Spyware vendor defends hacking journalists, continues to embolden abusive governments

camillefassett

Reporter

CitizenLab
The Citizen Lab

The founder of of spyware vendor NSO Group appeared to defend targeting journalists, activists, and human rights defenders with its malicious software Pegasus in an interview days ago with CBS.

NSO Group has been back in the headlines again when it was uncovered that the wife of a murdered Mexican journalist was targeted with the company’s spyware after her husband’s assassination. What’s more, a Saudi dissident alleged in a December 2018 lawsuit that Pegasus was used in an attempt to spy on journalist Jamal Khashoggi before he was murdered by the Saudi Arabia government, a claim which CBS’s 60 Minutes explored on Sunday.

What is clear is that Pegasus, supposedly intended for government use only against “terrorists,” has been used against people who may pose headaches for their governments. NSO Group has failed to cut off relationships with authoritarian governments found to have targeted their critics, and it’s seems from CBS’s interview that NSO’s leadership has no intention to do so.

Used against journalists by their own governments
In 2016, Mexican journalist Sebastián Barragán received a text message that read: “I have credible evidence against public servants”. Beneath it was a link that researchers would later determine contained malware to remotely take over the device.

Citizen Lab, a technical lab and digital rights organization based in Toronto, has been researching Pegasus — malware used to hack people’s phones — for years. It has found that Barragán is one of an unknown number of media workers targeted with malware by their own government. Others include investigative journalist Carmen Aristegui and her son, Mexican journalist Rafael Cabrera, and Televisa anchor Carlos Loret de Mola. And due to the secret nature of spyware, it’s possible there are numerous other members of the Mexican press yet to be identified who have been targeted.

Compromising a journalist’s mobile device could threaten their sensitive reporting processes, privacy, and families. It can put sources and whistleblowers in serious danger.

What is Pegasus and how does it work?
Journalists — especially those covering sensitive subjects like corruption or national security — frequently receive messages, email attachments, and documents that promise to contain tips and useful reporting materials. Pegasus works by exploiting journalists who are doing their jobs following through on potential news or messages that appear to come from whistleblowers. Once a user clicks on a malware infected attachment, Pegasus can take over a device, essentially letting an attacker see everything that is happening on a phone.

Freedom of the Press Foundation Director of Newsroom Security Harlo Holmes said that a device becoming infected usually starts with a link received over SMS, or even through an end-to-end encrypted messaging service like WhatsApp.

“The language is crafted to lure a journalist specifically, by mentioning personal details or by sending them at times that are contextually appropriate, like in response to a real life incident. These tactics maximize the chance that the journalist will actually click through.”

“Modern software is incredibly complex, and sometimes bugs go undiscovered by their developers,” said David Huerta, a digital security trainer at Freedom of the Press Foundation. “Some bugs can break a device’s security safeguards. Companies like NSO Group find these security-breaking bugs and turn them into weapons.”

(For a more technical explanation of Pegasus’ pathology, see Citizen Lab’s reports.)

What can journalists do to protect themselves from spyware?
Malware like Pegasus can run in the background, and it’s possible journalists could remain unaware that their devices have been compromised and are being remotely controlled once they’ve clicked on an inflected attachment. Holmes emphasized that this is by design. “It’s made to be as stealthy as possible, and there are other factors that are dependent on the individual device that could make it very difficult for someone without a forensic background to know definitively.”

Journalists can minimize their risk of infection by malware through basic digital security hygiene, and, in particular, installing software updates.

“Pegasus works by taking advantage of security holes in your mobile device,” said Digital Security Trainer Olivia Martin. “The only way to patch these vulnerabilities is by applying system updates, which often contain security fixes.”

If journalists or activists suspect their devices have already been compromised, numerous digital rights and press freedom groups may be able to help or facilitate a connection to someone who can, including Freedom of the Press Foundation, Electronic Frontier Foundation, Committee to Protect Journalists, CitizenLab, and Reporters without Borders.

While no digital security practices are infallible, there are numerous resources are available for journalists to proactively protect their devices and sensitive reporting materials to minimize risks of malware infection before it happens. Check out Freedom of the Press Foundation’s digital security guides, and the Electronic Frontier Foundation’s surveillance self-defense kit.

“That’s a decision intelligence agencies should get…”
In an interview with CBS’ 60 Minutes on Mar. 24, NSO Group CEO Shalev Hulio and co-president Tami Shachar were presented with an opportunity to categorically denounce the unconscionable use of Pegasus against targets such as journalists.

Shachar disputed whether many of these abuses had ever occurred at all. “Nothing has been proven,” Shachar told CBS when asked about them, despite Citizen Lab’s public research showing that Pegasus has been used against journalists and human rights defenders.

When confronted with the reports that NSO Group sold Pegasus to Saudi Arabia in connection with the murder of Jamal Khashoggi, Hulio refused to “talk about specific customer." When asked to clarify whether he would not sell Pegasus to a country known for human rights and press freedom abuses, he only reiterated that Pegasus is sold to “prevent crime and terror.”

But governments like Saudi Arabia are quick label dissidents and free speech advocates as terrorists, too. While he claimed there were “a hundred” governments they wouldn’t sell to, apparently Saudi Arabia—one of the most repressive regimes in the world—wasn’t on that alleged “do not sell” list.

“They consider anybody who is a threat to their regime is a terrorist,” Saudi comic Ghanem Almasarir, who was also allegedly targeted by the Saudi government using Pegasus told CBS.

And perhaps most disturbingly, Hulio appeared to justify government targeting of journalists in the process of stopping “terrorism.” “...[I]f [journalists] are in touch with a drug lord… and in order to catch them, you need to intercept them, that’s a decision intelligence agencies should get.”

NSO Group’s answers show that the company has no intention of taking responsibility for its technology, breaking off its relationships with abusive governments, or categorically preventing the use of Pegasus spyware against journalists and activists. Companies like NSO Group continue to empower authoritarian governments to hack their critics, and in doing so, put countless journalists at severe risk.