The FBI insisted it never planned to use the program to trhttps://www.foxnews.com/ack Americans

The FBI has come under scrutiny in recent months after it purchased a license to use the highly effective spyware program. FBI officials have insisted they did not end up using the program and had intended to only use it for research. Nevertheless, internal documents suggest they had plans to expand its use–including for tracking Americans. The FBI now tells Fox News it will drop the program.

Director Wray faced a grilling from members of Congress on the issue in hearings earlier this year, when he stated that his organization had never used to program.

 

“The Director’s testimony was accurate when given and remains true today – there has been no operational use of the NSO product to support any FBI investigation,” the FBI told Fox.

Sen. Ron Wyden, D-OR, accused Wray of essentially lying – or at least fudging the truth – in testimony earlier this year. Wray was asked about the FBI’s purchase of the spyware and bureau plans to use it in criminal investigations, including tracking Americans. Wray insisted the FBI would only use Pegasus for “research,” but the New York Times soon obtained internal FBI documents indicating this was not accurate – the FBI had hoped to use Pegasus more broadly.

Pegasus has already proven capable of infiltrating the phones of U.S. officials working overseas, something Rep. Adam Schiff, D-Calif., highlighted in a spyware hearing this summer.

“Late last year, multiple news organizations reported that mobile phones used by U.S. diplomats in Uganda had been compromised by NASA’s Pegasus tool,” Schiff said at the time. “It is my belief that we are very likely looking at the tip of the iceberg and that other U.S. government personnel have had their devices compromised, whether by a nation state using NSA services or tools offered by one of its lesser known but equally potent competitors.”

Experts say the spyware has legitimate uses but is also a powerful tool for authoritarian governments. Mexico used Pegasus in its effort to track down El Chapo, and Saudi Arabia also used it to track journalist Jamal Khashoggi prior to orchestrating his murder, according to cyber defense expert Jason Blessing.

The Spy Factories: NSA’s XKeyscore Isn’t the Only Program Tracking You

When whistleblower Edward Snowden revealed his NSA files in 2013, one sneaky program stood out: XKeyscore, a secret system that spies can use to search and analyze nearly everything you do on the internet in real-time.

XKeyscore is still hoovering up your internet searches, passwords, user names, emails, and personal messages a decade later. In fact, it’s not the only tool governments used to spy on your personal data. Here are five ways the US, Britain, Israel, Canada, and others may be spying on you right now.

CIA snooping on Americans‍

The CIA is vacuuming up data in bulk so spies can sift through it, according to two members of the US Senate Intelligence Committee.

If the data collec­tion happens over­seas or falls into a statutory black hole, it comes under Exec­ut­ive Order 12333 which means there’s little over­sight. “What stops the CIA from poring through the data look­ing for Amer­ic­ans’ inform­a­tion? Let’s be honest: noth­ing,” according to the Brennan Center for Justice.

Senator Ron Wyden said he is also concerned the US Defense Intelligence Agency is buying consumer smartphone location data from a third-party broker and the Department of Homeland Security is helping to compile money transfer records.

Pegasus software‍

The Israeli company NSO Group developed Pegasus spyware to target terrorists but governments have used it to track at least 180 journalists, political dissidents, activists, and heads of state including French President Emmanuel Macron.

More than 50,000 phone numbers targeted for surveillance by Pegasus’ customers were leaked to Amnesty International, revealing a massive global privacy breach. Once installed, the software operator can receive text messages, contact lists, and calendar events, and can turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.

Who uses it? The FBI ‘tested’ Pegasus spyware but said they haven’t used it in investigations. Canada’s CitizenLab linked Pegasus to operations in 45 countries including Mexico, Bahrain, Kazakhstan, Morocco, Saudi Arabia, and the UAE. Israeli police used the spyware to scrutinize citizens’ phones. The son of ex-Israeli PM Benjamin Netanyahu was one such target. Not all countries have access to Pegasus software. Israel reportedly blocked Ukraine from buying a license, fearing Russia would be angry if Pegasus was sold to a regional foe.

Codename Tempora: Britain’s GCHQ cyberspies ‍

The European Court of Human Rights ruled in 2021 that GCHQ spies were acting unlawfully when they intercepted online communications in bulk. Judges also criticized GCHQ’s regime for sharing sensitive digital intelligence with foreign governments.

The data included information from passports, travel records, financial data, telephone calls, emails, and open or covert sources.

The court case revealed that Britain’s spies had secretly collected bulk personal data since the late 1990s and gathered information on people ‘unlikely to be of intelligence or security interest’. UK lawyers argued that the information was needed for national security.

Vault 7: CIA hacking techniques‍

In 2017, WikiLeaks published what it described as thousands of pages of internal CIA discussions about Agency hacking techniques. CIA spies could apparently access Apple iPhones, Google Android devices, and other gadgets to capture text and voice messages before they were encrypted with software.

By the end of 2016, the CIA’s Center for Cyber Intelligence had more than 5,000 registered users and produced more than 1,000 hacking systems, trojans, viruses, and other ‘weaponized’ malware, creating, in effect, its own NSA with less accountability, according to WikiLeaks.

The House Intelligence committee was ‘looking into the report’ by Yahoo! News in 2021 that claimed the CIA allegedly plotted revenge for the WikiLeaks revelations by targeting founder Julian Assange.

CSIS: Canada’s spies creep forward‍

Canada’s CSE – the signals intelligence group that collects data much like the NSA does in the US – received new powers in 2019 under a law designed to crack down on terrorists. Privacy advocates worry the law is an invitation for mass surveillance and see potential problems.

Critics have long complained about CSE which, in 2012, spied on Canadians using public WiFi networks in Canadian airports. The agency – and its watchdog – argued that they were only collecting metadata (for example, an IP or email address and phone number) rather than the content of messages.

“But we (and they) know that metadata can reveal tons of private information about a person and their life: where they have been, what they believe, who they talk to, etc,” according to Canada’s International Civil Liberties Monitoring Group.

• NSA-backdoored equipment info found OFF this website
• U.S. Government Catalogue of Cellphone Surveillance Devices
• Backdoors on Wikipedia
• National Security Agency
• Central Intelligence Agency
• NSA EXTRACTED INFO
• CRYPTO MUSEUM
• Edward Snowden
• Stingray
• Pegasus Spyware
• X-Keyscore

 XKeyscore gives ‘widest-reaching’ collection of online data  NSA analysts require no prior authorization for searches  Sweeps up emails, social media activity and browsing history

A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.

The NSA boasts in training materials that the program, called XKeyscore, is its “widest-reaching” system for developing intelligence from the internet.

The latest revelations will add to the intense public and congressional debate around the extent of NSA surveillance programs. They come as senior intelligence officials testify to the Senate judiciary committee on Wednesday, releasing classified documents in response to the Guardian’s earlier stories on bulk collection of phone records and Fisa surveillance court oversight.

The files shed light on one of Snowden’s most controversial statements, made in his first video interview published by the Guardian on June 10.

“I, sitting at my desk,” said Snowden, could “wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal email”.

US officials vehemently denied this specific claim. Mike Rogers, the Republican chairman of the House intelligence committee, said of Snowden’s assertion: “He’s lying. It’s impossible for him to do what he was saying he could do.”

But training materials for XKeyscore detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search. The request is not reviewed by a court or any NSA personnel before it is processed.

 

XKeyScore – the NSA’s secret tool that collects and reveals ‘nearly everything a user does on the internet’

 

XKeyscore, the documents boast, is the NSA’s “widest reaching” system developing intelligence from computer networks – what the agency calls Digital Network Intelligence (DNI). One presentation claims the program covers “nearly everything a typical user does on the internet”, including the content of emails, websites visited and searches, as well as their metadata.

Analysts can also use XKeyscore and other NSA systems to obtain ongoing “real-time” interception of an individual’s internet activity.

Under US law, the NSA is required to obtain an individualized Fisa warrant only if the target of their surveillance is a ‘US person’, though no such warrant is required for intercepting the communications of Americans with foreign targets. But XKeyscore provides the technological capability, if not the legal authority, to target even US persons for extensive electronic surveillance without a warrant provided that some identifying information, such as their email or IP address, is known to the analyst.

One training slide illustrates the digital activity constantly being collected by XKeyscore and the analyst’s ability to query the databases at any time.

The purpose of XKeyscore is to allow analysts to search the metadata as well as the content of emails and other internet activity, such as browser history, even when there is no known email account (a “selector” in NSA parlance) associated with the individual being targeted.

Analysts can also search by name, telephone number, IP address, keywords, the language in which the internet activity was conducted or the type of browser used.

One document notes that this is because “strong selection [search by email address] itself gives us only a very limited capability” because “a large amount of time spent on the web is performing actions that are anonymous.”

The NSA documents assert that by 2008, 300 terrorists had been captured using intelligence from XKeyscore.

Analysts are warned that searching the full database for content will yield too many results to sift through. Instead they are advised to use the metadata also stored in the databases to narrow down what to review.

A slide entitled “plug-ins” in a December 2012 document describes the various fields of information that can be searched. It includes “every email address seen in a session by both username and domain”, “every phone number seen in a session (eg address book entries or signature block)” and user activity – “the webmail and chat activity to include username, buddylist, machine specific cookies etc”.

Email monitoring

In a second Guardian interview in June, Snowden elaborated on his statement about being able to read any individual’s email if he had their email address. He said the claim was based in part on the email search capabilities of XKeyscore, which Snowden says he was authorized to use while working as a Booz Allen contractor for the NSA.

One top-secret document describes how the program “searches within bodies of emails, webpages and documents”, including the “To, From, CC, BCC lines” and the ‘Contact Us’ pages on websites”.

To search for emails, an analyst using XKS enters the individual’s email address into a simple online search form, along with the “justification” for the search and the time period for which the emails are sought.

The analyst then selects which of those returned emails they want to read by opening them in NSA reading software.

The system is similar to the way in which NSA analysts generally can intercept the communications of anyone they select, including, as one NSA document put it, “communications that transit the United States and communications that terminate in the United States”.

One document, a top secret 2010 guide describing the training received by NSA analysts for general surveillance under the Fisa Amendments Act of 2008, explains that analysts can begin surveillance on anyone by clicking a few simple pull-down menus designed to provide both legal and targeting justifications. Once options on the pull-down menus are selected, their target is marked for electronic surveillance and the analyst is able to review the content of their communications:

Chats, browsing history and other internet activity

Beyond emails, the XKeyscore system allows analysts to monitor a virtually unlimited array of other internet activities, including those within social media.

An NSA tool called DNI Presenter, used to read the content of stored emails, also enables an analyst using XKeyscore to read the content of Facebook chats or private messages.

An analyst can monitor such Facebook chats by entering the Facebook user name and a date range into a simple search screen.

Analysts can search for internet browsing activities using a wide range of information, including search terms entered by the user or the websites viewed.

As one slide indicates, the ability to search HTTP activity by keyword permits the analyst access to what the NSA calls “nearly everything a typical user does on the internet”.

The XKeyscore program also allows an analyst to learn the IP addresses of every person who visits any website the analyst specifies.

The quantity of communications accessible through programs such as XKeyscore is staggeringly large. One NSA report from 2007 estimated that there were 850bn “call events” collected and stored in the NSA databases, and close to 150bn internet records. Each day, the document says, 1-2bn records were added.

William Binney, a former NSA mathematician, said last year that the agency had “assembled on the order of 20tn transactions about US citizens with other US citizens”, an estimate, he said, that “only was involving phone calls and emails”. A 2010 Washington Post article reported that “every day, collection systems at the [NSA] intercept and store 1.7bn emails, phone calls and other type of communications.”

The XKeyscore system is continuously collecting so much internet data that it can be stored only for short periods of time. Content remains on the system for only three to five days, while metadata is stored for 30 days. One document explains: “At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours.”

