[Translated by Iikka Yli-Kuivila
(ITKST56 course assignment at JYU.FI)]
Herald: Good morning from C-Base, the
space station beyond or under Berlin,
which welcomes you to day 2 of the RC3
streaming. We are starting in a few
seconds with "Catching the NSO Group's
Pegasus spyware". This is something that
has caught attention among the security
and hacker communities over the world in
the last, I would guess, two years or so.
There have been some spectacular cases of
murder, kidnappings, journalists being
threatened, other things. The infamous
software doing this is called Pegasus,
it's marketed by a company known by the
three-letter acronym NSO, whatever this
stands for. And actually, Amnesty
International and its I.T. department, so
to say, has invested quite some effort
into detecting whether a device has been
infected by Pegasus or not. NSO marketed
this, among other things, as so-called
"undetectable", well undetectable as in
software on a device, as we will see, and
our speaker today, Donncha, Donncha O'Cearbhaill
from Ireland and from Amnesty
International, will be presenting how they
developed detection tools for this nasty
piece of spyware that has become so
popular among secret actors, state actors
and others around the world. OK, enough
for the introduction, Donncha, the scene
and the stream are yours. Good morning.

Donncha: Good morning, and thank you for
that introduction. So as the intro said,
today I'd like to talk to you about NSO
group's Pegasus spyware, in particular I'd
like to explain a little bit about how we
at Amnesty have investigated Pegasus over
the past few years and I'll also explain and
demonstrate some of the tools we have
developed and published, so that others can
also investigate and detect Pegasus spyware
potentially on their devices and the
devices of other people in civil society.
So my name is Donncha O'Cearbhaill and I
am a technologist based at the Amnesty
International Security Lab in Berlin with
a small team who focuses on investigating
targeted digital threats such as spyware,
phishing and other kinds of surveillance
that's directed against civil society and
human rights defenders around the world.
So as the intro said, Pegasus has got a
lot of attention in the past few months.
So you may have seen the Pegasus Project
revelations that were published in July
during the summer. The Pegasus Project was
a global investigation into abuses linked
to NSO group's Pegasus spyware. This
investigation was based on a leaked
dataset of 50,000 potential Pegasus
targets, which Amnesty International and
Forbidden Stories had access to, and so
this global media investigation was
coordinated by Forbidden Stories, with the
participation of about 80 journalists from
17 different media organisations around
the world. During the Pegasus Project,
Amnesty International took the role of a
technical partner, and the focus for
Amnesty International was to perform
detailed innovative forensic analysis on
the devices of potential targets, and
through this kind of forensic analysis and
this technical work we were able to
identify traces of Pegasus, either
targeting or infecting online devices. So
over a multi-month project Amnesty
Security Lab analyzed about 67 devices,
and from these 67 devices of potential
targets at least 37 showed clear traces of
Pegasus targeting or infection. So this is
really quite a high number of
infected devices, and these devices
included journalists, activists,
opposition political figures, all kinds of
people who were being unlawfully
surveilled using Pegasus. Overall, of the
phones we have checked, which were iPhones
and which hadn't been replaced, which took
data of the targeting, more than 80
percent of the phones that were on this
list of potential targets showed traces of
Pegasus. So in July these stories came out
and they highlighted cases of civil
society being targeted, such as
journalists in Hungary, activists in
Morocco, activist Saudi Arabian
dissidents, also family members of Jamal
Khashoggi, which the investigation showed
had been targeted with Pegasus spyware
both before and after his brutal
murder. So, yeah, you can go and
read many of these stories online. Today
I'd like to focus on how we got
there, how we developed these
tools, how we developed this methodology
for finding Pegasus. And also to explain
about how you can also go and do this kind
of searching for Pegasus and for
other mobile spyware. So let's take a step
back for a second and ask, so what exactly
is Pegasus? Its name is well known, but
what exactly is the software and how does
it work? OK, so first thing to remember is
that actually, while Pegasus has
become more well known in the last two
years, it's not actually a new
tool or a new product. So we know Pegasus
has been around and then developed by NSO
Group since at least 2010. And on the left
hand side here, the diagram, you can see a
Pegasus brochure from 2010 where it
describes how Pegasus can be installed on
BlackBerry devices. And we believe the
original version of Pegasus was focused on
BlackBerry because back in 2010,
smartphones were less prevalent than they
are now. BlackBerry is kind of a key
target for some of the security
agencies who may want to buy this kind of
spyware. So it developed over time here on
the right hand side, we can see some
diagrams that were from a leaked Pegasus
brochure that was published in 2014. In
the first diagram, here it talks about how
Pegasus is installed on a phone. In this
example, it's showing how a Pegasus kind
of infection link can be sent over SMS to
the target device. And then if opened how
the data can be collected and passed back
to the operator of the Pegasus
software. That's just one example
from their own diagrams. Here in the
circle below, you'll see a little bit of
what Pegasus claims to be able to monitor.
