As can be judged, such high-profile persons usually ended up on the list at the behest of foreign countries – political opponents or curious geographical neighbors. So, obviously, it was in the situation with the French president Emmanuel MacronIraqi President Barham Saleh and their South African counterpart Cyril Ramaphosa.
However, the current president and prime minister of Kazakhstan, a cohort of people close to the current president of Mexico, as well as the king and head of the government of Morocco, seem to have been chosen for observation by some forces in their own countries.
In a statement to reporters from the Pegasus project, NSO Group representatives said the list of phone numbers “does not represent a list of targets or potential targets identified by NSO clients.” According to company officials, Emmanuel Macron and King Mohammed VI “do not and never act as targets or chosen targets for the acquirers of NSO Group systems.”
The Pegasus project is a collaboration of over 80 journalists from 17 media outlets, including OCCRP. The project was coordinated by the French journalistic NGO Forbidden Stories. The phone numbers of the heads of state were identified and confirmed to journalists among the information from the list that came to them, in which there are more than 50,000 phone numbers in about 50 countries. There is a strong opinion that the list contains the numbers of those who were chosen for observation by the customers of the program from the NSO Group.
Expert technical analysis confirms the conclusions of the Pegasus project
Although there is no direct evidence, strong circumstantial evidence indicates that the list leaked to journalists includes people whom official structures – users of the Pegasus software have identified for digital surveillance.
A technical check of dozens of phones with numbers from the list confirmed that they were infected with Pegasus spyware. An additional argument is the court materials on the suit of the platform whatsapp to NSO. They contain data that intersects with journalistic ones, a chronology tied to events taking place in the world, and information from a mass of sources who transmitted insiders about the NSO Group.
Due to the high political position of the heads of state, journalists were unable to conduct a technical examination of their phones.
To infect a phone with Pegasus, the owner does not need to click on a link, read a message, or answer a call. When Pegasus is installed, it can extract various data from the device – correspondence, contacts, call logs, and more. Spyware can even turn on microphones and cameras and discreetly record audio and video.
“Governments that buy such software don’t differentiate between targets,” said Nate Schenkkan, director of policy research at Freedom House, an American rights group. “They just use it as they please.”
“Leaders, politicians, officials – everyone has to use some kind of device to communicate. And if you allow people to buy and sell the technical means to infiltrate these devices anywhere in the world … you end up provoking a situation where every person’s gadget will be hacked or infected.
When López Obrador ran for president in 2018, his new fledgling Morena (National Renaissance Movement) party posed a threat to the then ruling party, which had dominated the country’s politics since the 1920s. The degree of this threat may be indicated by the choice of phone numbers for the likely implementation of the Pegasus software: these are the numbers of his closest relatives – his wife, three sons and three brothers.
Phones of Obrador’s relatives were “tagged” for two years, before the 2018 elections. They also chose the numbers of his cardiologist, head of the press service, consultant on international affairs and even his former driver. In total, the list included the phones of 26 people from the close circle of Lopez Obrador. The most likely operator of the Pegasus spyware in this case was the Mexican state itself.
“Now we find out that they spied on my wife, and my sons, and even my doctor,” Lopez Obrador told reporters. – In addition to the question of surveillance itself, imagine how much it cost! How much money did they spend on this surveillance?”
The leaks of private conversations between López Obrador’s relatives and Morena party officials were apparently meant to undermine his election campaign. So, in an apparent attempt to undermine Obrador’s anti-corruption platform, someone recorded and leaked an alleged telephone conversation between his son Andrés Manuel López Beltrán and party secretary general Yedkol Polevnski, in which they allegedly discussed party funding.
In another country, Morocco, local intelligence agencies apparently “registered” telephone numbers, including those of the country’s top officials – Prime Minister Saadedddin Osmani and King Mohammed VI himself.
High stakes diplomacy
The available data clearly indicate that the telephone numbers of the three current presidents involved in the Pegasus project – French leader Macron, Saleh (Iraq) and Ramaphosa (South Africa) – were actively interested in foreign countries. Saleh’s phone is among the many numbers associated with both Saudi Arabia and the UAE. Ramaphosa’s number is among those related to Rwanda.
Pakistani Prime Minister Imran Khan and his Egyptian counterpart Mustafa Madbouli are the other two current government leaders (besides Saadedddin Osmani) whose phones have become potential targets for the Pegasus software. Along with Sagintaev, six more former heads of ministers’ cabinets were on the list. Each of them was the acting prime minister when their phone numbers were probably mapped out for surveillance. These are Edouard Philippe (France), Saad Hariri (Lebanon), Nureddin Bedoui (Algeria), Ruhakana Rugunda (Uganda), Ahmed Obeid bin Dagr (Yemen) and Charles Michel (Belgium). Burundian prime minister Alain-Guillaume Bugnoni’s phone appears to have been “under control” in Rwanda before he took over the government.
The data from the list of numbers points to the following combination of potential targets and likely operators of spyware: India has targeted Imran Khan as its target; Saudi Arabia – Mustafa Madbouli; United Arab Emirates – Ahmed bin Dagra; the Saudis and the UAE – Saada Hariri; Rwanda to Ruhakan Rugund. The numbers of Philippe, Bedouit and Michel, as can be seen, were taken into the development of the structure in Morocco.