To solve this problem, the NSA has created a multi-tiered system that allows analysts to store “interesting” content in other databases, such as one named Pinwale which can store material for up to five years.

It is the databases of XKeyscore, one document shows, that now contain the greatest amount of communications data collected by the NSA.

In 2012, there were at least 41 billion total records collected and stored in XKeyscore for a single 30-day period.

Legal v technical restrictions

While the Fisa Amendments Act of 2008 requires an individualized warrant for the targeting of US persons, NSA analysts are permitted to intercept the communications of such individuals without a warrant if they are in contact with one of the NSA’s foreign targets.

The ACLU’s deputy legal director, Jameel Jaffer, told the Guardian last month that national security officials expressly said that a primary purpose of the new law was to enable them to collect large amounts of Americans’ communications without individualized warrants.

“The government doesn’t need to ‘target’ Americans in order to collect huge volumes of their communications,” said Jaffer. “The government inevitably sweeps up the communications of many Americans” when targeting foreign nationals for surveillance.

An example is provided by one XKeyscore document showing an NSA target in Tehran communicating with people in Frankfurt, Amsterdam and New York.

In recent years, the NSA has attempted to segregate exclusively domestic US communications in separate databases. But even NSA documents acknowledge that such efforts are imperfect, as even purely domestic communications can travel on foreign systems, and NSA tools are sometimes unable to identify the national origins of communications.

Moreover, all communications between Americans and someone on foreign soil are included in the same databases as foreign-to-foreign communications, making them readily searchable without warrants.

Some searches conducted by NSA analysts are periodically reviewed by their supervisors within the NSA. “It’s very rare to be questioned on our searches,” Snowden told the Guardian in June, “and even when we are, it’s usually along the lines of: ‘let’s bulk up the justification’.”

In a letter this week to senator Ron Wyden, director of national intelligence James Clapper acknowledged that NSA analysts have exceeded even legal limits as interpreted by the NSA in domestic surveillance.

Acknowledging what he called “a number of compliance problems”, Clapper attributed them to “human error” or “highly sophisticated technology issues” rather than “bad faith”.

However, Wyden said on the Senate floor on Tuesday: “These violations are more serious than those stated by the intelligence community, and are troubling.”

In a statement to the Guardian, the NSA said: “NSA’s activities are focused and specifically deployed against – and only against – legitimate foreign intelligence targets in response to requirements that our leaders need for information necessary to protect our nation and its interests.

“XKeyscore is used as a part of NSA’s lawful foreign signals intelligence collection system.

“Allegations of widespread, unchecked analyst access to NSA collection data are simply not true. Access to XKeyscore, as well as all of NSA’s analytic tools, is limited to only those personnel who require access for their assigned tasks … In addition, there are multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse from occurring.”

“Every search by an NSA analyst is fully auditable, to ensure that they are proper and within the law.

“These types of programs allow us to collect the information that enables us to perform our missions successfully – to defend the nation and to protect US and allied troops abroad.”

X-Keyscore:
Allows the NSA and Allies to Monitor Emails,
Web Browsing, Internet Searches and Social Media

XKeyscore 

XKeyscore (XKEYSCORE or XKS) is a secret computer system used by the United States National Security Agency (NSA) for searching and analyzing global Internet data, which it collects in real time. The NSA has shared XKeyscore with other intelligence agencies, including the Australian Signals Directorate, Canada’s Communications Security Establishment, New Zealand’s Government Communications Security Bureau, Britain’s Government Communications Headquarters, Japan’s Defense Intelligence Headquarters, and Germany’s Bundesnachrichtendienst.^[1]

In July 2013, Edward Snowden publicly revealed the program’s purpose and use by the NSA in The Sydney Morning Herald and O Globo newspapers. The code name was already public knowledge because it was mentioned in earlier articles, and, like many other code names, it appears in job postings and online résumés of employees.^[2][3]

On July 3, 2014, German public broadcaster Norddeutscher Rundfunk, a member of ARD, published excerpts of XKeyscore’s source code.^[4] A team of experts analyzed the source code.^[5] cited

XKEYSCORE

NSA’s Google for the World’s Private Communications

Morgan Marquis-Boire, Glenn Greenwald, Micah Lee cited theintercept.com

ONE OF THE National Security Agency’s most powerful tools of mass surveillance makes tracking someone’s Internet usage as easy as entering an email address, and provides no built-in technology to prevent abuse. Today, The Intercept is publishing 48 top-secret and other classified documents about XKEYSCORE dated up to 2013, which shed new light on the breadth, depth and functionality of this critical spy system — one of the largest releases yet of documents provided by NSA whistleblower Edward Snowden.

The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.

These servers store “full-take data” at the collection sites — meaning that they captured all of the traffic collected — and, as of 2009, stored content for 3 to 5 days and metadata for 30 to 45 days. NSA documents indicate that tens of billions of records are stored in its database. “It is a fully distributed processing and query system that runs on machines around the world,” an NSA briefing on XKEYSCORE says. “At field sites, XKEYSCORE can run on multiple computers that gives it the ability to scale in both processing power and storage.”

XKEYSCORE also collects and processes Internet traffic from Americans, though NSA analysts are taught to avoid querying the system in ways that might result in spying on U.S. data. Experts and privacy activists, however, have long doubted that such exclusions are effective in preventing large amounts of American data from being swept up. One document The Intercept is publishing today suggests that FISA warrants have authorized “full-take” collection of traffic from at least some U.S. web forums.

The system is not limited to collecting web traffic. The 2013 document, “VoIP Configuration and Forwarding Read Me,” details how to forward VoIP data from XKEYSCORE into NUCLEON, NSA’s repository for voice intercepts, facsimile, video and “pre-released transcription.” At the time, it supported more than 8,000 users globally and was made up of 75 servers absorbing 700,000 voice, fax, video and tag files per day.

The reach and potency of XKEYSCORE as a surveillance instrument is astonishing. The Guardian report noted that NSA itself refers to the program as its “widest reaching” system. In February of this year, The Intercept reported that NSA and GCHQ hacked into the internal network of Gemalto, the world’s largest provider of cell phone SIM cards, in order to steal millions of encryption keys used to protect the privacy of cell phone communication. XKEYSCORE played a vital role in the spies’ hacking by providing government hackers access to the email accounts of Gemalto employees.

Numerous key NSA partners, including Canada, New Zealand and the U.K., have access to the mass surveillance databases of XKEYSCORE. In March, the New Zealand Herald, in partnership with The Intercept, revealed that the New Zealand government used XKEYSCORE to spy on candidates for the position of World Trade Organization director general and also members of the Solomon Islands government.

These newly published documents demonstrate that collected communications not only include emails, chats and web-browsing traffic, but also pictures, documents, voice calls, webcam photos, web searches, advertising analytics traffic, social media traffic, botnet traffic, logged keystrokes, computer network exploitation (CNE) targeting, intercepted username and password pairs, file uploads to online services, Skype sessions and more.

Bulk collection and population surveillance

XKEYSCORE allows for incredibly broad surveillance of people based on perceived patterns of suspicious behavior. It is possible, for instance, to query the system to show the activities of people based on their location, nationality and websites visited. For instance, one slide displays the search “germansinpakistn,” showing an analyst querying XKEYSCORE for all individuals in Pakistan visiting specific German language message boards.

As sites like Twitter and Facebook become increasingly significant in the world’s day-to-day communications (a Pew study shows that 71 percent of online adults in the U.S. use Facebook), they become a critical source of surveillance data. Traffic from popular social media sites is described as “a great starting point” for tracking individuals, according to an XKEYSCORE presentation titled “Tracking Targets on Online Social Networks.”

When intelligence agencies collect massive amounts of Internet traffic all over the world, they face the challenge of making sense of that data. The vast quantities collected make it difficult to connect the stored traffic to specific individuals.

Internet companies have also encountered this problem and have solved it by tracking their users with identifiers that are unique to each individual, often in the form of browser cookies. Cookies are small pieces of data that websites store in visitors’ browsers. They are used for a variety of purposes, including authenticating users (cookies make it possible to log in to websites), storing preferences, and uniquely tracking individuals even if they’re using the same IP address as many other people. Websites also embed code used by third-party services to collect analytics or host ads, which also use cookies to track users. According to one slide, “Almost all websites have cookies enabled.”

The NSA’s ability to piggyback off of private companies’ tracking of their own users is a vital instrument that allows the agency to trace the data it collects to individual users. It makes no difference if visitors switch to public Wi-Fi networks or connect to VPNs to change their IP addresses: the tracking cookie will follow them around as long as they are using the same web browser and fail to clear their cookies.

Apps that run on tablets and smartphones also use analytics services that uniquely track users. Almost every time a user sees an advertisement (in an app or in a web browser), the ad network is tracking users in the same way. A secret GCHQ and CSE program called BADASS, which is similar to XKEYSCORE but with a much narrower scope, mines as much valuable information from leaky smartphone apps as possible, including unique tracking identifiers that app developers use to track their own users. In May of this year, CBC, in partnership with The Intercept, revealed that XKEYSCORE was used to track smartphone connections to the app marketplaces run by Samsung and Google. Surveillance agency analysts also use other types of traffic data that gets scooped into XKEYSCORE to track people, such as Windows crash reports.

In a statement to The Intercept, the NSA reiterated its position that such sweeping surveillance capabilities are needed to fight the War on Terror:

“The U.S. Government calls on its intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats. These threats include terrorist plots from al-Qaeda, ISIL, and others; the proliferation of weapons of mass destruction; foreign aggression against the United States and our allies; and international criminal organizations.”

Indeed, one of the specific examples of XKEYSCORE applications given in the documents is spying on Shaykh Atiyatallah, an al Qaeda senior leader and Osama bin Laden confidant. A few years before his death, Atiyatallah did what many people have often done: He googled himself. He searched his various aliases, an associate and the name of his book. As he did so, all of that information was captured by XKEYSCORE.

XKEYSCORE has, however, also been used to spy on non-terrorist targets. The April 18, 2013 issue of the internal NSA publication Special Source Operations Weekly boasts that analysts were successful in using XKEYSCORE to obtain U.N. Secretary General Ban Ki-moon’s talking points prior to a meeting with President Obama.

XKEYSCORE for hacking: Easily collecting user names, passwords and much more

XKEYSCORE plays a central role in how the U.S. government and its surveillance allies hack computer networks around the world. One top-secret 2009 NSA document describes how the system is used by the NSA to gather information for the Office of Tailored Access Operations, an NSA division responsible for Computer Network Exploitation (CNE) — i.e., targeted hacking.

Particularly in 2009, the hacking tactics enabled by XKEYSCORE would have yielded significant returns as use of encryption was less widespread than today. Jonathan Brossard, a security researcher and the CEO of Toucan Systems, told The Intercept: “Anyone could be trained to do this in less than one day: they simply enter the name of the server they want to hack into XKEYSCORE, type enter, and are presented login and password pairs to connect to this machine. Done. Finito.” Previous reporting by The Intercept revealed that systems administrators are a popular target of the NSA. “Who better to target than the person that already has the ‘keys to the kingdom?’” read a 2012 post on an internal NSA discussion board.

This system enables analysts to access web mail servers with remarkable ease.

The same methods are used to steal the credentials — user names and passwords — of individual users of message boards.

Hacker forums are also monitored for people selling or using exploits and other hacking tools. While the NSA is clearly monitoring to understand the capabilities developed by its adversaries, it is also monitoring locations where such capabilities can be purchased.

Other information gained via XKEYSCORE facilitates the remote exploitation of target computers. By extracting browser fingerprint and operating system versions from Internet traffic, the system allows analysts to quickly assess the exploitability of a target. Brossard, the security researcher, said that “NSA has built an impressively complete set of automated hacking tools for their analysts to use.”