And if you look at it, you can see it's
basically everything on the device. So
it's talking about collecting email
addresses, collecting SMS messages,
tracking location data, even reading the
calendar, turning on the microphone of the
phone. And so bear in mind while this
diagram is quite old, it's like six or
seven years old, you get an idea of what
kind of data the Pegasus software will try
to collect from the phone. It's basically,
it collected every kind of data on the
phone that might be of interest to
somebody who is carrying out the
surveillance. One important thing to
remember is that the Pegasus spyware is
able to get very kind of deep access to
the phone, so it's fundamentally able to
access everything on the phone that the
user is able to access and more. So even
if you're using a messaging app such as
Signal or Telegram, which may be
encrypted, the Pegasus software is able to
access that data and those messages before
they're encrypted on the device. So even
once the spyware is running on the phone
itself, none of these encrypted messaging
apps will help because it has such low
level access to the device. So it's a
little bit about what exactly Pegasus
tries to collect and what
people can do with it using the
Pegasus software. So where exactly did the
investigations into Pegasus start? So we
go back as far as 2016, which was when Pegasus
was first kind of identified in the wild,
being used to target an activist.
So in this case, in 2016, Pegasus was
first found by Citizen Lab. Citizen lab
is a group of researchers based in the
University of Toronto in Canada, who also
work on investigating spyware targeting
civil society. So in this case, a UAE
based human rights defender named Ahmed
Mansoor began to receive suspicious
messages over SMS. So you can see some
screenshots of the messages on the right.
So Ahmed Mansoor was cautious about these
because in the past he had previously been
targeted with other kinds of spyware
tools, including Finfisher.
So when he began to receive these
messages, he was cautious about them
and he shared them with Citizen Lab, who
then began to investigate them. So what
Citizen Lab realized is that these looked
to be an attack message, and they opened
these attack links on their own testing
phone. When they did this they were able to
capture the exploit that was being
delivered over these links and were also
able to capture a copy of the Pegasus
payload. So what happens when these links
are opened is that the link is opened in a
web browser such as Safari. When the link
is opened, the Pegasus server would return
some JavaScript, some code that would
exploit an unknown flaw in the Safari web
browser, and by kind of manipulating the
Safari web browser and exploiting this
unknown flaw they could then get their
own code to start running inside this web
browser. And eventually, with the help of
some additional flaws, they could then get
more privileged access on the iPhone and
eventually install the full Pegasus
payload. So, yes, Citizen Lab first found
it in 2016, it was a very important
discovery and it showed just how
serious some of the threats facing civil
society were. That there were people
willing to use these kinds of very
expensive exploits to start targeting
human rights defenders who are just doing
their human rights work. Unfortunately,
after this, Ahmed Mansoor continued to get
harassed, and he was sentenced to prison,
and he's currently still in prison,
since 2017. So for about four years now.
