[Translated by Iikka Yli-Kuivila (ITKST56 course assignment at JYU.FI)]

Herald: Good morning from C-Base, the space station beyond or under Berlin, which welcomes you to day 2 of the RC3 streaming. We are starting in a few seconds with "Catching the NSO Group's Pegasus spyware". This is something that has caught attention among the security and hacker communities all over the world in the last, I would guess, two years or so. There have been some spectacular cases of murder, kidnappings, journalists being threatened, and other things. The infamous software doing this is called Pegasus; it's marketed by a company known by the three-letter acronym NSO, whatever this stands for. And actually, Amnesty International and its I.T. department, so to say, has invested quite some effort into detecting whether a device has been infected by Pegasus or not. NSO marketed this, among other things, as so-called "undetectable", well, undetectable as in software on a device, as we will see, and our speaker today, Donncha O'Cearbhaill from Ireland and from Amnesty International, will be presenting how they developed detection tools for this nasty piece of spyware that has become so popular among secret actors, state actors and others around the world. OK, enough for the introduction. Donncha, the scene and the stream are yours. Good morning.

Donncha: Good morning, and thank you for that introduction. So as the intro said, today I'd like to talk to you about NSO Group's Pegasus spyware. In particular I'd like to explain a little bit about how we at Amnesty have investigated Pegasus over the past few years, and I'll also explain and demonstrate some of the tools we have developed and published, so that others can also investigate and detect Pegasus spyware, potentially on their devices and the devices of other people in civil society.
So my name is Donncha O'Cearbhaill and I am a technologist based at the Amnesty International Security Lab in Berlin, with a small team who focuses on investigating targeted digital threats such as spyware, phishing and other kinds of surveillance directed against civil society and human rights defenders around the world. So as the intro said, Pegasus has got a lot of attention in the past few months. You may have seen the Pegasus Project revelations that were published in July, during the summer. The Pegasus Project was a global investigation into abuses linked to NSO Group's Pegasus spyware. This investigation was based on a leaked dataset of 50,000 potential Pegasus targets, which Amnesty International and Forbidden Stories had access to, and so this global media investigation was coordinated by Forbidden Stories, with the participation of about 80 journalists from 17 different media organisations around the world. During the Pegasus Project, Amnesty International took the role of a technical partner, and the focus for Amnesty International was to perform detailed, innovative forensic analysis on the devices of potential targets, and through this kind of forensic analysis and this technical work we were able to identify traces of Pegasus either targeting or infecting these devices. So over a multi-month project the Amnesty Security Lab analyzed about 67 devices, and of these 67 devices of potential targets at least 37 showed clear traces of Pegasus targeting or infection. So this is really quite a high number of infected devices, and these devices belonged to journalists, activists, opposition political figures, all kinds of people who were being unlawfully surveilled using Pegasus. Overall, of the phones we checked which were iPhones, which hadn't been replaced and which still had data from the time of the targeting, more than 80 percent of the phones that were on this list of potential targets showed traces of Pegasus.
So in July these stories came out and they highlighted cases of civil society being targeted, such as journalists in Hungary, activists in Morocco, Saudi Arabian dissidents, and also family members of Jamal Khashoggi, who the investigation showed had been targeted with Pegasus spyware both before and after his brutal murder. So, yeah, you can go and read many of these stories online. Today I'd like to focus on how we got there, how we developed these tools, how we developed this methodology for finding Pegasus. And also to explain how you can also go and do this kind of searching for Pegasus and for other mobile spyware. So let's take a step back for a second and ask, what exactly is Pegasus? Its name is well known, but what exactly is the software and how does it work? OK, so the first thing to remember is that actually, while Pegasus has become more well known in the last two years, it's not actually a new tool or a new product. So we know Pegasus has been around and been developed by NSO Group since at least 2010. And on the left hand side here, in the diagram, you can see a Pegasus brochure from 2010 where it describes how Pegasus can be installed on BlackBerry devices. And we believe the original version of Pegasus was focused on BlackBerry because back in 2010, smartphones were less prevalent than they are now. BlackBerry was kind of a key target for some of the security agencies who may want to buy this kind of spyware. So it developed over time. Here on the right hand side, we can see some diagrams that were from a leaked Pegasus brochure that was published in 2014. In the first diagram, it talks about how Pegasus is installed on a phone. In this example, it's showing how a Pegasus infection link can be sent over SMS to the target device, and then, if opened, how the data can be collected and passed back to the operator of the Pegasus software.