Given the breadth of information collected by XKEYSCORE, accessing and exploiting a target’s online activity is a matter of a few mouse clicks. Brossard explains: “The amount of work an analyst has to perform to actually break into remote computers over the Internet seems ridiculously reduced — we are talking minutes, if not seconds. Simple. As easy as typing a few words in Google.”

These facts bolster one of Snowden’s most controversial statements, made in his first video interview published by The Guardian on June 9, 2013. “I, sitting at my desk,” said Snowden, could “wiretap anyone, from you or your accountant, to a federal judge to even the president, if I had a personal email.”

Indeed, training documents for XKEYSCORE repeatedly highlight how user-friendly the program is: with just a few clicks, any analyst with access to it can conduct sweeping searches simply by entering a person’s email address, telephone number, name or other identifying data. There is no indication in the documents reviewed that prior approval is needed for specific searches.

In addition to login credentials and other target intelligence, XKEYSCORE collects router configuration information, which it shares with Tailored Access Operations. The office is able to exploit routers and then feed the traffic traveling through those routers into their collection infrastructure. This allows the NSA to spy on traffic from otherwise out-of-reach networks. XKEYSCORE documents reference router configurations, and a document previously published by Der Spiegel shows that “active implants” can be used to “cop[y] traffic and direc[t]” it past a passive collector.

XKEYSCORE for counterintelligence

Beyond enabling the collection, categorization, and querying of metadata and content, XKEYSCORE has also been used to monitor the surveillance and hacking actions of foreign nation states and to gather the fruits of their hacking. The Intercept previously reported that NSA and its allies spy on hackers in order to collect what they collect.

Once the hacking tools and techniques of a foreign entity (for instance, South Korea) are identified, analysts can then extract the country’s espionage targets from XKEYSCORE, and gather information that the foreign power has managed to steal.

Monitoring of foreign state hackers could allow the NSA to gather techniques and tools used by foreign actors, including knowledge of zero-day exploits—software bugs that allow attackers to hack into systems, and that not even the software vendor knows about—and implants. Additionally, by monitoring vulnerability reports sent to vendors such as Kaspersky, the agency could learn when exploits they were actively using need to be retired because they’ve been discovered by a third party.

Seizure v. searching: Oversight, audit trail and the Fourth Amendment

By the nature of how it sweeps up information, XKEYSCORE gathers communications of Americans, despite the Fourth Amendment protection against “unreasonable search and seizure” — including searching data without a warrant. The NSA says it does not target U.S. citizens’ communications without a warrant, but acknowledges that it “incidentally” collects and reads some of it without one, minimizing the information that is retained or shared.

But that interpretation of the law is dubious at best.

XKEYSCORE training documents say that the “burden is on user/auditor to comply with USSID-18 or other rules,” apparently including the British Human Rights Act (HRA), which protects the rights of U.K. citizens. U.S. Signals Intelligence Directive 18 (USSID 18) is the American directive that governs “U.S. person minimization.”

Kurt Opsahl, the Electronic Frontier Foundation’s general counsel, describes USSID 18 as “an attempt by the intelligence community to comply with the Fourth Amendment. But it doesn’t come from a court, it comes from the executive.”

If, for instance, an analyst searched XKEYSCORE for all iPhone users, this query would violate USSID 18 due to the inevitable American iPhone users that would be grabbed without a warrant, as the NSA’s own training materials make clear.

Opsahl believes that analysts are not prevented by technical means from making queries that violate USSID 18. “The document discusses whether auditors will be happy or unhappy. This indicates that compliance will be achieved by after-the-fact auditing, not by preventing the search.”

Screenshots of the XKEYSCORE web-based user interface included in slides show that analysts see a prominent warning message: “This system is audited for USSID 18 and Human Rights Act compliance.” When analysts log in to the system, they see a more detailed message warning that “an audit trail has been established and will be searched” in response to HRA complaints, and as part of the USSID 18 and USSID 9 audit process.

Because the XKEYSCORE system does not appear to prevent analysts from making queries that would be in violation of these rules, Opsahl concludes that “there’s a tremendous amount of power being placed in the hands of analysts.” And while those analysts may be subject to audits, “at least in the short term they can still obtain information that they shouldn’t have.”

During a symposium in January 2015 hosted at Harvard University, Edward Snowden, who spoke via video call, said that NSA analysts are “completely free from any meaningful oversight.” Speaking about the people who audit NSA systems like XKEYSCORE for USSID 18 compliance, he said, “The majority of the people who are doing the auditing are the friends of the analysts. They work in the same office. They’re not full-time auditors, they’re guys who have other duties assigned. There are a few traveling auditors who go around and look at the things that are out there, but really it’s not robust.”

In a statement to The Intercept, the NSA said:

“The National Security Agency’s foreign intelligence operations are 1) authorized by law; 2) subject to multiple layers of stringent internal and external oversight; and 3) conducted in a manner that is designed to protect privacy and civil liberties. As provided for by Presidential Policy Directive 28 (PPD-28), all persons, regardless of their nationality, have legitimate privacy interests in the handling of their personal information. NSA goes to great lengths to narrowly tailor and focus its signals intelligence operations on the collection of communications that are most likely to contain foreign intelligence or counterintelligence information.”

XKeyscore: NSA tool collects ‘nearly everything a user does on the internet’

• XKeyscore gives ‘widest-reaching’ collection of online data
• NSA analysts require no prior authorization for searches
• Sweeps up emails, social media activity and browsing history

• NSA-backdoored equipment info found OFF this website
• U.S. Government Catalogue of Cellphone Surveillance Devices
• Backdoors on Wikipedia
• National Security Agency
• Central Intelligence Agency
• NSA EXTRACTED INFO
• CRYPTO MUSEUM
• Edward Snowden
• Stingray
• Pegasus Spyware
• X-Keyscore

Check out our article on the NSA SPYING SOFTWARE for CELL PHONES called Pegasus – Pegasus spyware: FBI vows not to use after grilling from Capitol Hill

The infamous Pegasus spyware created by Israeli firm NSO can turn any infected smartphone into a remote microphone or camera. Here’s how to stay safe and know if you’ve been hacked

        "ROWID": 97,
        "guid": "9CCE3479-D446-65BF-6D00-00FC30F105F1",
        "text": "",
        "replace": 0,
        "service_center": null,
        "handle_id": 1,
        "subject": null,
        "country": null,
        "attributedBody": "",
        "version": 10,
        "type": 0,
        "service": "SMS",
        "account": "P:+66********",
        "account_guid": "54EB51F8-A905-42D5-832E-D98E86E4F919",
        "error": 0,
        "date": 718245997147878016,
        "date_read": 720004865472528896,
        "date_delivered": 0,
        "is_delivered": 1,
        "is_finished": 1,
        "is_emote": 0,
        "is_from_me": 0,
        "is_empty": 0,
        "is_delayed": 0,
        "is_auto_reply": 0,
        "is_prepared": 0,
        "is_read": 1,
        "is_system_message": 0,
        "is_sent": 0,
        "has_dd_results": 1,
        "is_service_message": 0,
        "is_forward": 0,
        "was_downgraded": 0,
        "is_archive": 0,
        "cache_has_attachments": 0,
        "cache_roomnames": null,
        "was_data_detected": 1,
        "was_deduplicated": 0,
        "is_audio_message": 0,
        "is_played": 0,
        "date_played": 0,
        "item_type": 0,
        "other_handle": 0,
        "group_title": null,
        "group_action_type": 0,
        "share_status": 0,
        "share_direction": 0,
        "is_expirable": 0,
        "expire_state": 0,
        "message_action_type": 0,
        "message_source": 0,
        "associated_message_guid": null,
        "associated_message_type": 0,
        "balloon_bundle_id": null,
        "payload_data": null,
        "expressive_send_style_id": null,
        "associated_message_range_location": 0,
        "associated_message_range_length": 0,
        "time_expressive_send_played": 0,
        "message_summary_info": null,
        "ck_sync_state": 0,
        "ck_record_id": null,
        "ck_record_change_tag": null,
        "destination_caller_id": "+66926477437",
        "is_corrupt": 0,
        "reply_to_guid": "814A603F-4FEC-7442-0CBF-970C14217E1B",
        "sort_id": 0,
        "is_spam": 0,
        "has_unseen_mention": 0,
        "thread_originator_guid": null,
        "thread_originator_part": null,
        "syndication_ranges": null,
        "synced_syndication_ranges": null,
        "was_delivered_quietly": 0,
        "did_notify_recipient": 0,
        "date_retracted": 0,
        "date_edited": 0,
        "was_detonated": 0,
        "part_count": 1,
        "is_stewie": 0,
        "is_kt_verified": 0,
        "is_sos": 0,
        "is_critical": 0,
        "bia_reference_id": null,
        "fallback_hash": "s:mailto:ais|(null)(4)<7AD4E8732BAF100ABBAF4FAE21CBC3AE05487253AC4F373B7D1470FDED6CFE91>",
        "phone_number": "AIS",
        "isodate": "2023-10-06 00:46:37.000000",
        "isodate_read": "2023-10-26 09:21:05.000000",
        "direction": "received",
        "links": [
            "https://m.ais.co.th/J1Hpm91ix"
        ]
    },

        "attachment_id": 4,
        "ROWID": 4,
        "guid": "97883E8C-99FA-40ED-8E78-36DAC89B2939",
        "created_date": 726724286,
        "start_date": "",
        "filename": "~/Library/SMS/Attachments/b8/08/97883E8C-99FA-40ED-8E78-36DAC89B2939/IMG_0005.HEIC",
        "uti": "public.heic",
        "mime_type": "image/heic",
        "transfer_state": 5,
        "is_outgoing": 1,
        "user_info": ",
        "transfer_name": "IMG_0005.HEIC",
        "total_bytes": 1614577,
        "is_sticker": 0,
        "sticker_user_info": null,
        "attribution_info": null,
        "hide_attachment": 0,
        "ck_sync_state": 0,
        "ck_server_change_token_blob": null,
        "ck_record_id": null,
        "original_guid": "97883E8C-99FA-40ED-8E78-36DAC89B2939",
        "is_commsafety_sensitive": 0,
        "service": "iMessage",
        "phone_number": "*",
        "isodate": "2024-01-12 03:51:26.000000",
        "direction": "sent",
        "has_user_info": true
    }

{
        "domain_id": 22,
        "registrable_domain": "sitecdn.com",
        "last_seen": 1704959295.0,
        "had_user_interaction": false,
        "last_seen_isodate": "2024-01-11 07:48:15.000000",
        "domain": "AppDomain-com.apple.mobilesafari",
        "path": "Library/WebKit/WebsiteData/ResourceLoadStatistics/observations.db"
    }

        "service": "kTCCServiceMotion",
        "client": "com.apple.Health",
        "client_type": "bundle_id",
        "auth_value": "allowed",
        "auth_reason_desc": "system_set",
        "last_modified": "2023-07-11 06:25:15.000000"

To collect data about processes, users can use XCode Instruments.

Note: Developer mode must be enabled on the iOS device.

Image 3: Showcasing XCode instruments profile selection

Process data collection:

Image 4: Process list from iPhone

Overcoming the iOS interception challenge

For the common public

iOS security architecture typically prevents normal apps from performing unauthorized surveillance. However, a jailbroken device can bypass these security measures. Pegasus and other mobile malware may exploit remote jailbreak exploits to steer clear of detection by security mechanisms. This enables operators to install new software, extract data, and monitor and collect information from targeted devices.

