The World of Hacking and Pegasus

By Isabelle John

Introduction

The NSO Group is facing major international criticism and backlash after reporters obtained a list that contained alleged targets for the spyware to be used on including activists, advocates, governments, and government officials. This has caused turmoil on the global level and shaken the tech-world.

This has caused breaches to individuals’ fundamental rights, their right to privacy, and data privacy. The situation proves to be grave and cause an increase in protests against this issue on a global scale.

What is hacking?

Hacking refers to the actions that compromises any digital device, for example: smartphones, computers, and possibly even entire networks.

Hacking is not necessarily always done with malicious intentions, however nowadays there is a stigma around hacking and hackers as they are characterized to be unlawful activities conducted by cybercriminals who are motivated by spying, protesting, financial gain, or perhaps just as a challenge.^[1]

What is Pegasus?

Pegasus is a spyware software that was developed by a private contractor for government agencies’ purposes. This software has the ability to infect a target individuals’ phone and can send back any data they require such as messages, audio/video recordings, and messages.

The company, Pegasus’ developer is an Israeli company called the NSO Group. They say that this software is untraceable, meaning that the government using it cannot be traced. This is an essential feature for covert operations.^[2]

It can also activate the device’s microphone which allows anyone to listen in on conversations clandestinely, the Guardian notes.^[3]

Who is the NSO Group?

The NSO Group creates products that enables governments of countries to spy on their citizens. The company itself describes the products’ roles on their websites as aiding “government intelligence and law-enforcement agencies use technology to meet the challenges of encryption” in the midst of criminal and terrorism investigations.

The company has stated to The Washington Post that they only work with government agencies. They have also ensured that they will cut off any agency’s access to the software if they found out that there is evidence of abuse or foul play.

They claim that they have done this before however, in an Amnesty International statement, they raised valid concerns on the fact that this company is still providing this software to oppressive governments. These governments and their agents should not be and cannot be trusted to be doing what is right by their citizens.^[4]

What was the Hack that Occurred?

17 media outlets commissioned a sweeping investigation and the results were that Pegaus, the NSO Groups’ software had been attempted to hack 37 smartphones, whose owners were journalists and human rights activists, as per The Washington Post’s reports.

Paris journalism nonprofit, Hidden Stories, and a human rights group, Amnesty International discovered that the phones were on a leaked list of numbers. These numbers present on the list were distinguished for potential scrutiny by several countries who are known to be clients of the NSO Group.

The list that was acquired dated back to 2016, as per the Post’s reports which includes reporters from the Associated Press, Voice of America, Post, CNN, the Wall Street Journal, Bloomberg News, the New York Times, Le Monde, Al Jazeera, and the Financial Times.

There was a statement that was emailed to The Verge on Sunday, where an NSO spokesperson denied all the claims that were present in the report in The Wire published in India.

They mentioned that it was “full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources,” while continuing to question the sources of the provided information.

The statement by the spokesperson continues to state that, “After checking their claims, we firmly deny the false allegations made in their report.” The company is also considering a defamation lawsuit, as according to their statement it says, “these allegations are so outrageous and far from reality.”^[5]

• What is Defamation?

Defamation constitutes the written or oral communication of a statement that is false about another that unjustly harms their reputation and is usually considered to be a tort or a crime, depending on the nature.

The NSO can pursue their claim for defamation, however as they are an Israeli based company and the Wire was published in India, they would have to ask the Indian government to take action. They would have grounds for slander and proceed to sue for damages and monetary compensation.

History of Pegasus Hacks

This recent accusation is not the first time the NSO’s spyware, Pegasus, has been accused of being part of a greater surveillance campaign. In the year 2019, Whatsapp sued NSO bringing the claim that Pegasus had been used to hack Whatsapp’s encrypted chat service.

Between the months of July and August of the year 2020, Citizen Lab, a research organization, found that 36 phones with the owners being Al Jazeera journalists had been hacked using the technology. The theory was that the hackers were potentially working for governments present in the Middle East.

Important Individuals who were Hacked

Le Monde reported that the French president, Emmanuel Macron, and 14 French ministers had been flagged for potential scrutiny by Morocco. The Moroccan authorities, however, have denied any use of the software, Pegasus, and have stated that the allegations against there are “unfounded and false”.

