Pegasus Spyware may have been used outside of the ethical guidelines of its vendor, according to a new report.
According to a report by researchers at Citizen Lab at the Munk School of Global Affairs at the University of Toronto, Canada, the spyware has been used in 45 countries across the world.
Between August 2016 and August 2018, it scanned the internet for servers associated with NSO Group’s Pegasus spyware. It found 1,091 IP addresses that matched its fingerprint and 1,014 domain names that pointed to them.
Pegasus is a mobile phone spyware developed by Israeli-based NSO Group. It is distributed through a specially crafted exploit link (via phishing techniques) which when clicked delivers a chain of zero-day exploits to penetrate security features on the phone.
Researchers working at Citizen Lab developed and used Athena, a novel technique to cluster some of its matches into 36 distinct Pegasus systems, each one which appears to be run by a separate operator.
It also designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. This identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.
"Our findings paint a bleak picture of the human rights risks of NSO’s global proliferation. At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates," said the report’s authors Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert.
The report’s authors said that Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. "In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of "legitimate" criminal investigations."
In a statement, NSO Group said that there were "multiple problems" with Citizen Lab’s latest report.
"Most significantly, the list of countries in which NSO is alleged to operate is simply inaccurate. NSO does not operate in many of the countries listed. The product is only licensed to operate in countries approved under our Business Ethics Framework and the product will not operate outside of approved countries," the statement read.
The report’s authors hit back and said that the "continued supply of services to countries with problematic human rights track records and where highly-publicised abuses of spyware have occurred raise serious doubts about the effectiveness of this internal mechanism, if it exists at all."
Andy Norton, director of threat intelligence at Lastline, told SC Media UK that countries that buy tools like Pegasus, Finfisher, DaVinci, tend to have some sort of fragility to their regime, they wish to monitor- either corruption, criticism or counter regimes, and consider the usage of this type of tool to be part of a lawful intercept program.
"As such the target profile of the victim is extremely narrow and not generally concern for your average organisation, unless of course you are doing business at a strategic level with any of the outlined operators in the report. If you are a champion of human rights issues, exposing corruption and monitoring democratic electoral systems, then working with organisations like citizens lab is a good start," he said.
Jake Moore, security specialist at ESET, told SC Media UK that perpetrators attempt to monitor the target by convincing them to click on a specially crafted exploit link. "The fact that this vector is yet another human manipulated into a task specifically designed to attack the device highlights the importance of awareness yet again," he said.