Mexican investigative journalists and human rights defenders were the targets of sophisticated attempts to spy on them by hacking their smartphones, an investigation by the press freedom group Article 19 and internet security researchers revealed earlier this month.
The system used in the attack is called Pegasus and it is made by a secretive Israeli company called NSO Group.
It works like this: the target receives a text message that appears personal or might contain an urgent message about a family member. It is accompanied by a link. If the target clicks on the link, the system installs malware – harmful software that operates undetected – on their device that effectively turns it into a weapon against them and those near them.
A digital security expert has told The Electronic Intifada that activists and journalists involved in work in and about Palestine should understand the dangers and take steps to make themselves less vulnerable.
Once infected by the malware, a smartphone can send a frightening amount of data back to those doing the spying, including tracking the person’s movements and location. The malware can take screenshots and turn on the phone’s camera and microphone, retrieve emails, WhatsApp messages and passwords.
Sexual taunts and threats
The University of Toronto’s Citizen Lab documented that the targets in the Mexican case – including 10 journalists and human rights defenders, one child and a US citizen – received text messages with the malware links “paired with troubling personal and sexual taunts, messages impersonating official communications” as well as “warnings of kidnappings and other threats.”
They also included “more mundane tactics, such as messages sending fake bills for phone services and sex lines.”
Carmen Aristegui, one of the most prominent investigative journalists in Mexico, was targeted with messages impersonating the US embassy, instructing her to click on a link to resolve a visa issue. But when repeated messages failed to entice her to click on the links, the operators began targeting her 16-year-old son.
“The only reason they could be going after my son is in the hopes of finding something against me, to damage me,” Aristegui told The New York Times.
Juan E. Pardinas, an activist for anti-corruption legislation, received an upsetting message with a link attached: “My father died at dawn, we are devastated, I’m sending you the details of the wake, I hope you can come.” Suspicious about it, he decided not to click on the link, he told The New York Times.
According to Citizen Lab, the sender of the text messages cannot be positively identified, however, “circumstantial evidence” suggests that one or more of NSO’s government customers in Mexico “are the likely operators.”
Since 2011, according to The New York Times, Mexican government agencies “have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer” – NSO Group.
NSO Group claims that it only sells its services to government clients for legitimate purposes, such as combatting organized crime and “terrorism.”
As part of their sales pitch, company executives reportedly claim that the Mexican government used their spyware to catch notorious drug lord Joaquín “El Chapo” Guzmán, a claim technology website CyberScoop says could not be independently verified.
But Citizen Lab says it has “repeatedly uncovered abuses of NSO’s spyware, demonstrating a failure to control the end-uses of their products.”
“The misuse of NSO’s products is part of a larger problem,” Citizen Lab states, “abuse of government-exclusive spyware to target individuals and organizations who are neither criminal, nor terrorists, but members of civil society.”
Used by the UAE
In August 2016, the United Arab Emirates-based human rights defender Ahmed Mansoor received text messages on his iPhone promising “new secrets” about prisoners tortured in the UAE if he clicked on an included link.
Mansoor forwarded the message to Citizen Lab, which discovered that he had been targeted using NSO Group’s Pegasus malware. Apple released patches for the particular security vulnerabilities identified by Citizen Lab’s investigation into the attempt to hack Mansoor.
Mansoor, who was awarded a major international human rights prize in 2015, was arrested by UAE authorities in March over alleged “cybercrimes,” such as using social media to “publish false and misleading information.”
He was previously arrested and sentenced in 2011 after what Amnesty International calls an “unfair trial.” Amnesty now says Mansoor is a “prisoner of conscience” and is demanding his immediate release.
Who is NSO?
NSO Group is part of a web of Israeli companies, many founded by former spies and military personnel, that sells technologies to break into communications.
The company, based in Herzliya in present-day Israel, is highly secretive; its founders rarely speak to media and former employees have refused to divulge information about its activities, citing fear of reprisals.
In 2014, NSO Group was purchased by US private equity firm Francisco Partners for $120 million, though its headquarters and “intellectual property rights” were to remain in Israel, according to Haaretz.
Are Palestine activists threatened?
Israel has declared an all-out war on the Palestine solidarity movement – especially the boycott, divestment and sanctions (BDS) campaign – an assault that involves black ops and covert action targeting activists.
Given this reality, what do the revelations about NSO Group’s malware mean for the Palestine solidarity movement?
“I think it’s extremely unlikely that Palestine solidarity activists will be targeted by the NSO Group’s products,” she told The Electronic Intifada, “but they will be targeted by exactly the same kinds of products made directly by the Israeli government.”
“Activists should be aware of state-sponsored malware,” she said.
Galperin notes that Palestinians living in territories under Israeli control – especially the occupied West Bank and Gaza Strip – live in a situation where all the internet and communications infrastructure is also under full Israeli control.
“They can intercept your traffic and even push fake traffic to you,” Galperin said, “so this kind of targeting is not even necessary.”
This means that Israel is capable of freely spying on the communications of individuals in the territory it controls without the need to use malware similar to that made by NSO Group.
There is some evidence this is already happening: in 2014, dozens of veterans and reservists of Israel’s Unit 8200 cyberwarfare division revealed that the unit deploys its capabilities to collect intimate personal information on Palestinian civilians living under occupation that is “used for political persecution and to create divisions within Palestinian society by recruiting collaborators and driving parts of Palestinian society against itself.”
According to Galperin, Israel would be more likely to try to use malware “outside of Israel or Palestine, where they don’t control the infrastructure.”
But it is very difficult to tell if it is already happening and to what extent.
“We do not catch them very often,” Galperin said. “That doesn’t necessarily mean that it is rare.”
So far Pegasus, which targets iPhones, has only been detected in the Mexico and United Arab Emirates cases.
Chyrsaor, a similar malware thought to be made by NSO Group to target phones using Google’s Android operating system, has, according to Google, only been found on about three dozen devices worldwide – out of 1.4 billion.
The NSO Group’s system does not come cheap: it is reportedly priced at tens of thousands of dollars per target, on top of a hefty “installation fee” of $500,000 dollars, according to The New York Times.
Galperin said she suspects that the Israeli government does not frequently find it necessary to use malware because the government has so many other options to keep track of people – including monitoring social media or using informants.
Other types of cyberwarfare against the movement have included DDoS (distributed denial of service) attacks that take down websites, and which have been tied to Israel.
Practice good security
There is no way to protect yourself 100 percent, Galperin warns. “If they have decided that you specifically are a target and they are willing to devote serious manpower to you, then the advice I’m giving is woefully insufficient,” she said. “But you can make yourself a harder target.”
Always immediately install security updates on all your devices. Most malware exploits known security flaws that remain open because people don’t install security updates.
Protect your sensitive accounts with long, strong, unique passwords and use a password manager.
Use two-factor authentication for your sensitive accounts. This is a way to let a user identify themselves to a service provider by requiring a combination of two different authentication methods. SMS text messages are frequently used as the second mode of authentication, but the Electronic Frontier Foundation warns that SMS may not be secure and advises on other methods such as a small hardware device called Yubikey.
In general, journalists and activists need to always practice good digital security, not just with smartphones but with all their devices and online activities.