That's just one example from their own diagrams. Here in the circle below, you'll see a little bit of what Pegasus claims to be able to monitor. And if you look at it, you can see it's basically everything on the device. So it's talking about collecting email addresses, collecting SMS messages, tracking location data, even reading the calendar, turning on the microphone of the phone. And so bear in mind, while this diagram is quite old, it's like six or seven years old, you get an idea of what kind of data the Pegasus software will try to collect from the phone. It basically collects every kind of data on the phone that might be of interest to somebody who is carrying out the surveillance. One important thing to remember is that the Pegasus spyware is able to get very deep access to the phone, so it's fundamentally able to access everything on the phone that the user is able to access, and more. So even if you're using a messaging app such as Signal or Telegram, which may be encrypted, the Pegasus software is able to access that data and those messages before they're encrypted on the device. So once the spyware is running on the phone itself, none of these encrypted messaging apps will help, because it has such low level access to the device. So that's a little bit about what exactly Pegasus tries to collect and what people can do with it using the Pegasus software. So where exactly did the investigations into Pegasus start? We go back as far as 2016, which was when Pegasus was first identified in the wild being used to target an activist. So in this case, in 2016, Pegasus was first found by Citizen Lab. Citizen Lab is a group of researchers based at the University of Toronto in Canada, who also work on investigating spyware targeting civil society. So in this case, a UAE based human rights defender named Ahmed Mansoor began to receive suspicious messages over SMS.
So you can see some screenshots of the messages on the right. Ahmed Mansoor was cautious about these because in the past he had previously been targeted with other kinds of spyware tools, including FinFisher. So when he began to receive these messages, he was cautious about them and he shared them with Citizen Lab, who then began to investigate them. What Citizen Lab realized is that these looked to be attack messages, and they opened these attack links on their own testing phone. When they did this they were able to capture the exploit that was being delivered over these links and also able to capture a copy of the Pegasus payload. So what happens when these links are opened is that the link is opened in a web browser such as Safari. When the link is opened, the Pegasus server would return some JavaScript, some code that would exploit an unknown flaw in the Safari web browser, and by manipulating the Safari web browser and exploiting this unknown flaw they could then get their own code to start running inside this web browser. And eventually, with the help of some additional flaws, they could then get more privileged access on the iPhone and eventually install the full Pegasus payload. So, yes, Citizen Lab first found it in 2016. It was a very important discovery and it showed just how serious some of the threats facing civil society were: that there were people willing to use these kinds of very expensive exploits to start targeting human rights defenders who are just doing their human rights work. Unfortunately, after this, Ahmed Mansoor continued to get harassed, and he was sentenced to prison, and he's currently still in prison, since 2017. So for about four years now. So when did we at Amnesty start investigating this?
So our team has been investigating these kinds of threats for a while, but really we started focusing on NSO and investigating NSO in 2018, after an Amnesty colleague of ours started to receive some suspicious messages. So this colleague received, in May 2018, this message you can see here on the left. The message is written in Arabic, but it claims that there is going to be a protest happening shortly outside the Saudi Arabian Embassy. And they asked the Amnesty staff member to support the protest and then to click on this link for more information. So fortunately, our Amnesty colleague, when they received this message, got quite suspicious. They were like, this is just weird, I don't know this person. And so they shared a screenshot of this message with us at the Amnesty Security Lab, and we began to investigate. So quite quickly we started looking at this domain name and the server, and we agreed it looked kind of suspicious. And we also managed to identify some additional domains and servers that were related to this original akhbar-arabia domain. And quite quickly, it started to appear to us that this was indeed something suspicious, and maybe it was some kind of an attack message. So at the time, we didn't know it was necessarily NSO Group. By looking at the original and initial servers here, we managed to create kind of a fingerprint, so some way of identifying the particular configuration of the domain name and the server sent inside of this message. With the aid of this fingerprint, we then began to do what's called an internet scan. So we connect to every single server on the Internet, send a particular request and then find any other server on the Internet that matched this particular fingerprint, this particular configuration from this server.