So when did we at Amnesty start
investigating this. So our team has been
investigating these kinds of threats for a
while, but really we started focusing on
NSO and investigating NSO in 2018 after an
Amnesty colleague of ours started to
receive some suspicious messages. So this
colleague received in May 2018
this message you can see here on
the left. The message is written in
Arabic. But it claims that there
is going to be a protest happening shortly
outside the Saudi Arabian Embassy. And
they asked the Amnesty staff member to
support the protest and then to click on
this link for more information. So
fortunately, our Amnesty colleague, when
they received this message, they got quite
suspicious. They were like, this is just
weird, I don't know this person. And so
they shared a screenshot of this message
with us at the Amnesty Security Lab, and
we began to investigate. So quite quickly
when we started looking at this domain
name and the server, and we agreed it
looked kind of suspicious. And we also
managed to identify some additional
domains and servers that were related to
this original akhbar-arabia domain. And
quite quickly, it started to appear to us
that this was indeed something suspicious,
and maybe it was some kind of an attack
message. So at the time, we didn't know it
was necessarily NSO Group. By looking at
the original and initial servers here. We
managed to create kind of a fingerprint,
so some way of identifying the particular
configuration of the domain name and the
server sent inside of this message. With
the aid of this fingerprint, we then began
to do what's called an internet scan. So
we connected to every single server on
the Internet, sent a particular request
and then found any other server on the
Internet that matched this particular
fingerprint, this particular configuration
from this server. So by doing this
internet scanning, what we found was 600
different domains all across the Internet
that matched this fingerprint and that
appeared to be related to the same kinds
of attacks. So what was really
key is that we found that these
domains were actually related to Pegasus
because NSO Group had made one kind of key
mistake or key flaw when they were setting
up this infrastructure. So what happened
is that, as described earlier, Citizen Lab
had previously identified servers being
used by NSO Group in 2016. After the
exposé in 2016 NSO shut down all of
these domains and infrastructure. And then
began to set up new kind of infrastructure
that would not be related to NSO or not
linkable to NSO. Fortunately they made a
mistake because they had reused one domain
name from the previous set of
infrastructure, and it was also being used in this
new infrastructure. So by finding this one
domain out of 600 that had previously been
in use by NSO, we were able to show
that these 600 domains were also related
to Pegasus. And so we were able to show that
this message that was sent to our Amnesty
International colleague was indeed related
to Pegasus and was an attempt to
compromise their device. So we published
these findings in August 2018, and at that
time we also identified that another set of
Saudi Arabian activists had similarly been
targeted with a Pegasus exploit message
over WhatsApp. Following this, Amnesty
International also supported a legal
action in Israel, which asked the Israeli
Ministry of Defense to revoke NSO's export
licenses, to prevent this Pegasus software
being sold to countries that would abuse
it to target Amnesty and also target other
human rights activists. Unfortunately
later the Israeli court rejected the legal
complaint and said that the Israeli
Ministry of Defense had adequate
safeguards in place to prevent NSO's
exports being sold to countries who would
abuse it. Here in the bottom on the left,
you can see a chart
which shows the number of Pegasus servers
online at the time. You can see here that
when we published this report NSO acted
quite quickly to shut down all 500 or 600
servers that were being used to deliver
Pegasus. So this just shows that, you
know, NSO is kind of reading this
research and paying attention to it. It
is trying to avoid getting their
infrastructure and servers discovered
by researchers who are investigating these
kinds of abuses. So this is back in
2018, so after discovering this attack
against an Amnesty staff member we at
Amnesty continued trying to investigate
Pegasus to try to find more cases of
abuse. We next found Pegasus targeting
happening in Morocco in 2019. So you can
see here on the right. This time, we found
that a Moroccan human rights defender
named Maati Monjib was being targeted
repeatedly with Pegasus. When we checked
his phone, we found that he had some
suspicious messages there. The
messages claimed that there is some
scandal or some news story, and they're
asking the target to click on these links
to find out more information. So when we
looked at these links, we knew
immediately that they were Pegasus links,
because we had previously identified these
domains as one of the 600 domains, that
were being used in 2018. So for example,
you can see that in the second message on
the right, we see the domain
videosdownload.co. We knew it was Pegasus
because we'd previously identified and
published this domain in 2018. So this
time we knew Maati was being targeted with
Pegasus, but we realized we needed to do
some more investigation to see if his
phone was indeed compromised that we could
collect more information from his device.
So when we did this, we actually found
something quite interesting on Maati's
phone because we found what we believed
was evidence of a new type of a targeting
on his phone. Instead of relying on the
target being tricked into clicking on a
link, which is maybe not reliable, or maybe
the target can see something is
suspicious, we instead saw them using
what's called a network injection attack.
