
Project Pegasus: Global news organizations reveal expansive investigation of NSO Group “zero click” surveillance software

Seventeen news organizations around the globe have launched Project Pegasus, a hard-hitting investigative report on the Israel-based NSO Group. The project takes its name from Pegasus, the cyberespionage tool developed by the NSO Group.

What Is The Pegasus Software?

The NSO Group's Pegasus software is designed to give the license holder complete control of a smartphone on which the malware has been installed. This includes control of the camera and microphone, and access to all data on the device and to any cloud-based accounts whose permissions are configured on it. Reports are that the software is so advanced that it requires very little user action, in most cases just a click on a link or a visit to a web page.

What Has The Investigation Revealed?

At the center of the investigation are licensing agreements (approved by the Israeli government) to countries such as Saudi Arabia and the successful hacks of 37 smartphones belonging to reporters, social activists, business leaders and the two women closest to murdered Saudi journalist Jamal Khashoggi.

Although NSO Group denies just about everything in the media reports, investigators claim that the spyware is so advanced that it exploits multiple vulnerabilities, including, it is assumed, many that are not yet publicly known.

The Guardian summarized the attack paths as:

The Pegasus attack is very simplistic in its transmission and silent in releasing its payload. The attack begins when the intruder sends a website URL (through SMS, email, social media, or any other information) to a classified target. The user only has to take one action: click on the link. Once the user clicks the link, the software silently transfers out a series of exploits towards the victim's device to remotely jailbreak it so that the surveillance software packages can be installed. The user's only sign that anything appeared will be that the browser terminates after the link is clicked.

OODA Assessment:

The NSO Group is not the only company operating in this space; another that has received media attention is Cellebrite. It is interesting that media reports on both NSO Group and Cellebrite do not indicate that China and Russia are customers. We only mention that because it is logical to assume that both China and Russia have their own capabilities for these types of attacks.

Experience indicates that this will not be the last time this type of story is in the news. As underscored in Nicole Perlroth's book This Is How They Tell Me the World Ends, there are a number of organizations seeking to create and profit from exploits of technologies. We should assume this type of dynamic will always be with us.

Project Pegasus may be the tipping point of a growing trend in both the frequency and scale of cybersecurity breaches (read: SolarWinds and Kaseya, among many others) and emerging cyberthreats (US Accuses Chinese Officials of Running Data Theft Ring), and in the frequency and scale of the mainstream media coverage of the same.

Long term, it is safe to assume Project Pegasus will light a fire under policymakers regarding the growing specter of cybersecurity and cyberthreats worldwide.

What To Do Now:

Security and risk management professionals should be able to determine immediate risks from this initial round of coverage. Some of the most important things to do are probably already on your list. These include:

  • Always keep your OS and all applications up to date; turn on automatic OS updates.
  • Be suspicious of any link that arrives from any source.
  • Switch your DNS to a service that offers a dynamic DNS-level firewall (such as Quad9.net).
  • Put two-factor authentication on everything.
  • Protect executive communications using Wickr.
  • Enterprises should bring all mobile devices under enterprise management using top-tier capabilities (ask us for recommendations, which will vary depending on your environment).
  • Ensure you use the appropriate threat model for executive travel (see the Traveling Executive's Guide to Cybersecurity).

For more reading:

The Project Pegasus news organizations are:

  • Aristegui Noticias (Mexico)
  • Daraj (Lebanon)
  • Die Zeit (Germany)
  • Direkt36 (Hungary)
  • Forbidden Stories (France)
  • Haaretz (Israel)
  • Knack (Belgium)
  • Le Monde (France)
  • Le Soir (France)
  • Organized Crime and Corruption Reporting Project (OCCRP) (Global Network)
  • Proceso (Mexico)
  • Radio France (France)
  • Süddeutsche Zeitung (Germany)
  • The Guardian (United Kingdom)
  • The Washington Post (United States)
  • The Wire (India)
  • FRONTLINE – PBS (United States)


The following list captures a portion of the exhaustive investigative coverage provided by Project Pegasus upon launch of the investigation's findings by all seventeen news organizations on July 18th. The information provided in this coverage should assist OODALoop.com readers in evaluating the countries and organizations which the Project Pegasus investigation alleges are using the surveillance tool, as well as the global regions and countries where Pegasus may be in operation at this time.

The Project Pegasus Reportage (as of July 19, 2021)
(Source: The Pegasus Project media index)

  • The Guardian (UK)
  • The Washington Post (US)
  • Aristegui Noticias (Mexico)
  • The Organized Crime and Corruption Reporting Project (overview page) (Eastern Europe, the Caucasus, Central Asia and Central America)
      • Voices of the Hacked
  • Haaretz (Israel)
  • PBS FRONTLINE (USA)
  • Radio France (France)
  • Proceso (Mexico)

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.