Pegasus Project investigation uncovers the reach and implications of NSO Group spyware

On Sunday, the first reports were published under the banner of the Pegasus Project, revealing the results of an investigation into how NSO Group’s military-grade spyware has been used to hack the smartphones of business leaders, heads of state, activists, journalists, politicians and more. The findings of this investigation, compiled by a consortium of media organizations across the globe, capture the implications of this commercially available spyware.

Why is the Pegasus Project important?

  • While Pegasus has been reported on before, the Pegasus Project is based on a leaked list of over 50,000 phone numbers believed to belong to individuals identified as “persons of interest” by NSO Group’s clients, thereby offering the first holistic view of Pegasus’s global operations.
  • 80 journalists from 17 international media outlets worked for months on the project, enabling a range of fresh perspectives on the world of commercial surveillance tools to a broader array of readers.

What is Pegasus?

  • Pegasus is advanced mobile spyware designed to surreptitiously capture information through the victim’s smartphone.
  • Infection methods include phishing (the victim opens a malicious link contained within a text/iMessage/WhatsApp message) and zero-click (the victim’s smartphone is compromised without any interaction required by the victim).
  • Key capabilities include the ability to extract photos, recordings, location records, communications, passwords, call logs and social media posts from the device, as well as the ability to activate the smartphone’s cameras and microphones for real-time surveillance.

What are the key findings?

  • The scale of surveillance is massive: While Pegasus was previously estimated to have been targeted at perhaps hundreds of victims, the Pegasus Project has revealed a much bigger scale of surveillance – more than 50,000 victims in over 50 countries. The picture gets even darker when you consider that Pegasus is merely one tool offered by one of dozens of cyberarms vendors around the world.
  • Anybody can become a target: Though commercial spyware is ostensibly used to catch terrorists and criminals, the Pegasus Project shows how easily such tools can be turned against members of civil society. The list of potential victims includes 189 journalists, over 600 politicians and government officials, at least 65 business executives, 85 human rights activists and several heads of state.
  • iOS security still has holes: Even with Apple’s sterling security reputation and its recent introduction of a security feature known as BlastDoor intended to beef up defense against sophisticated spyware like Pegasus, the most recent version of iOS was nonetheless found to be vulnerable. The cat-and-mouse game between smartphone manufacturers and cyberarms dealers is poised to continue into the foreseeable future.
  • The problem isn’t going away: Three trends indicate that Pegasus and similar tools will plague smartphone users for years to come: smartphones continue to grow in importance to users, giving malicious actors additional incentives to attack these devices; with each additional product and OS release, smartphone manufacturers like Apple continue to add complexity that can potentially be exploited by actors looking for an entry; and the holes in the global regulatory environment for commercial hacking tools are nowhere close to being filled.

What can I do to protect myself from Pegasus?

We strongly recommended that potential targets of Pegasus and other advanced mobile threats use SafeCase, which couples with a user’s smartphone to prevent the device from being turned into a surveillance tool against its user. SafeCase utilizes audio masking and camera blocking to keep the coupled smartphone’s cameras and microphones from picking up sensitive conversations, important visuals and other key data.

Where can I get more information on the Pegasus Project?

For more information on the Pegasus Project, we recommend starting with the following articles:

Back to Blog