So how a network injection attack works
is like this: So network injection
involves having some kind of equipment or
software running with access to the
internet connection of the mobile device.
So this can either be at the mobile phone
network or potentially having some
software or hardware running on the same
Wi-Fi network as the target. And what it
does is when the target is browsing the
web on their phone, eventually, the target
browses and clicks on a link that goes to a
regular http website, so without https. So
when this regular http request is made,
the software that's running on the
upstream network can see this http
request. And when the http request
happens, instead of
returning the correct response, the correct
content, it can return an http
redirect. And the http redirect will then
send the browser of the phone to a
malicious exploit site, which can then
hack the phone. So in the case of Maati,
we found that he had tried to go and check
his email and typed in Yahoo.fr in his
browser. When he typed in Yahoo.fr, the
software running on the upstream
network saw this cleartext connection and
then redirected his phone to this exploit
link we see above. So you see the domain
is quite suspicious:
"get1tn0w.free247downloads.com". And
again, it has some random characters at
the end, which looks like a kind of an
exploit link. So at the time, we suspected
that this was Pegasus, and it was a
new way of delivering Pegasus without
tricking the user into clicking on a link.
But we weren't certain that it was
Pegasus, potentially it was some other
kind of spyware. Fortunately for us NSO
helped to confirm that this really was
Pegasus, because before we published this
report, Amnesty wrote to NSO Group sharing
our findings and interestingly one day
after we shared the findings with NSO this
spyware server got shut down and went
offline. And this is already a week before
the report was made publicly available. So
that kind of confirmed to us that NSO
really was controlling this infrastructure
and were able to get it shut down even when
we'd only privately shared this
information with NSO. A bit later, we
found some more information about how this
attack may have been done. NSO, at a trade
fair, was demonstrating some new type of
hardware they had developed, which you can
see here on the photo on the right. And we
believe this photo is of some kind of
IMSI catcher or fake base station, which
can run a fake mobile phone network. And
then the target's phone, so Maati's, could
connect to this fake mobile phone base
station. And from that position, it could
be possible for NSO to redirect the phone
to a malicious exploit link.
So we're not sure what happened in this
case, if this was the device that was used.
But we believe NSO was demonstrating
or testing these kinds of what are called
tactical infection methods. So this was
where our findings were in Morocco - we
started to realize that actually relying
on checking for SMS messages, checking for
links or relying on people coming to us
with something suspicious wasn't going to
work anymore because we began to see what
were called zero-click attacks. And so all
a zero-click attack is, is any way of
infecting a device that doesn't rely on
some interaction from the user. Doesn't
rely on the user clicking on a link. So we
can see here are some examples of other
zero-click attacks that have been
discovered over the past couple of years.
I guess one of the first ones here was in
2019, where NSO Group developed an exploit
for WhatsApp, and it was then used
by their customers to target at least 1400
different people around the world. How
it worked is that the
target simply had to receive a call over
WhatsApp, even a missed call, and the
exploit would be able to compromise their
phone without the user clicking
anything. As I described earlier, we saw
these kinds of network injection attacks
happen, and then later in 2020, Citizen
Lab also found an iMessage zero-day being
used to again compromise iPhone users
without any interaction in 2020. So from
our own investigations, we have found that
NSO has been using various zero-click
exploits since at least summer 2017 until
July of this year. So we know it's not
something that's quite new for NSO
but at least it's something we've
started only recently discovering in the
past few years. And we've seen, NSO
putting a lot of focus into developing
these kinds of complicated but very
powerful zero-click exploits. So now that
we know that NSO and their customers are
using these kind of zero-click attacks, we
realized we needed to do something kind of
more advanced to try and find these cases
of surveillance. The big
problem with mobile devices is a lack of
visibility, whereas on desktop or laptop
computers, we have antivirus available or
we have EDR systems available. There
really is nothing similar that was
available for mobile devices. So these
kinds of attacks, especially zero-click
attacks, are often going undetected. We
got to investigate this. We realized that
it was difficult to perform forensics on
mobile devices. It's actually not
impossible. We were somewhat surprised to
realize that iPhones actually allow a
significant amount of relevant data to be
extracted from the phones themselves in
the form of an iPhone backup. And so it's
actually quite - quite possible to start
doing a forensic analysis on iPhones.
