Pegasus, the winged horse of Greek fable, is haunting the Modi government again. Seventeen news organisations, including The Wire, Washington Post and The Guardian, along with two NGOs—Amnesty International and Forbidden Stories—have spent months examining a possible list of 50,000 phone numbers from 45-50 countries. They have identified who the possible targets of cyberattacks in these countries could be. They then forensically examined the phones of some of the people on the target list who were willing to have their phones tested. The result: 85% of the phones show signs of being hacked by Pegasus spyware.
The possible targets include not only journalists and activists but also government officials. Capping it all, the list includes fourteen heads of state and government: three presidents (France’s Emmanuel Macron, Iraq’s Barham Salih and South Africa’s Cyril Ramaphosa), three sitting and seven former prime ministers, and a king, Morocco’s Mohammed VI. The three sitting prime ministers are Pakistan’s Imran Khan, Egypt’s Mostafa Madbouly and Morocco’s Saad-Eddine El Othmani. Among the seven former prime ministers are Lebanon’s Saad Hariri, France’s Édouard Philippe, Algeria’s Noureddine Bedoui and Belgium’s Charles Michel.
Whoever installs the malware on the target phones does not just get full access to the data on the phone but also control over its microphone and camera. Instead of a device for use by the owner, it becomes a spy in her/his pocket, recording not just telephonic but every physical conversation, including images of participants. It then transmits this information to those who deployed Pegasus.
Successive IT ministers—Ravi Shankar Prasad and Ashwini Vaishnaw—have stated that there has been “no unauthorised interception” in India. Both duck the question: did the government buy NSO’s hacking software and authorise the targeting of Indian citizens? And can the use of Pegasus spyware to infect smartphones and alter their basic functions be considered legal authorisation under the Rules of the IT Act for “interception, monitoring or decryption of any information through any computer resource”?
I leave the legal issues to those better equipped to handle them. I am going to examine the new dangers that weaponising malware by nation-states poses to the world. Pegasus is not the only such software. The Snowden revelations showed us what the National Security Agency (NSA) of the US and the Five-Eyes governments and their all-encompassing surveillance regimes do. They have hacked the digital infrastructure of other countries, snooped on “secure” communications overseas and even spied on allies. Not even German Chancellor Angela Merkel was spared from NSA surveillance.
The key difference between nation-states and cybercriminals is the far greater resources the nation-states possess to develop malware. Take the example of the Shadow Brokers, who dumped a gigabyte of the National Security Agency’s weaponised software exploits on the net in 2017. Matthew Hickey, a well-known security expert, told Ars Technica, “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it.” Ransomware hit the big time soon after, with the WannaCry and NotPetya ransomware creating havoc using the exploits in NSA’s toolkit.
Why am I recounting NSA’s malware tools while discussing Pegasus? Because Pegasus belongs to NSO, an Israeli company with very close ties to Unit 8200, the Israeli equivalent of the NSA. NSO, like many other Israeli commercial cyber intelligence companies, was founded and is run by ex-intelligence officers from Unit 8200. It is this element—introducing the skills and knowledge of nation-states into the civilian sphere—that makes such spyware so dangerous.
NSO also appears to have played a role in improving Israel’s relations with the two Gulf petro-monarchies, the United Arab Emirates (UAE) and Saudi Arabia. Israel, therefore, sees the sale of spyware to such countries as an extension of foreign policy. Pegasus has been used extensively by the UAE and Saudi Arabia to target domestic dissidents and even foreign critics. The most well-known, of course, is the Saudi dissident and Washington Post columnist Jamal Khashoggi, who was killed in the Saudi consulate in Istanbul.
NSO’s market capitalisation is reported to be more than one billion dollars, making it perhaps one of the most expensive civilian cyber intelligence companies. And its tools are frightening as there does not seem to be any protection against them. Most of these tools are classified as cyberweapons and require Israeli government approval for export, again showing the link between the Israeli state and NSO.
What is Pegasus? Why is it so dangerous? Pegasus is not simply listening to or monitoring our communications. Once it infects our smartphones, it “modifies” the software of the phone to access all its functions. Effectively, it now owns your phone and can eavesdrop on any physical conversation you have, not just telephonic ones. It can take pictures of whatever the camera on the phone can “see” and record them all on the phone. These recorded files are then sent to a Pegasus server, from where the buyer of the Pegasus license can retrieve them.
The other reason why Pegasus is so dangerous is that it does not need any action on your part for your phone to get infected. Most infections of our devices take place when we click on a link sent through email or SMS or when we visit a site and click something there. Pegasus exploited a security problem with WhatsApp and was able to infect phones through just a missed call. Just a ring was enough to deliver the Pegasus spyware load to a phone. It has now extended to using other vulnerabilities within iMessage, WhatsApp, FaceTime, WeChat, Telegram, and various other apps that receive data from unknown sources. It means Pegasus can compromise a phone without the user having to click on even a single link. These are called zero-click exploits in the cyber community.
Once installed, Pegasus reads the user’s messages, emails and calls, captures screenshots, logs pressed keys, and collects browser history and contacts. It exfiltrates files—meaning sends them back—to its server. Basically, it can spy on every aspect of a target’s life. Encrypting emails or using encrypted services such as Signal is no use, as it reads what you read and captures what you type on the phone.
Many people use iPhones in the belief that they are safer. The sad truth is that iPhones are as vulnerable to Pegasus attacks as Android phones, though in different ways. It is easier to find out if an iPhone is infected, as it logs what the phone does. As Android systems do not maintain such logs, Pegasus can better hide its traces.
Snowden has described for-profit malware developers as “an industry that should not exist…If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.” He has called for an immediate global moratorium on the international spyware trade.
Snowden’s answer, to ban the sale of such spyware, is not enough. We need instead to de-weaponise all of cyberspace, including spyware. The spate of recent cyber attacks—estimated to be tens of thousands a day—is a risk to our entire cyber infrastructure on which all our institutions depend. After the leak of NSA and CIA cyber weapons, and now with NSO’s indiscriminate use of Pegasus, we should be asking whether nation-states can really be trusted to develop such weapons.
Brad Smith, the president of Microsoft in 2017, no peacenik or leftist, wrote, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage…” It is this concern that certain leading companies within the industry—Microsoft, Deutsche Telekom and others—raised in 2017, calling for a new Geneva Convention to ban cyberweapons. This has been a much older call from Russia and China. The US, believing that it had a military advantage in cyberspace which it should not squander, rejected it out of hand.
Pegasus is one more reminder of the danger of nation-states developing cyberweapons. It is not a leak but deliberate use of a dangerous technology for private profit that poses a risk to journalists, activists, opposition parties, and finally, to democracy. It is a matter of time before the smartphones that we carry become vectors for attacks on the cyber infrastructure on which we all depend.