How Does Pegasus Work?

The Pegasus Project
Investigation

Traces of NSO Group’s Pegasus software have been found on the mobile phones of journalists and human rights activists around the world. What can it do?


July 18, 2021

Edward Snowden’s bombshell revelations about mass U.S. government surveillance set off alarms about digital security across the globe.

Once of interest mainly to spies and IT security geeks, end-to-end encryption became commonplace as messaging moved onto encrypted email and apps like WhatsApp and Signal.

The trend left governments unable to listen in — and desperate for a solution.

To meet that need, Pegasus was born.

Pegasus is the flagship product of Israeli cyber-surveillance company NSO Group, perhaps the best known of the new spyware companies. NSO Group’s technology allows its clients — which the company says are always governments, never private individuals or companies — to target specific phone numbers and infect the associated devices with Pegasus code.

But instead of trying to listen in on data flowing between two devices — which will probably be encrypted — Pegasus allows its users to commandeer the device itself, gaining access to everything on it.

Pegasus also monitors the keystrokes on an infected device – all written communications and web searches, even passwords – and returns them to the client, while also providing access to the phone’s microphone and camera, turning it into a mobile spying device that the target unwittingly carries with them.

“When a phone is compromised, it’s done in such a way that allows the attackers to obtain administrative privileges on the device. That allows virtually anything to be done on the phone,” said Claudio Guarnieri from Amnesty International’s Security Lab, which has developed a methodology for analyzing infected devices.

Governments around the world are desperate for what Pegasus can give them, ostensibly to allow them unfettered access to the communications and movements of terrorists and criminals. Yet The Pegasus Project also shows how NSO Group has almost certainly sold its technology to governments with dubious human rights records — and how it has been used to target journalists and human rights activists. Evidence collected by The Pegasus Project indicates that governments from India to Azerbaijan and Rwanda to Mexico have successfully used NSO’s spyware.

To maintain their lucrative access, NSO Group’s team must continually update its technology to outpace companies like Apple and Google as they apply patches to fix vulnerabilities. Over the last half decade, Pegasus has evolved from a relatively crude system reliant on social engineering to a piece of software that can compromise a phone without the user having to click on a single link.

Zero-Click Exploits

Pegasus hacking attacks once required a target’s active participation. Pegasus operators sent text messages containing a malicious link to their target’s phone. If the target clicked, a malicious page would open on their web browser to download and execute the malware, infecting the device.

Various tactics helped NSO Group’s clients increase the chances of a click.

“[Clients] would send spam messages just to frustrate the target, then send another message telling them to click on the link to stop receiving the spam,” said Guarnieri.

Social engineering techniques helped manipulate targets into clicking by embedding the link in messages designed to appeal to their fears or interests.

“Messages might include news of interest to [the target], or promotions for things they know you want – maybe a gym membership or online sales,” said Guarnieri.

Eventually, the public became more aware of these tactics and better able to spot malicious spam. Something more subtle was required.

The solution was the use of so-called ‘zero-click exploits.’ These exploits do not rely on the target doing anything at all for Pegasus to compromise their device. This, according to Guarnieri, has been the preferred attack method of governments using Pegasus over the last few years.

Zero-click exploits rely on bugs in popular apps like iMessage, WhatsApp, and FaceTime, which all receive and sort data, sometimes from unknown sources.

Once a vulnerability is found, Pegasus can infiltrate a device using the protocol of the app. The user does not have to click on a link, read a message, or answer a call — they may not even see a missed call or message.

“These zero-click exploits constitute the majority of cases we’ve seen since 2019,” said Guarnieri, whose team published a technical report on The Pegasus Project methodology.

“This is nasty software – eloquently nasty,” Timothy Summers, a former cyber engineer at a U.S. intelligence agency, told reporters. “It hooks into most messaging systems including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple's built-in messaging and email apps, and others. With a line-up like this, one could spy on almost the entire world population. It's apparent that NSO is offering an intelligence-agency-as-a-service.”

Fighting Back

Despite a solid mainstream reputation, Apple’s iMessage is known by experts to be vulnerable to attack. Matt Green, a cryptographer and security expert at Johns Hopkins University, told reporters that iMessage has become increasingly susceptible since Apple made its software more complex. This has inadvertently introduced more ways to find exploitable coding errors. Apple regularly releases updates intended to patch such vulnerabilities, but the spyware industry always seems to be at least one step ahead.

“There’s no doubt that [Pegasus] is capable of infecting the most recent versions of iOS,” said Guarnieri. “There’s much more investment, of time and money, in finding these bugs than probably is placed preventing them from being created in the first place and rooted out. It’s a cat and mouse game, and the cat is always ahead because there is an economic incentive.”

An Apple spokesman, who talked with reporters from the Washington Post, denied spyware companies were ahead of them.

“iPhone attacks, like the one NSO Group builds, are targeted, cost millions to develop, and often have a limited shelf-life because we discover them and patch the issue. We have therefore made it economically prohibitive to attack iPhone users at scale,” said Ivan Krstic, head of Apple Security Engineering and Architecture.

The business is clearly lucrative. In 2016, the New York Times reported that an NSO tool to spy on 10 iPhone users would cost $650,000 plus a $500,000 installation fee – likely for much less advanced technology than what’s available today. The company reported revenues of US$243 million in 2020.

On the back foot when it comes to digital security, tech companies are now fighting back in the courts. In 2019, WhatsApp sued NSO Group in the United States, claiming that the Israeli firm had exploited a vulnerability to infect over 1,400 devices. WhatsApp claims that those targeted included journalists, lawyers, religious leaders, and political dissidents. Several other high-profile companies, including Microsoft and Google, have filed supporting arguments in the ongoing case.

The suit follows others brought by Amnesty International (against Israel’s Ministry of Defense, which must approve all NSO Group’s sales to foreign governments) or by activists and journalists allegedly targeted by NSO Group’s technology.

‘Network Injection’

Apart from zero-click exploits, NSO Group’s clients can also use so-called “network injections” to quietly access a target’s device. A target’s web browsing can leave them open to attack without the need for them to click on a specially designed malicious link. This approach involves waiting for the target to visit a website that is not fully secured during their normal online activity. Once they click on a link to an unprotected site, NSO Group’s software can access the phone and trigger an infection.

“There’s nothing you can do about it,” said Guarnieri. “The delay [between accessing an unsecured website and infection by Pegasus] can be a matter of milliseconds.”

However, this technique is more difficult to accomplish than attacking a phone using a malicious URL or a zero-click exploit, since the target’s cellphone use must be monitored until the moment at which its internet traffic is unprotected. This is normally done through the target’s mobile operator, which some governments can access or control.

This reliance makes it difficult or impossible for governments to target people outside their jurisdiction, however. Zero-click exploits face no such limitations, which underpins their popularity.

From 'Patient Zero,' a Trail of Evidence

Amnesty International’s technology team analyzed data from dozens of cellphones suspected to have been targeted by clients of NSO Group. To spot Pegasus on a device, the team first looks for the most obvious giveaway – the presence of malicious links in text messages. These links would lead to one of a series of domains used by NSO Group to download the spyware onto the phone – what’s known as the company’s infrastructure.

“NSO made mistakes operationally in setting up the infrastructure that they use for conducting the attacks,” said Guarnieri. In the first case on record – the so-called “patient zero” – that network infrastructure “linked back to [NSO’s] corporate infrastructure.”

NSO Group also appears to have originally used a series of fake email accounts to set up much of its infrastructure. Finding one of those accounts linked to a domain is additional evidence that it belongs to NSO Group.

“Patient zero” was a human rights activist from the United Arab Emirates named Ahmed Mansoor. In 2016, Citizen Lab discovered that Mansoor’s phone had been hacked through malicious links offering “new secrets” about torture carried out by UAE authorities. Citizen Lab was able to show that the messages came from Pegasus.

“There will always be a trail of evidence that will link back to the very first patient zero,” said Guarnieri.

As well as spotting links to NSO’s network infrastructure, Amnesty’s team saw similarities in the malicious processes executed by an infected device. There are only a few dozen of them, and one in particular – called Bridgehead, or BH – appears repeatedly throughout the malware, right back to Mansoor’s phone.

Guarnieri says he downloaded every version of iOS released since 2016 to see if the processes he was finding on infected devices were legitimate. Not one of the processes his team found was actually released by Apple.

“We know these processes are not legitimate – they’re malicious. We know they are Pegasus processes because they connect to the network infrastructure that we’ve seen,” said Guarnieri. On infected devices, the Amnesty team was seeing a clear sequence: “a website was being visited, an application crashed, some files were modified and all of these processes executed in a matter of seconds or even milliseconds. There is a continuity of the uniqueness of processes that we see in all of these cases that we have analyzed. There’s no doubt in my mind that what we’re looking at is Pegasus.”
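
The two checks this section describes (links in text messages that point at known attack infrastructure, and processes absent from Apple's releases that run within seconds of a site visit and an app crash), sketched as an added example that is not part of the original article or of Amnesty's tooling. The indicator domain, the four-name process baseline and the timeline are constructed placeholders; the process name bh echoes the article's mention of BH.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed placeholders: not real Pegasus indicators, not a complete iOS baseline.
INDICATOR_DOMAINS = {"bad-infra.example"}
BASELINE_PROCESSES = {"SpringBoard", "mediaserverd", "MobileSMS", "MobileSafari"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_matches(host, indicators):
    """True if host is an indicator domain or a subdomain of one (label-aligned)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)

def flag_messages(messages, indicators=INDICATOR_DOMAINS):
    """Return (message id, url) for each link that points at indicator infrastructure."""
    hits = []
    for msg_id, text in messages:
        for url in URL_RE.findall(text):
            if host_matches(urlsplit(url).hostname or "", indicators):
                hits.append((msg_id, url))
    return hits

def suspicious_bursts(events, baseline=BASELINE_PROCESSES, window=timedelta(seconds=5)):
    """For each process not in the baseline, collect the events within `window` of it."""
    events = sorted(events, key=lambda e: e[0])
    bursts = []
    for ts, kind, detail in events:
        if kind == "process" and detail not in baseline:
            bursts.append((detail, [e for e in events if abs(e[0] - ts) <= window]))
    return bursts

# Constructed sample data.
SAMPLE_MESSAGES = [
    (1, "Your parcel is waiting: https://track.bad-infra.example/x?id=9"),
    (2, "Lunch menu: https://notbad-infra.example/menu"),  # look-alike suffix, no match
    (3, "Stop the spam here http://BAD-INFRA.example./unsub"),
]
T0 = datetime(2021, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0, "visit", "http://news.example/"),
    (T0 + timedelta(seconds=1), "crash", "MobileSafari"),
    (T0 + timedelta(seconds=2), "process", "bh"),
    (T0 + timedelta(minutes=30), "process", "MobileSMS"),
]

if __name__ == "__main__":
    print(flag_messages(SAMPLE_MESSAGES))
    for name, related in suspicious_bursts(SAMPLE_EVENTS):
        print(name, [(k, d) for _, k, d in related])
```

Matching on whole domain labels keeps a look-alike such as notbad-infra.example from being flagged, while the upper-case, trailing-dot form of the indicator still is.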