Warning signs of an infection on the device include:

• Slower device performance
• Spontaneous reboots or shutdowns
• Rapid battery drain
• Appearance of previously uninstalled applications
• Unexpected redirects to unfamiliar websites

This reinstates the critical importance of maintaining up-to-date devices and prioritizing mobile security. Recommendations for end-users include:

• Avoid clicking on suspicious links
• Review app permissions regularly
• Enable Lockdown mode for protection against spyware attacks
• Consider disabling iMessage and FaceTime for added security
• Always install the updated version of the iOS

For businesses: Protect against Pegasus and other APT mobile malware

Securing mobile devices, applications, and APIs is crucial, particularly when they handle financial transactions and store sensitive data. Organizations operating in critical sectors, government, and other industries are prime targets for cyberattacks such as espionage and more, especially high-level employees.

Researching iOS devices presents challenges due to the closed nature of the system. Group-IB Threat Intelligence, however, helps organizations worldwide identify cyber threats in different environments, including iOS, with our recent discovery being GoldPickaxe.iOS – the first iOS Trojan harvesting facial scans and using them to potentially gain unauthorized access to bank accounts. Group-IB Threat Intelligence provides a constant feed on new and previously conducted cyber attacks, the tactics, techniques, and behaviors of threat actors, and susceptibility of attacks based on your organization’s risk profile— giving a clear picture of how your devices can be exploited by vectors, to initiate timely and effective defense mechanisms.

If you suspect your iOS or Android device has been compromised by Pegasus or similar spyware, turn to our experts for immediate support. To perform device analysis or set up additional security measures, organizations can also get in touch with Group-IB’s Digital Forensics team for assistance. source

HOW TO DEFEND YOURSELF AGAINST THE POWERFUL NEW NSO SPYWARE ATTACKS DISCOVERED AROUND THE WORLD

Even iPhones were vulnerable to the surveillance software, which appears to have been used against activists, journalists, and others.

AN INTERNATIONAL GROUP of journalists this month detailed extensive new evidence that spyware made by Israeli company NSO Group was used against activists, business executives, journalists, and lawyers around the world. Even Apple’s iPhone, frequently lauded for its tight security, was found to be “no match” for the surveillance software, leading Johns Hopkins cryptographer Matthew Green to fret that the NSO revelations had led some hacking experts to descend into a posture of “security nihilism.”

Security nihilism is the idea that digital attacks have grown so sophisticated that there’s nothing to be done to prevent them from happening or to blunt their impact. That sort of conclusion would be a mistake. For one thing, it plays into the hands of malicious hackers, who would love nothing more than for targets to stop trying to defend themselves. It’s also mistaken factually: You can defend yourself against NSO’s spyware — for example, by following operational security techniques like not clicking unknown links, practicing device compartmentalization (such as using separate devices for separate apps), and having a virtual private network, or VPN, on mobile devices. Such techniques are effective against any number of digital attacks and thus useful even if NSO Group turns out to be correct in its claim that the purported evidence against the company is not valid.

There may be no such thing as perfect security, as one classic adage in the field states, but that’s no excuse for passivity. Here, then, are practical steps you can take to reduce your “attack surface” and protect yourself against spyware like NSO’s.

Pegasus Offers “Unlimited Access to Target’s Mobile Devices”

The recent revelations concern a specific NSO spyware product known as Pegasus. They follow extensive prior studies of the company’s software from entities like the Citizen Lab, Amnesty International, Article 19, R3D, and SocialTIC. Here’s what we know about Pegasus specifically.

The software’s capabilities were outlined in what appears to be a promotional brochure from NSO Group dating to 2014 or earlier and made available when WikiLeaks published a trove of emails related to a different spyware firm, Italy’s Hacking Team. The brochure’s authenticity cannot be confirmed, and NSO has said it is not commenting further on Pegasus. But the document markets Pegasus aggressively, saying it provides “unlimited access to target’s mobile devices” and allows clients to “remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities — whenever and wherever they are.” The brochure also states the Pegasus can:

• Monitor voice and VoIP calls in real-time.
• Siphon contacts, passwords, files, and encrypted content from the phone.
• Operate as an “environmental wiretap,” listening through the microphone.
• Monitor communications through apps like WhatsApp, Facebook, Skype, Blackberry Messenger, and Viber.
• Track the phone’s location via GPS.

For all the hype, Pegasus is, however, just a glorified version of an old type of malware known as a Remote Access Trojan, or RAT: a program that allows an unauthorized party full access over a target device. In other words, while Pegasus may be potent, the security community knows well how to defend against this type of threat.

Let’s look at the different ways Pegasus can potentially infect phones — its various “agent installation vectors,” in the brochure’s own vernacular — and how to defend against each one.

Dodging Social Engineering Clickbait

There are numerous examples in reports of Pegasus attacks of journalists and human rights defenders receiving SMS and WhatsApp bait messages enjoining them to click malicious links. The links download spyware that lodges into devices through security holes in browsers and operating systems. This attack vector is called an Enhanced Social Engineer Message, or ESEM, in the leaked brochure. It states that “the chances that the target will click the link are totally dependent on the level of content credibility. The Pegasus solution provides a wide range of tools to compose a tailored and innocent message to lure the target to open the message.”

“The chances that the target will click the link are totally dependent on the level of content credibility.”

As the Committee to Protect Journalists has detailed, ESEM bait messages linked to Pegasus fall into various categories. Some claim to be from established organizations like banks, embassies, news agencies, or parcel delivery services. Others relate to personal matters, like work or alleged evidence of infidelity, or claim that the targeted person is facing some immediate security risk.

Future ESEM attacks may use different types of bait messages, which is why it’s important to treat any correspondence that tries to convince you to perform a digital action with caution. Here are some examples of what that means in practice:

• If you receive a message with a link, particularly if it includes a sense of urgency (stating a package is about to arrive or that your credit card is going to be charged), avoid the impulse to immediately click on it.
• If you trust the linked site, type out the link’s web address manually.
• If going to a website you frequently visit, save that website in a bookmark folder and only access the site from the link in your folder.
• If you decide you’re going to click a link rather than typing it out or visiting the site via bookmark, at least scrutinize the link to confirm that it is pointing to a website you are familiar with. And remember that it’s possible you will still be fooled: Some phishing links use similar-looking letters from a non-English character set, in what is known as a homograph attack. For example, a Cyrillic “О” might be used to mimic the usual Latin “O” we see in English.
• If the link appears to be a shortened URL, use a URL expander service such as URL Expander or ExpandURL to reveal the actual, long link it points to before clicking.
• Before you click a link apparently sent by someone you know, confirm that the person really did send it; their account may have been hacked or their phone number spoofed. Confirm with them using a different communication channel from the one on which you received the message. For instance, if the link came via a text or email message, give the sender a call. This is known as out-of-band verification or authentication.
• Practice device compartmentalization, using a secondary device without any sensitive information on it to open untrusted links. Keep in mind that if the secondary device is infected, it may still be used to monitor you via the microphone or camera, so keep it in a Faraday bag when not in use — or at least away from where you have sensitive conversations (a good idea even if it’s in a Faraday bag).
• Use nondefault browsers. According to a section titled “Installation Failure” in the leaked Pegasus brochure, installation may fail if the target is running an unsupported browser and in particular a browser other than “the default browser of the device.” But the document is now several years old, and it is possible that Pegasus today supports all kinds of browsers.
• If there is ever any doubt about a given link, the safest operational security measure is to avoid opening the link.

Thwarting Network Injection Attacks

Another way Pegasus infected devices in multiple cases was by intercepting a phone’s network traffic using what’s known as a man-in-the-middle, or MITM, attack, in which Pegasus intercepted unencrypted network traffic, like HTTP web requests, and redirected it toward malicious payloads. Pulling this off entailed either tricking the phone into connecting to a rogue portable device which pretends to be a cell tower nearby or gaining access to the target’s cellular carrier (plausible if the target is in a repressive regime where the government provides telecommunication services). This attack worked even if the phone was in mobile data-only mode, and not connected to Wi-Fi.

When Maati Monjib, the co-founder of the Freedom Now NGO and the Moroccan Association for Investigative Journalism, opened the iPhone Safari browser and typed yahoo.fr, Safari first tried going to http://yahoo.fr. Normally this would have redirected to https://fr.yahoo.com, an encrypted connection. But since Monjib’s connection was being intercepted, it instead redirected to a malicious third-party site which ultimately hacked his phone.

Typing just the website domain into a browser opens you to attacks, because your browser will attempt an unencrypted connection to the site.

Typing just the website domain (such as yahoo.fr) into a browser address bar without specifying a protocol (such as https://) opens the possibility for MITM attacks, because your browser by default will attempt an unencrypted HTTP connection to the site. Usually, you reach the genuine site, which immediately redirects you to a safe HTTPS connection. But if someone is tracking to hack your device, that first HTTP connection is enough of an opening to hijack your connection.

Some websites protect against this using a complicated security feature known as HTTP Strict Transport Security, which prevents your browser from ever making an unencrypted request to them, but you can’t always count on this, even for some websites that implement it correctly.

Here are some things you can do to prevent these kinds of attacks:

• Always type out https:// when going to websites.
• Bookmark secure (HTTPS) URLs for your favorite sites, and use those instead of typing the domain name directly.
• Alternately, use a VPN on both your desktop and mobile devices. A VPN tunnels all connections securely to the VPN server, which then accesses websites on your behalf and relays them back to you. This means that an attacker monitoring your network will likely not be able to perform a successful MITM attack as your connection is encrypted to the VPN — even if you type a domain directly into your browser without the “https://” part.

If you use a VPN, keep in mind that your VPN provider has the ability to spy on your internet traffic, so it’s important to pick a trustworthy one. Wirecutter publishes a regularly updated, thorough comparison of VPN providers based on their history of third-party security audits, their privacy and terms of use policies, the security of the VPN technology used, and other factors.

Zero-Click Exploits

Unlike infection attempts which require that the target perform some action like clicking a link or opening an attachment, zero-click exploits are so called because they require no interaction from the target. All that is required is for the targeted person to have a particular vulnerable app or operating system installed. Amnesty International’s forensic report on the recently revealed Pegasus evidence states that some infections were transmitted through zero-click attacks leveraging the Apple Music and iMessage apps.

Your device should have the bare minimum of apps that you need.

This is not the first time NSO Group’s tools have been linked to zero-click attacks. A 2017 complaint against Panama’s former President Ricardo Martinelli states that journalists, political figures, union activists, and civic association leaders were targeted with Pegasus and rogue push notifications delivered to their devices, while in 2019 WhatsApp and Facebook filed a complaint claiming NSO Group developed malware capable of exploiting a zero-click vulnerability in WhatsApp.

As zero-click vulnerabilities by definition do not require any user interaction, they are the hardest to defend against. But users can reduce their chances of succumbing to these exploits by reducing what is known as their “attack surface” and by practicing device compartmentalization. Reducing your attack surface simply means minimizing the possible ways that your device may be infected. Device compartmentalization means spreading your data and apps across multiple devices.

Specifically, users can:

• Reduce the number of apps on your phone. The fewer unlocked doors your home has, the fewer opportunities a burglar has to enter; similarly, fewer apps means fewer virtual doors on your phone for an adversary to exploit. Your device should have the bare minimum apps that you need to perform day-to-day function. There are some apps you cannot remove, such as iMessage; in those cases you can often disable them, though doing so will also make text messages no longer work on your iPhone.
• Regularly audit your installed apps (and their permissions), and remove any that you no longer need. It is safer to remove a seldom-used app and download it again when you actually need it than to let it remain on your phone.
• Regularly update both your phone’s operating system and individual apps, since updates close vulnerabilities, sometimes even unintentionally.
• Compartmentalize your remaining apps. If a phone only has WhatsApp installed and is compromised, the hacker will get WhatsApp data, but not other sensitive information like email, calendar, photos, or Signal messages.
• Even a compartmentalized phone can still be used as a wiretap and a tracking device, so keep devices physically compartmentalized — that is, leave them in another room, ideally in a tamper bag.

