist with NSO software, saved info on his sex life — report.” Archived January 28, 2022, at the Wayback Machine The Times of Israel, January 20, 2022.
Cahane, Amir (January 27, 2022). “Israeli Police: From Warrantless Cellphone Searches to Controversial Misuse of Spyware”. Lawfare. Archived from the original on February 3, 2022. Retrieved February 3, 2022.
Bachner, Michael. “Israel Police accused of using NSO spyware on civilians for years without oversight”. www.timesofisrael.com. Archived from the original on February 1, 2022. Retrieved February 1, 2022.
“What does the Israeli Police really say when it denies the Calcalist investigation?” Archived January 28, 2022, at the Wayback Machine (Hebrew). Calcalist, January 20, 2022.
“Gideon Sa’ar: Reports about NSO, police must be checked.” Archived January 20, 2022, at the Wayback Machine The Jerusalem Post, January 19, 2022.
“‘To form a Commission of inquiry to review the police and NSO affair. An internal probe will not be enough'” Archived January 21, 2022, at the Wayback Machine (Hebrew). Ynet, January 21, 2022.
“Attorney general opens investigation into police use of NSO spyware against Israelis”. The Times of Israel. January 20, 2022. Archived from the original on February 3, 2022. Retrieved February 3, 2022.
https://www.gov.il/he/departments/units/privacy_protection_council Archived January 28, 2022, at the Wayback Machine — entry on the Ministry of Justice website (Hebrew).
“The police zig-zags on the NSO affair: ‘evidence was discovered that changes things'” Archived February 1, 2022, at the Wayback Machine (Hebrew). Ynet. February 1, 2022.
“Ministry heads, Netanyahu associates, activists said targeted by police with spyware.” Archived February 7, 2022, at the Wayback Machine The Times of Israel, February 7, 2022.
“Police minister establishes commission to probe explosive NSO spying claims.” Archived February 7, 2022, at the Wayback Machine The Times of Israel, February 7, 2022.
“Ex-ministry chiefs demand state commission to probe police wiretap claims.” Archived February 8, 2022, at the Wayback Machine The Times of Israel, February 8, 2022.
“Two Activists From Jordan and Bahrain Targeted by Pegasus Spyware”. Al Bawaba. Archived from the original on January 18, 2022. Retrieved January 27, 2022.
Pegasus: Spyware sold to governments ‘targets activists’ Archived January 2, 2020, at the Wayback Machine, 19 July 2021, BBC
Kazakhstan: Activists tracked by Pegasus angered but not surprised Archived January 21, 2022, at the Wayback Machine, Almaz Kumenov Jul 21, 2021 eurasianet.org
“Who’s on the List? – The Pegasus Project”. OCCRP. Archived from the original on January 8, 2022. Retrieved January 21, 2022.
“Kazakhstan: Four activists’ mobile devices infected with Pegasus Spyware”. Amnesty International. December 9, 2021. Archived from the original on January 27, 2022. Retrieved January 27, 2022.
Welle (www.dw.com), Deutsche. “Pegasus spyware: Mexico one of the biggest targets | DW | 22.07.2021”. DW.COM. Archived from the original on January 30, 2022. Retrieved January 30, 2022.
Bergman, Ronen (January 10, 2019). “Exclusive: How Mexican drug baron El Chapo was brought down by technology made in Israel”. Ynetnews. Ynet. Archived from the original on July 25, 2019. Retrieved May 15, 2019.
Bergman, Ronen (January 11, 2019). “Weaving a cyber web”. Ynetnews. Archived from the original on July 27, 2019. Retrieved May 15, 2019.
Scott-Railton, John; Marczak, Bill; Guarnieri, Claudio; Crete-Nishihata, Masashi (February 11, 2017). “Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links”. Citizen Lab. Archived from the original on May 31, 2019. Retrieved March 25, 2017.
“Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links”. The Citizen Lab. February 11, 2017. Archived from the original on May 31, 2019. Retrieved June 14, 2019.
Ahmed, Azam (July 10, 2017). “Spyware in Mexico Targeted Investigators Seeking Students”. The New York Times. ISSN 0362-4331. Archived from the original on August 15, 2019. Retrieved July 13, 2017.
“Revealed: murdered journalist’s number selected by Mexican NSO client”. the Guardian. July 18, 2021. Archived from the original on July 19, 2021. Retrieved January 30, 2022.
Patrucic, Pete Jones, Vyacheslav Abramov, and Miranda. “World Leaders on Pegasus List Include France’s President Macron, Morocco’s King Mohammed, Kazakhstan’s President”. OCCRP. Retrieved May 19, 2022.
“‘It’s a free-for-all’: how hi-tech spyware ends up in the hands of Mexico’s cartels”. TheGuardian.com. December 7, 2020. Archived from the original on February 24, 2022. Retrieved January 30, 2022.
“Report: Slain Mexican journalist’s widow targeted by spyware”. AP NEWS. March 20, 2019. Archived from the original on January 30, 2022. Retrieved January 30, 2022.
Kirchgaessner, Stephanie (June 21, 2020). “Israeli spyware used to target Moroccan journalist, Amnesty claims”. The Guardian. Archived from the original on July 30, 2020. Retrieved June 21, 2020.
Patrucic, Pete Jones, Vyacheslav Abramov, and Miranda. “World Leaders on Pegasus List Include France’s President Macron, Morocco’s King Mohammed, Kazakhstan’s President”. OCCRP. Retrieved May 19, 2022.
