Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International had access to NSO records of phone numbers, which they have shared with Haaretz and 16 other news organizations worldwide that have worked collaboratively to conduct further analysis and reporting over several months. Forbidden Stories oversaw the investigation, called The Pegasus Project, and Amnesty International provided forensic analyses and technical support.
Amnesty International Security Lab’s forensics analyses of cell phones targeted with Pegasus as part of the Pegasus Project are consistent with past analyses of journalists targeted through NSO’s spyware, including the dozens of journalists allegedly hacked in the UAE and Saudi Arabia and identified by Citizen Lab in December of last year.
The Pegasus Project >> The Israeli cyber weapon used against 180 journalists ■ Khashoggi’s fiancee, son targeted by NSO tech, investigation reveals ■ How NSO's Pegasus is used to spy on journalists ■ Analysis: How Israeli spy-tech became dictators' weapon of choice ■ Israel's cyber-spy industry helps dictators hunt dissidents and gays
In more than 85 percent of the forensics done with iPhones that were used by potential victims at the time of their number's selection revealed traces of NSO software activity.
“There are a bunch of different pieces, essentially, and they all fit together very well,” Claudio Guarnieri, director of Amnesty International’s Security Lab, said. “There's no doubt in my mind that what we're looking at is Pegasus because the characteristics are very distinct and all of the traces that we see confirm each other.”
In all, the Committee to Protect Journalists (CPJ) had previously documented 38 cases of spyware – developed by software companies in four countries – used against journalists in nine countries since 2011.
Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation (EFF), was one of the first security researchers to identify and document cyber attacks against journalists and human rights defenders in Mexico, Vietnam and elsewhere in the early 2010s.
- NSO's Pegasus: The Israeli cyber weapon oppressive regimes used against 180 journalists
- Khashoggi’s fiancee, son targeted by NSO tech, investigation reveals
- How Israeli spy-tech became dictators' weapon of choice
At the time, in the early 2010s, most malware attacks were less sophisticated than they are today, she explained. “Back in 2011, you would receive an email and the email would go to your computer and the malware would be designed to install itself on your computer,” she said.
It wasn’t until around 2014 that a “mobile-first” approach to spying on journalists gained popularity, as smartphones became more ubiquitous, she said.
Clients of companies like NSO, Hacking Team and FinFisher used “social engineering” to send specifically-crafted messages to targets, often baiting them with information about potential scoops or targeted information about members of their families. Targets would have to click a link in order for the malware to be installed onto their phones.
Journalists are obvious targets for intelligence agencies, said Igor Ostrovskiy, a private investigator in New York City who previously spied on journalists as a subcontractor for the Israeli company Black Cube and now trains journalists in information security.
They are targets he says because journalists are always seeking new sources of information – opening themselves up to phishing attempts – and because many often don’t follow “industry best practices on digital security.”
Some of the first Pegasus infections of journalists were identified in Mexico in 2015 and 2016.
In January 2016, Carmen Aristegui, an investigative journalist in Mexico and the founder of Aristegui Noticias, began to receive messages with suspicious links after she published an investigation into property owned by former Mexican President Enrique Pena Nieto.
Aristegui received more than 20 text messages containing malicious Pegasus links, digital rights group Citizen Lab would later reveal in the 2017 Gobierno Espia (“Government Spying”) report. According to the report, the phones of a number of her colleagues and family members were also targeted with text messages containing malicious links during that same time period, including those of colleagues Sebastian Barragan and Rafael Cabrera and her son Emilio Aristegui – just 16-years-old at the time.
Forbidden Stories and its partners were able to identify for the first time three other people close to Aristegui who were selected as targets for surveillance in 2016: her sister Teresa Aristegui, her CNN producer Karina Maciel and her former assistant Sandra Nogales.
“It was a huge shock to see others close to me in the list,” Aristegui, who was part of the Pegasus Project, said. “I have six siblings, but at least one of them, my sister, was entered into the system. My assistant Sandra Nogales, who knew everything about me – who had access to my schedule, all of my contacts, my day-to-day, my hour-to-hour – was also entered into the system.”
Since those early days, the installation of Pegasus spyware on smartphones has become more subtle, Guarnieri said. Instead of the target having to click on a link to install the spyware, so-called “zero-click” exploits allow the client to take control of the phone without any engagement on the part of the target.
“The complexity of performing these attacks has increased exponentially,” he said.
Once successfully installed on the phone, Pegasus spyware gives NSO clients complete device access and thereby the ability to bypass even encrypted messaging apps like Signal, WhatsApp and Telegram. Pegasus can be activated at will until the device is shut off. As soon as it's powered back on, the phone can be reinfected.
“If someone is reading over your shoulder, it doesn't matter what kind of encryption was used,” said Bruce Schneier, a cryptologist and a fellow at Harvard’ s Berkman Center for Internet and Society.
According to Guarnieri, Pegasus operators are able to remotely record audio and video, extract data from messaging apps, use the GPS for location tracking, and recover passwords and authentication keys, among other things. Spying governments have moved in recent years toward a more "hit and run" strategy to avoid detection, Galperin said: infecting phones, exfiltrating the data and quickly exiting the device.
These types of digital technologies go hand-in-hand with physical surveillance, according to Ostrovskiy.
“Digital intrusions are extremely valuable,” he said. “If we could, for instance, have known your calendar, if we could have known that you're going to have a certain meeting or we could take a look at your email, your notes to whatever the materials that most of us have on our phones, we'd have a huge leg up in being more successful in whatever goal we're trying to achieve.”