NSO Group Spyware Operations Exposed Repeatedly

March 28, 2025
Report Details Pegasus Spyware Attempts on Serbian Journalists

A new report released by Amnesty International on Thursday details alleged hacking attempts targeting two journalists in Serbia. These attempts reportedly utilized Pegasus spyware, developed by the NSO Group.

Phishing Attacks Used as Entry Point

The journalists, both affiliated with the Balkan Investigative Reporting Network (BIRN) based in Serbia, were sent suspicious text messages. These messages contained links designed to initiate a phishing attack, according to the nonprofit organization.

Researchers at Amnesty International were able to safely analyze one of these links. Their investigation revealed that it led to a domain previously identified as part of the NSO Group’s infrastructure.

Growing Expertise in Identifying Pegasus

Donncha Ó Cearbhaill, head of Amnesty’s Security Lab, explained to TechCrunch that Amnesty International has been meticulously tracking Pegasus spyware for years. This ongoing research has enabled them to identify malicious websites used for spyware delivery.

Security researchers, including Ó Cearbhaill, have become highly proficient at recognizing indicators of the company’s spyware. Often, a simple examination of a domain involved in an attack is sufficient for identification.

Loss of Cover for NSO Group

This increasing detectability suggests that NSO Group and its clientele are struggling to maintain operational secrecy. Their efforts to operate undetected are becoming less effective.

John Scott-Railton, a senior researcher at The Citizen Lab, stated to TechCrunch that NSO Group faces a fundamental issue: its customers overestimate their ability to remain hidden.

Documented Evidence of Pegasus Use

Substantial evidence supports the concerns raised by Ó Cearbhaill and Scott-Railton.

In 2016, Citizen Lab published the initial technical report documenting an attack utilizing Pegasus. The target was a dissident from the United Arab Emirates. Since then, researchers have identified at least 130 individuals worldwide who have been targeted or compromised by the NSO Group’s spyware, as tracked by security researcher Runa Sandvik.

The Pegasus Project and Beyond

The large number of victims is partly attributable to the Pegasus Project, a collaborative journalistic investigation. This initiative examined abuses of NSO Group’s spyware, based on a leaked list of over 50,000 phone numbers allegedly entered into an NSO Group targeting system.

However, Amnesty International, Citizen Lab, and Access Now – another nonprofit dedicated to protecting civil society – have also identified numerous victims independently, without relying on the leaked phone number list.

NSO Group's Silence

An NSO Group spokesperson did not respond to requests for comment regarding the increasing visibility of Pegasus. Questions about customer concerns regarding this lack of stealth also went unanswered.

Apple's Role in Detection

Apple has also been instrumental in uncovering Pegasus spyware. The company has been sending notifications to potential victims globally. These notifications often lead individuals to seek assistance from Access Now, Amnesty, and Citizen Lab.

These discoveries have contributed to further technical reports detailing attacks carried out with Pegasus, as well as spyware from other developers.

Indiscriminate Use of Spyware

A key issue may be NSO Group’s sales practices, specifically its provision of spyware to nations that employ it without restraint. This includes targeting journalists and other members of civil society.

Ó Cearbhaill emphasized that NSO Group’s operational security (OPSEC) is compromised by its continued sales to countries that repeatedly expose themselves through targeting journalists.
