On Thursday, Amnesty International published a new report detailing attempted hacks against two Serbian journalists, allegedly carried out with NSO Group's spyware Pegasus.
Two journalists working for the Serbia-based Balkan Investigative Reporting Network (BIRN) received suspicious text messages containing links, according to the nonprofit. In one case, Amnesty said its researchers were able to click on the link in a safe environment and confirm that it led to a domain they had previously identified as belonging to NSO Group's infrastructure.
“Amnesty International has been tracking NSO Group's Pegasus spyware and the methods used to target activists and journalists,” Donncha Ó Cearbhaill, head of Amnesty's Security Lab, told TechCrunch. “This technical research allowed Amnesty to identify malicious websites used to provide Pegasus spyware that contain the specific Pegasus domains used in this campaign.”
To his point, security researchers like Ó Cearbhaill, who have been monitoring NSO's activities for years, are so good at finding signs of the company's spyware, there are things that all researchers have to do.
In other words, NSO Group and its customers are losing the fight to stay in the shadows.
“There's a fundamental problem with NSO. They're not as good at hiding as their customers think,” John Scott-Railton, a senior researcher at Citizen Lab, a human rights organization that has been investigating spyware abuses since 2012, told TechCrunch.
There is hard evidence to prove what Ó Cearbhaill and Scott-Railton believe.
In 2016, Citizen Lab released its first technical report documenting Pegasus attacks against UAE opposition. Less than a decade later, researchers have identified at least 130 people worldwide who were targeted or hacked with NSO Group's spyware, according to a running tally by security researcher Runa Sandvik.
The sheer number of victims and targets can be explained in part by the Pegasus Project, a collective journalistic initiative to investigate abuse of NSO Group's spyware, based on a leaked list of over 50,000 phone numbers allegedly entered into an NSO Group targeting system.
However, there were also dozens of victims identified by Amnesty, Citizen Lab and Access Now, another nonprofit that helps protect civil society from spyware attacks, whose identification did not rely on the leaked list of phone numbers.
An NSO Group spokesman did not respond to questions about Pegasus' invisibility, or lack of it, or to requests for comment on whether NSO Group's customers are concerned about it.
Apart from nonprofits, NSO Group's spyware keeps getting caught by Apple. Apple sends notifications to spyware victims around the world, prompting those who receive them to seek support from Amnesty and Citizen Lab. These findings have led to more technical reports documenting spyware attacks carried out with Pegasus, as well as with spyware made by other companies.
Perhaps NSO Group's problem stems from the fact that it sells to countries that use its spyware indiscriminately, including against reporters and other members of civil society.
“The OPSEC mistakes that NSO Group is making here continue to target journalists and sell to countries that will expose themselves,” said Ó Cearbhaill, using the technical term for operational security.