Cheref, Abdelkader (July 29, 2021). “Is Morocco’s cyber espionage the last straw for Algeria?”. Archived from the original on October 1, 2021. Retrieved September 18, 2021.
“Pegasus: From its own king to Algeria, the infinite reach of Morocco’s intelligence services”. Middle East Eye. Archived from the original on September 18, 2021. Retrieved September 18, 2021.
Ahmed, Hamid Ould (August 25, 2021). “Algeria cuts diplomatic relations with Morocco”. Reuters. Retrieved May 19, 2022.
Kirchgaessner, Stephanie; Safi, Michael (November 8, 2021). “Palestinian activists’ mobile phones hacked using NSO spyware, says report”. The Guardian. Archived from the original on November 8, 2021. Retrieved November 8, 2021.
Bartkiewicz, Artur (January 3, 2022). “”Gazeta Wyborcza”: Jak kupowano Pegasusa dla CBA” [“Gazeta Wyborcza”: How Pegasus Was Bought for the CBA]. Rzeczpospolita (in Polish). Archived from the original on January 7, 2022. Retrieved January 6, 2022.
“Poland admits purchase of Israeli NSO spyware”. Independent. January 7, 2022. Archived from the original on January 10, 2022. Retrieved January 8, 2022.
“AP Exclusive: Polish opposition duo hacked with NSO spyware”. AP NEWS. December 20, 2021. Archived from the original on January 6, 2022. Retrieved January 6, 2022.
“Brejza inwigilowany Pegasusem. “PiS posłużył się podłymi metodami””. RMF FM (in Polish). Archived from the original on January 6, 2022. Retrieved January 6, 2022.
“Rights group verifies Polish senator was hacked with spyware”. AP NEWS. January 6, 2022. Archived from the original on January 6, 2022. Retrieved January 6, 2022.
“AP Exclusive: Polish opposition senator hacked with spyware”. AP NEWS. December 23, 2021. Archived from the original on January 7, 2022. Retrieved January 6, 2022.
“‘Polish Watergate’: Warsaw accused of using Pegasus to spy on rivals”. euronews. January 5, 2022. Archived from the original on January 6, 2022. Retrieved January 6, 2022.
News, Polsat. “Senacka komisja ds. Pegasusa rozpoczęła prace. Pierwszymi świadkami będą eksperci z Citizen Lab – Polsat News”. polsatnews.pl (in Polish). Archived from the original on January 25, 2022. Retrieved January 25, 2022.
“Citizen Lab: Kolejnych dwóch Polaków szpiegowanych Pegasusem”. Rzeczpospolita (in Polish). Archived from the original on January 25, 2022. Retrieved January 25, 2022.
“Citizen Lab: Dwie kolejne osoby inwigilowane Pegasusem”. www.rmf24.pl (in Polish). Archived from the original on January 25, 2022. Retrieved January 25, 2022.
Wroński, Paweł; Tynkowski, Marcin (February 7, 2022). “Cyberatak na Najwyższą Izbę Kontroli. “Mamy podejrzenie włamania Pegasusem na trzy telefony”” [Cyber attack on the Supreme Audit Office. “We have a suspicion of a Pegasus hacking on three phones”]. Gazeta Wyborcza (in Polish). Archived from the original on February 8, 2022. Retrieved February 8, 2022.
“WhatsApp spyware attack: senior clergymen in Togo among activists targeted”. the Guardian. August 3, 2020. Archived from the original on April 6, 2022. Retrieved April 18, 2022.
Kirkpatrick, David D. (December 2, 2018). “Israeli Software Helped Saudis Spy on Khashoggi, Lawsuit Says (Published 2018)”. The New York Times. ISSN 0362-4331. Archived from the original on March 8, 2021. Retrieved March 8, 2021.
“The Kingdom Came to Canada – How Saudi-Linked Digital Espionage Reached Canadian Soil”. The Citizen Lab. Toronto. October 1, 2018. Archived from the original on November 8, 2018. Retrieved November 8, 2019.
Satter, Raphael (January 25, 2019). “APNewsBreak: Undercover agents target cybersecurity watchdog”. The Seattle Times via AP News. New York. Archived from the original on January 26, 2019. Retrieved January 26, 2019. Updated January 26
“Israeli Software Helped Saudis Spy on Khashoggi, Lawsuit Says”. Archived from the original on December 3, 2018. Retrieved December 3, 2018.
Falconer, Rebecca (March 24, 2019). “Israeli firm won’t say if it sold Saudis spyware linked to Khashoggi killing”. Axios. Archived from the original on March 25, 2019. Retrieved November 9, 2019.
“Saudis behind NSO spyware attack on Jamal Khashoggi’s family, leak suggests”. TheGuardian.com. July 18, 2021. Archived from the original on March 21, 2022. Retrieved March 21, 2022.
Burgess, Matt (January 23, 2020). “If Saudi Arabia did hack Jeff Bezos, this is probably how it went down”. Wired UK. Archived from the original on July 20, 2021.
Sarkar, Debashis (January 23, 2020). “Forensic report reveals Israeli spyware Pegasus behind Jeff Bezos’s phone hack”. Times of India. Archived from the original on July 20, 2021.
“New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts”. The Citizen Lab. October 24, 2021. Archived from the original on January 2, 2020. Retrieved October 24, 2021.
Hubbard, Ben (October 24, 2021). “I Was Hacked. The Spyware Used Against Me Makes Us All Vulnerable”. The New York Times. Archived from the original on October 31, 2021. Retrieved October 24, 2021.