Charles Michel, who has been President of the European Council since 2019, told reporters from the Pegasus project: “We were aware of such threats and we took measures to minimize the risks.”
It appears that Macron’s phone was also targeted by Moroccans in the first half of 2019. Around the same time, the phone numbers of several French ministers and other government officials were targeted, including Macron’s chief adviser on Africa, Franck Pari and Alexandra Benallu – Head of Macron’s bodyguard.
The reason for this “curiosity” may be Morocco’s desire to serve its own interests in the situation with the giant neighbor Algeria, which plunged into a political crisis around the same time that the numbers of Macron and French officials became targets. In March 2019, after mass protests, the permanent Prime Minister of Algeria, Abdel Aziz Bouteflika, withdrew from the next election race, and postponed the elections themselves. As a result, Bouteflika resigned, and a new government was created in the country.
According to the data of the Pegasus project, at about the same time as Macron, the phone of the Algerian diplomat Lakhdar Brahimi was targeted. Moreover, the influential member of the new Algerian government, Ramtan Lamamra, and the French ambassador to Algeria, Xavier Driancourt, have become possible targets for surveillance via telephone.
Two most important summits for Morocco were planned for 2019: the meeting of the heads of the five states of the Sahel region (G5 Sahel) and the assembly of the African Union. The controversial claims of Morocco in Western Sahara, attempts to achieve the ratification of a trade agreement under the auspices of the African Union, the crisis in Algeria – all this was probably discussed at the summits by Macron and his representatives. Judging by Project Pegasus data, Morocco apparently wanted to covertly keep abreast of all the details of these summits.
The original of this material
© OCCRP07/18/2021
How does Pegasus work?
The shocking revelations of Edward Snowden about the mass surveillance organized by the US government made the whole world think about cybersecurity.
End-to-end encryption, which used to be of interest only to spies and security geeks, has become commonplace: people prefer to use applications such as WhatsApp and signal.
Governments lost the ability to monitor their citizens, and they urgently needed to do something about it.
And so the Pegasus program was born.
Pegasus is the flagship product of the Israeli cyber-spying software company NSO Group. Perhaps this is the most famous of these companies. The technology created by the NSO Group allows customers, knowing only the phone number of a potential target, to embed Pegasus into the phone. The company claims to work only with governments and does not sell its product to individuals or firms.
However, instead of reading the information that is exchanged between device owners (which is most likely encrypted), Pegasus allows users to control the phone and access all data.
Pegasus monitors every action on the infected smartphone – all correspondence, search queries, and even passwords – and transfers them to the client. In addition, the program gives attackers access to a microphone and camera, turning the phone into a recording device that the victim carries with him everywhere.
“The program is designed in such a way that hackers, having infected the device, receive administrator rights. Because of this, they can do almost anything,” says Claudio Guarnieri from the Amnesty International Security Laboratory, where they developed a technique for analyzing infected phones.
Governments around the world desperately need Pegasus, and with it, full direct access to correspondence, as well as data on the movements of terrorists and criminals. However, the Pegasus project reveals that the NSO Group is likely selling the program to governments with a dubious record of respecting human rights. Moreover, Pegasus is used to spy on journalists and activists. Evidence collected by Project Pegasus indicates that governments around the world, from India to Azerbaijan, from Rwanda to Mexico, are using NSO-developed spyware.
To ensure that customers do not lose access to their devices, employees of the company need to constantly update the program, ahead of companies like Apple and Google, which are trying to patch security holes in the security systems of their devices and programs. Over the past five years, Pegasus has evolved from a relatively crude product based on social engineering to a program that can be injected into a phone without the involvement or knowledge of the owner of the device.
Zero click vulnerabilities
Previously, hacker attacks using Pegasus were not complete without the active participation of the owner of the device. Pegasus operators sent SMS messages with malicious links to the phones of potential surveillance targets. Clicking on the link opened a browser and downloaded the program to the phone.
NSO Group clients used different tactics to increase the click-through rate of the link.
“[Клиенты] send spam messages to confuse the target, and then send another message asking them to click on a link so that they don’t receive any more unnecessary information,” says Guarnieri.
Social engineering methods help increase the chances of clicking on a link – messages are most often manipulated by the fears or interests of the victim.
“The messages may contain links to interesting [цель] news or ads for products that a person wants, like a gym membership or an online store,” says Guarnieri.
Over time, people have become more aware of these techniques and have learned to recognize malicious spam. More subtle tricks were needed.
And then the developers began to use the “zero click” method. In this case, no actions of its owner are required to infect the device. Guarnieri says this is the method favored in recent years by governments using Pegasus.
The zero-click method relies on vulnerabilities in popular apps like iMessage, WhatsApp, and FaceTime that receive and sort data—sometimes from unknown sources.
Once a vulnerability is identified, Pegasus infiltrates the device through the application protocol. The user doesn’t need to click on a link, open a message, or answer a call, and it’s not as reliable.
