Pegasus and the Digital Arms Trade
by Reflare Research Team on Nov 30, 2021 7:15:00 PM
A high-profile divorce case has shown that the elite can indeed deploy government-level espionage spyware tools for their own personal use, and it's more common than you think. So, how did we get here?
First Published 9th November 2021 | Latest Refresh 30th November 2021
You too can now keep an eye on your ex (or anyone, really) with military-grade spyware. Giddy up!
5 min read | Reflare Research Team
Divorce court
You have probably read or heard about the spyware scandal involving the Dubai royal family. According to news reports, a senior high court judge in the UK has ruled that the ruler of Dubai, Sheikh Mohammed bin Rashid al-Maktoum, hacked the phone of his ex-wife, Princess Haya, using spyware developed by the Israeli company NSO Group.
The Dubai ruler is currently battling his ex-wife in court over custody of their two children. As a result of this ruling, NSO restricted its software from being able to target UK numbers.
A friend of a friend
Haya's phone was not the only one hacked by the Dubai ruler, though. Her close associates, including two of her lawyers, were also targeted.
They only became aware that they had been spied on when Cherie Blair, the wife of the former UK Prime Minister Tony Blair, who is also an advisor to the NSO Group, informed Fiona Shackleton - one of Haya’s lawyers who happened to be a member of the UK’s House of Lords - that she and others had been targeted.
Spyware as a weapon
You are not alone if you suspect that the only reason this came to light is that Cherie Blair, upon learning that a senior British politician had been targeted, decided to come forward rather than risk an even bigger national security scandal by keeping quiet. As you can reasonably imagine, the story of the ruler of Dubai ordering spyware deployed against a member of the House of Lords would have created quite the geopolitical crisis.
As a matter of fact, many spyware victims do not know they have been hacked until they are made aware by third parties. Case in point: it is believed that around 50,000 people had either been targeted or listed as targets by NSO clients. Many of them are journalists, activists, lawyers, politicians, and even family members of state leaders. The majority of those who become aware they have been targeted only do so because someone else brought it to their attention. Without being tipped off, many targets go about their days completely unaware of what is happening to them.
Arabs and their horses
The NSO spyware suite, aptly named Pegasus, first became known to the general public in 2016 after an Arab human rights defender, Ahmed Mansoor, received a text message asking him to follow a link promised to contain new information about torture happening in the United Arab Emirates prisons. Instead of clicking, Mansoor sent the messages to cybersecurity and human rights researchers at the Citizen Lab - an interdisciplinary laboratory based at the University of Toronto’s Munk School of Global Affairs and Public Policy.
Collaborating with cybersecurity experts at Lookout Security, the researchers determined that the link led to a chain of zero-day exploits that would have installed sophisticated spyware on Mansoor’s phone. A zero-day is a cyber weapon that exploits software vulnerabilities not yet known to the public or the vendor; because nobody knows about the flaw, no security fix exists to stop the attack.
Zero click
There are two types of exploits normally used to target mobile phones: the first requires user interaction, such as clicking on a link, while the second type, often referred to as ‘zero click’, does not need the victim to do anything at all beyond having their phone switched on and the vulnerable operating system or application installed on it. Pegasus is known to use both types of exploits to gain initial access to targeted mobile phones.
Once the phones are compromised, the perpetrators would have complete access to them. That means they would be able to extract contacts, call logs, messages, photos, web browsing history and more. They could also use their victim’s mobile phone to send text messages containing malicious links to other targets, exploiting the victim’s social-trust network.
Lords of war
So why is the NSO Group allowed to exist, then? Well, that is like asking why defence companies like Lockheed Martin, BAE, Thales, and others that sell both conventional and non-conventional weapons are permitted to run their businesses. Arms manufacturing is a lucrative business, and the NSO Group is just another weapon manufacturer - one that produces the weapons of the 21st century, weapons that do not exist physically, but as bits and bytes.
The NSO Group is not the first and will not be the last cyberweapon manufacturer, and the trading of digital weapons has been going on for at least a decade. The Grugq, a well-known South African hacker based in Thailand, was once the poster boy of the zero-day black market. Like a true Lord of War, he would often meet his clients (mostly representatives of government agencies, by his own account) at a restaurant in Bangkok, and head home with bags full of cash.
According to The Grugq in an article published by Forbes in 2012, a zero-day that exploits widely used applications or operating systems could easily sell for millions. At the time he was interviewed, he was on track to earn more than one million USD in annual commissions for his role as a broker, taking a 15% cut from the sales.
Are you the next target?
Courtesy of its newfound public notoriety, NSO Group now finds itself being added to a growing list of trade bans, so you might feel a little calmer. Even Apple has sought an injunction to stop NSO from using any Apple software, service or device. However, NSO is just one company, and Pegasus is just one product. New players will continue to enter this marketplace, and companies just like NSO will not be going anywhere anytime soon. There will always be demand for cyberweapons, and, as with conventional weapons, it is very hard if not impossible to stop them from being misused.
So, what can you do about it?
Well, the good news is that, as we mentioned above, these cyberweapons are expensive and are therefore very unlikely to be used against random targets, since every deployment risks the exploit being discovered by security researchers. However, if you think you are one of the people likely to be targeted, don’t panic; there are several things you can do, such as:
- Share your private phone number with only those closest to you and have a separate number and phone for everyone else (a cheap burner phone will do).
- Do not click on links that you don’t trust, especially those shared by strangers. If someone you trust shares a link with you, call the person to confirm that they’re indeed the one who sent it to you.
- Make sure to always update your applications and operating systems, especially when the update is a security fix.
- Install mobile antivirus software and other security tools that can help prevent exploits from executing successfully and detect those that are running on your phone.
- If you suspect your phone has been compromised or you’re being targeted, contact cybersecurity experts such as those at Citizen Lab or Reflare for help.
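The second and fourth points above can be partly automated. The following Python script is an added example for this article (it is not Reflare's or Citizen Lab's code): it pulls links out of incoming text messages, compares each link's host against a list of known-bad domains and a personal allowlist, and tells the user whether to block the link, confirm it with the sender by phone, or open it. Every domain in it is a constructed placeholder; the real indicator-of-compromise feeds are the ones Citizen Lab and Amnesty International publish, and the two-label domain collapsing is a deliberate simplification of what the Public Suffix List would give you.

```python
"""Triage links found in text messages against an IoC list and an allowlist.

Added example, not code from the article or from any named organisation.
Domain lists below are constructed placeholders, not real indicators.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for a published IoC feed (NOT real spyware infrastructure).
KNOWN_BAD_DOMAINS = {"example-ioc-domain.invalid", "fake-news-portal.test"}

# Domains the phone's owner has decided to trust (constructed).
TRUSTED_DOMAINS = {"example.com", "bank.example.org"}

# Matches http(s) URLs and bare domain-like tokens such as "bit.ly/abc".
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.IGNORECASE)

ASCII_HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.-")


@dataclass
class Verdict:
    url: str
    host: str
    level: str    # "block", "confirm" or "ok"
    reason: str


def host_of(url):
    """Return the host part of a URL, tolerating a missing scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return urlsplit(url).hostname or ""


def registered_domain(host):
    """Collapse sub-domains so a.b.example.com also matches example.com.
    Naive two-label heuristic; a real tool would consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_url(url, sender_known=False):
    """Classify one link. Known-bad beats everything; odd hosts need a call;
    only allowlisted domains get an 'ok'."""
    host = host_of(url)
    dom = registered_domain(host)
    if host in KNOWN_BAD_DOMAINS or dom in KNOWN_BAD_DOMAINS:
        return Verdict(url, host, "block", "matches a known indicator of compromise")
    # Punycode or non-ASCII hosts are where look-alike domains hide.
    if host.startswith("xn--") or ".xn--" in host or any(c not in ASCII_HOST_CHARS for c in host):
        return Verdict(url, host, "confirm", "internationalised or unusual characters in host")
    if host in TRUSTED_DOMAINS or dom in TRUSTED_DOMAINS:
        return Verdict(url, host, "ok", "trusted domain")
    if sender_known:
        return Verdict(url, host, "confirm", "unknown domain from a known sender: confirm by phone")
    return Verdict(url, host, "confirm", "unknown domain from an unknown sender: do not open")


def triage_message(text, sender_known=False):
    """Return a Verdict for every link in one message."""
    return [triage_url(m.group(0), sender_known) for m in URL_RE.finditer(text)]


def triage_inbox(messages):
    """messages: iterable of (text, sender_known). Returns counts per level."""
    counts = {"block": 0, "confirm": 0, "ok": 0}
    for text, sender_known in messages:
        for v in triage_message(text, sender_known):
            counts[v.level] += 1
    return counts


# Constructed sample inbox; the first message mimics the lure Mansoor received.
SAMPLE_INBOX = [
    ("New secrets about detainees tortured in prisons: https://fake-news-portal.test/read", False),
    ("Your statement is ready at https://bank.example.org/statement", True),
    ("Look at this http://unknown-site.test/x", True),
    ("Login here: http://xn--80ak6aa92e.com/", False),
]

if __name__ == "__main__":
    for text, known in SAMPLE_INBOX:
        for v in triage_message(text, known):
            print(f"{v.level:8s} {v.host:28s} {v.reason}")
    print(triage_inbox(SAMPLE_INBOX))
```

The useful property is the ordering: an IoC match wins even if the domain were allowlisted, and nothing that is not explicitly trusted is ever marked "ok", which is the "call the person to confirm" rule from the list above expressed as code.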
Additionally, although this is not traditional cybersecurity advice, it may be wise not to pick too many fights against powerful people who have infinite piles of money at their disposal, unless it’s extremely necessary.
Being forewarned is being forearmed, and tech users everywhere should rebel against their own poor IT security practices. To quote the Nobel Prize-winning Algerian-born, French philosopher Albert Camus - "With rebellion, awareness is born". Even a little bit of IT security awareness training (especially for those not experienced in tech) can significantly slow down attackers (just ask Ahmed!). Furthermore, knowledge is power. To stay on top of the latest cyber security trends, subscribe to the Reflare Research Newsletter and explore the related reports below.