As the need to avoid government surveillance in authoritarian states worldwide, activists and whistleblowers leaned heavily on end-to-end encryption in hopes of evading reprisals for speaking truth to power. 

Pegasus can break into most messaging systems including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others. This means it can spy on almost all of the world’s population. 

Investigation Reveals The Israeli Made Pegasus Spyware Used To Track Over 50,000 Phones

Who was targeted?

The leaked database contains a list of more than 50,000 phone numbers believed to be those of persons of interest by multiple government clients of NSO since 2016. About 1,000 individuals from 50 countries were able to be identified by media outlets participating in the project as potential clients for NSO. More than 85 human rights activists, 189 journalists, and more than 65 business executives, more than 600 politicians and government officials were targeted. 

The list of targeted journalists dates back to 2016 and includes reporters from the Post, CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde, the Financial Times, and Al Jazeera from all over the world.

How do Zero-Click Exploits work?

From a crude system relying on social engineering, Pegasus has evolved from malware that compromises phones simply by clicking on a link to no longer requiring a target’s direct involvement. Hacking attacks using Pegasus once required active participation from a target. Pegasus operators sent text messages containing a malicious link to their target’s phone. When the user clicked on it, a malicious page appeared on their web browser for downloading and executing the malware, infecting their system.

Over time the public and targets became aware of the social engineering techniques used to lure them. As a result ‘zero-click exploits’ were created. These vulnerabilities do not rely on the target doing anything at all in order for Pegasus to compromise their device. Zero-click exploits target popular apps like iMessage, WhatsApp, and FaceTime, which all receive and sort data from unknown sources.

Once a vulnerability is found, Pegasus can infiltrate a device using the protocol used by the app. No link has to be clicked, no message to be read, and no call has to be answered, and the target may not even see a missed call or message.

Nigerian government using Circles’ product

According to a report from aljazeera, Nigeria’s Defence Intelligence Agency has acquired equipment that it can use to spy on its citizens’ calls and text messages, according to a report by the University of Toronto’s Citizen Lab, which researches digital surveillance, security, privacy and accountability.

The report, titled Running in Circles: Uncovering the Clients of Cyber-espionage Firm Circles, said a telecom surveillance company by the name of Circles has been helping state security apparatuses across 25 countries, including Nigeria, to spy on the communications of opposition figures, journalists, and protesters.

Circles, on the other hand, is known for selling systems to exploit Signalling System 7 (SS7) vulnerabilities and claims to have sold the technology to several countries, according to the report.

SS7 is a system that allows one mobile network to connect with another.

“Unlike NSO Group’s Pegasus spyware, the SS7 mechanism by which Circles’ product reportedly operates does not have an obvious signature on a target’s phone,” explained the report.

The report indicated that Pegasus and Circles products could possibly be integrated.

But there is limited information on how the Circles system integrates with NSO Group’s flagship Pegasus spyware, though a former NSO Group employee told Motherboard that Pegasus had an “awful integration with Circles” and that Circles had “exaggerated their system’s abilities,” according to the report.

According to the report, at least two entities in Nigeria have deployed Circles’ product.

“One system may be operated by the same entity as one of the Nigerian customers of the FinFisher spyware that we detected in December 2014,” said the report.

“The other client appears to be the Nigerian Defence Intelligence Agency (DIA), as its firewall IPs are in AS37258, a block of IP addresses registered to “HQ Defence Intelligence Agency Asokoro, Nigeria, Abuja,” it added.

The report also referred to an investigation by online newspaper Premium Times, which concluded that the governors of two Nigerian states “had purchased systems from Circles to spy on their political opponents”.

“In Delta State, Premium Times reports that the system was installed … and operated by employees of the governor, rather than police,” said the report.

What’s in it for NSO group?

The New York Times reported in 2016 that an NSO tool to spy on 10 iPhone users would cost $650,000 and a $500,000 installation fee, but it is likely more today. In 2020, the company reported revenues of $243 million.

Legal battles

A lawsuit was filed in 2019 in the United States by WhatsApp against the NSO Group, claiming that the Israeli company had exploited a vulnerability to infect more than 1,400 devices. The WhatsApp lawsuit reports that those targeted included journalists, lawyers, religious leaders, and political dissidents. Microsoft and Google are among other prominent companies that have filed supporting arguments in the case.

Amnesty International (which sued the Israeli Ministry of Defense, which must approve all NSO Group sales to foreign governments), activists and journalists targeted by NSO Group’s technology have also filed suits.