Physical Access

A final way an attacker can infect your phone is by physically interacting with it. According to the brochure, “when physical access to the device is an option, the Pegasus agent can be manually injected and installed in less than five minutes” — though it is unclear if the phone needs to be unlocked or if attackers are able to infect even a PIN-protected phone.

There seem to be no known cases of physically launched Pegasus attacks, though such exploits may be difficult to spot and distinguish from online attacks. Here’s how you can mitigate them:

• Always maintain a line of sight to your devices. Losing sight of your devices opens the possibility of physical compromise. Obviously there is a difference between a customs agent taking your phone at the airport versus you leaving your laptop behind in a room in your residence when you go to the bathroom, but all involve some risk, and you will have to calibrate your own risk tolerance.
• Put your device in a tamper bag when it needs to be left unattended, particularly in riskier locations like hotel rooms. This will not prevent the device from being manipulated but will at the least provide a ready alert that the device has been taken out of the bag and might have been tampered with, at which point the device should no longer be used.
• Use burner phones and other compartmented devices when entering potentially hostile environments such as government buildings, including embassies and consulates, or when going through border checkpoints.

Generally:

• Use Amnesty International’s Mobile Verification Toolkit if you suspect your phone is infected with Pegasus.
• Regularly back up important files.
• And finally, there’s no harm in regularly resetting your phone.

Although Pegasus is a sophisticated piece of spyware, there are tangible steps you can take to minimize the chance that your devices will be infected. There’s no foolproof method to eliminate your risk entirely, but there are definitely things you can do to lower that risk, and there’s certainly no need to resort to the defeatist view that we’re “no match” for Pegasus. source

How to Check if Your Cellphone Is Infected With Pegasus Spyware

NSO Group’s Pegasus spyware can turn any infected smartphone into a remote microphone and camera, spying on its own owner while also offering the hacker – usually in the form of a state intelligence or law enforcement agency – full access to files, messages and, of course, the user’s location.

Pegasus is one of a number of proprietary tools sold as part of the hacker-for-hire industry – and one found at the very high-end of that dark market. Other companies offer less expensive services – for example, only providing geolocation services for its clients. So how can you protect yourself? And how can you check to see if your phone has been targeted in the past or is infected now?

Haaretz offers a simple, nontechnical explanation on how to check and stay safe…

The weakest link

Most cellphone spyware operates in a similar fashion: a message is sent to a phone with a nefarious message. The message usually contains a link that will either download the malware onto your device directly, or refer it to a website that will prompt a download – all unbeknown to the phone’s owner.

There are other ways to get your phone to download something that don’t involve a message. However, from the moment of infection, most spyware tools follow a similar protocol: once installed, the spyware contacts what is called a “command-and-control” server, which provides it with instructions remotely.

“Let’s say the Israel Police are the ones who installed Pegasus on your smartphone and they want to know where you – or, more precisely, your phone – has been in the previous 24 hours. To get that information, instructions to obtain that data are sent to a C&C server connected to the phone,” explains Dr. Gil David, a researcher and cybersecurity consultant.

Many times, the links sent to you will appear innocent. It may look like a message from the Post Office or Amazon. But don’t be fooled: Through some simple social engineering and a process called “DNS spoofing,” even an official-looking URL may be a trap.

Sadly, staying safe is not always possible.

What makes Pegasus so expensive is its ability to not just potentially infect any smartphone selected for targeting remotely, but to do so with a “zero click” infection. This means your phone can be infected without you even having to click on a link – for example, with the code instructing your phone to reach out to the server secretly encoded into a WhatsApp message or even in a file like a photo texted to you via iMessage.

These “zero click” attacks make use of what is called “zero-day” exploits: unknown loopholes in your phone’s defenses that allow these hidden bits of code to kick into action without the victim doing anything.

So, another good practice is to make sure your phone’s operating system is as updated as possible: As new exploits are discovered, they are quickly “patched” by the likes of Apple and Google.

According to digital forensics experts Amnesty International and Citizen Lab, Pegasus’ zero click infections have only been found on iPhones. “Most recently, a successful ‘zero-click’ attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021,” Amnesty notes in its instructive report “How to Catch NSO Group’s Pegasus.”

It seems Pegasus’ ability to infect iPhones was based on a previously unknown loophole in the iMessage service, and this too has subsequently been patched. However, other Israel firms, for instance QuadDream, reportedly have such abilities as well.

“From 2019, an increasing amount of vulnerabilities in iOS, especially iMessage and FaceTime, started getting patched thanks to their discoveries by vulnerability researchers, or to cybersecurity vendors reporting exploits discovered in-the-wild,” Amnesty writes – so make sure your phone is updated.

Indicators of compromise

Groups like Amnesty and Citizen Lab find NSO’s spyware on phones using two different methods. Both involve searching for what is termed “indicators of compromise,” or IOCs.

Amnesty maintains a database of nefarious domains used by NSO’s clients. The list is constantly updating as more bogus URLs are found. Citizen Lab, meanwhile, also maintains a database of so-called vectors: messages sent to victims containing nefarious code or URLS. The two groups each maintain updated lists of Pegasus’ related processes that together permit attribution.

The only thing that has changed with Pegasus over the years is the way your phone is referred to the server, and the way the so-called payload is delivered.

“While SMS messages carrying malicious links were the tactic of choice for NSO Group’s customers between 2016 and 2018, in more recent years they appear to have become increasingly rare,” Amnesty wrote in its July 2021 report.

The newer trend, discovered in the case of Moroccan journalist Omar Radi, who was infected with Pegasus in 2020, is what is known as “packet injection.” This means that the download order is delivered not through a message but instead through your network, in the form of a hidden command “injected” into the phone through what Amnesty describes as “tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator.

“The discovery of network injection attacks in Morocco signaled that the attackers’ tactics were indeed changing. Network injection is an effective and cost-efficient attack vector for domestic use especially in countries with leverage over mobile operators,” it explained.

As NSO’s clients are state agencies, they can easily make use of the mobile infrastructure to infect phones.

Therefore, and though such injection infections can also be forced upon you, other good practices include never using free Wi-Fi; never connecting to wireless networks you do not absolutely know are secure – as these networks can easily be hacked so they infect your phone and refer it to the snooping server. Not using so-called VPNs is also advisable for the same reason.

Chances are you have not been infected with Pegasus. However, if you have cause for concern and are scared you are or were infected, there are a few options:  Amnesty offers a useful, free and open source tool called the Mobile Verification Toolkit that can check a backup of your device or its logs for any IOC. The MVT will scan your iPhone’s logs for Pegasus-related processes or search your Android’s messages for nefarious links. The tool can be downloaded here. The bad news is that it requires some technical know-how and is currently devoid of a simple-to-use interface. To get it to work, you first need to make a specific type of backup of your phone, and then you need to download the program and run the code on your computer so it can scan the file you created. Running the program requires you to download Python. Luckily, the tool comes with very clear instructions, and even those unskilled in code can make use of it with a bit of effort. Furthermore, it also allows you to conduct the test yourself. A similar product is iMazing, a phone-backup platform that runs on your desktop and provides a MVT-like analysis of your device. It does not prevent infections but can check your phone for IOCs. If the best offense is defense, there’s also a growing cellphone security market. Cyberdefense firms like ZecOps offer organizations like the BBC and Fortune 2000 companies a platform that inspects phones for current infections or traces of historic attacks. ZecOps also provides this service pro bono for journalists involved in the Pegasus Project. Private users can also buy such services. For example, the Israeli-Indian security firm SafeHouse Technologies offers an app called “BodyGuard” that provides defenses for your phone, for a small price. It already has more than a million users, mostly in India. If you can’t get the Mobile Verification Toolkit to work and are reluctant to use an app, and you genuinely fear you have been targeted, you can also drop us a tip here and we at Haaretz will get you checked. source

HOW TO DETECT PEGASUS SPYWARE

As one of the leading commercial spyware programs, Pegasus has been used by a host of companies, governments, and other entities to collect sensitive data from individuals’ smartphones. If Pegasus is deployed on your smartphone, your sensitive data could be at risk.

Read on to learn how to detect Pegasus spyware on your smartphone.

How to Detect Pegasus Spyware on Your Smartphone

The data privacy demands of today’s IT landscape call for robust mobile security, as more individuals rely on smartphone applications for essential day-to-day tasks.

Safeguarding your smartphone data from threats like Pegasus starts with knowing how to:

• Scan for and detect Pegasus spyware on your smartphone
• Identify Pegasus spyware installed on your smartphone
• Remove Pegasus spyware from your Android or iPhone
• Prevent Pegasus spyware from compromising your smartphone data 

Dealing with advanced mobile security risks like Pegasus spyware is much easier with the help of a managed security services provider (MSSP), who can advise on how to detect pegasus spyware on iPhone or Android.

What is Pegasus Spyware?

Developed by the NSO group in Israel, Pegasus is signature spyware that has been implicated in the secret surveillance of individuals worldwide. Pegasus spyware is considered dangerous because it allows an attacker to control a victim’s smartphone.

Using Pegasus spyware, a perpetrator can:

• Wiretap and listen to conversations
• Access photos and videos
• Control applications on a smartphone

It is difficult and often impossible for antivirus solutions to detect Pegasus spyware because it exploits zero-day vulnerabilities, which are unknown to the developers of these solutions.

How to Detect Pegasus Spyware

Over years of extensive research, Amnesty International has developed a methodology to detect Pegasus spyware on smartphones, providing it to the public as a resource on Github.

Using Amnesty International’s methodology, you can find a list of:

• Domain names of Pegasus infrastructure
• Email addresses identified in previous attacks
• Process names associated with Pegasus

Beyond the indicators of Pegasus compromise methodology, Amnesty International also released a Mobile Verification Toolkit (MVT) to help support users interested in detecting Pegasus spyware on their smartphones. With the help of Amnesty International’s spyware detection tools, you can learn how to detect pegasus spyware on Android or iPhone.

How to Detect Pegasus Spyware on iOS

Here’s how to check for pegasus spyware on iOS devices such as iPhones:

• Create a backup of encrypted data on a device other than your smartphone
• Once your smartphone is securely backed up, download the MVT tool onto your iPhone and follow Amnesty International’s instructions for detecting Pegasus.

Whereas other apps can detect Pegasus on iOS, it’s best to follow Amnesty International’s instructions or work with a qualified MSSP to avoid running into any issues while detecting the spyware.

How to Detect Pegasus Spyware on Android

Although the MVT mostly caters to iOS devices, it can still detect Pegasus on Android.

If you are wondering how to detect Pegasus spyware on Android with the MVT, the first places to start looking are potentially malicious text messages and APKs on your smartphone.

How Pegasus Works

For most Pegasus infections, the spyware is installed remotely on victims’ smartphones. However, Pegasus can be installed physically, and, in some cases, it can use the victim’s smartphone for data storage prior to transmitting data to a remote server.

Pegasus Remote Installation

Pegasus spyware can be remotely installed on a smartphone via:

• Zero-click attacks – Zero-click exploits typically leverage applications such as Apple Music or iMessage to send requests to the victim’s smartphone. Here, the victim does not interact with the spyware and is clueless about the download of Pegasus spyware.
• Malicious text messages –  A victim receives a text message containing an exploit link for a Pegasus spyware download. Clicking the link deploys spyware on the victim’s smartphone.
• Network injection attack – While browsing the Internet, a victim is redirected from a clear-text HTTP website to a decoy of a legitimate business. Unknowingly, a victim may then provide access credentials or other sensitive information.

In most cases, remote installation of Pegasus spyware on victims’ phones via zero-click attacks leverages zero-day vulnerabilities, of which the smartphone manufacturer may not be aware.

