May 10, 2024
Two journalists, Laurent Richard and Sandrine Rigaud, from the Forbidden Stories non-profit organization obtained a list that contained tens of thousands of phone numbers. All of these phone numbers had been selected as possible Pegasus targets by clients of the Israeli firm NSO. They enlisted two security researchers, Claudio Guarnieri and Donncha O Cearbhaill, from Amnesty International's Security Lab to help them with the project.
Pegasus gave its operator complete control over the victim's phone. The problem was that its use wasn't limited to bad guys: cyber security experts at the University of Toronto's Citizen Lab and Amnesty International's Security Lab had found that Pegasus was also used to target human rights defenders, lawyers, and journalists.
Bull SA, a French technology firm, had installed a cyber monitoring center for the Libyan dictator Muammar Gadhafi. With the blessing of the French government, the company had sold Gadhafi an internet surveillance system that allowed his agents to monitor the emails, chats, and messages of anybody in Libya. When these revelations were made, Bull SA simply off-loaded the technology to another company, Nexa Technologies, which continued to make it available on the open market. The surveillance system, which cost $12 million, was given as a gift by the UAE to the Egyptian president Abdel Fattah al-Sisi, who had seized power following the chaos of the Arab Spring.
The core group of reporters consisted of seven people and their ages ranged from twenty-three to thirty-one. The three biggest NSO clients were Mexico, Morocco, and Saudi Arabia.
The first step was to assess the list given to them. They had to put names to the tens of thousands of phone numbers and then they had to convince a few of them to allow the forensics team to check their mobile devices for any evidence of the Pegasus malware.
They also needed to decide which media partners they wanted to bring in, convince them to share all their reporting with every partner in the team, map out a plausible schedule for the project, coordinate a final publication date, and convince the partners to stick to a predetermined order of stories as they broke. They had to establish safety protocols for communication between partners as well.
The Panama Papers made Bastian Obermayer one of the most recognized and respected investigative reporters on the planet. The team enlisted him for this high-stakes and high-profile investigative project. The goal was to publish by June 2021.
Shalev Hulio, CEO of NSO, and Omri Lavie were the co-founders of NSO. Both were born around 1980. They met in the mid-1990s while studying arts and theater at a high school in Haifa, and then went on to complete their compulsory military service.
They moved to a startup called CommuniTake. People having trouble using their smartphones would call CommuniTake and their support staff would try to help the users troubleshoot. Customers had to wait in long queues, and even when they managed to connect to a customer support staff, they had trouble following the instructions.
CommuniTake came up with a solution. They created a program that allowed the tech support staff to take control of the users' devices. All the user had to do was click on a link, and the rest would be done by the technicians. CommuniTake thrived, and it has since expanded and offers services like multilayer encryption for mobile devices.
According to Shalev Hulio, an individual from European intelligence asked them to use this technology to gather intelligence since they were losing visibility into the cell phone communications of potential terrorists and criminals because of advances in encryption.
Shalev and Omri went to CommuniTake's board of directors with a proposition, which the board refused. They parted ways with the company and raised $1.6 million for their startup. They also added a retired Israeli military officer who specialized in intelligence, Niv Karmi. They called their company NSO, for Niv, Shalev, and Omri, and registered it with the State of Israel in January 2010 as NSO Group Technologies LTD.
Niv Karmi lasted only a few months at NSO, and he does not agree with Shalev's version of the story, in which Shalev said he was approached by an individual from European intelligence. It took them a year to build the product, which they called Pegasus ("because what we built was actually a Trojan horse we sent flying through the air to devices").
In 2013, NSO sold Pegasus to the UAE government. They could easily pay five or ten times what the Mexicans could with far fewer middlemen and corrupt government officials who needed a cut of the proceeds. It provided a much needed cash flow for NSO and was seen as a hit on the Hacking Team hegemony.
In its initial days, governments that wanted to deploy Pegasus had to social engineer their target into clicking a link in an SMS message, which would redirect them to a domain from which the payload was deployed. This method was used by politicians and law enforcement agencies to target two Mexican journalists, Carmen Aristegui and Jorge Carrasco, when their reporting was seen unfavorably by government officials. Fortunately for both journalists, they didn't click on the SMS links.
Jorge Carrasco agreed to hand over his phone to the Forbidden Stories and Amnesty International Security Lab team for analysis. The Forbidden Stories team also met with the Washington Post's head of investigative units, Jeff Leen, to enlist his help for the project. By January 2021, things were lining up.
As the days passed, the team was able to identify more names on the list. Some of them were members of the Macron government. Turkish president Erdogan's son was also on the list. Among the phone numbers on the list, twenty belonged to Mexican journalists and a few belonged to people working for the Mexican president. Other numbers that were verified belonged to journalists from India working for the 'Hindustan Times', the 'Hindu', the 'Wire', and 'Tehelka'. Some Hungarian phone numbers that were identified belonged to journalists who had been doing work critical of the anti-immigrant prime minister Viktor Orban.
Claudio had seen evidence that Turkey was blocking all the URLs that Amnesty International's previous reports had identified as related to the Pegasus spyware. Not only that: URLs that had been identified but not yet published were also blocked by Turkish authorities, which showed that Turkish cybersecurity experts were themselves spotting new cases of Pegasus infections.
In Azerbaijan, Khadija Ismayilova and people connected to her, including her personal attorney, were identified. And Morocco appeared to be the most prolific Pegasus user after Mexico.
The 'News of the World' tabloid, which belonged to Rupert Murdoch, had stolen voicemails from the phones of thousands of private individuals. Among the alleged victims were Tony Blair, Gordon Brown, Victoria Beckham, and Prince Charles. Donncha and his friends thought it would be fun to hack Rupert Murdoch's flagship London newspaper, the 'Sun', and redirect all of its traffic to a fake home page. He was eventually ordered to pay 5,000 euros in damages.
Donncha is a self-taught computer scientist but a formally trained, university-educated chemist. His first full-time job was with an NGO that created digital tools to help people fight back against cyberattacks and state-run censorship.
The servers that NSO used to deploy the Pegasus spyware had an encryption configuration that was carefully tuned for added security. After mapping that configuration as a fingerprint, Claudio and Donncha scanned every server on the web to identify servers with the same fingerprint. They were able to identify almost six hundred servers that NSO used to launch the Pegasus spyware.
"Each Pegasus Installation server or Command-and-Control (C&C) server hosted a web server on port 443 with a unique domain and TLS certificate. These edge servers would then proxy connections through a chain of servers, referred to by NSO Group as the 'Pegasus Anonymizing Transmission Network.'"
When Security Lab published its reports in 2018, NSO shut down version 3 of its infrastructure and reconstituted a fourth. The company constructed extra barriers to detection on both its new Command-and-Control servers and the servers that launched the spyware infections. The new precautions included "port-knocking" and "DNS knocking", the equivalents of a secret knock or signal. If these knocks were made in the correct sequence, access would be granted, perhaps to an entirely different server, from which the Pegasus attack could be launched.
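Port knocking leaves a recognisable trace in connection logs on the client side of the link: a burst of attempts to closed ports, followed shortly by a successful connection to a port that was not part of the burst. The script below is an added example (not code from the book, NSO, or Amnesty's Security Lab) that detects that pattern in a constructed, simplified firewall log; the log format, the addresses and the window sizes are all assumptions. DNS knocking, where the "knock" is a sequence of specific DNS lookups, would be detected the same way over resolver logs instead of connection logs.

```python
"""Detect port-knock sequences in a connection log (added example).
Log format and all sample values are constructed for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: one event per line with ISO timestamp, source, destination,
# destination port and the firewall's decision.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample: 10.0.0.5 is a normal HTTPS client, 10.0.0.9 knocks three
# closed ports and then connects, 10.0.0.12 probes closed ports minutes apart.
SAMPLE_LOG = """\
2021-03-04T10:00:00Z src=10.0.0.5 dst=203.0.113.7 dport=443 action=accept
2021-03-04T10:00:02Z src=10.0.0.9 dst=203.0.113.7 dport=7000 action=drop
2021-03-04T10:00:03Z src=10.0.0.9 dst=203.0.113.7 dport=8000 action=drop
2021-03-04T10:00:04Z src=10.0.0.9 dst=203.0.113.7 dport=9000 action=drop
2021-03-04T10:00:06Z src=10.0.0.9 dst=203.0.113.7 dport=443 action=accept
2021-03-04T10:01:00Z src=10.0.0.5 dst=203.0.113.7 dport=443 action=accept
2021-03-04T10:02:00Z src=10.0.0.12 dst=203.0.113.7 dport=22 action=drop
2021-03-04T10:05:00Z src=10.0.0.12 dst=203.0.113.7 dport=23 action=drop
2021-03-04T10:09:00Z src=10.0.0.12 dst=203.0.113.7 dport=25 action=drop
"""


def parse(text):
    """Parse log lines into (timestamp, src, dst, dport, action) tuples, time-sorted."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       m["src"], m["dst"], int(m["dport"]), m["action"]))
    events.sort(key=lambda e: e[0])
    return events


def find_knock_sequences(events, min_knocks=3,
                         knock_window=timedelta(seconds=10),
                         open_window=timedelta(seconds=30)):
    """Return one finding per (src, dst) pair that sent >= min_knocks dropped
    attempts to distinct ports within knock_window and then got an accepted
    connection, within open_window, to a port outside the knock set."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev[1], ev[2])].append(ev)

    findings = []
    for (src, dst), evs in by_pair.items():
        i = 0
        while i < len(evs):
            # Collect a run of consecutive drops that starts at i and stays inside the window.
            run, j = [], i
            while j < len(evs) and evs[j][4] == "drop" and evs[j][0] - evs[i][0] <= knock_window:
                run.append(evs[j])
                j += 1
            ports = [e[3] for e in run]
            if len(run) >= min_knocks and len(set(ports)) == len(ports):
                # A knock only matters if something opened up right after it.
                for e in evs[j:]:
                    if e[0] - run[-1][0] > open_window:
                        break
                    if e[4] == "accept" and e[3] not in ports:
                        findings.append({"src": src, "dst": dst, "knocks": ports,
                                         "opened_port": e[3], "started": run[0][0]})
                        break
            i = j if j > i else i + 1
    return findings


if __name__ == "__main__":
    for f in find_knock_sequences(parse(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: knocked {f['knocks']}, then opened {f['opened_port']} at {f['started']}")
```

On the constructed log, only 10.0.0.9 is reported; the slow probes from 10.0.0.12 fall outside the ten-second knock window and are never followed by an accepted connection, so they are left alone. In practice the thresholds should be tuned against the environment's normal failed-connection rate before this is used as an alert.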
In its initial days, infecting a mobile device with Pegasus required the victim to click on a link that was sent to them via an SMS. But then the cybersurveillance tool evolved and could infect mobile phones with a new exploitation technique called a "network injection attack", or in layman's terms a "zero-click" exploit. This meant that the target no longer had to click on a link for the spyware to be installed on their phone. Instead, a rogue cell tower or dedicated equipment placed at a mobile operator could be used to inject the payload into the victim's phone.
The iPhone retained years of information in its various backup logs. Android, on the other hand, deletes a lot of information within months, or whenever the phone is rebooted. Apple's iOS had a database file called DataUsage.sqlite which recorded the distinct name of every process that had run on the device and how much mobile data it had used. This opened an entirely new path for tracking Pegasus.
One thing that the security team found interesting in the forensic analysis was the presence of a process called "bh". It was first identified in 2016 and was a tool that helped in the delivery of "next stage payloads" and "their proper placement on the victim's iPhone." The payloads were probably web-browser exploits, and the evidence suggests that "bh" was short for "Bridgehead." What Claudio and Donncha found was a bh module that "completes the browser exploitation, roots the device and prepares for its infection with the full Pegasus suite."
Claudio and Donncha found another interesting thing from the forensic analysis of the Moroccan journalist Omar Radi. Buried deep in the iPhone was a malicious configuration file called CrashReporter[.]plist. This engineered file blocked the phone from doing its programmed duty of automatically reporting any software crash back to the Apple engineers. This file helped NSO to cover the presence of Pegasus and make sure they didn't tip off the folks at Apple that there was a security vulnerability that needed patching.
Moroccan authorities were using the Eagle cyber surveillance system from the French company Amesys, RCS from the Hacking Team, FinFisher from the Gamma Group, and Pegasus from NSO. On June 22, 2020, Forbidden Stories published the story of the Pegasus attack on Omar Radi, a Moroccan journalist. On July 29, 2020, Omar was picked up and remanded to pretrial detention on charges of accepting money from foreign intelligence services, undermining state security, and rape.
Claudio and Donncha found out that NSO hackers had found a way to open a back door in Apple Photos. They noticed that the "bh" process was executed seconds after network traffic for the iOS Photos app (com.apple.mobileslideshow) was recorded for the first time. Crash reporting was disabled by writing a "com.apple.CrashReporter[.]plist" file. It also revealed a connection with a Pegasus-created iCloud account.
NSO was cleverly naming the malicious Pegasus processes to help camouflage the attacks. Apple's legitimate 'ckkeyrolld' became 'ckkeyrollfd', 'fseventsd' became 'eventsfssd', and there were others. According to Donncha, the really sophisticated part of Pegasus isn't the malware itself but the exploit: the actual way of injecting the spyware onto the phone is quite complicated and changes all the time.
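The two observations above, that DataUsage.sqlite keeps a name and a mobile-data total for every process, and that the malicious processes hide behind names one character away from real Apple daemons, combine into a simple triage check. The script below is an added example, not code from the book or from Amnesty's Security Lab and its MVT toolkit: it builds an in-memory stand-in for DataUsage.sqlite with a simplified, assumed table layout and constructed rows, then flags both the "bh" indicator named on the page and any process whose name is a near miss of a legitimate daemon. The lookalike check goes beyond the two renamings on the page: it catches any name within one edit or one character-swap of a known daemon name, so it also applies to variants the page does not list.

```python
"""Triage a DataUsage.sqlite-style process table for camouflaged process names.
Added example; the table layout is an assumption and all rows are constructed."""
import sqlite3
from collections import Counter

# Indicator named on the page: the "bh" (Bridgehead) stage.
KNOWN_INDICATORS = {"bh"}
# Legitimate Apple daemons the page names as the ones being mimicked.
LEGITIMATE = {"ckkeyrolld", "fseventsd"}


def build_sample_db():
    """Constructed in-memory stand-in for DataUsage.sqlite.
    ZPROCESS/ZLIVEUSAGE are an assumed, simplified version of the real file's
    Core Data tables; every row below is made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT,
            ZBUNDLENAME TEXT, ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
            ZWWANIN INTEGER, ZWWANOUT INTEGER);
    """)
    procs = [  # (pk, process name, bundle, first seen, last seen)
        (1, "fseventsd", "", 6.0e8, 6.5e8),
        (2, "ckkeyrolld", "", 6.0e8, 6.5e8),
        (3, "mobileslideshow", "com.apple.mobileslideshow", 6.4e8, 6.4e8),
        (4, "bh", "", 6.40001e8, 6.40001e8),          # seconds after Photos traffic
        (5, "ckkeyrollfd", "", 6.40002e8, 6.5e8),     # lookalike, heavy upload
        (6, "eventsfssd", "", 6.40003e8, 6.5e8),      # lookalike (letters shuffled)
        (7, "locationd", "", 6.0e8, 6.5e8),
    ]
    usage = [  # (pk, process pk, cellular bytes in, cellular bytes out)
        (1, 1, 1200, 300), (2, 3, 50000, 2000), (3, 4, 900, 400000),
        (4, 5, 3000, 25000000), (5, 6, 100, 50), (6, 7, 20000, 8000),
    ]
    conn.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", procs)
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?)", usage)
    return conn


def levenshtein(a, b):
    """Edit distance; catches one inserted/changed letter such as ckkeyroll[f]d."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def charbag_distance(a, b):
    """Letters added or removed ignoring order; catches shuffles like eventsfssd."""
    ca, cb = Counter(a), Counter(b)
    return sum(((ca - cb) + (cb - ca)).values())


def classify(name):
    if name in KNOWN_INDICATORS:
        return "indicator"
    if name in LEGITIMATE:
        return "legitimate"
    for legit in LEGITIMATE:
        if levenshtein(name, legit) <= 1 or charbag_distance(name, legit) <= 1:
            return f"lookalike:{legit}"
    return "unknown"


def triage(conn):
    """Return suspicious processes in first-seen order with their cellular usage."""
    rows = conn.execute("""
        SELECT p.ZPROCNAME, p.ZFIRSTTIMESTAMP,
               COALESCE(SUM(u.ZWWANIN), 0), COALESCE(SUM(u.ZWWANOUT), 0)
        FROM ZPROCESS p LEFT JOIN ZLIVEUSAGE u ON u.ZHASPROCESS = p.Z_PK
        GROUP BY p.Z_PK ORDER BY p.ZFIRSTTIMESTAMP""").fetchall()
    findings = []
    for name, first_seen, wwan_in, wwan_out in rows:
        verdict = classify(name)
        if verdict not in ("legitimate", "unknown"):
            findings.append({"process": name, "verdict": verdict, "first_seen": first_seen,
                             "wwan_in": wwan_in, "wwan_out": wwan_out})
    return findings


if __name__ == "__main__":
    for f in triage(build_sample_db()):
        print(f"{f['process']:<14} {f['verdict']:<22} first_seen={f['first_seen']:.0f} "
              f"out={f['wwan_out']} bytes")
```

The first-seen timestamps matter as much as the names: on the constructed data the "bh" stage appears right after the Photos process, and the lookalike daemon then accounts for most of the cellular upload, which is the ordering the page describes. A real DataUsage.sqlite is larger and the exact columns differ from this stand-in, so the query would need to be adapted to the actual schema before use.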
The Security Lab had identified exploits engineered to attack through iMessage and Apple Photos. But a single exploit is rarely enough to break down modern cyber defenses and get access to the device. It usually takes a chain of three or more exploits to do the trick. When an iPhone gets compromised with an iMessage exploit, for example, NSO is probably using three or more exploits packaged into one.
A single exploit chain might go for a million dollars or more. NSO was also investing heavily to develop the in-house expertise to create these exploit chains.
Amazon, Google, Microsoft, NEC, IBM, and Cisco, all had operations in Israel. Most companies in Israel were busy developing defensive technologies that protected businesses against cyber attacks. NSO's signature technology, however, was engineered to exploit and take over a mobile phone. It was considered a military grade, offensive weapon. As a result, NSO had to follow the strict guidelines of the Israeli Ministry of Defense.
If you reboot your device or the battery drains out, the Pegasus software gets cleaned up. But that is not a problem, because they can infect you again and again for as long as they want. There is no condition that stops them from being successful. As long as the exploit works, they can infect your device with the Pegasus software five times a day.
Claudio and Donncha noticed that the new versions of the Pegasus spyware were not only scrubbing the forensic evidence of the new attack, but also attempting to erase the traces of Pegasus left behind by earlier attacks.
Carmen Aristegui, one of the most admired and popular journalists in Mexico, and her sixteen-year-old son were also targets of the Pegasus spyware. She had also received a cache of more than twenty thousand documents from a source who worked for NSO's suspected sales agent in Mexico, Uri Ansbacher.
Khadija Ismayilova was able to leave Azerbaijan in May 2021. This was the first time she was allowed to leave her country since 2014. In Ankara, the Security Lab team found that there were multiple attempted or actual infections starting back in 2018.
Claudio and Donncha found that there were over a hundred separate attacks on Khadija Ismayilova's phone over a period of eighteen months.
NSO had clients in more than forty countries and employed around 860 people. More than half of its customers were government agencies and European countries. NSO officials estimated its value at $1.5 billion. Novalpina owned 70 percent of NSO; Shalev and Omri, the founders, each maintained a personal interest in the company worth about $10 million. Pegasus represented around 65 percent of NSO's business, but the company hoped it would soon be less than half. It had plans to enter the drone market.
There were eighty journalists working on this project, and they had separate investigations going in Europe, Asia, Africa, the Americas, and the Middle East.
For the peer review of the forensic analysis conducted by Claudio and Donncha, the team chose Citizen Lab. Citizen Lab was known in the field and respected around the world. And their conclusion was that they were highly confident that the three iPhones that they had examined were infected by the Pegasus spyware.
The plan was to send a letter to NSO and give them four days to respond and then spend another four days with NSO to discuss any necessary refinements and emendations.
Of the 50,000 phone numbers in the data, the Forbidden Stories team was able to identify 1000 people from fifty countries. The list included 600 politicians (among them were 10 prime ministers, 3 presidents and 1 king). Other prominent groups included 65 businessmen, 85 human rights activists or attorneys, 2 Emirati princesses, and 192 journalists.
By the time the reports were published, Claudio and Donncha had examined sixty-five mobile phones that appeared on the list. NSO had rented servers from the UK, Switzerland, France, Germany, and the US for their operations. They had also used Amazon Web Services for seventy-three of their servers.
If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.