Hacked wide open. Israeli spyware Pegasus aids in surveilling journalists and activists worldwide

How Israeli cyber weaponry exports work

Israel is a major hub for spyware producers. Two main reasons contribute to this: the substantial presence of the military sector in the country and its export policy. Many Israeli high tech companies were founded by former high-ranking officers from intelligence agencies such as the Mossad or the renowned Intelligence Unit 8200. Their platforms often replicate military reconnaissance tools but operate without state control and can be sold to countries with any political regime. Despite being advertised as a means of defense against terrorists, these spyware devices frequently target activists and journalists worldwide.

The sale of defense technologies in Israel is governed by the 2007 Defense Export Control Law. Companies are required to register with the Ministry of Defense before seeking a license for marketing and export. However, this law eliminated the option to revoke licenses if the technology is employed to infringe upon human rights, contravene international law, or suppress democratic movements. Highly efficient spyware, initially designed for the Israeli army, can also be reproduced and sold internationally by private enterprises to authoritarian regimes. Nonetheless, the responsibility for such exports is not exclusive to private entities. The Israeli government holds a pivotal role in determining the recipient countries for surveillance systems, and the authorities exploit the sale of specific spy tools to further their interests.

Eitay Mack, an Israeli lawyer, has been advocating for years to halt the export of Israeli surveillance systems to countries with dictatorial regimes. He sends numerous petitions to the Ministry of Defense. “By controlling the issuance of export licenses, the ministry effectively controls the industry itself,” he told The Insider. Mack explains that these companies are akin to subcontractors, and authorities may even pressure them to compel sales to certain countries:

“A year ago, I was invited to speak at an event for all legal advisers of defense companies, and one of their complaints was precisely about the Ministry of Defense. Manufacturers, pressured by authorities, often have to take risks.”

Israel also provides technologies (including Pegasus) to Azerbaijan to maintain close relations with Baku, although it is not a secret that the Azerbaijani authorities persecute journalists and activists.

In certain cases, spyware companies under Israeli control register abroad to evade local regulations. For example, Quadream is accused of selling spyware for hacking mobile devices to Saudi Arabia, with which Israel has no diplomatic relations. Like Pegasus, this software is known for successfully infecting devices without any action from the user (zero-click).

To bypass export barriers, Quadream utilized the services of the Cypriot company InReach. Eitay Mack asserts that de jure the Defense Export Control Law also regulates situations where Israeli companies establish foreign subsidiaries: “If a company is managed by Israelis, it must obtain a license regardless of whether it is registered in Hungary, Cyprus, or Romania. They cannot ignore the regulations.” However, de facto, foreign branches serve as a way for Israeli companies (and authorities) to attempt to circumvent the law.

Who aided in spying on Timchenko?

The NSO Group's Pegasus is the most well-known Israeli surveillance tool, primarily due to the long list of its victims and abuse scandals. The company claims that Pegasus is intended to combat terrorists and criminals, but according to cybersecurity experts, the spyware was installed on the phone of Galina Timchenko, the editor of Meduza, and possibly several other journalists. The phone of the wife of Saudi journalist Jamal Khashoggi was also hacked using Pegasus a few months before he was killed and dismembered in the Saudi Arabian consulate in Istanbul.

Pegasus has been sold to more than 40 countries (including five EU members). In 2021, an international group of investigators found that it had been used for spying on more than 180 journalists, human rights activists, lawyers, and opposition figures in Poland, Hungary, and India.

In early September, the Parliamentary Assembly of the Council of Europe condemned Poland, Hungary, Greece, Spain, and Azerbaijan for using this tool for political purposes. The United States placed the NSO Group on a blacklist, restricting the company's access to U.S. technologies.

The NSO Group regularly identifies and exploits new vulnerabilities for Pegasus. In early September 2023, Apple released updates addressing previously detected weaknesses in devices that could have been used to spy on civil activists in Washington. This vulnerability affected a multitude of Apple devices, including older iPhone models, iPads, Mac computers and laptops, as well as Apple Watches. Nor are Android devices immune to such threats.

In earlier versions of Pegasus, malicious text messages were used, and recipients had to click a link (for example, Mexican investigative journalist Jorge Carrasco received such an SMS in 2016). However, in later versions of this software, it was possible to enter the phone discreetly using “zero-day” vulnerabilities (i.e., those that nobody knows about yet) and without requiring any action from the user. Whether Pegasus can still access correspondence without the user's click remains unknown. Apple and Android continually update their operating systems to patch known vulnerabilities, but no one can guarantee that Pegasus hasn't found new ones.

After installation, Pegasus allows its customers to collect passwords and gain full control over the device, e.g. by turning it into a remote microphone or camera. By controlling the screen, one can read any conversation, regardless of how secure the messaging app is. This might have been be the objective of those who hacked Galina Timchenko's phone: the editor of Meduza was heading to a conference in Berlin when her device was compromised.

According to Access Now, the main suspects in the hacking are Latvia with the support of Estonia, although the organization does not rule out that countries like Azerbaijan, Kazakhstan, or Uzbekistan could have hacked Timchenko on Russia's behalf. Interestingly, the Israeli Ministry of Defense refused to issue a license for the export of Pegasus technology to Estonia and Ukraine on the grounds that they planned to use it against Russian targets.

