Transfin.

The Pegasus Project Explained: What the Spyware Does, Who were Allegedly Targeted, and the India Angle

Editor, TRANSFIN.
Jul 19, 2021 4:58 PM 6 min read
Editorial

Yesterday, a global consortium of over 80 journalists from 17 media platforms across 10 countries released a report alleging that more than 50,000 phone numbers may have been selected for surveillance by way of the Pegasus software.

The alleged targets include government critics, members of the opposition and journalists from countries such as Bahrain, Morocco, Saudi Arabia, Azerbaijan, Rwanda, Hungary, Mexico - and India.

The Pegasus “intrusive software” has been around for years, and has frequently elicited hue and cry over its potential for - and allegations of - aiding state surveillance. Yesterday’s report was the latest in a series of exposés on the software’s usage by governments around the world.

What is Pegasus?

It’s spyware: a type of malware designed to gain administrative control over your phone and essentially turn it into a tracking device.

It was developed by Israeli cyberarms company NSO Group, which claims to sell its technology only to “law enforcement and intelligence agencies of vetted governments”, supposedly to be used against criminals and terrorists.

 

How Does the Pegasus Spyware Work?

The malware was first identified in 2016. Back then, it employed “spear-phishing” to infect devices. This involved sending text messages or emails with a malicious link and tricking the victim into clicking it, which then infected their device.

Over time, this technology has evolved. It now employs “zero-click” attacks, which need no interaction from the victim. These target systemic security loopholes in a mobile phone’s operating system (Android or iOS) that the manufacturer may not have fixed, in order to infect the device.

This is what makes Pegasus so dangerous. You can take all the precautions in the world and remain vigilant 24x7, but if there’s a minor “zero-day” vulnerability (i.e. a vulnerability unknown to those interested in mitigating it) within your device, the spyware can exploit it, invade your phone, and spy on you day and night. All without you even realising it.

What does “spy” mean? Pegasus has been designed to extract messages, photos and emails, record calls, activate microphones, secretly turn on the front camera and pin-point your location. Basically, it can do anything you can do with your phone.

FYI: The spyware industry is unsurprisingly a coy one. Not much is known about the operations of the main players, which include NSO, Gamma Group and Memento Labs.

 

What is the Pegasus Project?

The investigative coalition that released Sunday’s report has been dubbed the “Pegasus Project”. It includes journalists from outlets like The Washington Post, Le Monde, The Guardian, Haaretz, and The Wire in India. It was coordinated by Paris-based nonprofit Forbidden Stories and Amnesty International, which first received the leaked list of 50,000+ potentially targeted phone numbers from an unidentified source.

For its part, the NSO Group has come out with a statement stating that the Pegasus Project’s report “has no factual basis and [is] far from reality”.

It is now considering a defamation suit.

Now, just because a number has appeared on this list doesn’t mean the phone was definitely infected with Pegasus.

For instance, around 1,000 of the numbers (which were unattributed) were first identified. They spanned more than 50 countries across four continents, including “65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials”. Some of these people were then contacted and independent forensic analyses were conducted on their devices. So far, 37 have been found to have been infected, some of them as early as this month. Further details are expected to be released in the coming days, possibly including details of further investigations and analyses of more devices.

 

Who Were Targeted?

The targets as per the analysis so far (again, only some phones could be personally analysed; there may be many more) include journalists, politicians, dissidents, activists, businesspeople and academicians.

The journalistic targets who have so far been identified include reporters, editors and executives at platforms like CNN, The New York Times, The Economist, AP, Reuters and Financial Times.

Coming to India, the phones of at least 38 journalists from outlets like Hindustan Times, The Hindu, The Wire, The Indian Express, News18, India Today and Pioneer, aside from freelancers, columnists and regional media, were apparently targeted. 

 

A Little Bit of History

Pegasus’s existence has been known for years. Canada-based cybersecurity group Citizen Lab reported it to be operational in India as early as June 2017.

In 2018, a Saudi dissident filed a lawsuit against the NSO Group saying it had enabled the Saudi government to spy on journalist Jamal Khashoggi and those close to him. Khashoggi had been brutally assassinated that year (recent revelations seem to confirm these claims).

FYI: Khashoggi isn’t the only journalist who was targeted before he was murdered. Mexican freelance reporter Cecilio Pineda Birto was killed in 2017 following his reporting on an alleged corrupt police-politician nexus. His phone number was among those leaked to the Pegasus Project. (A forensic analysis was not possible since his phone was never found after his death.)

In 2019, WhatsApp filed a lawsuit against the Israeli company alleging that the latter's Pegasus spyware had targeted some 1,400 WhatsApp users using zero-day attacks, including at least two-dozen "Indian journalists and human rights activists".

 

The India Angle

Of the 37 phones confirmed to have been infected (and not merely targeted) with the spyware, 10 were Indian.

Of c. 1,000 numbers identified in the 50,000-strong leaked list, about 300 belong to Indians. Besides 38 journalists, according to The Wire, this list includes “three major opposition figures, one constitutional authority, two serving ministers, current and former heads and officials of security organisations and scores of businesspersons”. It was revealed today that opposition party leader Rahul Gandhi, poll strategist Prashant Kishor and former Chief Justice Ranjan Gogoi were also targeted.

On Saturday, responding to a questionnaire sent by the Pegasus Project, the Ministry of Electronics and Information Technology dismissed allegations that Pegasus was used in India to conduct illegal surveillance. Following the release of the report, the Government released a statement saying the report has “no concrete basis or truth associated with it whatsoever”.

Unfortunately, the proposition that the Government of the “world’s largest democracy” spied on its critics is not really a far-fetched one.

India is becoming increasingly unsafe for journalists. Four were killed in relation to their work in 2020 alone. But the severity of the situation goes beyond murder. It takes the form of state coercion, self-censorship, death threats, online abuse, and dubiously broad anti-terror legislation and sedition laws engineered for misuse and criticised by the likes of the UN and the Supreme Court itself.

The country’s ranking in the World Press Freedom Index has fallen consistently over recent years. Currently, it stands at 142 out of 180 countries - an all-time low. To a great degree, this was enabled by state-sponsored online abuse and trolling to silence criticism, enforce self-censorship, and sway public opinion. A study by the Oxford Internet Institute listed the present Government as one that has employed “cyber troops” for organised social media manipulation. In fact, in some areas of digital propaganda and coercion, the Government shares the unflattering company of countries like China, Iran, Pakistan, Russia and Venezuela.

Like a Black Mirror episode come to life, the Pegasus spyware is any big-government proponent’s dream-come-true. With further information expected to surface in the coming days, the Pegasus Papers, to use Edward Snowden’s words, may very well become “the story of the year”.
