Cyber Security

Pegasus – Still a Threat to the UK?

Benedict Pignatelli

The Pegasus spyware, the most famous (or infamous) product sold by Israeli/US company NSO Group, has been making headlines since 2019. Designed to combat terrorism and investigate criminal activity, the technology was made famous first for its innovative and impressive ability to gather information, then for concerns around its legality and availability.

There have been countless examples of malpractice and use of the spyware for illegal practices, as well as concerns over who has access to the technology.

What is Pegasus Spyware?

NSO Group is an Israeli technology firm founded in 2010 that was acquired by a California-based private equity company, Francisco Partners, in 2014 for $110 million. Francisco Partners own several cybersecurity vendors, and NSO Group was their latest acquisition.

Pegasus is NSO Group’s most notorious spyware. The spyware is designed to collect data from private devices, mostly mobile phones. The spyware can be installed remotely, often through simple phishing texts or emails. However, it can supposedly get onto a device without any action from its owner. Once installed, Pegasus can take complete control and has full access to the device, and full visibility. This includes encrypted apps such as WhatsApp – NSO is currently being sued by WhatsApp for targeting its users in 2019. It can also turn the phone into a listening device and the technology can be active for prolonged periods of time. Szabolcs Panyi, a Hungarian reporter, had his phone compromised for a seven-month period in 2019.

Although the NSO Group claim they have a rigorous vetting process for who they sell to, arguing their target market is governing bodies or law enforcement, they are quick to argue they ‘cannot be held liable’ for how the software is used once in the hands of their clients.

Controversy with Pegasus

The controversy began when it became apparent the spyware was being used maliciously and for reasons other than national security. Journalists from Forbidden Stories and The New Yorker both uncovered shocking cases where the tech had been used to spy on law-abiding citizens.

It became apparent that the signature spyware was being deployed against dissidents or critics of government regimes, rather than criminals. This included journalists, diplomats, members of the clergy, and human rights lawyers.

Notable targets include Pere Aragonès, president of the Catalan government, whose office was targeted along with his legislators, several European Parliament members, and their families. Tensions arose within Spain following calls for Catalonia to become its own independent country. It is believed the Catalan government began to be targeted following the October referendum (which the Spanish government deemed unconstitutional). Aragonès is quoted as saying the ‘operation of mass espionage is… a serious attack on fundamental rights and democracy’.

Another case is award-winning journalist Javier Valdez Cárdenas, who was gunned down in cold blood for his work investigating Mexican cartels and corruption. Several days after the assassination, Citizen Lab discovered Pegasus was targeting several of his colleagues. The NSO Group client, who was linked to the Mexican government, had been publicly exposed for abusing Pegasus months before, which suggests the NSO Group failed to take effective action against them – their failure to act became a factor in the death of Cárdenas.

It was revealed French President Emmanuel Macron and his entire cabinet were targeted for surveillance. Although they deny the allegations, the Israeli government and NSO Group have since been in talks with the French to discuss the matter.

Most shockingly, perhaps, was the evidence brought forward proving Pegasus was a key factor in the death of journalist Jamal Khashoggi. Sources indicate the Saudi government utilised the spyware to steal information sent between Khashoggi and fellow activist Omar Abdulaziz, and that this led directly to the death of Khashoggi. Following his death, his associates and family members were also targeted.

USA acts, UK stalls

Since the allegations against the NSO Group emerged, the Israeli government has begun to distance itself from the private company.

In November 2021, the US government blacklisted NSO Group, declaring it was ‘contrary to the foreign policy and national security interests of the US.’ The Deputy Director of Amnesty Tech commented: ‘the US government has acknowledged… NSO Group’s spyware is a tool of repression which has been used around the world to violate human rights.’

Although NSO Group was against the blacklisting, it is a positive step towards safeguarding the public from the spyware.

There was not an immediate response from Britain after the US ban. In late 2021, NSO Group reported they had blocked UK numbers from being targeted after it was revealed Princess Haya’s phone had been targeted after she had fled to London from Dubai.

In April of this year, Citizen Lab discovered the spyware was present in the UK and had even penetrated No. 10 Downing Street. This came after NSO Group had allegedly stopped UK numbers from being vulnerable. Like the killing of Cárdenas, a lack of response from NSO Group, either from mere incompetence, or something more malicious, has allowed organisations to misuse Pegasus with dire repercussions for safeguarding and security.

Members of the NCSC (National Cyber Security Centre) tested Downing Street phones extensively but were unable to find the infected device. Scott-Railton, a lead researcher at Citizen Lab, expressed his surprise at just how much of a threat Pegasus was to even the leading countries of the world and used the case of No. 10 as proof that it had been grossly underestimated.

Is the UK still at risk?

Amnesty International identified new ways Pegasus can be installed on a phone, including through common security flaws in the iPhone – flaws that are still detected today. Forbidden Stories reported that the iMessage service has vulnerabilities within it that make it susceptible to attack, and that these have gotten worse over time. As can be expected with all this bad press, NSO Group has begun to move away from Pegasus, and into new fields of spyware.

They have been expanding their product line since the start of the controversy. Maestro is an AI-based technology, which studies data through surveillance, and monitors the victim’s routine, alerting the user if there is a deviation that could indicate criminal activity. Think J. Edgar Hoover meets Orwell’s Big Brother. Maestro is already on the market and several countries are already utilising the spyware.

There is a lot that is still unknown about the workings of NSO Group, and their constantly developing tech. Like much of cyber crime, cyber espionage and cyber security, technology in general is evolving exponentially, with new, more devastating threats being developed every day. AI-augmented, zero-day and machine-speed attacks are becoming more and more common, leaving traditional security tools behind.

The fact that Pegasus has been found not only in the UK but in the home and office of the Prime Minister demonstrates it is still a serious threat, and the threat of cyber crime will not be going anywhere soon.

About the author: Benedict Pignatelli is a contributing writer from Dublin, Ireland. He studied World Religions and Arabic Language, and has an interest in Middle Eastern politics. He also writes fiction and was longlisted for the 2019 Bridport Prize.