The Kingdom Came to Canada; How Saudi-Linked Digital Espionage Reached Canadian Soil Archived November 8, 2018, at the Wayback Machine, By Bill Marczak, John Scott-Railton, Adam Senft, Bahr Abdul Razzak, and Ron Deibert October 1, 2018
Kirchgaessner, Stephanie; Jones, Sam (July 13, 2020). “Phone of top Catalan politician ‘targeted by government-grade spyware'”. The Guardian. Archived from the original on February 18, 2021. Retrieved January 30, 2022.
“Hauek dira Pegasus eta Candiru programekin ustez espiatu dituzten independentistak”. EITB (in Basque). April 19, 2022. Retrieved April 23, 2022.
Aduriz, Iñigo (April 19, 2022). “Unidas Podemos pide a Robles y Marlaska que investiguen el espionaje a dirigentes independentistas: “Tienen que rodar cabezas””. ElDiario.es (in Spanish). Retrieved April 23, 2022.
“CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru”. The Citizen Lab. April 18, 2022. Retrieved April 26, 2022.
“Hauek dira Pegasus eta Candiru programekin ustez espiatu dituzten independentistak”. EITB (in Basque). April 19, 2022. Retrieved April 23, 2022.
Orla Barry (May 5, 2022). “Pegasus spyware strikes again in Europe”. The World.
“Spanish prime minister’s mobile phone infected by Pegasus spyware, government says”. Reuters. May 2, 2022.
“El Gobierno asegura que los móviles de Sánchez y Robles fueron espiados con Pegasus”. Vozpopuli (in Spanish). May 2, 2022. Retrieved May 2, 2022.
Srivastava, Mmehul (December 21, 2021). “The secret Uganda deal that has brought NSO to the brink of collapse”. ArsTechnica. Archived from the original on December 28, 2021. Retrieved December 22, 2021.
“UAE targeted Yemen officials with Israeli Pegasus spyware: report”. Daily Sabah. August 4, 2021. Archived from the original on August 6, 2021. Retrieved August 4, 2021.
“New evidence suggests spyware used to surveil Emirati activist Alaa Al-Siddiq”. The Guardian. September 24, 2021. Archived from the original on September 27, 2021. Retrieved September 24, 2021.
Gardner, Frank (October 6, 2021). “Princess Haya: Dubai ruler had ex-wife’s phone hacked – UK court”. BBC News. Archived from the original on October 6, 2021. Retrieved October 6, 2021.
“Pegasus spyware maker ends contract with UAE after UK high court’s hacking ruling”. CNN. October 7, 2021. Archived from the original on October 13, 2021. Retrieved October 7, 2021.
Wiggins, Kaye (April 2022). “Abu Dhabi state funds were used to buy Israeli spyware group NSO”. The Financial Times. Archived from the original on April 5, 2022. Retrieved April 1, 2022.
“UAE linked to Downing Street spyware attack that may have compromised Boris Johnson’s phone”. The Telegraph. Retrieved April 18, 2022.
“UAE tried to ‘influence’ Tory ministers to ‘mislead’ the public, sacked embassy guard says in court papers”. The Telegraph. Retrieved April 23, 2022.
Kirchgaessner, Stephanie (April 18, 2022). “No 10 suspected of being target of NSO spyware attack, Boris Johnson ‘told'”. The Guardian. Retrieved April 19, 2022.
“The DEA Didn’t Buy Malware From Israel’s Controversial NSO Group Because It Was Too Expensive”. www.vice.com. Archived from the original on February 1, 2022. Retrieved February 1, 2022.
Bing, Christopher; Menn, Joseph (December 3, 2021). “U.S. State Department phones hacked with Israeli company spyware – sources”. Reuters. Archived from the original on December 4, 2021. Retrieved December 4, 2021.
Toosi, Nahal (November 19, 2021). “Biden’s balancing act in the Middle East has a problem: Israel”. POLITICO. Archived from the original on December 5, 2021. Retrieved December 5, 2021.
“AP Source: NSO Group spyware used to hack State employees”. AP NEWS. December 3, 2021. Archived from the original on February 1, 2022. Retrieved February 1, 2022.
Levenson, Michael (January 28, 2022). “F.B.I. Secretly Bought Israeli Spyware and Explored Hacking U.S. Phones”. The New York Times. ISSN 0362-4331. Archived from the original on January 31, 2022. Retrieved January 31, 2022.
“The FBI Reportedly Considered Buying Spyware That Could Hack Any Phone in the U.S.” Gizmodo. Archived from the original on January 31, 2022. Retrieved January 31, 2022.
“UN-backed investigator into possible Yemen war crimes targeted by spyware”. The Guardian. December 20, 2021. Archived from the original on January 30, 2022. Retrieved December 20, 2021.
Satter, Raphael; Bing, Christopher (April 11, 2022). “Senior EU officials were targeted with Israeli spyware”. Reuters. Archived from the original on April 13, 2022. Retrieved April 13, 2022.
“BJP Fields State Leaders to Tackle Pegasus Allegations, Uses ‘International Conspiracy’ Bogey”. The Wire. Archived from the original on July 21, 2021. Retrieved July 21, 2021.
“Israel Helped Over Ten Countries Tap Over 50,000 Phones”. Daraj. July 18, 2021. Archived from the original on July 19, 2021. Retrieved July 19, 2021.
“Direkt36” (in Hungarian). Archived from the original on July 18, 2021. Retrieved July 19, 2021.