So by doing this internet scanning, what we found was 600 different domains all across the Internet that matched this fingerprint and that appeared to be related to the same kinds of attacks. What was really key is that we found that these domains were actually related to Pegasus, because NSO Group had made one key mistake or key flaw when they were setting up this infrastructure. So what happened is that, as described earlier, Citizen Lab had previously identified servers being used by NSO Group in 2016. After the exposé in 2016 NSO shut down all of these domains and infrastructure, and then began to set up new infrastructure that would not be related to NSO or linkable to NSO. Fortunately they made a mistake, because they had reused one domain name from the previous set of infrastructure and it was also being used in this new infrastructure. So by finding this one domain out of 600 that had previously been in use by NSO, we were able to show that these 600 domains were also related to Pegasus. And so we were able to show that this message that was sent to our Amnesty International colleague was indeed related to Pegasus and was an attempt to compromise their device. So we published these findings in August 2018, and at that time we also identified that another Saudi Arabian activist had similarly been targeted, with a Pegasus exploit message over WhatsApp. Following this, Amnesty International also supported a legal action in Israel, which asked the Israeli Ministry of Defense to revoke NSO's export licenses, to prevent this Pegasus software being sold to countries that would abuse it to target Amnesty and also target other human rights activists. Unfortunately, later the Israeli court rejected the legal complaint and said that the Israeli Ministry of Defense had adequate safeguards in place to prevent NSO's exports being sold to countries who would abuse it. Here at the bottom on the left, you can see that.
You can see a chart which shows the number of Pegasus servers online at the time. You can see here that when we published this report NSO acted quite quickly to shut down all 500 or 600 servers that were being used to deliver Pegasus. So this just shows that, you know, NSO is reading this research and paying attention to it. It is trying to avoid getting their infrastructure and servers discovered by researchers who are investigating these kinds of abuses. So this was back in 2018. After discovering this attack against an Amnesty staff member, we at Amnesty continued trying to investigate Pegasus to try to find more cases of abuse. We next found Pegasus targeting happening in Morocco in 2019. So you can see here on the right. This time, we found that a Moroccan human rights defender named Maati Monjib was being targeted repeatedly with Pegasus. When we checked his phone, we found that he had some suspicious messages there. The messages claimed that there is some scandal or some news story, and they're asking the target to click on these links to find out more information. So when we looked at these links, we knew immediately that they were Pegasus links, because we had previously identified these domains as among the 600 domains that were being used in 2018. So for example, you can see that in the second message on the right, we see the domain videosdownload.co. We knew it was Pegasus because we'd previously identified and published this domain in 2018. So this time we knew Maati was being targeted with Pegasus, but we realized we needed to do some more investigation to see if his phone was indeed compromised and to collect more information from his device. So when we did this, we actually found something quite interesting on Maati's phone, because we found what we believed was evidence of a new type of targeting on his phone.
Instead of relying on the target being tricked into clicking on a link, which is maybe not reliable, or maybe the target can see something is suspicious, we instead saw them using what's called a network injection attack. So how a network injection attack works is like this: network injection involves having some kind of equipment or software running with access to the internet connection of the mobile device. So this can either be at the mobile phone network, or potentially having some software or hardware running on the same Wi-Fi network as the target. And what it does is, when the target is browsing the web on their phone, eventually the target browses and clicks on a link that goes to a regular http website, so without https. So when this regular http request is made, the software that's running on the upstream network can see this http request. And when the http request happens, instead of returning the correct response, the correct content, it returns an http redirect. And the http redirect will then send the browser of the phone to a malicious exploit site, which can then hack the phone. So in the case of Maati, we found that he had tried to go and check his email and typed in Yahoo.fr in his browser. When he typed in Yahoo.fr, the software running on the upstream network saw this cleartext connection and then redirected his phone to this exploit link we see above. So you see the domain is quite suspicious: "get1tn0w.free247downloads.com". And again, it has some random characters at the end, which looks like a kind of an exploit link. So at the time, we suspected that this was Pegasus, and it was a new way of delivering Pegasus without tricking the user into clicking on a link. But we weren't certain that it was Pegasus; potentially it was some other kind of spyware.
