PSU Vanguard Shield Icon

The Pegasus Project: Uncovering spyware and its abuse

It was revealed on July 18 that a private Israeli firm, NSO Group, developed Pegasus spyware used to hack the iPhones of journalists, activists and government officials. The investigation into use of the spyware and the individuals affected is known as the Pegasus Project.


The investigation has uncovered a list of more than 50,000 phone numbers and 37 confirmed hacks by NSO’s Pegasus software. Among the targets of these attacks were two women close to murdered Saudi journalist Jamal Khashoggi, French President Emmanuel Macron, Telegram founder Pavel Durov and even advisors to the Dalai Lama


What makes the spyware so dangerous is that it is what’s known as a “zero click attack.” Essentially, malware can be deployed without the user ever having to interact with the device. 


Many apps and software that tout end-to-end encryption work really well to defend against attacks known as “man-in-the-middle” attacks. These attacks involve a hacker discreetly placing themselves in between two communicating computers or phones, retrieving or executing data as it is being transmitted. End-to-end encryption locks the communication line, preventing any hacker from retrieving the data. 


The malware being investigated by the Pegasus Project uses an attack type known as an endpoint attack, where a hacker targets and takes control of one of the computers directly, instead of sitting in between two computers. 


Often, a hacker must force the target individual to interact with something in order to conduct the attack, for example by clicking a malicious email, reading a text message or getting them to plug in a USB drive. 


In contrast, zero click attacks don’t require any interaction from the victims themselves. The malware can be sent and executed without the victim ever finding out. This is why it’s so powerfuland why journalists have been demanding censure. 


These attacks are usually the kind depicted in movies and TV shows. A hacker can execute code on a computer and then gain access to a device, retrieving whatever information they’re looking for. In reality, however, these hacks are extremely rare, highly sophisticated and seldom used against consumer individuals. 


The chances of being compromised through this malware are extremely slim, unless you’re in the intelligence industry, an international journalist living in a foreign country or an activist advocating under hostile governments.


What makes the use of the Pegasus software so complex has to do with NSO Group’s unusual business model. NSO leads in the field of spyware development, but their role isn’t to deploy the spyware themselves. Rather, their clients have the autonomy to decide how to use it. These clients are almost exclusively government entities. 


NSO currently rests at the center of a global debate between weapons-grade surveillance technology, which remains largely unregulated. Shalev Hulio, NSO’s chief executive and co-founder, has expressed how these tools were meant to be used against legitimate threats and terrorists.


“We built this company to save life,” Hulio said. “Period.” 


While Hulio has acknowledged that some of NSO’s clients misused their software in the past, he explained that all of the aforementioned clients’ access were shut off after a human rights audit was conducted. NSO also requires their clients to sign an agreement promising to use the software only for law enforcement or counterterrorism purposes.


Pegasus was first demoed in 2018, and many expressed concern that this company was selling surveillance technology to nations that perpetrated human rights abuses as far back as 2016. Other reports claim the malware was deployed on the phones of journalists and activists in December 2020. 


These reports do little to corroborate NSO’s claims about preventing their clients from using surveillance software for malicious purposes. 


The Washington Post is awaiting responses from several countries that are alleged to be involved in the deployment of NSO’s spyware. 


Israel responded by citing the 2007 Defense Export Control Act, explaining the state “approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end use /end user certificates provided by the acquiring government.” Appropriate measures are taken to resolve any violations of this law, Israel claims. 


Currently, the Indian government has denied allegations that they used Pegasus software, as have Morocco and Rwanda. 


More detailed information regarding the Pegasus Project and ongoing investigations can be found on The Guardian’s website, where dedicated articles relating to the subject are published daily.