This makes Pegasus spyware very dangerous to its victims, who may not realize their sensitive data is being surveilled until it is too late.

Pegasus Physical Installation

While it is uncommon, Pegasus can be installed by connecting a victim’s smartphone to another device such as a computer to deploy the spyware. However, this would involve the difficult task of accessing a victim’s smartphone without their knowledge.

Pegasus Data Management

According to NSO, the spyware will transmit data from a victim’s smartphone to a server where the attacker can access the data. However, if Pegasus is unable to send data to a server, it will transmit the data to a “hidden and encrypted buffer” within the phone’s storage.

What Data Can Pegasus Access?

Once deployed on a smartphone, Pegasus spyware can access a range of data, including:

• Text messages
• Emails
• Photos and videos
• Personal contacts
• Location
• Audio messages and recordings

Detecting Pegasus spyware on your smartphone is critical to minimizing the risks of your sensitive data being exposed by perpetrators.

Can Pegasus be Removed?

You can remove Pegasus from your smartphone by attempting the following actions:

• Restarting your smartphone, to put a temporary stop to Pegasus
• Resetting your smartphone to its factory settings, which may remove Pegasus
• Updating your smartphone’s system software and apps to current versions
• Removing any unknown device connections to social media platforms

When removing Pegasus from your smartphone, it is always best to work with the MVT resource provided by Amnesty International. If Pegasus spyware removal becomes difficult, consider consulting an MSSP for help.

What to Do if You Have Pegasus

According to Reporters Without Borders (RSF), here’s what to do if you have Pegasus:

• Buy a new smartphone and stop using the one infected with Pegasus, ensuring the compromised smartphone is not close to you or your work environment.
• Change passwords for all accounts on the new smartphone and remember to sign out of the accounts on the compromised one.

If you have Pegasus, it is best to contact an experienced MSSP, who will point you to Pegasus spyware removal tools that will help remove Pegasus and keep your data safe.

Other Spyware like Pegasus

Besides Pegasus, other types of spyware include:

• Trojans, which can steal a victim’s funds or credentials to make fraudulent purchases.
• Stealware, which can intercept traffic from online shopping sites like those offering credits or rewards for purchases.

With everyone using smartphones or tablets to store sensitive information like account passwords, securing these devices from spyware and other forms of malware is paramount.

In an organizational setting, it is critical for leadership to emphasize the importance of mobile security in defending sensitive data stored on smartphones from various types of spyware.

How to Protect From Pegasus and Other Spyware

Protecting your organization from Pegasus and other spyware revolves around implementing mobile device security best practices such as:

• Encrypting any communication of sensitive data with industry-standard algorithms
• Keeping up-to-date with the latest phishing and malware attempts
• Updating your smartphone or mobile device with the latest security patches
• Using strong passwords and multi-factor authentication on all mobile devices
• Conducting routine penetration testing on mobile devices that contain sensitive data

If you are wondering how to block Pegasus spyware, some of the mobile security best practices above can help. However, it’s best to implement them with the guidance of a leading MSSP. source

Journalists, lawyers and activists hacked with Pegasus spyware in Jordan, forensic probe finds

The NSO File: A Complete (Updating) List of Individuals Targeted With Pegasus Spyware

The Israeli-made Pegasus spyware is suspected of infecting over 450 phones targeted by clients of NSO, who range from Saudi Arabia to Mexican drug lords. Here’s a list of the confirmed Pegasus victims.

The Israeli-made Pegasus spyware, sold by the cyberoffense firm NSO to state intelligence agencies around the world, has become infamous in recent years. Exploiting unknown loopholes in WhatsApp, iMessage and Android has allowed the group’s clients to potentially infect any smartphone and gain full access to it – in some cases without the owner even clicking or opening a file.

Digital forensics groups such as Amnesty International and the University of Toronto’s Citizen Lab have revealed numerous potential targets with traces of the spyware on their phones. Last summer, Project Pegasus – led by Paris-based NGO Forbidden Stories with the help of Amnesty’s Security Lab – organized an international consortium of journalists, including Haaretz and its sister publication TheMarker, to investigate thousands of additional potential targets selected for possible surveillance by NSO Group clients worldwide.

So far, targets have been found across the world: from India and Uganda to Mexico and the West Bank, with high-profile victims including U.S. officials and a New York Times journalist.

Now, for the first time, Haaretz has assembled a list of confirmed cases involving Pegasus spyware.

Though there have been over 450 suspected hacking cases, this list, which was put together with the help of Amnesty’s Security Lab, includes only the cases in which infections were confirmed either by Amnesty or another digital forensics group like Citizen Lab (which also helped construct this list). It also includes a few instances where official bodies such as French intelligence agencies or private firms like Apple or WhatsApp have publicly confirmed attacks.

The list does not include those suspected of being targeted – for example, Amazon’s Jeff Bezos, who was reportedly sent the spyware via a WhatsApp message from no less than Saudi Crown Prince Mohammed bin Salman. Rather, it is those who have actually been found with Pegasus on their phones.

The NSO Group, which refuses to confirm the identity of its clients and claims it has no knowledge of their targets, has denied most of these cases and says digital forensic analysis cannot fully identify its software.

• How to Check if Your Cellphone Is Infected With Pegasus Spyware
• Police Use NSO’s Pegasus to Spy on Israelis Without Warrant, Report Says
• Israeli NSO Spyware Found on Phones of Jordanian, Bahraini Women’s Rights Activists

The gap between the massive list of potential targets and those who were actually infected highlights how hard it is to confirm the presence of Pegasus spyware on phones. For instance, a private investigation commissioned by Bezos himself found that his phone had received a strange message from Crown Prince Mohammed, after which the tycoon’s device began sending out a lot of data. However, Bezos was reluctant to hand his phone over to anyone other than the handpicked investigators he had hired; they said it was very likely his phone had been infected.

Here is the list of most, if not all, known and confirmed Pegasus cases. They are sorted by the nationality of the victims or their country of residence when they were targeted.

The list of confirmed cases is followed by an additional list of names of those who have been confirmed to have been targeted but whose actual infection has not been verified.

Open gallery view

The NSO Group logo on one of its Israeli offices.Credit: AMIR COHEN/REUTERS

AZERBAIJAN

Khadija Ismayilova
The Azerbaijani investigative journalist based in Baku was targeted repeatedly for over three years as part of government persecution as a result of her work, the Project Pegasus investigation revealed.

Sevinc Vaqifqizi
Freelance Azerbaijanii journalist Vaqifqizi was found by Amnesty and Forbidden Stories to have had their phone infected with Pegasus in 2019 and 2020.

BAHRAIN

Moosa Abd-Ali
Moosa Abd-Ali is a Bahraini activist living in exile in London who was found to have been targeted in the past, with the Bahraini government hacking his personal computer in 2011. According to Citizen Lab, Abd-Ali’s iPhone 8 appears to have been hacked with Pegasus at some point prior to September 2020.

Yusuf al-Jamri
A Bahraini blogger who says he was tortured by his government, Yusuf al-Jamri was granted asylum in the U.K. in 2018. According to Citizen Lab, Jamri’s iPhone 7 appears to have been hacked with Pegasus at some point prior to September 2019.

Seven rights activists
At least three members of the Bahrain Centre for Human Rights, another three from the nonprofit Waad and one from the group Al Wefaq were also infected, Citizen Lab found. At least another seven members of BCHR and the other groups were actually targeted, but their infection was not confirmed by Citizen Lab.

EL SALVADOR

Carlos Martínez
A reporter for El Faro, he was one of over 35 journalists and members of civil society groups infected by the Pegasus spyware between July 2020 and November 2021.

Daniel Lizárraga
A Mexican journalist and the editor of El Faro, who was expelled from El Salvador. Citizen Lab found that his phne had been infected.

Nine El Faro journalists
The following journalists with El Faro were all found by Citizen Lab to have been infected by the Pegasus spyware: Gabriela Cáceres, Carlos Dada, Carlos Ernesto Martínez D’aubuisson, Julia Gavarrete (who had two phones hacked), Valeria Guzmán, Ana Beatriz Lazo, Rebeca Monge, Víctor Peña, Nelson Rauda.

El Salvadorian journalists
Citizen Lab discovered that the following journalists were also infected with Pegasus: Efren Lemus, Gabriel Labrador, José Luis Sanz, María Luz Nóchez, Mauricio Ernesto Sandoval Soriano, Óscar Martínez, Roman Gressier, Roxana Lazo, Sergio Arauz, Beatriz Benitez, Ezequiel Barrera, Xenia Oliva, an unnamed journalist from Diario El Mundo, and Daniel Reyes.

Noah Bullock
The head of Cristosal, a human rights organization based in El Salvador, who was also found by Citizen Lab to have been infected.

Ricardo Avelar
A journalist with El Diario de Hoy, Citizen Lab confirmed that his device had been infected.

Jose Marinero
An official with the activism group Fundación DTJ in El Salvador whose phone was found by Citizen Lab to have been infected.

Xenia Hernandez
Another official with the activism group Fundación DTJ in El Salvador whose phone was found by Citizen Lab to have been infected.

Oscar Luna
An activist with the digital rights group Revista Digital Disruptiva. Citizen Lab found that their phone had been infected.

Mariana Belloso
An independent journalist whose phone was found by Citizen Lab to have been infected by the Pegasus spyware.

Carmen Tatiana Marroquín
An economist and columnist whose phone was found by Citizen Lab to have been infected by the Pegasus spyware.

FINLAND

Finnish diplomats
An unknown number of Finnish diplomats stationed abroad were found to have been infected, the Finnish Foreign Ministry confirmed. Their identity was not disclosed, nor was the suspected operator.

FRANCE

Bruno Delport
The phone of the director of Parisian radio station TSF Jazz was found by Citizen Lab to have been infected in 2019, just as he was applying for the presidency of Radio France.

Lénaïg Bredoux
The investigative journalist and general editor of Mediapart was confirmed to have been infected by Pegasus. The confirmation was made by France’s computer security agency following Project Pegasus. Bredoux was involved in a story about the head of Morocco’s intelligence agency, a known NSO client.

Edwy Plenel
The investigative journalist with Mediapart was confirmed to have been infected by Pegasus. The confirmation was made by France’s computer security agency following Project Pegasus.

Unnamed France 24 journalist
A senior journalist with France 24 was confirmed to have been infected by Pegasus in May 2019, September 2020 and January 2021. That was confirmed by France’s computer security agency after Project Pegasus.

Claude Mangin
French national whose husband, Naama Asfari, is jailed in Morocco for advocating for Western Saharan independence. As part of Project Pegasus, it was found that at least two of her phones were infected.

Arnaud Montebourg
A former minister in the government of Manuel Valls, Montebourg was targeted in 2019, most likely by Morocco, an analysis by Amnesty found. Montebourg has given testimony to ANSSI and its investigation into NSO in France.
Suspected operator: Morocco

HUNGARY

Dániel Németh
A Hungarian photojournalist involved in covering President Viktor Orbán and the country’s elites, two of his phones were infected in 2021. Direkt36, working with Citizen Lab and Amnesty’s Security Lab, confirmed the infections.

Zoltán Páva
The former Hungarian politician, now the publisher of an opposition news website, was also infected by Pegasus in March and May 2021.

Adrien Beauduin
A gender studies student at Central European University in Hungary, Beauduin was confirmed to have had his phone infected after being arrested in a protest against Orbán’s policies.

Szabolcs Panyi
The journalist with Direkt36, which was a partner in the Pegasus Project, was infected a number of times in 2019. The confirmation was made by Amnesty as part of the global investigation.

András Szabó
An investigative journalist with Direkt36, Szabó’s phone was infected a number of times in 2019. The confirmation was made by Amnesty as part of the global investigation.