Unfortunately, Android devices we found
were much more limited because of
restrictions on the Android operating
system. It isn't possible to extract much
data in an Android backup, and so all
we've really been able to do on Android is
to simply check the SMS messages and maybe
the browser history for some traces of -
of targeting. But again, much
less data is available on Android
compared to iPhones. The other big problem
we realized is that there's a lack
of any kinds of public tools for
consensual mobile forensics. All of the
forensic tools that are out there are
designed for people to extract data
from phones that they don't own, or
phones that have been seized, or phones that are
somehow otherwise obtained. There are
no tools available to really check
your own phone for signs of spyware. So
this is where the Mobile Verification
Toolkit comes into play. So - MVT - it is
a public tool developed by Amnesty
International and designed to simplify the
process of analyzing mobile devices for
traces of spyware. And here it's available
on GitHub, you can go check it out. And
just to highlight: all of the
cases of Pegasus targeting I've described
previously, and all the cases and traces
that are presented in the rest of the
presentation, have been found
using MVT. So MVT really works to
detect advanced spyware, including spyware
using zero-click, zero-day exploits and
really sophisticated stuff such as
Pegasus. So while all of these different
spyware vendors try to say: "Our thing is
undetectable": It is definitely advanced,
they definitely spent a lot of money in
developing this stuff, but it's not magic.
And if you're careful and diligent about
checking the traces, there's always
mistakes that are made. There's always
ways of identifying potential suspicious
behavior on these devices. And MVT is
written in Python, it's very easy to
install, and if you have pip, you can just
run "pip3 install mvt". And here's how
it's used. Again, it's very
straightforward. To check an iPhone, you
simply make a backup of the iPhone and you
run this one command so it'll be "mvt-ios
check-backup" and then you provide the
backup folder. In the command here we also
see what's called a STIX file. So a .stix
file is simply a file containing
indicators. These may be things like domain names
or IP addresses, or process names that are
known to be linked to a spyware tool. And
so MVT is a generic tool. It can be
used with Pegasus indicators, but it also
can be used with indicators for other
spyware tools and could be used to detect
other spyware. So MVT is a modular
framework, it has modules for parsing
different kinds of databases such as SMS
messages or browser history or other kinds
of files on the device. I'm going to go
through and explain a few of the modules
that are available in MVT and show how
this can be used to find traces of
Pegasus or other similar spyware tools. So
one module that is quite useful is the SMS
module, which is quite straightforward, it
simply reads the SMS database in the iPhone
backup to extract all of the links from
the SMS messages and check if any of those
SMS messages contain links to known
malicious domains. So in this case, we're
checking a backup that was targeted with
Pegasus, and we see that
there are multiple domains that are found
and are tied to Pegasus. We see
revolution-news.co and stopsms.biz, and
from what we know of NSO we've seen these
kinds of exploit SMS used primarily
between 2016 and 2018. We've also seen
Pegasus links as far back as 2014, and as
recently as 2020. So this has been quite
common and I - if these zero-click attacks
are not available, I think we'll still see
these kinds of exploit links being sent in
SMS. So another data source that's quite
useful and quite helpful for finding
traces of targeting is the Safari browser
history. So what we've seen is
traces of exploits
being recorded in Safari browser history,
especially after a network injection
attack. So in this case, while there's no
link in SMS when a network injection
attack happens the exploit server domain
will be recorded in the browser history.
And so by checking the browser history, we
may be able to find evidence that this
attack happened. So on the right here you
can see a screenshot and this screenshot
was actually taken by Moroccan journalist
Omar Radi when he was being targeted with
one of these network injection attacks in
Morocco. So when he was browsing the web
he clicked the link and then instantly
redirected into this web page. And when
this screenshot was taken, it was actually
running the JavaScript trying to exploit
his phone. So unfortunately, following the
publication of this research Omar Radi was
repeatedly harassed by the Moroccan
authorities and then he was eventually
jailed after an unfair trial, and he's
currently in jail.
