Forensic Methodology Report: How to catch NSO Group's Pegasus


Amnesty International 18 July, 2021 - 12:48pm

Who created Pegasus spyware?

'Pegasus' is highly advanced spyware: malicious software created by the Israel-based cyber intelligence firm NSO Group to hack computers and smartphones, gather data and deliver it to a third party.

Source: India.com, "Explained: What is Pegasus Spyware? How Does it Use WhatsApp to Hack a Device?"

Khashoggi’s fiancee, son targeted by NSO tech, investigation reveals

Haaretz 19 July, 2021 - 08:01am

Close friends, colleagues and family members of the murdered journalist were all selected as targets by NSO clients, likely Saudis and UAE, according to Forbidden Stories investigation

Forbidden Stories and Amnesty International had access to a leak of more than 50,000 records of phone numbers that NSO clients selected for surveillance, revealing new details about the spyware used against slain Washington Post columnist Jamal Khashoggi. 

According to an analysis of these records by the group and its partners, more than 180 journalists were selected in 21 countries by at least 12 NSO clients. These government clients range from autocratic (Bahrain, Morocco and Saudi Arabia) to democratic (India and Mexico) and span the entire world, from Hungary and Azerbaijan in Europe to Togo and Rwanda in Africa. As the Pegasus Project will show, many of them have not been afraid to select journalists, human rights defenders, political opponents, businesspeople and even heads of state as targets of this invasive technology.

In NSO Group’s 2021 transparency report, one phrase appears three times: “save lives.” “Our goal,” the company writes at one point, “is to help states protect their citizens and save lives.” Yet the troubling use of NSO spyware against journalists and their family members, as identified in the Pegasus Project and in previous reports by digital rights NGOs, casts doubts on this narrative. 

On October 2, 2018, around 1 pm, Khashoggi walked into the Saudi consulate in Turkey and never came back out. The brazen assassination of the dissident journalist initiated a wave of global responses, with world leaders, human rights groups and concerned citizens calling for an in-depth investigation into his murder – and the potential implication of NSO Group’s spyware in it.

A day before his murder, digital rights organization Citizen Lab reported that a close friend of Khashoggi, Omar Abdulaziz, had been targeted with NSO’s Pegasus in the months before Khashoggi’s murder.

NSO, for its part, has repeatedly said that it has access to a “kill switch” and that it has revoked access to clients when human rights are not respected. The company has categorically denied any involvement in Khashoggi's murder.

But new revelations from Forbidden Stories and its partners have found that Pegasus spyware was successfully installed on the cell phone of Khashoggi’s fiancée, Hatice Cengiz, just four days after the murder. The phone of Khashoggi’s son, Abdullah, was selected as a target of an NSO client that appears to be the UAE government, based on the consortium's analysis of the leaked data, several weeks after the murder. Close friends, colleagues and family members of the murdered journalist were all selected as targets by NSO clients that appear to be the governments of Saudi Arabia and the UAE, according to the Pegasus Project revelations released today.

"As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi," NSO Group wrote in its letter to Forbidden Stories. "We can confirm that our technology was not used to listen, monitor, track or collect information regarding him or his family members mentioned in your inquiry."

Khashoggi’s death, and the spyware lingering on the margins of it, security experts say, was not necessarily a unique case.

"[Khashoggi is] certainly not the first journalist to have been killed by an angry government. And he's not the first journalist to have been killed by an angry government for his journalism with some element of malware and surveillance involved,” says Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation (EFF). “These are things that very frequently go together.”

On March 2, 2017, local Mexican journalist Cecilio Pineda took out his phone and recorded his final broadcast. In it, the reporter from the city of Altamirano, who ran a Facebook page with more than 50,000 followers, spoke about alleged collusion between state and local police and the leader of a drug cartel.

Two hours later, he was dead – shot at least six times by two men on a motorcycle as he lay in a hammock outside of a car wash.

When Pineda was assassinated in 2017, at the age of 38, the world blinked and moved on. His death was seen as just another reporter killed in Mexico – the deadliest non-conflict zone in the world to be a journalist. But Pineda’s death may have been more than a drive-by job by a local cartel, according to the records accessed by Forbidden Stories and its partners.

Just a few weeks before he was killed, Pineda’s work cell phone was selected as a target of an NSO client in Mexico.

Forbidden Stories has been able to confirm that not just Pineda, but also the state prosecutor who investigated the case, Xavier Olea Pelaez, were selected as targets of Pegasus in the weeks and months before his murder. Forbidden Stories was unable to analyze Pineda’s phone because it disappeared immediately after his death. Pelaez did not keep his phone from the time, so it was not possible to confirm an infection by Pegasus. Pineda’s reporting, however, gives traces as to why Pineda’s work could have troubled Mexican authorities who may have had access to this technology.

At the time of his selection, Pineda was investigating links between the local crime boss, known as El Tequilero, and the governor of the state of Guerrero, Hector Astudillo. Friends and family who spoke with Forbidden Stories and its partners said that Pineda had received threats and had asked to be placed in a federal mechanism for the protection of journalists.

“Cecilio received many serious threats but he would play them down,” Israel Flores, a friend of Pineda’s, said in a recent interview. “He’d always say ‘nothing will happen.’”

As Pineda continued to report on the nexus of local politicians and drug traffickers, the threats came ever closer to him. A few days before his death, men in a white car took photos of his home, his mother said. The day he was killed, he stopped by his mother’s house before meeting a friend at a political rally. That was the last time she saw him.

“He told me ‘the bad guys aren’t going to kill me, they know me, they’re my friends. If they kill me it will be the government,’” his mother said in an interview.

Pineda’s wife, Marisol Toledo, told a member of the Forbidden Stories consortium that the day after Pineda’s death she received a call from a government employee who told her he was investigating the murder. He never followed up.

“We don’t know what happened in the investigation,” Toledo said. “We don’t want trouble. People with power can do what they want, to who they want.” 

Pineda’s phone was also never found – as it had disappeared from the crime scene by the time the authorities had arrived. But when told about the possible role of spyware in tracking Pineda’s movements, Toledo was not surprised.

“If they succeeded, they would have known where he was at all times,” she said.


Key Modi rival Rahul Gandhi among potential Indian targets of NSO client

The Guardian 19 July, 2021 - 06:00am

Two numbers belonging to Gandhi, who led the Congress party during India’s 2019 national elections, were selected as candidates for possible surveillance in the year before the vote and in the months afterwards by NSO, whose spying tool Pegasus allows customers to infiltrate mobile phones and monitor messages, camera feeds and microphones.

Phones belonging to at least five of Gandhi’s close friends and other Congress party officials were also identified as potential targets using the spyware, according to a leaked list of potential targets selected by NSO customers. The data was accessed by the nonprofit journalism organisation Forbidden Stories and Amnesty International and shared with the Guardian and other media outlets as part of the Pegasus project.

The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.

The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.

Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
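The correlation check described above, expressed as a time-window join between the leaked selection timestamps and the earliest Pegasus-linked artefact found on each examined handset. This is an added illustration, not code from the Guardian, Amnesty's Security Lab or Citizen Lab; every number and timestamp is constructed, and the 24-hour window is an assumed threshold.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of leaked selection records: (number, time the number was
# entered on the client's system). Numbers use the fictional 555 range.
SELECTIONS = [
    ("+1-555-0101", "2019-04-02T09:15:03Z"),
    ("+1-555-0102", "2019-04-02T09:15:40Z"),
    ("+1-555-0103", "2019-06-11T18:02:10Z"),
    ("+1-555-0104", "2019-06-12T07:30:00Z"),
]

# Constructed sample of forensic results: earliest Pegasus-linked artefact
# timestamp per examined handset. None means the handset could not be examined
# (for example, it had been replaced), so the result is inconclusive.
FORENSIC_FIRST_ACTIVITY = {
    "+1-555-0101": "2019-04-02T09:15:11Z",  # activity 8 s after selection
    "+1-555-0102": None,                     # phone replaced, nothing to examine
    "+1-555-0103": "2019-08-01T12:00:00Z",   # weeks later: no tight correlation
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(selections, forensic, window=timedelta(hours=24)):
    """Map each selected number to (category, delta).

    correlated   : first Pegasus activity falls within `window` after selection
    uncorrelated : activity exists but outside the window (weak evidence)
    inconclusive : handset examined but nothing usable (e.g. replaced device)
    not_examined : number appears in the leak only; selection is not infection
    """
    results = {}
    for number, selected_at in selections:
        selected = parse_ts(selected_at)
        if number not in forensic:
            results[number] = ("not_examined", None)
            continue
        first_activity = forensic[number]
        if first_activity is None:
            results[number] = ("inconclusive", None)
            continue
        delta = parse_ts(first_activity) - selected
        if timedelta(0) <= delta <= window:
            results[number] = ("correlated", delta)
        else:
            results[number] = ("uncorrelated", delta)
    return results


def summarize(results):
    """Count numbers per category, mirroring the infected/attempted/inconclusive tally."""
    counts = {}
    for category, _ in results.values():
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    outcome = classify(SELECTIONS, FORENSIC_FIRST_ACTIVITY)
    for number, (category, delta) in outcome.items():
        print(f"{number}: {category}" + (f" (delta {delta})" if delta is not None else ""))
    print(summarize(outcome))
```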

Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.

While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.

You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”.

The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HLR lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.

Gandhi, who changes his device every few months to avoid surveillance, was not able to provide the phone he used at the time for examination. A successful hacking would have granted Modi’s government access to the private data of the prime minister’s primary challenger in the year before the 2019 elections.

“If your information is correct, the scale and nature of surveillance you describe goes beyond an attack on the privacy of individuals. It is an attack on the democratic foundations of our country. It must be thoroughly investigated and those responsible be identified and punished.”

The selection of the opposition leader’s phone as a possible surveillance target in 2019 coincided with the identification of the numbers of two staff members, Sachin Rao and Alankar Sawai, who at the time were working on forthcoming state election campaigns against Modi’s party in Haryana and Maharashtra.

Forensic analysis conducted on Wednesday on the phone of Prashant Kishor, a political strategist working for the party that defeated Modi’s Bharatiya Janata party (BJP) in the West Bengal state election earlier this year, established it had been hacked using Pegasus as recently as the day it was examined.

Kishor said the findings were “really disappointing”. “Those who did [the hacking] were looking to take undue advantage of their position of power with the help of illegal snooping,” he said.

Analysis of the more than 1,000 mostly Indian phone numbers selected for potential targeting by the NSO client that hacked Kishor strongly indicate intelligence agencies within the Indian government were behind the selection.

Other numbers identified in the records included those of known priorities of the country’s security agencies, including Kashmiri separatist leaders, Pakistani diplomats, Chinese journalists, Sikh activists and businesspeople known to be the subject of police investigations. The client also identified two numbers registered to or once known to have been used by the Pakistani prime minister, Imran Khan.

NSO has always maintained it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”. In statements issued through its lawyers, NSO said it would “continue to investigate all credible claims of misuse and take appropriate action”.

Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.

NSO markets Pegasus as a tool for fighting terrorism and crime, but the inclusion of a major Indian opposition leader in the records – alongside political staffers, labour unionists, Tibetan Buddhist clerics, social justice campaigners and a woman who accused India’s most senior judge of sexual harassment – raises troubling questions about the way the hacking software may have been used in India.

It also reinforces concerns about the health of the world’s largest democracy under Modi. An independent civil rights watchdog this year downgraded India to a “partly free” country, while another classified it as an “electoral autocracy”, both citing increased intimidation of journalists, meddling in the judiciary and violence against the country’s Muslim minority since the BJP came to power in 2014.

Lawyers have argued the use of Pegasus, NSO’s flagship surveillance tool, may be illegal under Indian law, which permits monitoring communications in some circumstances but explicitly bans hacking into devices. However, India does not officially admit to being an NSO customer, a significant hurdle to challenging the use of the spyware in court.

“The government has only said that if they do something, it would be done according to the proper process,” said Raman Jit Singh Chima, senior international counsel at the digital rights group Access Now.

“The allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever,” India’s ministry of electronics and information technology said in a statement. “Any interception, monitoring or decryption of any information through any computer resource is done as per due process of law.”

Modi and the then Israeli prime minister, Benjamin Netanyahu, were pictured during the trip walking barefoot together on a beach. Days before, Indian targets had started being selected.

The Indian candidates for surveillance went beyond opposition politicians. The phone number of a woman who accused India’s then chief justice of sexual harassment was selected shortly after her claims became public, along with 10 other numbers linked to her including those used by her husband and two other family members. The judge – recently nominated to parliament by Modi’s party – strongly denied the allegations and was cleared by a supreme court panel.

The motive for the scrutiny is unclear, though the Modi government has expressed suspicion of foreign funding for charities, research institutes and NGOs and has sought to tighten restrictions for bringing in money from overseas.

More than a dozen people associated with an Indian cabinet minister, Prahlad Singh Patel, are listed in the data including the elected official himself, his family members, advisers and personal staff including a cook and gardener in 2019, the records show. It is unclear why Patel and his associates were selected.

A second cabinet official, India’s newly sworn-in minister for electronics and information technology, Ashwini Vaishnaw – whose portfolio includes the regulation of the use of digital surveillance – was also selected as a potential surveillance target in 2017. Again, the NSO client’s motives for doing so are unclear.

Journalists emerge as a major focus in the records, including several covering defence and politics at major newspapers, such as the Indian Express and the Hindu, and others associated with the Wire, a media partner of the Pegasus project.

Forensic analysis detected Pegasus activity as recently as this month on a phone used by Sushant Singh, a journalist who investigated a controversial billion-dollar contract awarded to one of Modi’s close allies in business to build a fleet of fighter jets with the French manufacturer Dassault. The deal is reportedly being investigated in France for evidence of possible “corruption and favouritism”.

The Wire reporter Rohini Singh is facing civil and criminal defamation charges over an investigation she produced into the finances of the son of India’s home minister, Amit Shah. She was selected as a target over the two years that followed the publication of the story, along with one of the Wire’s columnists, Prem Shankar Jha, and its diplomatic editor, Devirupa Mitra.

The leaked records also suggest that critics of Modi inside independent government agencies were also selected as possible targets. Ashok Lavasa was appointed by the government to the Election Commission of India, which regulates campaigning and polling, and which has for decades enjoyed a near-sacrosanct status as a symbol of the integrity of Indian democracy.

A few months after Lavasa’s criticisms of Modi became public, Indian law enforcement agencies launched what became a series of investigations into him and four other members of his family. The Pegasus project records show his phone was identified as a target for possible surveillance soon after. Lavasa, who as an election commissioner, could only have been impeached by a two-thirds majority of the Indian parliament, retired early from the organisation last year.

A national newspaper journalist who reported on the story of Lavasa’s dissenting views was also selected around the same time, along with Jagdeep Chhokar, a member of the Association for Democratic Reforms, a watchdog group that was among those sounding alarm bells about the erosion of India’s democratic norms.