“About The Pegasus Project”. Forbidden Stories. Archived from the original on July 19, 2021. Retrieved July 19, 2021.
“THE PEGASUS PROJECT Live Blog: Major Stories from Partners”. FRONTLINE. Archived from the original on July 21, 2021. Retrieved July 21, 2021.
“NSO CEO exclusively responds to allegations: “The list of 50,000 phone numbers has nothing to do with us” | Ctech”. m.calcalistech.com. Archived from the original on July 20, 2021. Retrieved July 21, 2021.
“Pegasus spyware found on journalists’ phones, French intelligence confirms”. the Guardian. August 2, 2021. Archived from the original on August 2, 2021. Retrieved August 2, 2021.
“Top Human Rights Watch investigator allegedly hacked with Pegasus spyware”. The Guardian. January 26, 2022. Archived from the original on January 26, 2022. Retrieved January 26, 2022.
“Massive data leak reveals Israeli NSO Group’s spyware used to target activists, journalists, and political leaders globally”. Amnesty International. July 18, 2021. Archived from the original on July 18, 2021. Retrieved July 18, 2021.
Priest, Dana; Timberg, Craig; Mekhennet, Souad. “Private Israeli spyware used to hack cellphones of journalists, activists worldwide”. The Washington Post. Archived from the original on January 2, 2020. Retrieved July 20, 2021.
Tynan, Dan (August 25, 2016). “Apple issues global iOS update after attempt to use spyware on activist’s iPhone”. The Guardian. Archived from the original on April 18, 2019. Retrieved December 21, 2016.
Brandom, Russell (August 26, 2016). “Why can’t Apple spend its way out of security vulnerabilities?”. The Verge. Archived from the original on December 21, 2016. Retrieved December 21, 2016.
vte
Hacking in the 2010s
← 2000s Timeline 2020s →
Major incidents
2010
Operation Aurora Australian cyberattacks Operation ShadowNet Operation Payback
2011
DigiNotar DNSChanger HBGary Federal Operation AntiSec Operation Tunisia PlayStation RSA SecurID compromise
2012
LinkedIn hack Stratfor email leak Operation High Roller
2013
South Korea cyberattack Snapchat hack Cyberterrorism Attack of June 25 2013 Yahoo! data breach Singapore cyberattacks
2014
Anthem medical data breach Operation Tovar 2014 celebrity nude photo leak 2014 JPMorgan Chase data breach Sony Pictures hack Russian hacker password theft 2014 Yahoo! data breach
2015
Office of Personnel Management data breach Hacking Team Ashley Madison data breach VTech data breach Ukrainian Power Grid Cyberattack SWIFT banking hack
2016
Bangladesh Bank robbery Hollywood Presbyterian Medical Center ransomware incident Commission on Elections data breach Democratic National Committee cyber attacks Vietnam Airport Hacks DCCC cyber attacks Indian Bank data breaches Surkov leaks Dyn cyberattack Russian interference in the 2016 U.S. elections 2016 Bitfinex hack
2017
SHAttered 2017 Macron e-mail leaks WannaCry ransomware attack Westminster data breach Petya cyberattack
2017 cyberattacks on Ukraine Equifax data breach Deloitte breach Disqus breach
2018
Trustico Atlanta cyberattack SingHealth data breach
2019
Sri Lanka cyberattack Baltimore ransomware attack Bulgarian revenue agency hack Jeff Bezos phone hacking
Hacktivism
Anonymous
associated events CyberBerkut GNAA Goatse Security Lizard Squad LulzRaft LulzSec New World Hackers NullCrew OurMine PayPal 14 RedHack TeaMp0isoN TDO UGNazi Ukrainian Cyber Alliance
Advanced
persistent threats
Bureau 121 Charming Kitten Cozy Bear Dark Basin Elfin Team Equation Group Fancy Bear GOSSIPGIRL (confederation) Guccifer 2.0 Hacking Team Helix Kitten Iranian Cyber Army Lazarus Group (BlueNorOff) (AndAriel) NSO Group PLA Unit 61398 PLA Unit 61486 PLATINUM Pranknet Red Apollo Rocket Kitten Syrian Electronic Army Tailored Access Operations The Shadow Brokers Yemen Cyber Army
Individuals
George Hotz Guccifer Jeremy Hammond Junaid Hussain Kristoffer von Hassel Mustafa Al-Bassam MLT Ryan Ackroyd Sabu Topiary Track2 The Jester
Major vulnerabilities
publicly disclosed
Evercookie (2010) iSeeYou (2013) Heartbleed (2014) Shellshock (2014) POODLE (2014) Rootpipe (2014) Row hammer (2014) SS7 vulnerabilities (2014) JASBUG (2015) Stagefright (2015) DROWN (2016) Badlock (2016) Dirty COW (2016) Cloudbleed (2017) Broadcom Wi-Fi (2017) EternalBlue (2017) DoublePulsar (2017) Silent Bob is Silent (2017) KRACK (2017) ROCA vulnerability (2017) BlueBorne (2017) Meltdown (2018) Spectre (2018) EFAIL (2018) Exactis (2018) Speculative Store Bypass (2018) Lazy FP State Restore (2018) TLBleed (2018) SigSpoof (2018) Foreshadow (2018) Dragonblood (2019) Microarchitectural Data Sampling (2019) BlueKeep (2019) Kr00k (2019)
Malware
2010
Bad Rabbit SpyEye Stuxnet
2011
Alureon Duqu Kelihos Metulji botnet Stars
2012
Carna Dexter FBI Flame Mahdi Red October Shamoon
2013
CryptoLocker DarkSeoul
2014
Brambul Carbanak Careto DarkHotel Duqu 2.0 FinFisher Gameover ZeuS Regin
2015
Dridex Hidden Tear Rombertik TeslaCrypt
2016
Hitler Jigsaw KeRanger MEMZ Mirai Pegasus Petya (NotPetya) X-Agent
2017
BrickerBot Kirk LogicLocker Rensenware ransomware Triton WannaCry XafeCopy
2019
Grum Joanap NetTraveler R2D2 Tinba Titanium Vault 7 ZeroAccess botnet
Categories:
Hacking in the 2010sMalware toolkitsAndroid (operating system) malwareIOS malwareEspionage scandals and incidentsSpywareSpyware used by governments
II. Meet Toka, the Most Dangerous Israeli Spyware Firm You’ve Never Heard of
July 25, 2021
© Photo: pixahive.com
The mainstream media’s myopic focus on Israel’s Pegasus spyware and the threats it poses means that other companies, like Toka, go uninvestigated, even when their products present an even greater potential for abuse and illegal surveillance.