The president’s office has also mentioned that President Macron has ordered an increase in security protocols. It has not been confirmed if whether the software had been installed on Macron’s phone, however his number was on the list of 50,000 contacts that were believed to have been targeted by the NSO Group’s clients.

Other numbers are reported to include South Africa’s Cyril Ramaphosa, President Baram Salih of Iraq, as well as the current prime ministers of Egypt, Morocco, and Pakistan.^[6]

What Major Privacy Issues does this Raise?

There is a major breach of an individual’s fundamental rights due to the Pegasus hack. Fundamental rights are a group of rights that the Supreme Court recognizes to require a high degree of protection from government encroachment. This is usually laid out in each country’s constitution and will include something on a right to privacy.

For example, in India, Article 21 of the Constitution states that “No person shall be deprived of his life or personal liberty except according to procedure established by law.” It was also held by the court that a right to privacy is considered to be a part of the right to protection of life and personal liberty.^[7]

This can constitute a violation of a fundamental right as these rights are in place to mitigate government encroachment, and governments were the ones given access to the technology, as per Pegasus’ developers terms.

The Pegasus hack is a clear violation of an individual’s fundamental right, as access was given to private and privileged information, especially when considering individuals of a high stature such as politicians and advocates.

This was also done under unlawful means as it was not to access any information for criminal proceedings or terrorist acts, hence a breach.

What Action has France Taken?

French president, Emmanuel Macron has reportedly been in contact the Naftali Bennett, the Israeli prime minister, to ensure that there are proper investigations being done into the allegations that Macron could have been targeted by Morocco’s security services using Pegasus, the Israeli-made spyware.

Macron had expressed concern that his phone and those of pretty much most of his cabinet could have potentially been infected with the spyware.^[8]

Prosecutors in France’s capital, Paris has said that they have also opened a probe into the allegations that Morocco’s security services and intelligence services have used Pegasus to spy on their journalists and their government officials.

This investigation will examine various charges, including those on whether there was fraudulent access to personal electronic devices, if there was a breach of personal privacy and if there are any criminal associations within those who are involved.^[9]

What Action has Morocco Taken?

Morocco has acted by filing a defamation claim against Amnesty International as well as a French NGO who has claimed that Morocco has used their intelligence services, which does include Pegasus, to spy on lawyers for the government and several French journalists, the French government has stated.^[10]

Algeria’s Actions

There has been an order for an investigation into the media reports on the fact that the North African country could have been the target of the Pegasus spyware.

This investigation was ordered by Algeria’s public prosecutor to further determine what exactly went down.^[11]

Saudi Arabia and the United Arab Emirates

Both countries have been accused of using Pegasus’ spyware software to monitory the activities of dissidents, journalists, and human rights activists. However, both countries have dismissed any allegations against them on this.^[12]

The Actions that India has Taken

India’s central government has proceeded to take no action against the allegations they are facing after the Pegasus situation erupted.

The allegations against them are that they were among other countries that used the software for the means of targeting journalists, activists, and politicians. This in itself has caused internal turmoil as there are major riots and protests against this issue.

However, West Bengal has taken initiative and become the first state to order a probe. While addressing media at the state secretariat, the Chief Minister, Mamta Banarjee says that, “The Cabinet has approved the appointment of a commission of inquiry comprising former Supreme Court Justice, Justice (retd) MB Lokur and retired chief justice of Calcutta high court, Justice (retd) Jyotirmay Bhattacharya in exercise of the power conferred by section 3 of the Commission of Enquiry Act, 1952 in the matter of widely reported illegal hacking, monitoring, putting under surveillance, tracking, recoding etc of mobile phones of various persons in the state of West Bengal.”

In response to this the Bharatiya Janata Party (BJP) has retaliated by launching a counterattack saying that this is all a gimmick by Banerjee and that none of the commissions of enquiry that had been formed earlier by the state ever yielded any results.

BJP vice president in West Bengal, Jay Prakash Majumdar, says that “It appears nothing more than a political gimmick which lacks support of jurisprudence and support of the Indian legal mechanism. Since coming to power in 2011 her government has so far formed innumerable such commissions using public money. But none of the reports were published or placed in the Legislative Assembly. Earlier multiple political leaders had alleged that their phones were tapped by the TMC government. Will the commission also prove all these?”^[13]

Who Else Should be Blamed?

