SPIES UNLIKE US

Pegasus and the NSO Group: The dark world of cyber mercenaries

Pegasus software has been discovered on the phones of numerous journalists, pointing to surveillance by NSO's international government clients. (Image: Adobe Stock)

Revelations that President Cyril Ramaphosa’s smartphone was potentially a target of a highly sophisticated cyber attack are just the tip of the iceberg. Like the hacking of Transnet’s system, spyware installed on a president’s phone is an assault on national security. Increasingly, these attacks are happening in cyberspace, conducted by a different kind of gun-for-hire: the cyber mercenary.

Heidi Swart is a journalist who reports on surveillance and data privacy. This report was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s Department of Journalism, Film and TV and Unisa’s Department of Communication Science.

It’s virtually impossible to detect — or deter. It can access everything on your smartphone — messages, emails or location data: who you’re talking to, what you’re saying, and where you’re going. It can even secretly turn on your phone’s microphone or camera. Encryption on your WhatsApp or Signal conversations means nothing.

Not even Apple and Google can protect you. 

That’s Pegasus, the highly sophisticated spyware developed by the Israeli company, NSO Group. The Guardian reported on what’s believed to be a list of some 50,000 people who were potentially targeted by governments using Pegasus. Notably, 14 heads of state (including presidents Cyril Ramaphosa and Emmanuel Macron of France) were also on the list leaked to Amnesty International and the French non-profit media organisation Forbidden Stories. There were also journalists, academics, and activists on the list. Forensic examination of a handful of listed people’s phones found traces of Pegasus.

NSO Group denies claims that the leaked names are targets of their spyware. The company said it is considering a defamation suit.

Government and corporate espionage through spyware is nothing new. But Pegasus is very different from the spyware hackers use to steal your banking details, or the software you can purchase online to keep tabs on a cheating spouse. To see why, Daily Maverick spoke to Bill Marczak of the Canadian non-profit Citizen Lab. Marczak was the first to spot Pegasus, in 2016, and he’s been keeping a close eye on NSO Group ever since.

Marczak explains: “The main thing is that they sell only to governments and they charge a lot of money.” (Although the amounts have not been confirmed, Marczak says the best available information puts the price at anywhere from $50-million to $200-million.)

“So the company has a lot of resources they can invest in the development of the spyware. They invest that mainly in finding what are called exploits — in other words a way to get around the security precautions on your iPhone or Android…”

Roughly speaking, an exploit is software that hackers use to secretly “break into” a smartphone or computer. An exploit takes advantage of what’s known as a vulnerability, an error or weak spot in the code of the software that runs in the background of your smartphone. When you get a notice to update your iPhone or Google Android phone, the update usually comes with what are called “patches”. A patch is updated code that fixes a vulnerability. Usually, companies won’t make vulnerabilities and exploits publicly known until they’ve developed a patch. They then release the news about the exploit and the patch simultaneously so that consumers can protect themselves. That’s why it’s important to update your phone as soon as it tells you to do so.

But, in the case of Pegasus, those updates and patches won’t help you.

That’s because companies like NSO Group specialise in finding zero-day vulnerabilities — those that not even Apple or Google know about. Once they’ve found a zero-day vulnerability, they develop an accompanying zero-day exploit to break through that vulnerability. This means even if an app has been verified by Google or Apple, it could still contain an exploit. These zero-day exploits can be sold to governments or criminal syndicates. Sometimes, a lone individual can peddle exploits. But in the case of NSO Group, indications are the whole organisation is formally geared for it.

‘Zero-click’

The other aspect that makes Pegasus so powerful, says Marczak, is that it’s installed on a victim’s phone “in a way that’s as unobtrusive as possible, or in a way that requires very little or in some cases no interaction from the person being targeted. We’re used to this idea that you click on a dodgy link and you open a malicious attachment and get infected by spyware. But with Pegasus, they have developed this ‘zero-click’ technology, which means the target doesn’t have to click on any link or open any attachment. Your phone can be sitting on the table and get hacked because the hacker pushes a malicious message at the phone which the phone automatically processes, resulting in its infection.”

Another strength of Pegasus is that it completely bypasses a smartphone’s best defence: encrypted communications. Applications like WhatsApp and Signal boast end-to-end encryption, meaning that while your messages or voice conversations are making their way across the internet, they’re scrambled. A hacker who captures them in transit would have to unscramble, or decrypt, them before they could understand them, and the hope is that a potential eavesdropper won’t be able to decrypt anything. Only once your message reaches the phone on the other end does that phone decrypt it so the recipient can read it.

None of this matters with Pegasus. Says Marczak: “The spyware allows the operator to see or hear anything you can see or hear on your phone. The encryption is meant to protect signals that are sent or received. But once a message is displayed on your screen, once the audio is played over your speaker, you can obviously hear it — it’s not encrypted anymore. So that is the level at which spyware intercepts things.”
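The trust boundary Marczak describes can be made concrete in code. The following is an added teaching example, not code from the article or from any messaging app: two endpoints share a key (a stand-in for the key agreement a real app performs), messages are encrypted on the wire with an HMAC-SHA256 keystream plus an authentication tag, and the receiving device stores what it renders on screen. The constructed scenario shows that a network eavesdropper sees only ciphertext, while anything that reads the receiving device's screen state sees the plaintext, which is exactly the level at which the article says spyware operates. All names (`Endpoint`, `send`, the observer functions) are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN = 16
TAG_LEN = 32


@dataclass
class Endpoint:
    """A phone: holds the key and whatever it has decrypted and rendered."""
    name: str
    key: bytes
    screen: list = field(default_factory=list)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (teaching construction only)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, packet: bytes) -> bytes:
    """Verify the tag, then strip the keystream; reject tampered packets."""
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet was modified in transit")
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def send(sender: Endpoint, receiver: Endpoint, text: str) -> bytes:
    """Deliver a message end to end and return the bytes seen on the network."""
    packet = encrypt(sender.key, text.encode("utf-8"))
    wire_capture = packet                      # what a passive tap on the link collects
    rendered = decrypt(receiver.key, packet).decode("utf-8")
    receiver.screen.append(rendered)           # decrypted only on the destination device
    return wire_capture


def network_eavesdropper_can_read(wire_capture: bytes, text: str) -> bool:
    """Does the plaintext appear anywhere in what the network tap captured?"""
    return text.encode("utf-8") in wire_capture


def endpoint_observer_can_read(device: Endpoint, text: str) -> bool:
    """Does the plaintext exist in the device's rendered state after decryption?"""
    return text in device.screen


def demo() -> dict:
    """Constructed scenario: one message, checked at both observation points."""
    shared_key = secrets.token_bytes(32)       # assumption: key agreement already done
    alice = Endpoint("alice", shared_key)
    bob = Endpoint("bob", shared_key)
    message = "the delegation arrives at 09:00"
    capture = send(alice, bob, message)
    return {
        "wire_reveals_plaintext": network_eavesdropper_can_read(capture, message),
        "endpoint_reveals_plaintext": endpoint_observer_can_read(bob, message),
    }


if __name__ == "__main__":
    print(demo())   # {'wire_reveals_plaintext': False, 'endpoint_reveals_plaintext': True}
```

The design point for a defender is the second flag: end-to-end encryption is a statement about the link, so the control that matters against endpoint spyware is the integrity of the device itself (prompt patching, minimising exposed message-parsing surface, and forensic checks of the phone), not a stronger cipher.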

Their business model

It’s powerful stuff, but, on the upside, it seems unlikely that the average mobile phone user will be targeted with Pegasus. That’s largely down to the business model used by companies like NSO Group. According to Adam Oxford, veteran technology and cybersecurity journalist, organisations that sell zero-day exploits exclusively to governments thrive by keeping their exploits under wraps.

“Very sophisticated actors like NSO who trade with states try to protect their proprietary hacking applications or techniques in a way that more common threat actors don’t,” says Oxford. “Their value, what they sell to governments, is that even the manufacturers don’t know that these bugs [vulnerabilities] in the code exist. So if the application is used too widely, if NSO’s Pegasus is installed on everybody’s smartphone, we’d pretty soon find out about it and suddenly their business model is gone.”

A source in the intelligence sector, who preferred to remain anonymous, agrees: “This isn’t bulk surveillance. It’s targeted. The general consumer needn’t fear this — unless they’re a human rights activist really getting up the grill of the intelligence community, or if they’re being targeted by a nation state.”

It’s this targeting of activists by authoritarian governments that’s got up Amnesty International’s grill. But the NSO Group says it only sells to vetted governments. The company says the software is there to help governments improve public safety. This includes preventing acts of terror (like suicide bombers at transportation hubs, public parks, markets, concert venues and sporting events). They say their tech is also used to stop child trafficking, sex trafficking, drug trafficking and money-laundering operations. According to their website, it’s used in finding kidnapped children and helps emergency workers to find survivors buried by debris when buildings collapse due to natural disasters or faulty construction.

Our intelligence source says that software such as Pegasus is indeed used for legal law enforcement when it’s not in the hands of authoritarians: “These technologies have legitimate uses. It’s how they catch terrorists and criminals.”

It is, however, not possible to independently verify how often the tech is used (and to what extent successfully so) to combat crime and terrorism. That’s because government intelligence and law enforcement agencies typically do not report statistics on their use of such technology to the public. Due to contractual obligations, the NSO Group doesn’t make its client list available.

But there’s another side to NSO’s marketing that’s meant for their clients only. In 2016 Marczak and his colleagues published a detailed exposé on Pegasus. Along with it came NSO’s marketing material, which had been posted on the website of the International Defence Cooperation Directorate of Israel’s Defence Ministry. It clearly states NSO’s business: cyber warfare. The advert says that NSO “works with military and homeland security organisations” in “both offensive and defensive cyber warfare arenas”. It calls Pegasus a “unique monitoring tool” allowing “remote and stealth monitoring and full data extraction from remote targets [sic] devices via untraceable commands”.

Marketing material published by the Israeli Defence Ministry. (Source: Citizen Lab)

Indications that Pegasus is being used to spy on activists are clear. In June 2018, an Amnesty International researcher, as well as a Saudi activist, were sent dodgy SMS and WhatsApp messages. Amnesty researchers found that the messages looked like an attempt to penetrate the smartphones with Pegasus spyware. Marczak and his colleagues audited Amnesty’s findings and reached the same conclusion.

The wrong hands

There are different ways that software like Pegasus can land in the hands of authoritarian governments, or even private entities. Noëlle van der Waag-Cowling, a security researcher and specialist on cyber warfare, explains that Pegasus is military-grade software. “It’s espionage surveillance software. And that is why they only sell to governments and nobody else. This could potentially be classified as a form of cyber weapon.”

Van der Waag-Cowling says that, like all other weapons that are smuggled and sold illegally, weapons-grade software can be sold illegally too, with or without the manufacturer’s knowledge and consent. But, relative to other weapons of war, software products are easily traded illegally. While guns and ammunition are serious cargo, software can fit into your pocket or be delivered via a cloud.

Van der Waag-Cowling explains: “There’s a whole shadowy world where arms brokers also access these types of things and sell them on. Throughout Africa, observers know when a private military company or mercenary group lands somewhere. The guys land, offload, and people see them moving around. Cyber mercenaries and cyber weapons are completely different. When it comes to exporting physical weapons, manufacturers have got to get a special clearance. That’s a far more visible process than when one person passes a hard drive on to another.”

There is some modicum of control on cross-border trade in conventional weapons and so-called dual-use technologies, like spyware. (Dual-use items have commercial uses, but can also serve military purposes. They range from toxins and microorganisms to nuclear material and software.) Known as the Wassenaar Arrangement, with 42 countries as signatories (including South Africa), it aims to stop the sales of military gear to authoritarian regimes. But Israel isn’t a signatory, and it’s only an arrangement: adherence is voluntary. “In the absence of international regulation,” says Van der Waag-Cowling, “how does one even start to police this? These are the difficulties that we are dealing with.”

Apart from stealthy intermediaries conducting cyber weapon sales, there’s another, somewhat more “white-collar” approach, as our intelligence source explains: “Russian companies, for example, cannot sell to certain countries because of Russian laws. So they set up an office in Germany and sell from there. It’s Russian technology white-labelled as a different product. But under the bonnet it’s still the same thing.”

However, NSO has emphasised that it sells “technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives”. The company said it doesn’t operate the system it sells to clients, and that it can’t see clients’ data. NSO added that it would “thoroughly investigate any credible proof of misuse of its technologies, as we always had, and will shut down the system where necessary”.

Even though NSO said the latest accusations were part of a “vicious and slanderous campaign”, the Israeli government still sent a team of investigators to NSO Group’s offices on July 28. But Marczak says there’s a chance it’s just for show since NSO is likely seen as an asset by the Israeli government:

“I think the Israeli government very much wants to have companies like NSO Group because it gives them an advantage in intelligence cooperation with other countries. If you look at NSO Group’s government customers, it appears they are all very close allies of the Israeli government, or countries where the Israeli government is hoping to improve intelligence ties or diplomatic ties, perhaps. For example, we saw NSO Group appear to sell to the United Arab Emirates long before there was any sort of normalisation of relations with Israel. They appear to have sold to Bahrain in 2017, and again normalisation of Bahrain’s relations with Israel came much later. So I think it’s somewhat unlikely that the Israeli government would ever do a serious investigation into who NSO customers are targeting.”

NSO Group could also benefit from being an Israeli asset. Our intelligence source explains that it would not be unusual for a company like NSO Group to receive funding from the Israeli government. The Israeli government has good reason to fund spyware developers. For one, Israel keeps a close watch on Palestinians. Additionally, says the source, “They have a lot of enemies out there. There is a constant feud between Iran and Israel. They do what South Africa did during apartheid: develop technologies and sell them to the rest of the world via agents for foreign currency.”

Added to potential government funding is a rich supply of human resources that companies like NSO need. Says Marczak: “There’s a pipeline of highly educated, well trained… essentially hackers coming out of the Israeli intelligence services, from the mandatory military services. And this is something that all cybersecurity companies in Israel can take advantage of because there are very smart people looking for jobs in the cyber field.”

The result, as Van der Waag-Cowling puts it: “Israel’s cyber ecosystem is unparalleled.”

We are going to get hit

Ultimately, defending against spyware like Pegasus is a Sisyphean undertaking because, as Oxford explains, it boils down to resources: the spies, whether they are backed by governments or criminal syndicates, will always have more money than their targets.

“The way the world is, the criminal organisations that are creating malware and ransomware that get into your PC and lock up your files until you pay a ransom, they make more money than the cybersecurity firms. Then you have malware that is state-sponsored, or exclusively sold to governments, whether it’s state-sponsored hacking groups looking for weaknesses in physical infrastructure, or trying to take nuclear reactors offline, those kinds of things. Again, they have the same resources, but their objective is not to make money. So they don’t have to proliferate their malware far and wide. They are looking to absolutely target one specific device or one specific operating system for a specific reason. They have huge resources.”

Escaping Pegasus, even for Ramaphosa, is close to impossible. Our anonymous source says that Ramaphosa uses a dedicated phone for work-related calls and that the Presidency has spent millions on securing the device: “When he’s talking to another country’s president, he doesn’t do it on WhatsApp…” But, says Marczak, people still have personal phones, which makes things hard even for someone with a sophisticated cyber defence posture:

“One of the targets mentioned in the Pegasus project was France’s Emmanuel Macron. The reporting mentioned some sensible mitigations that Macron had. He had a separate secure phone he used for confidential calls. Still, he had a personal phone. People have personal phones, it’s just a fact of life. You can’t ask everyone in government to give up their personal phones. So, that’s always going to be a way in and a vulnerability. For example, you can turn on someone’s personal phone and turn on the microphone with conversations happening near the device. It allows you to really get a lot of information.”

And information on a head of state, as the intelligence source explains, “is golden” in the hands of the enemy: “You can drive foreign policy, determine strategies, you can launch a disinformation campaign… destabilise the region.”

It may seem hopeless, but the Pegasus revelations, along with the hacking of Transnet that put their ports out of commission for several days in July, point to something that the SA government can actually change: our national cyber posture.

Says Van der Waag-Cowling: “We need defence in depth, we need to spend significantly more. We need a national cyber security agency, which reports to Parliament, and it’s got to be well-staffed and well-resourced. Aside from housing a robust Computer Emergency Response capability, which supports both the public and private sectors, it would need to process threat intelligence as well as map data on our attack surface and attack vectors. Currently there is insufficient data available on what is happening in South African cyberspace. We’re a developing digital state, and we know we’re going to get hit. Most states get hit all the time. This needs to be addressed with serious intent.” DM

Comments
• The message is in the very last sentence: “This needs to be addressed with serious intent”.

But having cyber security and disaster recovery systems in place is not the end of it. All organisations also need to have periodic drills and cyber attack exercises to maintain readiness.