Security researchers say they have found traces of an infamous iPhone and Android government spyware program in 45 countries around the world over the last two years.
Citizen Lab, a digital rights watchdog at the University of Toronto's Munk School of Global Affairs, published a report on Tuesday detailing a new scanning technique to identify systems used by governments who have purchased the so-called “Pegasus” spyware, made by the Israel-based NSO Group. Thanks to this technique, Citizen Lab’s researchers said they were able to identify 1,091 IP addresses that matched their fingerprint for NSO’s spyware. Then, the researchers clustered the IP addresses into 36 separate operators with traces in 45 countries where these government agencies “may be conducting surveillance operations” between August 2016 and August 2018.
Some of the countries where the researchers spotted Pegasus in democratic countries, such as the United States, France, and the UK, but there’s also countries with questionable human rights records such as the United Arab Emirates, Bahrain, Mexico, Turkey, and Yemen. There’s a caveat though. In some cases, the researchers aren’t sure if the traces they found indicate an infection—thus a target that may have been hacked from a foreign country—or an operator.
“Sometimes it feels like we’re shouting in the dark. Cases of spyware abuse keep piling up, and evidence keeps mounting that spyware is sold to governments that shouldn’t have it,” Bill Marczak, one of the authors of the report, told Motherboard in an online chat. “I can only hope that our research is causing these companies to think twice about sales where there is the potential for spyware abuse, causing potential customers to think twice about being associated with a company dealing with repressive governments, and causing potential investors to think twice about the inherently risky business of selling spyware to dictators.”
Mobile security firm Lookout could not confirm all the countries Citizen Lab identified but said that it is also tracking NSO and that it have detected “three digits” Pegasus infections around the world, meaning more than 100.
“We know NSO is continuing to expand their operations, they’re getting lots of customers,” Lookout’s vice president of security intelligence Mike Murray said in a telephone interview.
In a statement, an NSO spokesperson said that “the list of countries in which NSO is alleged to operate is simply inaccurate.”
“NSO does not operate in many of the countries listed [in the report],” the spokesperson said.
Digital human rights researchers have been studying companies in the government spyware business—so-called “lawful intercept” in industry parlance—for years. These are companies such as the Italian Hacking Team, the Anglo-German FinFisher, and NSO itself, which produce surveillance software and market it exclusively to government agencies around the world. Over the years, Citizen Lab and other organizations have documented several cases of countries abusing these tools to target journalists, dissidents, and human rights workers.
Citizen Lab in particular has also been able to trace and map the proliferation of tools like Hacking Team’s Remote Control System spyware and FinFisher’s product. In 2014, Citizen Lab found Hacking Team in 21 countries. And the organization found FinFisher in 25 and 32 countries during scans conducted in 2013 and 2015, respectively.
In 2016, Citizen Lab and Lookout found that the government of the United Arab Emirates had attempted to hack the iPhone of well-known human rights activist Ahmed Mansoor with NSO’s spyware. (Mansoor is now imprisoned.) Israel and the UAE have officially no diplomatic relations, but according to an Israeli tech entrepreneur who has visited Dubai multiple times, this doesn’t stop Israeli companies from doing business there.
“Don’t scream on the street that you’re Israeli and it’s OK,” the entrepreneur told Motherboard. He spoke under condition of anonymity not to strain his relationship with the Israeli government.
“Three times I was there, I was there with Israeli phone, I used my Israeli phone,” he told me “And I know that they have all kinds of technology that once I landed they know that there is an Israeli in the country. No way that they don't know. They don't care.”
Neither does Israel, he said, adding that companies like NSO, which sell sensitive tech like spyware, need to apply for an export license before each sale.
Representatives of the Israeli government in the US did not respond to a request for comment.
“The company works in full compliance with all applicable laws, including export control laws,” NSO’s statement read. “Our products have saved the lives of thousands of people.”
Solve Motherboard’s weekly, internet-themed crossword puzzle: Solve the Internet.