Fortunately for us NSO helped to confirm that this really was Pegasus, because before we published this report, Amnesty wrote to NSO Group sharing our findings, and interestingly, one day after we shared the findings with NSO this spyware server got shut down and went offline. And this was already a week before the report was made publicly available. So that kind of confirmed to us that NSO really was controlling this infrastructure and was able to get it shut down even when we'd only privately shared this information with NSO. A bit later, we found some more information about how this attack may have been done. NSO, at a trade fair, was demonstrating some new type of hardware they had developed, which you can see here in the photo on the right. And we believe this photo is of some kind of IMSI catcher or fake base station, which can run a fake mobile phone network. And then the target's phone, so Maati's phone, could connect to this fake mobile phone base station. And from that position, it could be possible for NSO to redirect the phone to a malicious exploit link. So we're not sure what happened in this case, if this was the device that was used. But we believe that NSO is demonstrating or testing these kinds of what are called tactical infection methods. So this was where our findings were in Morocco. We started to realize that actually relying on checking for SMS messages, checking for links or relying on people coming to us with something suspicious wasn't going to work anymore, because we began to see what are called zero-click attacks. And so all a zero-click attack is, is any way of infecting a device that doesn't rely on some interaction from the user, doesn't rely on the user clicking on a link. So we can see here some examples of other zero-click attacks that have been discovered over the past couple of years.
I guess one of the first ones here was in 2019, where NSO Group developed an exploit for WhatsApp, and it was then used by their customers to target at least 1400 different people around the world. How it worked is that the target simply had to receive a call over WhatsApp, even a missed call, and the exploit would be able to compromise their phone without them clicking anything. As I described earlier, we saw these kinds of network injection attacks happen, and then later in 2020, Citizen Lab also found an iMessage zero-day being used to again compromise iPhone users without any interaction. So from our own investigations, we have found that NSO has been using various zero-click exploits since at least summer 2017 until July of this year. So we know it's not something that's quite new for NSO, but at least it's something we've started only recently discovering, in the past few years. And we've seen NSO putting a lot of focus into developing these kinds of complicated but very powerful zero-click exploits. So now that we know that NSO and their customers are using these kinds of zero-click attacks, we realized we needed to do something more advanced to try and find these cases of surveillance. The big problem with mobile devices is a lack of visibility, whereas on desktop or laptop computers, we have antivirus available or we have EDR systems available. There really is nothing similar that was available for mobile devices. So these kinds of attacks, especially zero-click attacks, are often going undetected. When we got to investigate this, we realized that it was difficult to perform forensics on mobile devices. It's actually not impossible. We were somewhat surprised to realize that iPhones actually allow a significant amount of relevant data to be extracted from the phones themselves in the form of an iPhone backup. And so it's actually quite possible to start doing a forensic analysis on iPhones.
Unfortunately, Android devices we found were much more limited, because of restrictions on the Android operating system. It isn't possible to extract much data in an Android backup, and so all we've really been able to do on Android is to simply check the SMS messages and maybe the browser history for some traces of targeting. But again, much less data is available on Androids compared to iPhones. The other big problem we realized is that there's a lack of any kinds of public tools for consensual mobile forensics. All of the forensic tools that are out there are designed for people to extract data from phones that they don't own, or phones that have been seized, or phones that are somehow otherwise obtained. There are no tools available to really check your own phone for signs of spyware. So this is where the Mobile Verification Toolkit comes into play. So MVT is a public tool developed by Amnesty International and designed to simplify the process of analyzing mobile devices for traces of spyware. And it's available on GitHub, you can go check it out. And just to highlight: all of the cases of Pegasus targeting I've described previously, and all the cases and traces that are presented in the rest of the presentation, all of these have been found using MVT. So MVT really works to detect advanced spyware, including spyware using zero-click, zero-day exploits and really sophisticated stuff such as Pegasus. So while all of these different spyware vendors try to say: "Our thing is undetectable": it is definitely advanced, they definitely spent a lot of money developing this stuff, but it's not magic. And if you're careful and diligent about checking the traces, there are always mistakes that are made. There are always ways of identifying potentially suspicious behavior on these devices. And MVT is written in Python, it's very easy to install, and if you have pip, you can just do a "pip3 install mvt".