So another file quite useful in our
investigations is something called the ID
status cache file. So the ID status cache
file is a file on iPhones, and it can
track traces of any iCloud accounts
which interacted with the device. This can
be interacting with the device over a
bunch of different Apple services,
including iMessage, AirDrop, Apple Photos.
And so what is really useful about this
file is that it showed us which malicious
accounts, which kind of Pegasus related
accounts had been targeting a particular
device. So what we know about Pegasus - we
believe that these malicious accounts
have been set up and have been used by
one individual Pegasus customer. So you
can see here in the first row, we see this
email address linakeller and we saw
this account being used to deliver an
iMessage zero-day to quite a number of
different activists. So we've seen it
used to deliver exploits to two different
Moroccan activists and a couple of French
political figures. So by looking at
which individuals have been targeted by
the same account, by the same
customer, we were able to kind of get a
better idea of who that customer might be
and have some idea about the attribution
for that attack. The same
in these other cases, for example we see
the jessicadavies1345 email. This was
found on the phone of two different
Hungarian journalists. Same for the
emmadavies' address and again for this
final address here: williams enny. We
found this on the phone of two different
Hungarian individuals, Hungarian
activists. So this is really useful for us
in our investigation because it really
helped us get a better idea of who might
be behind some of the attacks that we were
seeing. So the previous logs
I showed, about SMS data and browser
history, show kind of traces of
targeting. They show that some of these people had
been sent a malicious link, but they don't
necessarily prove that a phone has been
successfully compromised. So what I will
show now is some of the logs we can use to
show that a device was indeed compromised.
One of these files that was very useful
for us in our investigations was the so-
called data usage file. So the data usage
file in an iPhone is a file that records
information about how much mobile data
traffic each process on the phone has
used. So this may be used to, like help
the iPhone keep track of, you know, which
apps on your phone are using the most of
your mobile data. But what is really
helpful for this is that it actually
recorded the names of some of the Pegasus
processes and how much data each of these
Pegasus processes were using. So from all
we know about NSO's Pegasus, we believe
that when Pegasus is installed on a phone,
it will kind of pick a random name that it
uses to kind of hide itself in running on
the system. Throughout our investigation
we found about 50 different process names
that the Pegasus process was using to try
and hide itself. And once we identified
these process names, then we could go and
look for these known Pegasus
process names on devices of potential
targets. What's more, this database
also shows a timestamp of when this
process name was first kind of started on
the device, when it was last seen on the
device. And also it gives you some kind of
information about how much data this
process transferred. In some cases, this
has been gigabytes of data which shows
that really the Pegasus spyware was
extracting a lot of data from the device.
And again, this is all automated in MVT
so if you check a phone using MVT with the
Pegasus indicators, it'll show quite
clearly if any of these processes have
been found on the device. Another feature
that's been very helpful for us and in our
analysis is the timeline feature of MVT.
So how the Timeline feature works is it
takes all of the different indicators and
modules on the phone, so it checks the
SMS messages, it checks the file
system and every - every event, like every
SMS message, every web browser lookup will
all be recorded in a single file with the
date that it happened. So by looking at
this timeline, we can often see what
different events happened around the same
time as each other, and this can give us
some idea about how attacks
were actually delivered on this device. So
I want to give you just one example
of how this timeline can be used. Just so
you know how to use this timeline in your
own investigations. So this is actually a
demonstration of the phone of a Rwandan
activist who was targeted in June 2021
using the FORCEDENTRY iMessage zero-day.
So we can see here on the timeline that at
8:45 p.m., we see the phone began to
receive some push notifications over
iMessage. So it seems it receives like 46
push notifications. And then what we saw
was that SMS attachments began to be
written to the phone. So in the final line
here, we see that a file is
written to the SMS attachments directory.
And if you look at the end of the line, we
see that the file being written to
disk actually had a .GIF attachment. So at
the time we thought this was something to
do with the exploit somehow. NSO was
delivering their exploit in that GIF file.
