Enlightened rogues, beware.
Pegasus spyware was deployed against journalists and human rights watchdogs in Mexico between 2019 and 2021, despite the government's promise to stop using it.
The hacks came after President Andrés Manuel López Obrador promised that the Mexican government would not use Pegasus to intimidate critics, in direct contrast to the actions of his predecessor, Enrique Peña Nieto.
According to Citizen Lab—which helped Mexican digital rights group R3D verify the attacks it detected on human rights defender Raymundo Ramos, journalist Ricardo Raphael, and an anonymous contributor to media outlet Animal Politico—“each of the victims would be of intense interest to entities within the Mexican government and in some cases, troublingly, to cartels.”
Taking aim. Pegasus attacks mobile devices. One of the exploits used against Raphael relied on a link shared by text message, similar to a spam email, that installed malware on his phone.
“Today, as we’ve all moved our worlds onto our phones, one of the biggest and most hard-to-defend-against threats against high-risk people of any sort are threats around mobile phone security and mobile malware,” said Citizen Lab Senior Researcher John Scott-Railton.
Scott-Railton told IT Brew that Citizen Lab has begun to see an increase in “zero-click exploits”—hacks of mobile phones that don’t require the user to click a link or take any action. Instead, the attack uses an existing vulnerability to gain access and install malware.
The extent to which the malware can infiltrate your mobile device goes beyond just reading messages and emails and downloading data. With keychain apps, it’s possible that adversaries could use the cloud to access the totality of your information from laptops and other devices.
And if you don’t catch it in time, you might never detect it.
“The attacker can set it to self-destruct,” Heather Mahalik, digital forensics and incident response lead at the SANS Institute, told IT Brew.
High-level regulations. Developed by Israeli company NSO Group, Pegasus is a notorious and dangerous piece of tech that can get into your phone simply by being delivered in a message—you don’t even have to open it—and once it is there, the person behind the attack has near-total control of your mobile device. In Mahalik’s view, the totality of the threat of Pegasus is hard to overstate.
“This is the most intimidating thing that can happen on a mobile device,” Mahalik said, stressing that even the threat of the use of the malware can have a chilling effect on free speech.
The expense of deploying a Pegasus attack makes the spyware cost-prohibitive and largely the domain of nation-states aiming to suppress dissent and of high-level corporate espionage. But it’s not out of the question that the super rich—think billionaires with an ax to grind—could also access the technology, one way or another.
The Mexico report is a reminder of how dangerous Pegasus—and spyware in general—can be. Rand Hammoud, a surveillance campaigner with digital civil rights campaign group Access Now, told IT Brew that the “new revelations are proof to us all that we cannot rely on the goodwill or promises of governments, or even companies, and that we need official international regulation.”
“The global community needs to be focusing on regulating the spyware industry rather than just trying to find ways to protect ourselves from it,” Hammoud said. “Because there will always be billion-dollar companies trying to find ways to crack those protections.”
Hammoud said that Pegasus and other spyware need “large-scale accountability and large-scale regulation.”
“Spyware is cyber arms and it has been weaponized and is at this point weaponry, and it’s time to regulate it as such,” she said.—EH
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @EoinHiggins_ on Twitter.