Citizen Lab has released a report titled Hide and Seek which details the usage of spyware called Pegasus – developed by Israeli company NSO Group.
The report shows that infections of the Pegasus spyware were detected in South Africa on the networks of Vodacom, MTN Business, Telkom (SAIX – likely on ADSL), and Internet Solutions.
Pegasus is a mobile phone spyware suite which requires that the attacker convince their target to click on an exploit link.
When you click the link, it activates a series of zero-day exploits which break your phone’s security and install Pegasus without your knowledge.
“Once the phone is exploited and Pegasus is installed, it begins contacting the operator’s command and control servers to receive and execute commands,” Citizen Lab reported.
It also sends your private data to the servers including passwords, contact lists, calendar events, text messages, and live voice calls from mobile messaging apps. Pegasus can also remotely activate your phone’s camera and microphone.
NSO Group asserts that it licenses its product exclusively to governments and law enforcement.
“Our business is conducted in strict compliance with applicable export control laws,” the NSO Group told Citizen Lab.
However, Citizen Lab has witnessed the use of Pegasus to target activists, journalists, and politicians of opposition parties.
South African infections
The organisation explained that it developed a technique it calls “Athena” to cluster IP addresses that matched its Pegasus fingerprints into 36 distinct operators. Each operator makes use of multiple IP addresses.
Citizen Lab gave each operator a name drawn from national symbols or geographic features of the country.
“For each IP address used by the operator, we extracted a domain name from its TLS certificate,” Citizen Lab said.
“We coded the domain names to generate a Suspected Country Focus and assessed whether there were political themes in the domains, which might suggest politically-motivated targeting.”
Using DNS cache probing, Citizen Lab generated a list of countries in which there are possible infections associated with the operator.
This process revealed that there are a significant number of Pegasus infections in South Africa, though South Africa does not appear to be specifically targeted by any Pegasus operator.
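How a DNS cache probe distinguishes a name a resolver has already cached from one it has not, as an added Python illustration that is not part of the Citizen Lab report or its tooling; the domain, the transaction id and the resolver reply bytes are constructed placeholders, and the parser handles the name compression real replies use.

```python
import struct
TXID = 0x1234  # constructed transaction id

def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_probe(name: str, txid: int = TXID) -> bytes:
    """Non-recursive A query: flags=0 clears RD, so the resolver may only answer from cache."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4); returns (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def classify_reply(reply: bytes, txid: int = TXID):
    """('cached', smallest remaining TTL), ('not-cached', None) or ('refused', None)."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a reply to our probe")
    if (flags & 0x000F) != 0:                 # non-zero RCODE: resolver refused or failed
        return ("refused", None)
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = read_name(reply, off)
        off += 4
    ttls = []
    for _ in range(an):                       # remaining TTL below the original hints at cache age
        _, off = read_name(reply, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10 + rdlen
        ttls.append(ttl)
    return ("cached", min(ttls)) if ttls else ("not-cached", None)

# Constructed sample replies (placeholder name and documentation-range IP, not real indicators).
NAME = "probe-target.example"
CACHED_REPLY = (struct.pack("!HHHHHH", TXID, 0x8080, 1, 1, 0, 0) + encode_name(NAME)
                + struct.pack("!HH", 1, 1) + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([203, 0, 113, 7]))
EMPTY_REPLY = struct.pack("!HHHHHH", TXID, 0x8080, 1, 0, 0, 0) + encode_name(NAME) + struct.pack("!HH", 1, 1)
```

A resolver that answers a non-recursive query for one of the fingerprinted domains is evidence that some client behind it resolved that name recently, which is how per-country infection lists can be built without access to the devices themselves.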
The Pegasus operators who have infected devices that appear to be active on South African networks are:
- GRANDLACS — active from June 2017 with suspected infections in Kenya, Rwanda, South Africa, and Uganda. Political themes found.
- MULUNGUSHI — active from February 2018 with a suspected focus on Zambia. Suspected infections in South Africa and Zambia. No political themes found.
Infected devices connected to the GRANDLACS operator were found on the networks of Vodacom, MTN Business, and SAIX in South Africa.
MTN’s networks in Uganda and Rwanda, and Vodacom’s operation in Kenya (Safaricom) also had infected devices on them.
The MULUNGUSHI operator had infections on the Internet Solutions network in South Africa, and MTN Zambia.
NSO Group responds
NSO Group provided the following statement to Citizen Lab in response to its report:
There are multiple problems with Citizen Lab’s latest report. Most significantly, the list of countries in which NSO is alleged to sell or where our customers presumably operate the products is simply inaccurate. NSO does not sell its products in many of the countries listed. The product is only licensed to operate in countries approved under our Business Ethics Framework.
Citizen Lab disputed the accuracy of the statement, saying they were able to infect a test device with Pegasus in the United States – a country not listed by NSO Group.
“The list in our report is of suspected locations of NSO infections, it is not a list of suspected NSO customers,” added Citizen Lab.