By Whitney WEBB
This past Sunday, an investigation into the global abuse of spyware developed by veterans of Israeli intelligence Unit 8200 gained widespread attention, as it was revealed that the software – sold to democratic and authoritarian governments alike – had been used to illegally spy on an estimated 50,000 individuals. Among those who had their communications and devices spied on by the software, known as Pegasus, were journalists, human rights activists, business executives, academics and prominent political leaders. Among those targeted political leaders, per reports, were the current leaders of France, Pakistan, South Africa, Egypt, Morocco and Iraq.
The abuse of Pegasus software in this very way has been known for several years, though these latest revelations appear to have gained such traction in the mainstream owing to the high number of civilians who have reportedly been surveilled through its use. The continuation of the now-years-long scandal surrounding the abuse of Pegasus has also brought considerable controversy and notoriety to the Israeli company that developed it, the NSO Group.
While the NSO Group has become infamous, other Israeli companies with even deeper ties to Israel’s intelligence apparatus have been selling software that not only provides the exact same services to governments and intelligence agencies but purports to go even farther.
Originally founded by former Israeli Prime Minister and Jeffrey Epstein associate Ehud Barak, one of these companies’ wares are being used by countries around the world, including in developing countries with the direct facilitation of global financial institutions like the Inter-American Development Bank (IDB) and the World Bank. In addition, the software is only made available to governments that are “trusted” by Israel’s government, which “works closely” with the company.
Despite the fact that this firm has been around since 2018 and was covered in detail by this author for MintPress News in January 2020, no mainstream outlet – including those that have extensively covered the NSO Group – has bothered to examine the implications of this story.
Worse than Pegasus
Toka was launched in 2018 with the explicit purpose of selling a “tailored ecosystem of cyber capabilities and software products for governmental, law enforcement, and security agencies.” According to a profile of the company published in Forbes shortly after it launched, Toka advertised itself as “a one-stop hacking shop for governments that require extra capability to fight terrorists and other threats to national security in the digital domain.”
Toka launched with plans to “provide spy tools for whatever device its clients require,” including not only smartphones but a “special focus on the so-called Internet of Things (IoT).” Per the company, this includes devices like Amazon Echo, Google Nest-connected home products, as well as connected fridges, thermostats and alarms. Exploits in these products discovered by Toka, the company said at the time, would not be disclosed to vendors, meaning those flaws would continue to remain vulnerable to any hacker, whether a client of Toka or not.
Today, Toka’s software suite claims to offer its customers in law enforcement, government and intelligence the ability to obtain “targeted intelligence” and to conduct “forensic investigations” as well as “covert operations.” In addition, Toka offers governments its “Cyber Designers” service, which provides “agencies with the full-spectrum strategies, customized projects and technologies needed to keep critical infrastructure, the digital landscape and government institutions secure and durable.”
Given that NSO’s Pegasus targets only smartphones, Toka’s hacking suite – which, like Pegasus, is also classified as a “lawful intercept” product – is capable of targeting any device connected to the internet, including but not limited to smartphones. In addition, its target clientele are the same as those of Pegasus, providing an easy opportunity for governments to gain access to even more surveillance capabilities than Pegasus offers, but without risking notoriety in the media, since Toka has long avoided the limelight.
Toka IoT
A slide from an April 20, 2021 presentation given by Toka’s VP of Global Sales, Michael Anderson
In addition, while Toka professes that its products are only used by “trusted” governments and agencies to combat “terrorism” and maintain order and public safety, the sales pitch for the NSO Group’s Pegasus is remarkably similar, and that sales pitch has not stopped its software from being used to target dissidents, politicians and journalists. It also allows many of the same groups who are Toka clients, like intelligence agencies, to use these tools for the purpose of obtaining blackmail. The use of blackmail by Israeli security agencies against civilian Palestinians to attempt to weaken Palestinian society and for political persecution is well-documented.
Toka has been described by market analysts as an “offensive security” company, though the company’s leadership rejects this characterization. Company co-founder and current CEO Yaron Rosen asserted that, as opposed to purely offensive, the company’s operations are “something in the middle,” which he classifies as bridging cyber defense and offensive cyber activities — e.g., hacking.