According to Israeli cybersecurity expert Omer Benjakob, Timchenko may not be the only Russian journalist who has fallen victim to Pegasus. A typical NSO Group contract usually involves multiple simultaneous hacks.

Pegasus's victims

According to a recent investigation by Citizen Lab and Access Now, from October 2020 to December 2022, up to 12 Armenian citizens fell victim to Pegasus. In their cases, it's also unclear which country was behind the hacking, but investigators suspect the attack is related to the conflict between Armenia and Azerbaijan. Although Azerbaijan is a close ally of Israel and is known to have made deals with the NSO Group, it's unclear whether Armenia possesses such spying capabilities. The victims of Pegasus shared their experiences with The Insider.

Karlen Aslanyan, a journalist with the Armenian service of Radio Liberty (Radio Azatutyun), hosts a popular political show where he invites guests to discuss the Nagorno-Karabakh conflict. His phone was infected with Pegasus around April 2021:

“I didn't receive any malicious links, emails, or anything of the sort. However, it turned out that one of my colleagues was being spied on, and Amnesty International experts conducted checks on Radio Liberty staff's phones. They found out that my phone was infected with Pegasus around April 2021. I wouldn't have known about it if it hadn't been for random checks. Interestingly, they spied on people from different sectors—politicians in government, political opposition, journalists, and opposition journalists. Given this diversity, many suspect Azerbaijan, but we can't tell for sure.

Even Amnesty International cannot definitively determine the country behind the attack. However, we know that Azerbaijan had acquired Pegasus, and the Armenian government, at least based on public documents, had not. Of course, considering the current tension between Armenia and Azerbaijan, I'm afraid they might attempt surveillance again.”

Ruben Melikyan is another victim of Pegasus in Armenia:

“My phone was infected in late May 2021, around the time of the parliamentary elections in Armenia. I didn't notice any signs; this spyware is so sophisticated that it's impossible to detect without a special investigation. I was working in the election monitoring commission.

We published a lot of important information; for example, a candidate from the ruling party was forced to withdraw his candidacy because we revealed he had dual citizenship. Thus, I was dealing with Armenia's internal affairs, not Azerbaijan, when my phone was hacked. But I was also the Human Rights Ombudsman of the Republic of Artsakh from 2016 to 2018, which could have played a role. Nevertheless, the Armenian government did not conduct any investigation in this case, and it raises suspicion because if a citizen of one country becomes a victim of espionage, it would logically warrant an inquiry.”

Russia's Choice: UFED Spyware

Pegasus is officially unavailable in Russia, but the Kremlin has been actively employing another Israeli data extraction software, UFED, developed by Cellebrite. While some basic Cellebrite products do not require export licenses, Israeli authorities have the ability to control the sale of more advanced versions of UFED to government institutions. UFED differs from such platforms as Pegasus: it is not remote spyware but a device that needs to be physically placed against the phone to gain access.

In 2020, Alexander Bastrykin of the Investigative Committee of Russia stated that his agency had used UFED over 26,000 times to hack various phones. The device was utilized in drug cases, bribery cases, and against activists like Lyubov Sobol. In one instance, a lawyer claimed that a Tula investigator gained access to WhatsApp and Viber messages on an iPhone 7 belonging to a suspect using UFED and deleted information that could have confirmed the suspect's innocence.

In late 2021, Cellebrite announced that it would cease sales of its services to clients in Russia and Belarus under pressure from Israel. The user agreement for UFED systems mentions a “Deactivation Code,” stating that Cellebrite can remotely turn off its devices. However, even after February 2022, the Investigative Committee of Russia and Belarus continued to use these devices, including operations in Chechnya. UFED training sessions for law enforcement officers were also conducted in Krasnodar at the end of 2022. Eitay Mack explains that while Cellebrite stated it would halt the sale of its systems, nothing was said about terminating existing contracts.

Statements were also made by authorities that the Russian army uses UFED devices in occupied Ukrainian territories to unlock phones and check if citizens support the Ukrainian army. However, experts say it's difficult to confirm the specific purposes of Russians in using spy technologies. Russian investigators presented a Cellebrite device in September 2022.

How to protect yourself

Pegasus and other zero-click spyware are undeniably some of the most sophisticated spy programs that allow an attacker to infect your phone without any action or knowledge on your part. While it is extremely difficult to fully protect yourself from such spyware, here are the following steps you can take:

• Install the latest software updates for all your devices and apps as soon as they become available as manufacturers regularly patch vulnerabilities exploited by spyware companies like NSO Group in their newest updates.
• If you are an Apple user, enable Apple Lockdown Mode which is currently one of the most effective ways to project your Apple device from sophisticated spyware like Pegasus.
• Enable disappearing messages on all your apps to ensure if the attacker hacks your devices, they will not have access to your communications history.
• Watch out for official threat notifications from Apple and other tech platforms that may notify you if your phone has been targeted by spyware.
• If you are a journalist, human rights defender, activist, or a dissident who is suspecting your phone is infected with spyware, please contact Access Now Digital Security Helpline (also available in Russian).