And here's how it's used. Again, it's very straightforward. To check an iPhone, you simply make a backup of the iPhone and you run this one command, so it'll be "mvt-ios check-backup" and then you provide the backup folder. In the command here we also see what's called a STIX file. So a .stix file is simply a file containing indicators. These may be domain names or IP addresses or process names that are known to be linked to a spyware tool. And so MVT is a generic tool. It can be used with Pegasus indicators, but it also can be used with indicators for other spyware tools and could be used to detect other spyware. So MVT is a modular framework; it has modules for parsing different kinds of databases such as SMS messages or browser history or other kinds of files on the device. I'm going to go through and explain a few of the modules that are available in MVT and show how this can be used to find traces of Pegasus or other similar spyware tools. So one module that is quite useful is the SMS module, which is quite straightforward: it simply reads the SMS database in the iPhone backup to extract all of the links from the SMS messages and check if any of those SMS messages contain links to known malicious domains. So in this case, we're checking a backup of a phone that was targeted with Pegasus, and we see that there are multiple domains that are found and are tied to Pegasus. We see this revolution-news.co, stopsms.biz, and from what we know of NSO we've seen these kinds of exploit SMS used primarily between 2016 and 2018. We've also seen Pegasus links as far back as 2014, and as recently as 2020. So this has been quite common and, if these zero-click attacks are not available, I think we'll still see these kinds of exploit links being sent in SMS. So another data source that's quite useful and quite helpful for finding traces of targeting is the Safari browser history.
So what we've seen is traces of exploits being recorded in the Safari browser history, especially after a network injection attack. So in this case, while there's no link in SMS, when a network injection attack happens the exploit server domain will be recorded in the browser history. And so by checking the browser history, we may be able to find evidence that this attack happened. So on the right here you can see a screenshot, and this screenshot was actually taken by Moroccan journalist Omar Radi when he was being targeted with one of these network injection attacks in Morocco. So when he was browsing the web he clicked a link and was then instantly redirected to this web page. And when this screenshot was taken, it was actually running the JavaScript trying to exploit his phone. So unfortunately, following the publication of this research Omar Radi was repeatedly harassed by the Moroccan authorities and then he was eventually jailed after an unfair trial, and he's currently in jail. So another file quite useful in our investigations is something called the ID status cache file. The ID status cache file is a file on iPhones, and it can track traces of any iCloud accounts which interacted with the device. This can be interacting with the device over a bunch of different Apple services, including iMessage, AirDrop, Apple Photos. And what is really useful about this file is that it showed us which malicious accounts, which Pegasus related accounts, had been targeting a particular device. So what we know about Pegasus: we believe that these malicious accounts have been set up and have been used by one individual Pegasus customer. So you can see here in the first row, we see this email address linakeller, and we saw this account being used to deliver an iMessage zero-day to quite a number of different activists.