Brigitta Csikász
A Hungarian journalist covering crime stories, Csikász’s phone was infected in 2019 – which was confirmed by Direkt36 and Amnesty.

INDIA

Jagdeep Singh Randhawa
Human rights lawyer and activist from Punjab had his phone hacked in July and August 2019.

Mangalam Kesavan Venu
Founding editor of The Wire – a nonprofit Indian investigative journalism outlet that was part of the Project Pegasus investigation – was found to have been infected with the spyware.

Paranjoy Guha Thakurta
Investigative journalist who was looking into how the Modi government used Facebook to spread disinformation; Amnesty confirmed his phone had been infected by NSO’s spyware as part of the Project Pegasus investigation.

Prashant Kishor
Political pollster working with a number of opposition parties in India, his phone was infected in 2018, Amnesty confirmed, months before an election – in what critics say was an attempt by Modi’s party to use the spyware to collect political information.

Rona Wilson
An activist focused on minorities and prisoners’ rights, digital forensics firm Arsenal Consulting found that his phone had been infected in July 2017 and April 2018. His phone number appeared in the Project Pegasus leaks.

Syed Abdul Rahman Geelani
Geelani (also known as SAR Geelani), a Delhi University professor serving time in India for ties to an outlawed Maoist group and prisoners’ rights activist, was found by Amnesty to have been infected between 2017 and 2019.

Sushant Singh
A journalist who covered defense issues for The Indian Express, and was investigating a massive deal between India and France, was found by Amnesty to have been infected as part of Project Pegasus.

S.N.M. Abdi
Journalist for India’s Outlook had his phone infected by Pegasus in April 2019, May 2019, July 2019, October 2019 and December 2019, Amnesty found as part of Project Pegasus.

Bela Bhatia
An Indian human rights lawyer whose phone was found to have been infected in 2019, and is one of five victims who are part of WhatsApp suit against NSO.

Siddharth Varadarajan
An Indian investigative journalist who is the former editor of The Hindu and founding editor of The Wire, a Pegasus Project partner. He had his phone targeted with NSO-made spyware in April 2018. Forbidden Stories and Amnesty International’s Security Lab’s forensic analysis revealed he was successfully infected.

Unnamed legal officer
The legal officer was also confirmed to have been hacked with spyware following the Project Pegasus investigation.

Ankit Grewal
The lawyer and so-called anti-caste activist was found to have been targeted in 2019 – one of a large group of victims named by WhatsApp in its suit against NSO.

Read our full story on Pegasus in India

ISRAEL

Shai Babad
A former director general of the Finance Ministry who was also a politician and also served in a senior position in Israel’s public broadcaster. Israeli business daily Calcalist said his phone had been infected with Pegasus by the Israel Police. All of the Israeli cases listed below are based on Calcalist reporting that has yet to be confirmed or reviewed by Haaretz or international bodies.

Avi Berger
The former director general of the Communications Ministry and a witness in the ongoing Case 4000 trial against former Prime Minister Benjamin Netanyahu. Calcalist reported that Berger’s phone had been infected with Pegasus by the Israel Police.

Aviram Elad
The former editor of Walla, which allegedly provided Netanyahu with better coverage in a quid pro quo involving its parent company, the telecom giant Bezeq, in Case 4000. Calcalist said his phone was infected by the Israel Police.

Iris Elovitch
The wife of Bezeq owner Shaul Elovitch; both are defendants in Case 4000. Her phone was infected with Pegasus by the Israel Police, Calcalist reported.

Iris Elovitch looking at her iPhone in court with husband Shaul Elovitch last year. Credit: Reuben Castro

Keren Terner-Eyal
A former director general of the transportation and finance ministries, Terner-Eyal assumed the latter position after Babad left the role. Calcalist said her phone was infected with Pegasus by the Israel Police.

Shlomo Filber
A former director general of the Communications Ministry, who was appointed by Netanyahu in 2015 and now serves as a key state’s witness in the Bezeq quid pro quo case. Filber was the first Israeli whose name was published by Calcalist as having been infected with Pegasus by the Israel Police.

Miriam Feirberg
The mayor of Netanya, who was suspected of corruption and investigated by the police until her case was closed in 2019. Calcalist said her phone had been infected with Pegasus by the Israel Police.

Stella Handler
The former CEO of Bezeq, was said by Calcalist to have been infected with Pegasus by the Israel Police. Handler is part of Case 4000.

Yair Katz
The chairman of the workers union at Israel Aerospace Industries and son of former Likud lawmaker Haim Katz was said by Calcalist to have been infected with Pegasus by the Israel Police.

Rami Levy
A prominent Israeli businessman famous for his low-cost supermarket chain who also owns a small telecom firm. Calcalist reported that his phone was infected with Pegasus by the Israel Police. He was investigated by the police in the past.

Topaz Luk
A former adviser to Netanyahu who is considered close to his son, Yair Netanyahu, and served a number of roles in past campaigns. He is also credited with key aspects of the then-prime minister’s media strategy. Calcalist said Luk’s phone had been infected with Pegasus by the Israel Police.

Dudu Mizrahi
The CEO of Bezeq, who took over the telecom company after Handler. Calcalist said his device was infected with Pegasus by the Israel Police.

Avner Netanyahu
The youngest son of former Prime Minister Benjamin Netanyahu. Calcalist reported that Avner Netanyahu’s phone had been infected with Pegasus by the Israel Police.

Emi Palmor
A jurist and former director general of the Justice Ministry who currently serves on Facebook’s Advisory Board. Calcalist reported that his phone had been infected with Pegasus by the Israel Police.

Yaakov Peretz
The mayor of Kiryat Ata, who was suspected of corruption in 2019 and investigated by the police until the case was closed in 2020. Calcalist reported that his phone had been infected with Pegasus by the Israel Police.

Moti Sasson
The six-term mayor of the Tel Aviv suburb of Holon was another mayor whose phone was infected with Pegasus by the Israel Police, according to Calcalist.

Ilan Yeshua
The CEO of the news website Walla, which allegedly provided Netanyahu with better coverage in a quid pro quo involving its parent company Bezeq. Yeshua is also part of Case 4000 and was infected with Pegasus by the Israel Police. Calcalist reported.

Jonatan Urich
A former adviser to Benjamin Netanyahu and considered close to his son, Yair. He served a number of roles in various electoral campaigns and is credited with key aspects in Netanyahu’s media strategy. Urich, whose phone was hacked by Israeli police as part of an investigation, was also said by Calcalist to have been infected with Pegasus by the Israel Police.

Walla journalists
As part of Case 4000, a number of journalists with the news site were said by Calcalist to have been infected with Pegasus by the Israel Police.

Protest leaders
The leaders of three protest movements were said by Calcalist to have been infected with Pegasus by the Israel Police. The protest movements targeted were: Israelis with disabilities; Israelis of Ethiopian descent; and heads of the anti-Netanyahu protests. The first were fighting for better rights, the second demonstrated against police violence and the third sought to oust Netanyahu.

Extreme settlers
A number of extreme settlers were said by Calcalist to have been infected with Pegasus by the Israel Police ahead of the evacuations of illegal outposts.

Read our full story on Pegasus in Israel

JORDAN

Hala Ahed Deeb
Jordanian human rights lawyer, unionizer and feminist activist was found by Front Line Defenders to have been infected with Pegasus since March 2021.

Ahmed al-Neimat
A rights activist focused on workers rights and combating corruption. He works with a reform group called Hirak and has been targeted in the past, facing arrest for “insulting the king” and even a travel ban. Front Line Defenders and Citizen Lab found his phone was hacked at the end of January 2021, likely through the FORCEDENTRY exploit, making him the earliest victim of that particular method. His phone was likely hacked using the exploit’s zero-click capabilities.

Suhair Jaradat
A rights activist and journalist focused on women’s rights in Jordan and the Arab world who serves on the executive committee of the International Federation for Journalists. She was hacked six times between February and December 2021, through the FORCEDENTRY exploit in iPhones. The last hack took place after Apple had patched the breach, informed potential victims across the world and sued NSO. Jaradat did not update her phone and was thus still exposed.

Malik Abu Orabi
A rights lawyer who works with prominent Jordanian unions and was previously arrested by the state for his efforts. He was hacked at least 21 times between August 2019 and July 2021.

Anonymous journalist
A female journalist was also hacked, Front Line Defenders and Citizen Lab found. She requested to remain anonymous.

Read our full story on Pegasus in Jordan

KAZAKHSTAN

Aizat Abilseit, Dimash Alzhanov and Tamina Ospanova
Three members of the opposition group Wake Up, Kazakhstan whose phones were found by Amnesty’s Security Lab to have been infected by Pegasus in June 2021. Apple also warned them about the hack, which it attributed to a “state-sponsored attacker.”

Darkhan Sharipov
The Kazakh activist’s phone was also found by Amnesty to have been infected by Pegasus in June 2021.
Suspected operator: Kazakhstan

Read our full story on Pegasus in Kazakhstan

LEBANON

Lama Fakih
Human Rights Watch’s crisis and conflict director also heads the group’s Beirut office. She was targeted with Pegasus spyware at least five times between April and August 2021, HRW and Amnesty International’s Security Lab found.
Suspected operator: Unknown

Read our full story

MOROCCO

Hicham Mansouri
Freelance investigative journalist and co-founder of the Moroccan Association of Investigative Journalists had his iPhone infected with Pegasus more than 20 times between February and April 2021, the Project Pegasus investigation revealed. Mansouri fled Morocco in 2016 and is now based in Paris.

Mahjoub Mleiha
Human rights activist from Western Sahara who is active in the Collective of Sahrawi Human Rights Defenders, now lives in Belgium, where he is also a citizen. Amnesty found that his phone had been infected.

Joseph Breham
A French lawyer who is involved in a lawsuit against Saudi Crown Prince Mohammed over claims of torture and inhumane treatment in Yemen. Amnesty confirmed that his phone had been infected with Pegasus using the same type of messages other alleged victims in Morocco also received.

Oubi Buchraya Bachir
Sahrawi diplomat who has served as its representative in a number of African countries. Amnesty confirmed as part of Project Pegasus that his phone was infected.

Maati Monjib
Founder of the Moroccan Association for Investigative Journalism and the NGO Freedom Now (dedicated to protecting the rights of journalists and writers), Amnesty found that his phone had been infected in 2019.

Open gallery view

Shawan Jabarin, director of the al-Haq human rights group. One of the Palestinian NGO’s workers’ phones was infected by Pegasus.Credit: Majdi Mohammed/AP

Omar Radi
An independent, award-winning Moroccan journalist whose phone was found by Amnesty to have been infected in 2019.

Aboubakr Jamaï
Jamaï is a journalist who has long inspired the ire of Morocco’s royal family. Citizen Lab together with Access Now found his phone had been infected with Pegasus after materials on it were leaked online in an attempt to tarnish Jamaï and his associates.

Fouad Abdelmoumni
A Moroccan human rights and democracy activist who works with Human Rights Watch and Transparency International Morocco, Abdelmoumni’s phone was found to have been infected, most likely by the Moroccan intelligence services. Citizen Lab investigated the hacking after being commissioned by WhatsApp.
Suspected operator: Morocco

PALESTINIAN TERRITORIES (WEST BANK)

Ghassan Halaika
Human rights activist working for Al-Haq, a Palestinian NGO blacklisted by Israel, whose phone was infected in July 2020. The confirmation was made by human rights organization Front Line Defenders.

Ubai Aboudi
The phone of the director of the Bisan Center for Research and Development, a Palestinian NGO blacklisted by Israel, was infected in 2020 and confirmed by Front Line Defenders.

Salah Hammouri
Lawyer and researcher with the Addameer Prisoner Support and Human Rights Association, a Palestinian NGO blacklisted by Israel, whose phone was infected in 2020, according to Front Line Defenders.