“In most of the cases recorded since 2019, the ”zero click” method was used to hack devices,” says Guarnieri, whose team published a technical report on the methodology of the Pegasus project.
“This is a nasty program, very nasty,” Timothy Summers, a former cybersecurity engineer, told reporters. – It breaks into almost all messaging systems, including gmail, FacebookWhatsapp, FaceTime, Viber, WeChat, Telegraminternal services Apple and other applications. With this program, you can spy on almost the entire population of the world. Clearly, the NSO is selling off-the-shelf spy agency services.”
To push back
Experts say that the iMessage application, despite its reliable reputation, is vulnerable to hacker attacks. Matt Green, a cryptographer and security expert at Johns Hopkins University, told reporters that iMessage became more vulnerable when Apple made the architecture of the operating system more complex. Thus, the company unknowingly provided attackers with new opportunities to exploit bugs in the code. Apple regularly releases updates to fix vulnerabilities, but it seems that the spyware industry is always at least one step ahead.
“There is no doubt that [Pegasus] can be implemented in the latest versions of iOS, says Guarnieri. “Probably, much more money and time is spent on identifying these vulnerabilities than on preventing and eliminating them. It’s like a game of cat and mouse, only the cat is always ahead because it has an economic incentive.”
An Apple spokesman, speaking to The Washington Post, dismissed reports that the company is lagging behind spyware makers.
“Attacks on iPhones, like those organized by the NSO Group, target individuals, cost millions of dollars, and are often limited in time because we identify and fix problems. We are doing everything we can to make massive attacks on iPhone users economically unprofitable,” said Ivan Krstić, Apple’s head of security engineering.
Obviously, this is a profitable business. In 2016, The New York Times reported that it would cost $650,000 to spy on 10 iPhones using an NSO-developed program, with another $500,000 to install, most likely using less advanced technology than what is currently available. . According to official figures, in 2020 the company earned $243 million.
Disadvantaged tech companies have taken legal action in an attempt to fight back against the spyware maker. In 2019, WhatsApp sued the NSO Group in the United States, alleging that the Israeli firm used the service’s vulnerabilities to hack over 1,400 devices. WhatsApp officials say journalists, lawyers, religious leaders and political dissidents are among the victims. The complaint was supported by several large companies, including Microsoft and Google.
Earlier, Amnesty International (the organization filed a lawsuit against the Israeli Ministry of Defense, which approves all the company’s transactions with foreign governments), as well as activists and journalists, against whom the technology it developed was allegedly used, applied to the court.
“Network Implementation”
In addition to zero-click vulnerabilities, NSO Group customers can use the so-called network injection method to access devices. In this case, the smartphone owner does not need to click on any links. All he needs to do is open a browser and visit an unsecured site. As soon as a person clicks on a link that leads to an insecure page, the program developed by the NSO Group gains access to the device and injects itself into it.
“There’s nothing you can do about it,” Guarnieri says. – Only milliseconds pass [с момента перехода на незащищенный сайт до заражения Pegasus]”.
This method is much more difficult than using a malicious link or zero-click vulnerabilities: it is necessary to track the moment when the owner of the device decides to go to an insecure site. Most often, this is done by mobile operators controlled by some governments.
Due to the involvement of third parties, it is extremely difficult for governments using this method to keep track of people who are in other jurisdictions. There are no such restrictions when addressing zero-click vulnerabilities, which makes this method more popular.
“Patient Zero”: where does the trail lead?
Amnesty International analyzed data from dozens of phones that were tested for Pegasus infection. First of all, they look for the most obvious traces that the program leaves – malicious links in SMS messages. These links lead to one of the domains that the NSO Group uses to download spyware onto devices, the company’s so-called network infrastructure.
“The NSO made a mistake when they created the infrastructure to carry out attacks,” Guarnieri said. In the first case, when the so-called zero patient appeared, the network infrastructure “brought to the corporate infrastructure [NSO]”.
Apparently, the NSO Group used several fake email addresses to create much of this infrastructure. To prove its belonging to the NSO Group, it is enough to identify the connection of any of these accounts with some of the domains.
Patient Zero was a UAE human rights activist named Ahmed Mansour. In 2016, Citizen Lab found that Mansour’s phone was hacked – he received a message with a malicious link to “new secrets” about torture used by the UAE authorities. Citizen Lab experts have proven that the Pegasus operators sent the message.
“There is always a trail leading to Patient Zero,” says Guarnieri.
Amnesty staff, in addition to links leading to NSO-related domains, also found similarities between malicious system processes on infected devices. There are not so many of them, but one – BridgeHead (or BH) – is a constant companion of spyware. It was even used on Mansour’s phone.
Guarnieri said he downloaded every version of iOS released since 2016 to trace the origin of the processes he identified on infected devices. None of them were released by Apple.
“We know that these processes are illegal – they are malicious. We are sure that this is Pegasus, because they bring to the infrastructure we already know,” says Guarnieri. Amnesty has identified a pattern: “The owner of the device enters the site, the app crashes, and changes are made to some files, all within seconds or milliseconds. In all analyzed cases, the same processes are used. I have no doubt that we have Pegasus in front of us.