Pegasus Spyware Discovered Attacking Military Targets
Security researchers have discovered the fingerprints of NSO Group’s Pegasus spyware in the midst of a military conflict, marking the first time the spyware is known to have been used in such a manner.
The insidious spyware known as Pegasus has been around since at least 2014, but over the past few years, more reports have been slowly piling up of its misuse and abuse.
The powerful and sophisticated tool, which is developed by Israeli technology firm NSO Group, relies on finding security vulnerabilities in the iPhone and iOS that allow it to gain nearly complete access to a user’s personal information, often with nothing more than a maliciously-formed text message, email, or web page link. Most of the time, NSO Group’s researchers are able to find “zero-click exploits” that allow them to compromise an iPhone without any interaction by the device’s owner.
According to NSO Group, Pegasus is designed to be used for good, such as fighting terrorism and organized crime. Sadly, any such tool is a double-edged sword — it can spy on the innocent as easily as the guilty — and it’s inevitable that something as powerful as Pegasus will be used for nefarious purposes.
NSO Group only licenses Pegasus to governments, but it also doesn’t seem particularly picky about which governments it counts as customers. While it has revoked licenses for those found misusing Pegasus, that’s only done after the fact — and in the face of solid evidence of abuse.
Unfortunately, while it’s easy to find Pegasus’ fingerprints on a victim’s iPhone, it’s more difficult to trace that back to its source. Two years ago, a forensic analysis conducted by Amnesty International and the University of Toronto’s Citizen Lab revealed the spyware had been used to target and spy on dozens of “human rights defenders (HRDs) and journalists around the world” and that it was the source of “widespread, persistent and ongoing unlawful surveillance and human rights abuses.” However, researchers could only speculate on where these attacks had originated from.
Nevertheless, this report was serious enough that Apple decided it was time to try and sue NSO Group out of existence, describing the Israeli firm as a group of “amoral 21st-century mercenaries.” Around the same time, Apple also promised to begin notifying iPhone users who may have become targets of state-sponsored spyware.
“The steps we’re taking today will send a clear message: In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place.”
Ivan Krstić, head of Apple Security Engineering and Architecture
While Pegasus is perhaps the most well-known of these military-grade spyware tools, it’s not the only one. A few months later, news of Predator surfaced, another dangerous spyware tool developed by one of NSO Group’s competitors, with reports that it had been found alongside Pegasus on iPhones belonging to individuals who had fallen politically out of favor with their governments.
Meanwhile, once Apple started its notification program, several employees of the US State Department found that they had been targeted by Pegasus, along with dozens of pro-democracy Thai activists, a Polish prosecutor, and several senior EU officials, including the Prime Minister of Spain. While circumstantial evidence pointed to the Ugandan government as the source of the attack on US State Department employees, such a link was never proven.
Pegasus Enters a Military Conflict
Now, The Guardian reports that at least one country has taken Pegasus, and possibly Predator, to a whole new level by deploying them against opponents in a military conflict.
A coalition of researchers at Access Now, CyberHUB-AM, the University of Toronto’s Citizen Lab, Amnesty International’s Security Lab, and independent researcher Ruben Muradyan have identified a “hacking campaign” that targeted officials involved in a long-running military conflict between Armenia and Azerbaijan.
The two countries have been contesting ownership of the Nagorno-Karabakh region since 1994 and went to war in 2020 over control of the region. While there are recent signs this conflict may soon come to a peaceful end, it appears that Pegasus and Predator were used as weapons of war throughout the campaign.
In November 2021, as a result of the notifications that Apple began sending out around that time, researchers discovered that devices belonging to Armenia-based individuals had been compromised. The Guardian reports that one government official, Anna Naghdalyan, had been “hacked at least 27 times between October 2020 and July 2021” while she was serving as a spokesperson for the Armenian foreign ministry.
In her role, Naghdalyan was heavily involved in sensitive discussions and negotiations related to the conflict, “including the ceasefire mediation attempts by France, Russia, and the US and official visits to Moscow and Karabakh.” She told the team at Access Now that she had “all the information about the developments during the war on [her] phone” at the time of her hacking, and that she now feels there is no way for her to feel fully safe.
“This raises important questions about the safety of international organisations, journalists, humanitarians, and others working around conflict. It should also send a chill down the spine of every foreign government whose diplomatic service has been engaged around the conflict.”
John Scott-Railton, senior researcher at Citizen Lab
Naghdalyan was far from the only victim who found their iPhone had been compromised by Pegasus. Others included a radio journalist covering the political crisis and at least one guest who appeared on their show, along with several other journalists, professors, and human rights defenders “whose work centered on the military conflict.”
According to Access Now, a total of 12 individuals have been identified as having compromised iPhones during the time of the conflict, although five have chosen to remain anonymous. This includes a UN representative who is unable to come forward due to UN regulations.
As in other recent cases, Pegasus’ fingerprints were found on the iPhones in question, but researchers could not “conclusively” link the data to a specific client of NSO Group. The government of Azerbaijan is the most likely culprit, and researchers have found evidence that it’s a customer of NSO Group, including Pegasus one-click infections linked to Azerbaijan domains and political websites.
Researchers acknowledged that it’s also possible that Armenia’s government may have had an interest in hacking at least some of the individuals. However, Armenia appears to be only a customer of Cytrox, which develops the rival Predator spyware.
Protecting Yourself Against Pegasus
Fortunately, as dangerous as Pegasus and Predator are, the good news is that these tools are only available to governments, and they’re used for highly targeted and specific attacks. That means most of us aren’t likely to find ourselves falling victim to military-grade spyware such as this. We’re simply not that interesting.
Further, Apple continues to play a cat-and-mouse game with the gray-hat security experts that work for companies like NSO Group and Cytrox. Almost every new release of iOS these days includes patches for security exploits, resulting in the need for spyware developers to discover new ones to take advantage of.
Apple has also provided tools for journalists and other high-risk individuals to help mitigate the risk, including a high-security Lockdown mode in iOS 16 and iMessage Contact Key Verification that will likely arrive in iOS 16.6. While these are features that most folks won’t ever need to enable, they offer tighter security for anyone who thinks they’re likely to fall prey to spyware such as Pegasus or Predator.