The company’s activities are concerning in light of the fact that Toka has been directly partnered with Israel’s Ministry of Defense and other Israeli intelligence and security agencies since its founding. The company “works closely” with these government agencies, according to an Israeli Ministry of Defense website. This collaboration, per Toka, is meant to “enhance” their products. Toka’s direct IDF links are in contrast to the NSO Group, a company that does not maintain overt ties with the Israeli security state.
Toka’s direct collaboration with Israel’s government is also made clear through its claim that it sells its products and offers its services only to “trusted” governments, law enforcement agencies and intelligence agencies. Toka’s Rosen has stated that Russia, China, and “other enemy countries” would never be customers of the company. In other words, only countries aligned with Israeli policy goals, particularly in occupied Palestine, are permitted to be customers and gain access to its trove of powerful hacking tools. This is consistent with Israeli government efforts to leverage Israel’s hi-tech sector as a means of countering the Boycott, Divest and Sanctions (BDS) movement globally.
Yaron Rosen
A profile photo of former Chief of Cyber Staff for the IDF and Toka co-founder, Yaron Rosen. Credit | Spy Legends
Further evidence that Toka is part of this Israeli government effort to seed foreign governments with technology products deeply tied to Israel’s military and intelligence services is the fact that one of the main investors in Toka is Dell Technologies Capital, which is an extension of the well-known tech company Dell. Dell was founded by Michael Dell, a well-known pro-Israel partisan who has donated millions of dollars to the Friends of the IDF and is one of the top supporters of the so-called “anti-BDS” bills that prevent publicly employed individuals or public institutions in several U.S. states from supporting non-violent boycotts of Israel, even on humanitarian grounds. As MintPress previously noted, the fact that a major producer of consumer electronic goods is heavily investing in a company that markets the hacking of that very technology should be a red flag.
The government’s initial admitted use of the hi-tech sector to counter the BDS movement coincided with the launch of a new Israeli military and intelligence agency policy in 2012, whereby “cyber-related and intelligence projects that were previously carried out in-house in the Israeli military and Israel’s main intelligence arms are transferred to companies that, in some cases, were built for this exact purpose.”
One of the reasons this was reportedly launched was to retain members of Unit 8200 engaged in military work who were moving to jobs in the country’s high-paying tech sector. Through this new policy that has worked to essentially merge much of the private tech sector with Israel’s national security state, some Unit 8200 and other intelligence veterans continue their work for the state but benefit from a private sector salary. The end result is that an unknown – and likely very high – number of Israeli tech companies are led by veterans of the Israeli military and Israeli intelligence agencies and serve, for all intents and purposes, as front companies. A closer examination of Toka strongly suggests that it is one such front company.
Toka — born out of Israel’s national security state
The company was co-founded by Ehud Barak, Alon Kantor, Kfir Waldman and retired IDF Brigadier General Yaron Rosen. Rosen, the firm’s founding CEO and now co-CEO, is the former Chief of the IDF’s cyber staff, where he was “the lead architect of all [IDF] cyber activities,” including those executed by Israeli military intelligence Unit 8200. Alon Kantor is the former Vice President of Business Development for Check Point Software, a software and hardware company founded by Unit 8200 veterans. Kfir Waldman is the former CEO of Go Arc and a former Director of Engineering at technology giant Cisco. Cisco is a leader in the field of Internet of Things devices and IoT cybersecurity, while Go Arc focuses on applications for mobile devices. As previously mentioned, Toka hacks not only mobile devices but also has a “special focus” on hacking IoT devices.
Toka IoT
A slide from an April 20, 2021 presentation given by Toka’s VP of Global Sales, Michael Anderson
In addition to having served as prime minister of Israel, Toka co-founder Ehud Barak previously served as head of Israeli military intelligence directorate Aman, as well as several other prominent posts in the IDF, before eventually leading the Israeli military as minister of defense. While minister of defense, he led Operation Cast Lead against the blockaded Gaza Strip in 2009, which resulted in the deaths of over 1,000 Palestinians and saw Israel illegally use chemical weapons against civilians.
Toka is the first start-up created by Barak. However, Barak had previously chaired and invested in Carbyne911, a controversial Israeli emergency services start-up that has expanded around the world and has become particularly entrenched in the United States. Carbyne’s success has been despite the Jeffrey Epstein scandal, given that the intelligence-linked pedophile and sex trafficker had invested heavily in the company at Barak’s behest. Barak’s close relationship with Epstein, including overnight visits to Epstein’s now-notorious island and apartment complexes that housed trafficked women and underage girls, has been extensively documented.
Barak stepped away from Toka in April of last year, likely as the result of the controversy over his Epstein links, which also saw Barak withdraw from his chairmanship of Carbyne in the wake of Epstein’s death. Considerable evidence has pointed to Epstein having been an intelligence asset of Israeli military intelligence who accrued blackmail on powerful individuals for the benefit of Israel’s national security state and other intelligence agencies, as well as for personal gain.
Another notable Toka executive is Nir Peleg, the company’s Vice President for Strategic Projects. Peleg is the former head of the Research and Development Division at Israel’s National Cyber Directorate, where he led national cybersecurity projects as well as government initiatives and collaborations with international partners and Israeli cybersecurity innovative companies. Prior to this, Peleg claims to have served for more than 20 years in leading positions at the IDF’s “elite technology unit,” though he does specify exactly which unit this was. His LinkedIn profile lists him as having been head of the IDF’s entire Technology Department from 2008 to 2011.