Three unnamed activists
Phones of three activists working with Palestinian NGOs blacklisted by Israel were infected in 2020, and confirmed by Front Line Defenders.

Suspected operator in all six cases: Israel

Open gallery view

Polish prosecutor Ewa Wrzosek holding her phone outside her Warsaw office last month.Credit: Czarek Sokolowski/AP

Read our full story on Pegasus in the West Bank

POLAND

Krzysztof Brejza
Polish senator and member of the opposition party Civic Platform whose phone was confirmed to have been infected over 30 times in 2019. The confirmation was made by Citizen Lab and reported by AP.

Roman Giertych
A lawyer who has represented leaders of Brejza’s Civic Platform party in sensitive cases, and was confirmed to have been infected over 10 times in 2019. The confirmation was made by Citizen Lab.

Ewa Wrzosek
The phone of the prosecutor and critic of the ruling Law and Justice party’s attempt to undermine Poland’s judiciary was confirmed to have been infected a number of times in 2019. The confirmation was made by Citizen Lab after she received a notification from Apple warning that her phone had been hacked.

Michal Kolodziejczak
The agrarian social movement leader was hacked several times in May 2019 ahead of a fall election in which Kolodziejczak was hoping to have his group, AGROunia, become a formal political party. Courts have so far blocked his efforts to form a political party.

Tomasz Szwejgiert
An author and collaborator with Polish secret services who found himself at odds with powerful figures was hacked while co-authoring a book about the head of Poland’s secret services, Mariusz Kaminski. He was hacked 21 times with Pegasus from late March to June 2019.

Suspected operator in all cases: Poland

Read our full story on Pegasus in Poland

RWANDA

Carine Kanimba
A U.S.-Belgian citizen, Kanimba is the daughter of Rwandan activist Paul Rusesabagina, who was arrested and forcibly returned to the country. Her father’s plight inspired the 2004 movie “Hotel Rwanda” and she was confirmed by Amnesty to have been hacked at the start of 2021.

Open gallery view

Hatice Cengiz, fiancee of the murdered Saudi journalist Jamal Khashoggi, talking to the media last year.Credit: MURAD SEZER/REUTERS

Peter Verlinden
The Belgian journalist stationed in Africa has worked for the national Flemish broadcaster VTR. Belgian intelligence services and Amnesty found that his phone had been infected in September, October and November 2020.

Marie Bamutese
The phone of Peter Verlinden’s wife was also found to have been hacked. This was confirmed by Belgium’s General Intelligence and Security Service.

Placide Kayumba
A Rwandan activist and member of the opposition in exile, Kayumba was found to have been targeted as part of an investigation by Citizen Lab commissioned by WhatsApp into hacking of its clients.
Suspected operator: Rwanda

SAUDI ARABIA

Hatice Cengiz
The Turkish national was the fiancée of the late Washington Post columnist Jamal Khashoggi, and her phone was infected a few days after her partner was murdered at the Saudi Embassy in Istanbul in October 2018 – as revealed by Amnesty as part of Pegasus Project.

Omar Abdulaziz
A close friend of Khashoggi’s, Abdulaziz’s phone was infected with Pegasus in the months before the Saudi dissident’s murder in 2018, CItizen Lab found. Based in Canada, he has filed a lawsuit against NSO in Israel.

Wadah Khanfar
Al Jazeera’s former director general and another close friend of Khashoggi, Amnesty found that his phone was infected as recently as July 2021.

Ragip Soylu
A Turkish journalist who heads Middle East Eye’s bureau in Ankara. Amnesty confirmed that his phone was infected several times between February and July 2021.

Ben Hubbard
The phone of the New York Times journalist was confirmed by Citizen Lab to have been infected between June 2018 to June 2021 while he was based in Lebanon, reporting on Saudi Arabia and writing a book about Crown Prince Mohammed.

Suspected operator in all cases: Saudi Arabia

Read our full story on Pegasus in Saudi Arabia

TOGO

Open gallery view

Egyptian dissident Ayman Nour speaking in Istanbul in 2019. Credit: Burhan Ozbilici/AP

Father Pierre Marie-Chanel Affognon
A Catholic priest from Togo who is an anti-corruption activist fighting for constitutional and electoral reform in the West African country. An investigation by Citizen Lab commissioned by WhatsApp into the hacking of its clients found his phone was infected.

UNITED ARAB EMIRATES

Alaa al-Siddiq
Executive director of ALQST, a nonprofit advocating for human rights in the UAE and the Gulf region. Her phone was found to have been infected a number of times from 2015, when she was living in Qatar (where she had moved to flee persecution), and up until 2019, when she had relocated to Britain. She died in a car crash in 2021. Citizen Lab made the hacking confirmation.

Abdulaziz Alkhamis
The former editor of Al Arab, Alkhamis was hacked as part of a showcase NSO organized for the UAE. According to a lawsuit filed on behalf of Alkhamis, the UAE, which were already NSO clients from 2014, were offered an expensive upgrade of the Pegasus spyware. To show the new product’s value, NSO emailed two audio recordings of Alkhamis to Emerati officials, the New York Times reported in 2018.

Ayman Nour
Egyptian dissident, 2005 Egyptian presidential candidate and opposition activist. Citizen Lab found his phone had been infected by Pegasus, as well as an additional spyware called Predator – which was developed by NSO competitor Cytrox.
Suspected operator: UAE

Rania Dridi
A journalist with Alaraby TV, she had her phone infected at least six times during 2020, as confirmed by Citizen Lab.

Tamer Almisshal
Investigative journalist for Al Jazeera in Arabic who has covered the Gulf region extensively, including the Khashoggi killing. His phone was infected in 2020, Citizen Lab confirmed.

Ebtisam al-Saegh
Bahraini human rights activist focused on women’s rights. Front Line Defenders found that her phone was hacked at least eight times between August and November 2019. Saegh had been arrested in Bahrain for her activism in the past and has faced persecution for her work.

34 Al Jazeera staffers
The phones of 34 other journalists, producers, anchors and executives at Al Jazeera were confirmed to have been infected in 2020, Citizen Lab reported.
Suspected operator: Saudi Arabia, Bahrain and/or the UAE

Open gallery view

Mexican President Andres Manuel Lopez Obrador speaking last July about being targeted by the previous administration of President Enrique Pena Nieto after it purchased Pegasus spyware from NSO.Credit: MEXICO’S PRESIDENCY / REUTERS

UNITED KINGDOM

David Haigh
The human rights lawyer and LGBTQ activist who represented Princess Latifa of Dubai was the first British target confirmed to have been infected by Pegasus. He supplied Amnesty with his phone in the wake of Project Pegasus.

Anas Altikriti
Muslim anti-war activist based in the U.K. whose phone was confirmed to have been infected with Pegasus. His interfaith thinktank, the Cordoba Foundation, has been accused of maintaining ties with the Muslim Brotherhood and Hamas. Suspected operator: UAE

UNITED STATES

11 unnamed U.S. officials
Eleven officials with the U.S. State Department in Uganda were confirmed to have been hacked with Pegasus. The revelation led to a U.S. Department of Commerce decision last November to blacklist NSO.
Suspected operator: Uganda or Rwanda

LIST OF THOSE WHO HAVE ALSO BEEN TARGETED BY PEGASUS:

Ahmed Mansoor (Emirati human rights activist)

Rafael Cabrera (Mexican journalist)

Dr. Simon Barquera (Mexican researcher)

Alejandro Calvillo (Mexican whistleblower)

Luis Encarnación (Mexican activist)

Karla Micheel Salas (Mexican human rights lawyer)

David Peña (Mexican human rights lawyer)

Carmen Aristegui (Mexican journalist)

Emilio Aristegui (son of Carmen Aristegui)

Sebastián Barragán (Mexican journalist)

Carlos Loret de Mola (Mexican journalist)

Salvador Camarena (Mexican journalist)

Daniel Lizárraga (Mexican journalist)

Mario E. Patrón (Mexican human rights activist)

Stephanie Brewer (U.S. human rights activist working in Mexico)

Santiago Aguirre (Mexican human rights activist)

Juan Pardinas (Mexican anti-corruption activist)

Juan Pardinas’s wife

Alexandra Zapata (Mexican journalist)

Azam Ahmed (Former New York Times bureau chief for Mexico)

Open gallery view

Family members and supporters of 43 missing college students from Guerrero state. Mexico, carrying pictures of the disappeared, during an event in April 2016.Credit: AP Photo/Rebecca Blackwell

Ricardo Anaya Cortés (Mexican lawyer/politician)

Sen. Roberto Gil Zuarth (Mexican senator)

Fernando Rodríguez Doval (Mexican politician)

Claudio X. González (Mexican anti-corruption activist)

GIEI investigation (Mexican probe into mass disappearances)

Ghanem Almasarir (Saudi dissident)

Yahya Assiri (Saudi activist)

Unnamed Amnesty International employee

Abdessadak El Bouchattaoui (Moroccan journalist)

Griselda Triana (Mexican journalist)

Nihalsing Rathod (Indian human rights lawyer)

Priyanka Gandhi Vadra (General secretary, Indian National Congress)

Santosh Bhartiya (Indian journalist)

Shubhranshu Choudhary (Indian peace activist)

Unnamed U.K. lawyer

Shalini Gera (Indian lawyer)

Degree Prasad Chauhan (Indian human rights activist)

Anand Teltumbde (Indian activist)

Ashish Gupta (Indian activist)

Seema Azad (Indian activist)

Vivek Sundara (Indian activist)

Saroj Giri (Indian activist)

Sidhant Sibal (Indian journalist)

Rajeev Sharma (Indian journalist)

Rupali Jadhav (Indian activist)

Jagdish Meshram (Indian lawyer)

Alok Shukla (Indian activist)

Ajmal Khan (Indian research scholar)

Balla Ravindranath (Indian lawyer/activist)

Mandeep Singh (Indian activist)

P. Pavana (Indian, daughter of activist P. Varavara Rao)

Arunank (Indian law graduate)

Smita Sharma (Indian journalist)

Hanan Elatr (wife of Jamal Khashoggi)

Jorge Carrasco (Mexican journalist)

Álvaro Delgado Gómez (Mexican journalist)

Princess Latifa al Maktoum (daughter of the prime minister of the UAE)

Princess Haya bint Hussein (estranged wife of the prime minister of the UAE)

Juan Mayer (aerial photographer who recorded Princess Latifa’s skydives)

Lynda Bouchikhi (Princess Latifa’s officially sanctioned chaperone)

Sioned Taylor (friend of Princess Latifa)

Martin Smith (head of U.K. private security firm hired by Princess Haya)

Shimon Cohen (British PR expert)

Ross Smith (head of investigations at U.K. private security firm hired by Princess Haya)

John Gosden (British horse trainer, friend of Princess Haya)

Aisha bint Hussein (half sister of Princess Haya)

Stuart Page (British private investigator)

K.K. Sharma (former Indian Border Security Force chief)

Jagdish Maithani (Indian Border Security Force officer)

Jitendra Kumar Ojha (former Indian espionage officer)

Jitendra Kumar Ojha’s wife

Col. Mukul Dev (former Indian army officer)

Rupesh Kumar Singh (Indian journalist)

Rupesh Kumar Singh’s wife

Devirupa Mitra (Indian diplomatic correspondent)

Vijaita Singh (Indian journalist)

Bishop Benoit Alowonou (Togolese clergyman)

Elliott Ohin (Togolese opposition figure)

Raymond Houndjo (Togolese opposition figure)

Roger Torrent (Catalan parliamentary speaker)

A Complete (Updating) List of Individuals Targeted With Pegasus Spyware Plus 1,400 other potential targets who WhatsApp believes were hacked.

source