If we look a little bit later in the
timeline, we see that about 10 minutes
later, on the same day, a Pegasus process
starts running on the phone. This otpgrefd
process. Shortly afterwards, some
additional files are written on disk and
some more Pegasus processes start. So by
looking at this timeline together, we can
see quite clearly that the phone began to
receive iMessage messages. These GIF
attachments start to be written on the
disk and then about 10 minutes later, the
phone was compromised with Pegasus. So
remember here, there was no
interaction from the user, they didn't
click on any link. As far as we are aware
they didn't even notice anything
happening on the device. These messages
were simply silently being
delivered and after 10 or 20 minutes,
Pegasus began to gain access to the
device. So we've shared some of these
findings with Apple, and then later in
September 2021, Apple - Citizen Lab
identified a copy of this exploit on
the phone of another activist and
they shared it with Apple and Apple
patched this vulnerability in September
2021. So that's a little bit of how MVT
works and how some of this methodology
works to identify Pegasus on a
device. So since we published our forensic
methodology and our tools, many other
groups and organisations have been using
these tools and methodology to check other
devices for signs of Pegasus and found
quite a number of new cases. Here on the
top right you're going to see an example
of another NGO "Frontline Defenders", who
identified six Palestinian human rights
defenders who had their devices hacked
using Pegasus. In another case we see
that the Belgian military intelligence
services used a similar methodology to
check the phones of journalists in
Belgium, and they found that a
Belgian journalist, Peter Verlinden, had
his iPhone hacked, which they suspected
was done by Rwanda. Again, we see another case where
French intelligence services confirmed
that a number of French journalists had
their phones hacked using Pegasus,
again using a similar methodology. So what
I'd like to highlight is MVT can really be
useful in identifying traces of Pegasus, but also
MVT is designed as a kind of generic
mobile forensic tool. So when used with
Pegasus indicators it will find Pegasus,
but it also can be used to go and
proactively search for new kinds of
spyware. So I really recommend that if
you're suspicious that phones may be
targeted with this kind of spyware, you
can use MVT to extract some data and then
dig into it. If the person is a member of
civil society or an activist then Amnesty
and other organisations will be happy to
help support these investigations. And
also, MVT is an open source tool. It's
based on different modules, and so we're
always open to ideas for - for new modules
and new detection ideas to help make this
tool better and better able to detect new
kinds of threats. One thing to remember
about MVT is that it's designed to detect
some kind of spyware. Unfortunately, the
people who develop this spyware, they're
- they're smart people and they read these
reports and they watch these kind of
presentations. And every time we publish
information about how to detect these
kinds of spyware targeting civil society,
the different spyware vendors and actors
will try to improve their tools to avoid
them being detected. They'll try to kind
of upgrade their infrastructure to hide it
again or to better obscure their
activities. So just to give an example,
here's some of the development of NSO's
own infrastructure over time. We see that
after we published - Amnesty published the
report in 2018 NSO infrastructure was shut
down and then later over the next two
years, it began to run more
infrastructure, which was again shut down
after discovery in - in 2021. So it's a
constant arms race. And so while - while
this - these tools are useful to detect
Pegasus now, it's not always going to be
just automatic, and it's important to do
further research to try and identify new
traces of new kinds of attacks. So what is
the future for mobile spyware? So one
thing I'd like to reiterate is that while
we focus a lot on NSO Group and Pegasus in
this research and in this talk, and there
has also been a lot of focus on NSO Group,
it's not the only mobile
spyware out there, and there's definitely
many other players who are trying to get
into the space and trying to also develop
similar kinds of spyware tools, which are
then sold to - to different customers.
We've seen that from this investigation.
We found at least 180 journalists who are
potential targets of Pegasus and many
other human rights activists and
opposition politicians who have been
targeted with these tools over the last number
of years. So far, these threat actors and
these - these state agencies are able to
target activists and civil society with
impunity due to a lack of visibility and
telemetry on mobile platforms. They've
just been getting away with it because
they haven't been detected. So tools such
as MVT can help expose some of these
threats, but they need to be used more
widely and need to be used with more civil
society to really understand the full
scope of these kinds of threats. And it's
also important that industry, the tech
industry and the security industry work
closely with civil society to help detect
and expose these threats because
unfortunately, the people most at risk
from these kinds of really serious attacks
are some of the people who are the least
equipped, both financially and technically
to defend against them. So to conclude,
I think we're going to continue to see
attackers focusing on mobile. Mobile is
where all the data is. No other place
gives you as much insight into somebody's
life and all their innermost
thoughts. Even just having a microphone in
someone's pocket is
such a powerful position to be in that we
think companies and states will continue
trying to develop these kinds of tools. We
know - I think that zero-click exploits
are going to be highly, highly desirable.
