On 18th July, a variety of newspapers - like The Guardian, Le Monde, The Washington Post, Süddeutsche Zeitung and many others from all over the world, which have been collaborating in the so-called “Pegasus Project” for months - published the first results of a journalistic investigation into the Israeli company NSO Group and the illegal uses of its spyware Pegasus. The scoop - for that is what it is, in this case - caused great surprise in the media and raised strong fears in public opinion about the risks that the increasingly widespread and poorly regulated development and sale of spyware pose to the health of our democracies and to the protection of human rights.
16 news outlets, coordinated by the French NGO Forbidden Stories (whose aim is “to protect, continue or publish the work of other journalists who are threatened, jailed or have been murdered”) and helped by the Security Lab of Amnesty International, are currently collaborating on the investigation. Forbidden Stories and Amnesty International started the project: they obtained a list of 50,000 telephone numbers of people said to have been selected, since 2016, as targets to be monitored using Pegasus. These two non-profit organizations chose to share the data with a network of media organizations from 10 countries and to start an investigation on an international scale.
Pegasus is spyware - defined by The Guardian as “maybe the most powerful ever created, at least by a private company” - that, “once it enters a phone, it can make it a monitoring device 24h/24, and you don’t even notice that”.
This software can copy messages (even those exchanged through WhatsApp or iMessage) and emails, record calls, collect photos and videos, and activate the camera, the microphone and the GPS of the device, which lets it track the owner. In its first version, Pegasus got onto devices through spear-phishing (the user receives a deceptive message or email containing a link that, once clicked, installs the spyware on the device); today, the software can also get onto mobile phones through so-called “zero-click” attacks, which do not require the user to do anything for the infection to succeed. In 2019, for instance, WhatsApp stated that its internal investigations had confirmed the infection by Pegasus of 1400 devices through a WhatsApp call: by exploiting a “zero-day” vulnerability in the app (a security vulnerability unknown to the developer), a WhatsApp call alone was sufficient for Pegasus to be installed on the contacted device, without the owner needing to answer. It is understandable, therefore, why it is considered so dangerous.
Pegasus was created in 2011. Its creator, the company NSO Group, which describes itself by stating that “it creates tech that helps agencies to prevent and to look into terrorism and crime, and to save billions of lives all over the world”, claims that it sells its products (Pegasus included) only to law enforcement and intelligence agencies that pass accurate and detailed evaluations, and that the products are used only to fight crime and terrorism. This is what the company claimed in a statement, published on the same 18th July, in reply to the accusations made by the newspapers involved in the “Pegasus Project” and by Amnesty International itself. Agnès Callamard, the Secretary General of Amnesty International, declared that “Pegasus Project shows how the spyware of NSO has become the preferred weapon of those repressing governments that want to make journalists shut up, to attack activist people and to hit disagreement, putting a lot of lives at risk”.
As for the core of the revelations that emerged from the Pegasus Project investigation, the accusation against the Israeli company is that it sold the spyware to governments that are unreliable when it comes to respecting human rights, and that these governments used it to surveil - clearly illegally - billions of journalists, activists, political dissidents, academics, lawyers, but also ministers, diplomats, prime ministers, and so on. The news outlets involved in the investigation verified the identity of the owners of the 50,000 telephone numbers on the list that Forbidden Stories and Amnesty obtained (through unknown means). These numbers are believed to have been selected over the years by NSO’s clients - the buyers of Pegasus - as targets to be monitored through the Israeli-made spyware. The majority of the numbers do not belong to murderers or terrorists, but to activists, journalists, politicians etc. (some of them well known). However, since inclusion in the list does not guarantee that a given contact was actually targeted and infected, the Security Lab of Amnesty International carried out digital forensic analysis on (so far) 67 devices whose numbers appear on the list: 23 were infected, and signs of an attempted infection were found on 14 of them.
It is not possible to identify those responsible with certainty (NSO does not make its clients public), but by organizing the contacts into clusters - according to the origins or the area of activity of the selected people - the members of the Pegasus Project came to believe that the governments of 10 countries organized the attacks: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and the United Arab Emirates.
With reference to Hungary, the contacts of 10 lawyers, an opposition politician and 5 journalists appear on the list. Among them are two journalists from the editorial staff of Direkt36, one of the 16 news outlets collaborating on the Pegasus Project; their phones were analysed and found to be infected.