As phones were at the heart of the scandal, Google and Apple are facing a lot of backlashes for not making their software secure enough. The CEO of Telegram is at the frontlines of the backlash. The founder, Pavel Durov said that both these companies have left their backdoors open in their systems to allow such attacks to take place.

As both these companies are part of the global surveillance program, they need to implement backdoors into their mobile operating systems.

However, the problem that arises is that these backdoors are never exclusive to just one party. As a result anybody has the opportunity to exploit them, and so governments should take action against these two companies in addition to the others responsible for the Pegasus scandal.^[14]

What are Other Hacking Tactics?

Phishing. This is a social engineering attack which is often used to steal a user’s data. This could include credit card numbers or login credentials. This happens when an attacker disguises as a trusted entity, and then proceeds to dupe them into opening a text message or an email.

Fake WAP. A hacker could easily use software to be able to create a fake wireless access point, which is connected to an official public place WAP. Once an individual is connected to the fake WAP, the hacker can access all your data. They can rename it to something legitimate such as “Starbucks WiFi” or use an airport’s name.

Bait and Switch. This is where a hacker can buy ad spaces on websites and when an individual clicks on an ad they could get directed to a page that is completely infected with malware. This then allows the hacker to install more malware or adware onto your computer.

These ads are attractive to the user and made to ensure that the user will click on these ads. The hacker is enabled to run a malicious program and after the installation they have access to all information present on the device.^[15]

Reference-

1. “Hacking definition: What is hacking?”, MalwareBytes, available at: malwarebytes.com (last visited on July 26, 2021). ↑
2. Mitchell Clark, “NSO’s Pegasus spyware: here’s what we know”, The Verge, July 23 2021, available at: theverge.com(last visited on July 26, 2021). ↑
3. Kim Lyons, “Pegasus spyware used to target phones of journalists and activists, investigation finds”, The Verge, July 18 2021, available at: theverge.com. (last visited on July 26, 2021). ↑
4. Mitchell Clark, “NSO’s Pegasus spyware: here’s what we know”, The Verge, July 23 2021, available at: theverge.com (last visited on July 26, 2021). ↑
5. Kim Lyons, “Pegasus spyware used to target phones of journalists and activists, investigation finds”, The Verge, July 18 2021, available at: theverge.com. (last visited on July 26, 2021). ↑
6. “Pegasus spyware: French President Macron changes phone after hack reports”, BBC, July 23 2021, available at: bbc.com (last visited n July 26, 2021. ↑
7. Hinailiyas, “Right To Privacy Under Article 21 and the Related Conflicts”, Legal Service India, available at: .legalservicesindia.com (last visited on July 26, 2021). ↑
8. Bethan McKernan, “Emmanuel Macron ‘pushes for Israeli inquiry’ into NSO spyware concerns”, The Guardian, July 25 2021, available at: theguardian.com. (last visited on July 26, 2021). ↑
9. “Pegasus Affair: Macron changes phone, reinforces security in wake of spyware allegations”, FRANCE24, July 22 2021, available at: france24.com(last visited on July 26, 2021). ↑
10. “Morocco files French libel suit over Pegasus spyware claim”, The Times of India, July 23 2021, available at: timesofindia.indiatimes.coms. (last visited on July 26, 2021). ↑
11. “Pegasus: Israel’s NSO Group Behind Spyware Considers Defamation Suit Against ‘Offensive’ Report”, Outlook, July 19 2021, available at: outlookindia.com. (last visited on July 26, 2021). ↑
12. AFP & TOI Staff, “Algeria launches probe of NSO software claim; Saudi Arabia, UAE deny allegations”, July 23 2021, available at: timesofisrael.com (last visited on July 26, 2021). ↑
13. HT Correspondent, “Pegasus: West Bengal becomes first state to order probe”, Hindustan Times, July 26 2021, available at: hindustantimes.com. (last visited on July 26, 2021). ↑
14. “Telegram CEO says Apple, Google also to be ‘blamed’ for Pegasus hack”, The Times of India, July 26 2021, available at: timesofindia.indiatimes.com (last visited on July 26, 2021). ↑
15. Amar Shekhar, “Top 10 Common Hacking Techniques You Should Know About”, FOSSBYTES, April 14 2021, available at: fossbytes.com(last visited on July 26, 2021). ↑