So while Apple and others have done a
great job in making attacks against
iMessages more difficult, it's almost
certain that these kinds of cyber
surveillance companies will continue
trying to develop zero-click exploits. If
not for iMessage then maybe for other chat
platforms. I don't know like Signal or
Telegram or WhatsApp, they're going to try
and attack other applications that
activists are using. Unfortunately it's
not possible for activists and civil
society to protect themselves from these
kinds of zero-day attacks from a technical
sense. So we definitely need more active
collaboration between civil society and
key platform vendors to help identify and
defend against these threats. And also, we
urgently need better regulation to prevent
these kinds of really sophisticated
spyware tools being sold to states and
agencies which have a long history of
abusing them to target civil society and
opposition. So thank you all for
listening, and I'm happy to answer some
questions now. If you have some questions,
or if you are a member of civil society
or an activist and are concerned about
surveillance, please feel free to
contact us at share@amnesty.tech
Thank you.
Herald: Thank you Donncha. Thank you from
C-Base. We have already taken some
overtime this early hacker morning. Some
small questions have been popping up
internally here from our tiny
audience at C-Base. We don't have that
much time left. Just can you give us an
indication: What is the pace of this
ongoing war? Do you feel that NSO group is
actively fighting MVT and your tool
development, or didn't you get this
honor yet?
D: Definitely. We've seen, even in the
past year, we saw NSO starting to be more
careful about cleaning up their forensic
traces, and since 2020, they've begun to
already clean some of the traces that
we've been using. And it's clear they've
realized that people are investigating
that there is a risk of people discovering
this stuff, and I feel like after the
revelations of this summer, they're going
to be much more proactively trying to
clean up some of these traces. But as I
said, NSO is one company out there,
there's also many other companies trying
to compete in the same space. So even if
NSO gets better, then, you know, other
companies are still out there and can
still be caught using MVT, and
fundamentally, even if they - they clean
up some traces, for any kind of failed
attacks these traces are still going to
be left around because it won't be
possible for the spyware to clean up
their traces.
H: Uhm-Hmm. So one could still after an
attack eventually, eventually on an old
device years later discover that there had
been some spyware activity, which may be
in the long run interesting information
about dark campaigns and things. So NSO is
not the only actor, there will be more. Do
you feel that there are just copycats in
the market or do you think there will be
completely new threats in the future?
D: So I guess there are always lots
of smart people who work for these
companies who are trying to develop these
tools. Just last - earlier this month,
Citizen Lab published a report about
another cyber surveillance vendor called
Cytrox based in North Macedonia, and they
were selling similar spyware, which is
using kind of one-click attacks using
links to help compromise iPhones and
Android phones. So that's one company
that's competing in this space. There's
other companies doing similar kinds
of targeting, but we believe, you know,
NSO was definitely the biggest company in
this space, and they had a lot of money to
invest in, especially in these kind of
zero-click attacks. So for now, we don't
know if they're a company that's as big or
sophisticated as NSO, but I think many
others will be trying to take their place
if NSO becomes less popular.
H: I see. I see. OK, thank you very much.
We have to go over to the - RC3 morning
show in a few seconds. Thank you very much
for this interesting talk this morning.
Again, share@amnesty.tech is the address
to go to. And this is probably one of the
talks you want to watch again on
media.ccc.de in a few days when it has
been published. So greetings to Ireland.
Thank you very much and we will meet and
see again in real, I hope. Thank you.
D: Thank you very much. Have a good day.
Everything is licensed under CC by 4.0.
And it is all for the community, to download
Subtitles created by c3subtitles.de
in the year 2022. Join, and help us!