Pegasus surveillance attack: what you need to know

The discussion about the Pegasus spyware has sent shockwaves around the world. Amnesty International and Citizen Lab have confirmed that more than 50,000 phone numbers were leaked. The report also found that the spyware was used by an unidentified Mexican client on Cecilio Pineda Birto, a Mexican freelance journalist, weeks before his murder. There is also a probability that the spyware was used to surveil Jamal Khashoggi, The Washington Post’s journalist who became the victim of a premeditated murder in 2018.

Pegasus is malware that infects Android and Apple devices. When the penetration is successful, the operator of the malware is able to extract data from the device, such as images, messages and emails. The operator can also secretly record calls and activate microphones. This malware is commonly used to put activists, journalists and politicians under surveillance.

Pegasus is developed and sold by NSO Group, an Israeli surveillance company. Aside from Israel, Pegasus also has branch offices in Bulgaria, Cyprus, and several other countries. The company claimed that it sold the spyware to 60 clients in 40 countries, but refused to disclose their identities. Therefore, media partners have been looking closely into the leaked data and have successfully identified 10 governments responsible for targeting those 50,000 individuals. They are Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and the United Arab Emirates.

The Guardian, The New York Times and many other media partners built a collaborative investigation into NSO Group and its clients called the Pegasus Project. They worked with Amnesty International and Forbidden Stories, a Paris-based non-profit journalism organisation, which have access to the 50,000 leaked numbers from Pegasus. The data was later shared with The Guardian and 16 more news organisations worldwide.

NSO Group has since, through its legal representative, denied all claims made in the Pegasus Project's report. It considered the volume of the leaked data to be “exaggerated” and denied any connection between the leaked data and the company or its clients. The company also stated that it did not operate the malware it sold to clients.

Even though NSO Group denied the connection between the use of its malware and Khashoggi’s murder, the Pegasus Project managed to reveal that it was used by a Mexican client on Birto. However, in NSO Group’s defense, Birto was among the 25 journalists chosen to be put under a two-year surveillance programme by the government. Therefore, Pegasus was not the only means of retrieving the data that led to his murder. The company added that it will continue to investigate misuse and would go as far as shutting down customers’ systems.

Some of the mentioned countries have denied, in official statements, the malicious connection to their governments reported by the Pegasus Project. Among these countries are Rwanda, Hungary, Morocco and India. The rest of the countries have not responded to the queries.

The Guardian and media partners will soon release the identities of people whose numbers are included in the data leak. Among the numbers are those of 180 journalists, including reporters, editors and executives at the Financial Times, CNN, the New York Times, France 24, the Economist, Associated Press and Reuters.

To date, more than 100 organisations and experts worldwide have called on governments, in a joint open letter, to implement an immediate moratorium on any activity involving surveillance technology. Among them are Amnesty International, ELSAM and SAFENet. Their suggestions are:

  • Immediately put in place a moratorium on the sale, transfer and use of surveillance technology;

  • Conduct an independent, transparent and impartial investigation into cases of targeted surveillance and export licenses granted for targeted surveillance technology;

  • Adopt and enforce legal frameworks requiring private surveillance companies and their investors to conduct human rights due diligence, and uphold transparency;

  • Reform laws that pose barriers to remedy for victims of unlawful surveillance, and ensure that paths to remedy are available in practice; and  

  • To Israel, Bulgaria, Cyprus and all states in which NSO has a corporate presence: immediately revoke all marketing and export licenses issued to NSO Group and its entities, and conduct an independent, impartial, transparent investigation to determine the extent of unlawful targeting, and release a public statement on results of efforts and steps to prevent future harm.

How does Pegasus penetrate gadgets?

The malware can penetrate a phone through vulnerabilities in common apps or by getting the target to click on malicious links. Through these links, the malware gets installed on the device, and the operator is then able to access and harvest any data and exchanges on it. The operator of the malware also has access to the device’s camera and microphone to capture activities in the target’s vicinity.

