The American newspaper The New York Times reported that the Israeli company NSO shut down the "Pegasus" spying system this July. The system, which the company developed, was used to hack the phones of journalists at the Al Jazeera Media Network.

The New York Times quoted a source in the Israeli company as saying that its decision to close the "Pegasus" spying system came after it was exposed.

Europe scandal

The President of the European Commission said on Monday that the use of spyware to target journalists is totally unacceptable, after reports that spyware produced by an Israeli company was used to compromise the mobile phones of a group of journalists, government officials and human rights activists around the world.

"If this were to happen, it is totally unacceptable," Ursula von der Leyen added. "It violates any kind of EU rule."

An investigation conducted by 17 media organizations, whose results were published last Sunday, revealed that the "Pegasus" spyware produced by the Israeli company NSO was used to hack the phones of journalists, officials and activists in different parts of the world.

The investigation, conducted by 17 international media outlets including the French newspaper Le Monde, the German Süddeutsche Zeitung, the British Guardian and The Washington Post, is based on a list obtained by Forbidden Stories and Amnesty International.

The list includes the numbers of at least 180 journalists, 600 politicians, 85 human rights activists and 65 businessmen, according to the analysis conducted by the group. It was confirmed that 37 phones were hacked, or targeted with hacking attempts, using the Israeli group's spyware.

So what is this program?

And how dangerous is it?

More importantly, what technique does it use to infect its victims?

NSO Group

NSO is an Israeli company specializing in developing cyber espionage tools. It was established in 2010, employs about 500 people and is headquartered near Tel Aviv.

The company has been the subject of much controversy in recent years, with Canadian internet monitoring lab Citizen Lab saying the company's Pegasus system is being used by countries with "suspicious human rights records and histories of abusive behavior by state security services".

Pegasus is also expensive spyware. According to a 2016 price list reported by the Fast Company website, NSO asks customers for $650,000 to compromise 10 devices, plus half a million dollars in software installation fees.

Its discovery

Pegasus is considered one of the most dangerous and "most complex" spyware programs. It specifically targets smart devices running Apple's iOS operating system, but there is also a version for Android devices that differs somewhat from the iOS version.

Researchers discovered this program for the first time in August 2016 after a failed attempt to install it on the iPhone of a human rights activist in the United Arab Emirates named Ahmed Mansour, through a suspicious link in a text message. The investigation revealed details about the program, its capabilities, and the security holes it exploits.

How dangerous it is

Kaspersky, which specializes in antivirus software, explains that Pegasus is "modular malware".

That is, it first "scans" the target device, then installs the modules needed to read the user's messages and emails, listen to calls, take screenshots, record keystrokes, and pull browser history and contacts.

It can also listen to encrypted audio and read encrypted messages thanks to its keystroke-recording and audio-recording capabilities, which capture outgoing messages before they are encrypted and incoming messages after they are decrypted.

John Scott-Railton, a researcher at Citizen Lab, says the software can do just about anything users can do, including reading text messages, turning on the camera and microphone, adding and removing files, and processing data.


How does it work?

Phishing is the most common method of infecting a device with this spyware. An email containing a suspicious link is sent to the victim, and when the victim clicks on it, the malware is installed on the device.

When the malware was first detected, the target was an iPhone running a non-jailbroken version of iOS, which is why researchers describe it as the most sophisticated attack they have seen.

The program relies on 3 previously unknown vulnerabilities in iOS, from version 7 to version 9.3.4. Such vulnerabilities are called "zero-days", and they allow the malware to penetrate the operating system silently and install the spyware.

Targeted

Because Pegasus is very costly targeted spyware, actors use it to attack "high value" individuals: political activists or others who have access to important, sensitive and confidential information.

But it can also potentially be used against specific targets for other purposes, including spying on major corporations. CEOs, CFOs, executives and financial teams are often in the line of attack because they usually have access to confidential data, especially via their mobile devices.

iOS and Android

The Android version, which was discovered in 2017, is not much different from the iOS version, but it does not depend on zero-day vulnerabilities to penetrate the device. Instead, it relies on a well-known rooting method called "Framaroot" to break the device's protection.

Another difference is that if the iOS version fails to jailbreak the device, the entire attack fails. In the case of the Android version, even if the malware fails to gain root access to the phone to install the spyware, it will still try to ask the user for the permissions needed to retrieve at least some data.


Protection

Usually, when a new version of the Pegasus software is released for iOS, Apple moves quickly to address it, and the company has released a security update that patches all the vulnerabilities mentioned.

As for Google, it takes a different approach, which is to alert the targets of this malware directly.

If you have updated your iOS operating system to the latest version, and you have not received a warning message from Google, then you are most likely safe from Pegasus, according to Kaspersky. You should always update your device with the latest security patches and install good security solutions.

Scale of spread

Over the past two years, Citizen Lab has scanned the Internet for servers linked to Pegasus, and found its traces in 45 countries, including 17 Arab countries: Algeria, Bahrain, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Saudi Arabia, Tunisia, UAE and Yemen, along with countries such as the United States, United Kingdom, Canada, France, Israel and Turkey.

The laboratory says, in the report published on its website last September, that it has identified what appears to be a significant expansion in the use of Pegasus in the Gulf Cooperation Council countries, and that in total at least 6 operators have been identified with significant operations in the GCC countries. Among them are two operators that appear to focus mostly on the UAE, one focusing mostly on Bahrain, and another focusing on Saudi Arabia.

The future

No one can confirm that the Israeli company that developed the Pegasus program is stopping the program completely. This software can be used to develop other new programs that can hide and work more effectively than the old ones, and the only way to find out is, unfortunately, to catch new victims and repeat the same cycle.