After years of concerns that Thailand was purchasing Israeli-made cyberoffense surveillance technologies, rights groups have found the first forensic evidence linking the NSO Group’s infamous Pegasus spyware to the Southeast Asian kingdom.
A new report by Citizen Lab, published Monday together with two Thai civil society groups, says digital forensic evidence indicates that at least 30 cellphones belonging to activists in Thailand were targeted with Pegasus.
“We can now officially add Thailand to the growing list of countries where people peacefully calling for change, expressing an opinion or discussing government policies may trigger invasive surveillance with a profound toll on an individual’s freedom of expression, privacy and sense of security,” said Etienne Maynier, a technologist at Amnesty International, who peer reviewed the report and its methodologies.
Pegasus, which is made by the Israeli cyber firm NSO Group and sold only to state law enforcement and intelligence agencies, is considered the most sophisticated spyware in the world. The sale of technologies like Pegasus – which allows operators to access a hacked phone’s content, and even remotely turn on a compromised device’s microphone and camera, all unbeknownst to the target – is under strict regulation by Israel’s defense exports body.
Last year, following U.S. pressure, Israel severely reduced the list of countries to which cyberoffense tools can be sold. While Israeli firms were once able to sell to over 70 countries worldwide, the truncated list includes just over 30 – all Western states with generally clean human rights records.
Sources say Israeli firms were once able to sell to Thailand, but it was removed from the list and is no longer considered a legitimate client by Israeli defense export regulators.
In Monday’s report, published jointly by Citizen Lab, iLaw and DigitalReach, the groups said they “identified at least 30 Pegasus victims among key civil society groups in Thailand, including activists, academics, lawyers and NGO workers.”
They noted that “the infections occurred from October 2020 to November 2021, coinciding with a period of widespread pro-democracy protests [in Thailand], and predominantly targeted key figures in the pro-democracy movement. Many of the victims included in this report have been repeatedly detained, arrested and imprisoned for their political activities or public criticism of the government.”
Thailand has been under military rule on and off since army coups in 2006 and 2014 took control of the country – a constitutional monarchy whose current king, Maha Vajiralongkorn, is widely unpopular. Since taking control amid calls for political and democratic reforms, the military junta has revived and even expanded the use of legislation intended to defend the monarchy’s good name in a bid to crack down on political activists, both offline and online.
An election was held in March 2019, which was seen as an attempt by the military leadership to consolidate its power by democratic means. In subsequent years, more and more political activists have been detained, arrested and even jailed, including for online activity. It is possible that the hacking of activists’ phones was done legally via Thai court orders.
Last November, the NSO Group was placed on the U.S. Department of Commerce’s so-called entity list – a blacklist that severely limits a firm’s ability to do business with American companies. This followed an announcement by Apple that Pegasus was used by one of NSO’s clients in Africa to hack the phones of over 10 U.S. State Department officials using local numbers.
At the time, Apple began sending out notifications to iPhone users who may have been compromised by what it termed a state-backed operation. Among those who received notifications were at least six activists and researchers who had been critical of Thailand’s government, according to Reuters.
Following the notifications, the potential victims reached out to groups such as Access Now and Amnesty International to have their phones checked. Local digital rights groups like DigitalReach and iLaw also began receiving additional requests from others who suspected their phones may have been infected.
This led to a digital forensic analysis by Citizen Lab, revealing that the phones of at least 30 people had been infected. The report also noted that some phones belonging to leading activists were examined but did not have traces of attempted infections.
Though forensic evidence cannot prove it, activists believe the NSO client behind these cases was the Thai state. It has long been suspected that Thailand was in the market for such technologies. According to leaked documents published through WikiLeaks, in 2013-2015 Thailand was in touch with NSO’s Italian competitor, Hacking Team, reportedly buying a spyware system from it.
A 2018 Citizen Lab report mapped potential victims of NSO’s clients to 45 countries, including Thailand. However, it was unclear whether Thailand itself was an operator. In 2020, Citizen Lab revealed that at least three Thai law enforcement and intelligence bodies were clients of Circles – another cyberoffense firm that shares some corporate ownership with NSO.
Israel’s defense export body did not respond to a request for comment about this report and historical sales to Thailand.
An NSO Group spokesman said that “politically motivated organizations continue to make unverifiable claims against NSO, hoping they will result in an outright ban on all cyber intelligence technologies – despite their well-documented successes saving lives.”
NSO has long claimed that Citizen Lab’s forensics are not accurate, are easy to fake and provide false positives regarding Pegasus infections.