While at Israel’s National Cyber Directorate, Peleg worked closely with Tal Goldstein, now the head of strategy for the World Economic Forum’s Partnership against Cybercrime (WEF-PAC), whose members include government agencies of the U.S., Israel and the U.K., along with some of the world’s most powerful companies in technology and finance. The goal of this effort is to establish a global entity that is capable of controlling the flow of information, data, and money on the internet. Notably, Toka CEO Yaron Rosen recently called for essentially this exact organization to be established when he stated that the international community needed to urgently create the “cyber” equivalent of the World Health Organization to combat the so-called “cyber pandemic.”
Claims that a “cyber pandemic” is imminent have been frequent from individuals tied to the WEF-PAC, including CEO of Checkpoint Software Gil Shwed. Checkpoint is a member of WEF-PAC and two of its former vice presidents, Michael Anderson and Alon Kantor, are now Vice President for Global Sales and co-CEO of Toka, respectively.
Tal Goldstein
The Wolrd Economic Forum does little to hide its partnership with former Israeli intelligence officials
Toka’s Chief Technology Officer, and the chief architect of its hacking suite, is Moty Zaltsman, who is the only chief executive of the company not listed on the firm’s website. Per his LinkedIn, Zaltsman was the Chief Technology Officer for then-Israeli Prime Minister Benjamin Netanyahu. Last January, when Toka was covered by MintPress News, his profile stated that he had developed “offensive technologies” for Israel’s head of state, but Zaltsman has since removed this claim. The last Toka executive of note is Michael Volfman, the company’s Vice President of Research and Development. Volfman was previously a cyber research and development leader at an unspecified “leading technology unit” of the IDF.
Also worth mentioning are Toka’s main investors, particularly Entrèe Capital, which is managed by Aviad Eyal and Ran Achituv. Achituv, who manages Entrée’s investment in Toka and sits on Toka’s board of directors, was the founder of the IDF’s satellite-based signals intelligence unit and also a former senior vice president at both Amdocs and Comverse Infosys. Both Amdocs and Comverse courted scandal in the late 1990s and early 2000s for their role in a massive Israeli government-backed espionage operation that targeted U.S. federal agencies during that period.
Despite this scandal and others in the company’s past, Comverse subsidiary Verint was subsequently contracted by the U.S. National Security Agency (NSA) to bug the telecommunications network of Verizon shortly after their previous espionage scandal was covered by mainstream media. The contract was part of Operation Stellar Winds and was approved by then-NSA Director Keith Alexander, who has since been an outspoken advocate of closer Israeli-American government cooperation in cybersecurity.
In addition to Entrèe Capital, Andreessen Horowitz is another of Toka’s main investors. The venture capital firm co-founded by Silicon Valley titan Marc Andreessen is currently advised by former Secretary of the Treasury Larry Summers, a close friend of the infamous pedophile Jeffery Epstein. Early investors in Toka that are no longer listed on the firm’s website include Launch Capital, which is deeply tied to the Pritzker family — one of the wealthiest families in the U.S., with close ties to the Clintons and Obamas as well as the U.S.’ pro-Israel lobby — and Ray Rothrock, a venture capitalist who spent nearly three decades at VenRock, the Rockefeller family venture capital fund.
In light of the aforementioned policy of Israel’s government to use private tech companies as fronts, the combination of Toka’s direct Israeli government ties, the nature of its products and services, and the numerous, significant connections of its leaders and investors to both Israeli military intelligence and past Israeli espionage scandals strongly suggests that Toka is one such front.
If this is the case, there is reason to believe that, when Toka clients hack and gain access to a device, elements of the Israeli state could also gain access. This concern is born out of the fact that Israeli intelligence has engaged in this exact type of behavior before as part of the PROMIS software scandal, whereby Israeli “superspy” Robert Maxwell sold bugged software to the U.S. government, including highly sensitive locations involved in classified nuclear weapons research. When that software, known as PROMIS, was installed on U.S. government computers, Israeli intelligence gained access to those same systems and devices.
The U.S. government was not the only target of this operation, however, as the bugged PROMIS software was placed on the networks of several intelligence agencies around the world as well as powerful corporations and several large banks. Israeli intelligence gained access to all of their systems until the compromised nature of the software was made public. However, Israel’s government was not held accountable by the U.S. government or the international community for its far-reaching espionage program, a program directly facilitated by technology-focused front companies. The similarities between the products marketed and clients targeted by Maxwell during the PROMIS scandal and currently by Toka are considerable.
World Bank, IDB aid Toka in targeting Palestine’s allies
While the ties between Toka and Israel’s national security state are clear as day, what is also significant and unsettling about this company is how its entry into developing and developed countries alike is being facilitated by global financial institutions, specifically the World Bank and the Inter-American Development Bank. Notably, these are the only deals with governments that Toka advertises on its website, as the others are not made public.
Several projects funded by one or another of these two institutions have seen Toka become the “cyber designer” of national cybersecurity strategies for Nigeria and Chile since last year. Significantly, both countries’ populations show strong support for Palestine and the BDS movement. In addition, Toka garnered a World Bank-funded contract with the government of Moldova, an ally of Israel, last September.
The World Bank selected Toka in February of last year to “enhance Nigeria’s cyber development,” which includes developing “national frameworks, technical capabilities and enhancement of skills.” Through the World Bank contract, Toka has now become intimately involved with both the public and private sectors of Nigeria that it relates to the country’s “cyber ecosystem.” The World Bank’s decision to choose Toka is likely the result of a partnership forged in 2019 by the state of Israel with the global financial institution “to boost cybersecurity in the developing world,” with a focus on Africa and Asia.
