While all organizations or individuals that use digital technologies are at risk of a cyber-attack, malign actors and repressive governments target journalists more. The mobile devices, including laptops and smartphones, that journalists use in their line of work often contain sensitive data and communications that are of particular interest to large and small businesses, law enforcement, government agencies, and numerous kinds of organizations. Therefore, journalists need to treat cybersecurity as an important component of factual but safe reporting. In most cases, reporters working on exposés or investigative stories are at elevated risk of being targeted since mobile data can be a matter of life and death. A number of scandals involving the Pegasus spyware and various governments worldwide demonstrated why secure communications are crucial to the safety and security of journalists.
For the better part of July 2021, international media outlets aired story after story concerning spyware known as Pegasus and the Israeli organization behind it, NSO Group. According to The Washington Post, Pegasus can hack a fully updated phone with one text only. A consortium of media outlets, including The Guardian, Le Monde, and The Washington Post, conducted investigations into what has been dubbed the Pegasus Project. Also, a forensics investigation by Amnesty International found that the Pegasus spyware had infected 37 out of 67 smartphones.
Pegasus is a spyware tool created to enable government agencies to perform clandestine operations. According to NSO, the Israeli private organization that develops products for use in government intelligence operations, Pegasus cannot be traced back to the agency using it. NSO creates products for law enforcement and government intelligence agencies to counter encryption challenges in fighting terrorism.
That said, NSO indicated to the Washington Post that it develops products for governments only and has every intention of cutting ties if there is evidence that a government agency has misused Pegasus. Still, a write-up by Forbidden Stories of NSO's controversies spanning several years has inspired lawsuits from activists and journalists alike, arguing governments have used Pegasus inappropriately.
An investigation involving 17 media groups revealed that various actors had attempted to hack 37 smartphones belonging to journalists and human rights activists. According to the investigations, Amnesty International discovered the smartphones from a list of leaked mobile numbers. The numbers on the leaked list were investigated for possible surveillance by governments that use the NSO spyware.
According to a report by The Guardian, operators can use the Pegasus software to extract data from a mobile phone, including photos, text messages, and call logs, or activate a device's microphone to spy on conversations secretly. The list of journalists found to have been targeted using the Pegasus spyware dates back to 2016 and includes reporters from international media organizations. These include the Associated Press, CNN, Bloomberg News, Al Jazeera, the Financial Times, the New York Times, the Wall Street Journal, Le Monde, Voice of America, and the Washington Post.
However, via email communication with The Verge, a spokesperson from NSO refuted the claims, stating that the report was "full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources." The spokesperson went on to question the validity and authenticity of the sources that provided the information. The email statement continued to argue that the claims made in the report were false and that NSO was considering slapping the media outlets with a defamation lawsuit since the "allegations are so outrageous and far from reality."
However, NSO's Pegasus has been mentioned in other spying allegations as it has been accused of contributing to surveillance campaigns. For instance, research done by Citizen Lab between July and August 2020 found that the Pegasus technology had been used to hack at least 36 smartphones of Al Jazeera journalists. The hackers that executed the alleged hack were reportedly working for various governments within the Middle East.
While the total number of individuals spied on using the Pegasus spyware is still unclear, the Pegasus Project centered around a list of 50,000 phone numbers. After analysis, the Pegasus Project linked more than 1,000 numbers to their owners and found a significant number of individuals who should not be under government spying and surveillance. These included hundreds of government agents and politicians, among them a king, ten prime ministers, and three presidents. The list also included 85 human rights activists and more than 189 journalists.
Although the Pegasus Project did not mention whether forensic specialists were targeted, forensic specialists also require secure communication devices and channels. Forensic experts are responsible for gathering evidence from a crime scene using various tools to solve a crime. As such, criminal parties may attempt to hack forensic professionals to learn whether evidence exists and whether they are at risk of being caught.
Therefore, activists, journalists, and forensic examiners need to be extra cautious regarding their mobile security. The following tips can protect their digital identities, data, and communications by offering increased protection against surveillance and spying:
Various Pegasus attack reports show that human rights activists received WhatsApp and SMS bait messages urging them to click malicious links. Clicking the links downloads the spyware, which exploits vulnerabilities in operating systems and browsers to infect the devices. Victims are more likely to click the malicious links since the messages may claim to be from established institutions like news agencies and embassies. As a preventive measure, it is essential to consider the following points:
Pegasus also infected multiple devices through man-in-the-middle attacks by intercepting unencrypted network traffic, such as HTTP requests, and redirecting the traffic to malicious payloads. For the attack to work, victims must connect to rogue access points. Still, the attacks also worked on devices using mobile data only, especially in countries where the governments control telecommunication services. The malicious payloads would hack the device and install the spyware. The following measures can protect against network injection attacks:
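A check for the redirect pattern described above, as an added example that is not part of the original article: it scans browsing-history records for redirect chains that started over cleartext HTTP and reached an unrelated host. The record layout (`id`, `url`, `from`), the sample visits and the subdomain heuristic are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample history (not real data); "from" = id of the redirecting visit.
SAMPLE_VISITS = [
    {"id": 1, "url": "http://news.example/", "from": None},
    {"id": 2, "url": "https://news.example/", "from": 1},
    {"id": 3, "url": "http://portal.example/login", "from": None},
    {"id": 4, "url": "https://cdn.injected.test/x?id=1", "from": 3},
    {"id": 5, "url": "http://blog.example/post", "from": None},
    {"id": 6, "url": "http://www.blog.example/post", "from": 5},
    {"id": 7, "url": "https://tracker.other.test/r", "from": 6},
]


def related(host_a, host_b):
    """Heuristic: same host, or one is a subdomain of the other."""
    a, b = (host_a or "").lower(), (host_b or "").lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def chain_origin(visit, by_id):
    """Follow "from" links back to the visit that started the redirect chain."""
    seen = set()
    while visit["from"] is not None and visit["id"] not in seen:
        seen.add(visit["id"])
        parent = by_id.get(visit["from"])
        if parent is None:  # history truncated; treat this visit as the origin
            break
        visit = parent
    return visit


def find_cleartext_redirects(visits):
    """Pairs (origin_url, reached_url): chain began over HTTP, reached an unrelated host."""
    by_id = {v["id"]: v for v in visits}
    findings = []
    for v in visits:
        if v["from"] is None:
            continue
        origin = chain_origin(v, by_id)
        o, d = urlsplit(origin["url"]), urlsplit(v["url"])
        if o.scheme == "http" and not related(o.hostname, d.hostname):
            findings.append((origin["url"], v["url"]))
    return findings


if __name__ == "__main__":
    for origin, reached in find_cleartext_redirects(SAMPLE_VISITS):
        print(f"review: {origin} -> {reached}")
```

Off-site redirects from HTTP pages also occur for benign reasons, so each hit is a lead for manual review rather than proof of injection.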
According to the forensic report by Amnesty International, the Pegasus spyware infected some devices through zero-click exploits. Zero-click exploits need no action from the victim; they often rely on zero-day exploits, which occur when a hacker exploits a vulnerable application or operating system before a user can install the patches and updates released to mitigate the vulnerability. For example, the forensic report indicated that some Pegasus infections occurred through zero-click attacks on the iMessage and Apple Music apps. Measures for protecting against zero-click exploits include: