The winged horse of the Greek fable, Pegasus, is haunting the Modi government once again. Seventeen news organisations, including The Wire, the Washington Post and The Guardian, along with two NGOs, Amnesty International and Forbidden Stories, have spent months examining a possible list of 50,000 phone numbers from 45-50 countries. They have found out who could indeed be possible targets of cyber attacks in these countries. They then forensically examined the phones of some of the people on the target list who were willing to have their phones tested. The results show that 85 per cent of these phones show signs of being hacked by Pegasus spyware.
The possible targets not only include journalists and activists, but also government officials. Capping it all, it includes fourteen heads of states and governments: three presidents – France’s Emmanuel Macron, Iraq’s Barham Salih and South Africa’s Cyril Ramaphosa, three sitting and seven former prime ministers, and a king, Morocco’s Mohammed VI. The three sitting prime ministers are Pakistan’s Imran Khan, Egypt’s Mostafa Madbouly and Morocco’s Saad-Eddine El Othmani. Among the seven former prime ministers are Lebanon’s Saad Hariri, France’s Édouard Philippe, Algeria’s Noureddine Bedoui and Belgium’s Charles Michel.
Whoever installs the malware on the target phones gets full access not only to the data on the phone but also to the phone’s microphone and camera. Instead of a device for use by its owner, it becomes a spy in her/his pocket, recording not simply telephone calls but every physical conversation, including images of the participants. It then transmits this information back to those deploying Pegasus.
Successive IT Ministers – Ravi Shankar Prasad and Ashwini Vaishnaw – have stated that there has been “no unauthorised interception” in the country. Did the government then buy NSO’s hacking software and authorise the targeting of Indian citizens? And can the use of Pegasus spyware to infect smartphones and alter their basic functions be considered legal authorisation under the Rules of the IT Act for “interception, monitoring or decryption of any information through any computer resource”?
I am going to leave the legal issues for those who are better equipped to handle them. Instead, I am going to examine the new dangers that the weaponising of malware by nation-states poses to the world. Pegasus is not the only example of such software; the Snowden revelations showed us what the National Security Agency (NSA) of the US and the Five Eyes governments do.
The key difference between nation-states and cyber criminals developing malware is the far greater resources that nation-states possess to develop such malware. Take the example of the Shadow Brokers, who dumped a gigabyte of the National Security Agency’s weaponised software exploits on the net in 2017. Matthew Hickey, a well-known security expert, told Ars Technica: “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it.” Ransomware hit big time soon after with WannaCry and NotPetya, both using exploits from the NSA’s toolkit and creating havoc.
Why am I recounting the NSA’s malware tools while discussing Pegasus? Because Pegasus belongs to NSO, an Israeli company with very close ties to Unit 8200, the Israeli equivalent of the NSA. NSO, like many other Israeli commercial cyber intelligence companies, was founded and is run by ex-intelligence officers from Unit 8200. It is this element, the introduction of nation-state skills and knowledge into the civilian sphere, that makes this spyware so dangerous.
NSO also appears to have played a role in improving Israel’s relations with the two Gulf petro-monarchies, the United Arab Emirates (UAE) and Saudi Arabia. Israel, therefore, sees the sale of spyware to such countries as an extension of its foreign policy. Pegasus has been used extensively by the UAE and Saudi Arabia to target various domestic dissidents and even foreign critics. The most well-known case, of course, is Jamal Khashoggi, the Saudi dissident and Washington Post columnist, who was killed in the Saudi Consulate in Istanbul.
NSO’s market capitalisation is reported to be more than one billion dollars, making it perhaps one of the most valuable civilian cyber intelligence companies. And its tools are frightening, as there does not seem to be any protection against them. Most of these tools are classified as cyber weapons and require Israeli government approval for export, again showing the link between the Israeli State and NSO.
What is Pegasus? And why is it so dangerous? Pegasus is not simply listening to or monitoring our communications. Once it infects our smartphones, it “modifies” the software of the phone to access all its functions. Effectively, it now owns your phone and can eavesdrop on any physical conversation you are having, not just a telephone call. It can take any picture that the camera on the phone can “see” and record them all on the phone. These recorded files are then sent to a Pegasus server, from where the buyer of the Pegasus licence can retrieve them.
The other reason why Pegasus is so dangerous is that it does not need any action on your part for your phone to be infected. Most infections of our devices take place when we click on a link sent to us through email or SMS, or when we go to a site and click something there. Pegasus exploited a security problem in WhatsApp and was able to infect the phone through just a missed call. Just a ring was enough for the Pegasus spyware payload to be delivered to the phone. This has since been extended to other vulnerabilities in iMessage, WhatsApp, FaceTime, WeChat, Telegram and various other apps that receive data from unknown sources. That means Pegasus can compromise a phone without the user having to click on a single link. These are called zero-click exploits in the cyber security community.
Once installed, Pegasus reads the user’s messages, emails and calls, captures screenshots, logs pressed keys, and collects browser history and contacts. It exfiltrates – meaning sends files – back to its server. Basically, it can spy on every aspect of a target’s life. Encrypting emails or using encrypted services such as Signal is of no use, as Pegasus reads what you read and captures what you type on the phone.
Many people use iPhones in the belief that they are safer. The sad truth is that the iPhone is as vulnerable to Pegasus attacks as Android phones, though in different ways. It is easier to find out whether an iPhone is infected, as it keeps logs of what the phone is doing. As Android systems do not maintain such logs, Pegasus can hide its traces better there.
Snowden described for-profit malware developers as “an industry that should not exist…If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.” He called for an immediate global moratorium on the international spyware trade.
Snowden’s answer of banning the sale of such spyware is not enough. We need instead to look at de-weaponising all of cyberspace, including spyware. The spate of recent cyber attacks – estimated at tens of thousands a day – is a risk to our entire cyber infrastructure, on which all our institutions depend. After the leak of the NSA’s and CIA’s cyber weapons, and now with NSO’s indiscriminate use of Pegasus, we should be asking whether nation-states can really be trusted to develop such weapons.
Brad Smith, the president of Microsoft and no peacenik or leftist, wrote in 2017: “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage…” It is this concern that certain leading companies within the industry – Microsoft, Deutsche Telekom and others – raised in 2017, calling for a new Geneva Convention banning cyber weapons. This has also been a much older call from Russia and China. It was rejected out of hand by the US, which believed it had a military advantage in cyberspace that it should not squander.
Pegasus is one more reminder of the danger of nation-states developing cyber weapons. Though here it is not a leak but the deliberate use of a dangerous technology for private profit that poses a risk to journalists, activists, opposition parties and, finally, to democracy. It is only a matter of time before the smartphones we carry themselves become attack vectors for attacking the cyber infrastructure on which we depend.