Nigeria Toka
Toka executives pose with Nigerian officials in 2020. Photo | Israel Defense
“Designing and building sustainable and robust national cyber strategy and cyber resilience is a critical enabler to fulfilling the objectives of Nigeria’s national cybersecurity policy and strategic framework,” Toka CEO Yaron Rosen said in a press release regarding the contract.
Given Toka’s aforementioned use of its technology for only “trusted” governments, it is notable that Nigeria has been a strong ally of Palestine for most of the past decade, save for one abstention at a crucial UN vote in 2014. In addition to the government, numerous student groups, human rights organizations, and Islamic organizations in the country are outspoken in their support for Palestine. With Toka’s efforts to offer its products only to countries who align themselves with “friendly” countries, their now intimate involvement with Nigeria’s cyber development could soon have consequences for a government that has tended to support the Palestinian cause. This is even more likely given Toka CEO Rosen’s statements at an April 2021 event hosted by Israel’s Ministry of Economy, where he emphasized the role of cyber in developing countries specifically in terms of their national defense and economic strategy.
Three months after the deal was struck with Nigeria through the World Bank, the Inter-American Development Bank (IDB) selected Toka to advise the government of Chile on “next steps for the country’s national cybersecurity readiness and operational capacity building.” As part of the project, “Toka will assess the current cybersecurity gaps and challenges in Chile and support the IDB project implementation by recommending specific cybersecurity readiness improvements,” per a press release. Toka claims it will help “establish Chile as a cybersecurity leader in South America.” Regarding the deal, Toka’s Rosen stated that he was “thankful” that the IDB had “provided us with this opportunity to work with the Government of Chile.”
Israel signed consequential agreements for cooperation with the IDB in 2015, before further deepening those ties in 2019 by partnering with the IDB to invest $250 million from Israeli institutions in Latin America specifically.
Toka executives are pictured with Chilean officials during a 2020 meeting in Santiago
Like Nigeria, Chile has a strong connection with Palestine and is often a target of Israeli government influence efforts. Though the current far-right government of Sebastián Piñera has grown close to Israel, Chile is home to the largest Palestinian exile community in the world outside of the Middle East. As a result, Chile has one of the strongest BDS movements in the Americas, with cities declaring a non-violent boycott of Israel until the Piñera administration stepped in to claim that such boycotts can only be implemented at the federal level. Palestinian Chileans have strong influence on Chilean politics, with a recent, popular presidential candidate, Daniel Jadue, being the son of Palestinian immigrants to Chile. Earlier this year, in June, Chile’s congress drafted a bill to boycott goods, services and products from illegal Israeli settlements.
While Toka frames both of these projects as aimed at helping the cyber readiness and economies of the countries it now services, Israeli media has painted a different picture. For instance, Haaretz wrote that Israel’s partnerships with development banks, specifically those made in 2019 that resulted in these Toka contracts, were planned by an inter-ministerial committee set up by then-Prime Minister Benjamin Netanyahu “to realize the potential of international development to strengthen the Israeli economy, improve Israel’s political standing and strengthen its international role.” One source, quoted by Haaretz as being close to this undertaking, stated that “development banks are a way to help advance Israel’s interests and agenda in the developing world, including Latin America. But it’s not philanthropy.”
Given these statements, and Toka’s own modus operandi as a company and its background, it seems highly likely that the reason both Nigeria and Chile were chosen as the first of Toka’s development banks contracts was aimed at advancing the Israeli government’s agenda in those specific countries, one that seeks to counter and mitigate the vocal support for Palestine among those countries’ inhabitants.
The spyware problem goes far beyond NSO Group
The NSO Group and its Pegasus software is clearly a major scandal that deserves scrutiny. However, the treatment of the incident by the media has largely absolved the Israeli government of any role in that affair, despite the fact that the NSO Group’s sales of Pegasus to foreign governments has been approved and defended by Israel’s government. This, of course, means that Israel’s government has obvious responsibility in the whole scandal as well.
In addition, the myopic focus on the NSO Group when it comes to mainstream media reporting on Israeli private spyware and the threats it poses means that other companies, like Toka, go uninvestigated, even if their products present an even greater potential for abuse and illegal surveillance than those currently marketed and sold by the NSO Group.
Given the longstanding history of Israeli intelligence’s use of technology firms for international surveillance and espionage, as well as its admitted policy of using tech companies as fronts to combat BDS and ensure Israel’s “cyber dominance,” the investigation into Israeli spyware cannot stop just with NSO Group. However, not stopping there risks directly challenging the Israeli state, particularly in Toka’s case, and this is something that mainstream media outlets tend to avoid. This is due to a mix of factors, but the fact that NSO’s Pegasus has been used to spy on journalists so extensively certainly doesn’t help the matter.
Yet, Israel’s weaponization of its tech industry, and the global use of its spyware offerings by governments and security agencies around the world, must be addressed, especially because it has been explicitly weaponized to prevent non-violent boycotts of Israel’s occupation of Palestine, including those solely based on humanitarian grounds or out of respect for international laws that Israel routinely breaks. Allowing a government to engage in this activity on a global scale to stifle criticism of flagrantly illegal policies and war crimes cannot continue and this should be the case for any government, not just Israel.
If the outlets eagerly reporting on the latest Pegasus revelations are truly concerned with the abuse of spyware by governments and intelligence agencies around the world, they should also give attention to Toka, as it is actively arming these same institutions with weapons far worse than any NSO Group product.
mintpressnews.com