So we've seen it used to deliver exploits to two different Moroccan activists and a couple of French political figures. So by looking at which individuals have been targeted by the same account, by the same customer, we were able to get a better idea of who that customer might be and have some idea about the attribution for that attack. The same in these other cases: for example we see the jessicadavies1345 email. This was found on the phones of two different Hungarian journalists. Same for the emmadavies address and again for this final address here, williams enny. We found this on the phones of two different Hungarian individuals, Hungarian activists. So this is really useful for us in our investigation because it really helped us get a better idea of who might be behind some of the attacks that we were seeing. So the previous logs I showed, about SMS data and browser history, show traces of targeting. They show that someone has been sent a malicious link, but they don't necessarily prove that a phone has been successfully compromised. So what I will show now is some of the logs we can use to show that a device was indeed compromised. One of these files that was very useful for us in our investigations was the so-called data usage file. The data usage file in an iPhone is a file that records information about how much mobile data traffic each process on the phone has used. So this may be used to help the iPhone keep track of, you know, which apps on your phone are using the most of your mobile data. But what is really helpful for us is that it actually recorded the names of some of the Pegasus processes and how much data each of these Pegasus processes was using. So from all we know about NSO's Pegasus, we believe that when Pegasus is installed on a phone, it will pick a random name that it uses to hide itself while running on the system.
Throughout our investigation we found about 50 different process names that the Pegasus process was using to try and hide itself. And once we identified these process names, then we could go and look for these known Pegasus process names on the devices of potential targets. What's more, this database also shows a timestamp of when this process name was first started on the device and when it was last seen on the device. And also it gives you some information about how much data this process transferred. In some cases, this has been gigabytes of data, which shows that really the Pegasus spyware was extracting a lot of data from the device. And again, this is all automated in MVT, so if you check a phone using MVT with the Pegasus indicators, it'll show quite clearly if any of these processes have been found on the device. Another feature that's been very helpful for us in our analysis is the timeline feature of MVT. So how the timeline feature works is it takes all of the different indicators and modules on the phone, so it checks the SMS messages, it checks the file system, and every event, like every SMS message, every web browser lookup, will all be recorded in a single file with the date that it happened. So by looking at this timeline, we can often see what different events happened around the same time as each other, and this can give us some idea about how attacks were actually delivered on this device. So I want to give you just one example of how this timeline can be used, just so you know how to use this timeline in your own investigations. So this is actually a demonstration of the phone of a Rwandan activist who was targeted in June 2021 using the FORCEDENTRY iMessage zero-day. So we can see here on the timeline that at 8:45 p.m., we see the phone began to receive some push notifications over iMessage. So it seems it received like 46 push notifications.
And then what we saw was that SMS attachments began to be written to the phone. So in the final line here, we see that a file is written to the SMS attachments directory. And if you look at the end of the line, we see that the file being written to disk was actually a .GIF attachment. So at the time we thought this was something to do with the exploit; somehow NSO was delivering their exploit in that GIF file. If we look a little bit later in the timeline, we see that about 10 minutes later, on the same day, a Pegasus process starts running on the phone, this otpgrefd process. Shortly afterwards, some additional files are written to disk and some more Pegasus processes start. So by looking at this timeline together, we can see quite clearly that the phone began to receive iMessage messages, these GIF attachments started to be written to the disk, and then about 10 minutes later the phone was compromised with Pegasus. So remember here, there was no interaction from the user; they didn't click on any link. As far as we are aware, they didn't even notice anything happening on the device. These messages were simply silently delivered, and after 10 or 20 minutes, Pegasus began to gain access to the device. So we shared some of these findings with Apple, and then later in September 2021, Citizen Lab identified a copy of this exploit on the phone of another activist and they shared it with Apple, and Apple patched this vulnerability in September 2021. So that's a little bit of how MVT works and how some of this methodology works to identify Pegasus on a device. So since we published our forensic methodology and our tools, many other groups and organisations have been using these tools and methodology to check other devices for signs of Pegasus, and they have found quite a number of new cases.
Here on the top right you can see an example of another NGO, Front Line Defenders, who identified six Palestinian human rights defenders who had their devices hacked using Pegasus. In another case we see that the Belgian military intelligence services used a similar methodology to check the phones of journalists in Belgium, and they found that a Belgian journalist, Peter Verlinden, had his iPhone hacked, they suspected by Rwanda. Again, we see another case where French intelligence services confirmed that a number of French journalists had their phones hacked using Pegasus, again using a similar methodology.

So what I'd like to highlight is that MVT can really be useful in identifying traces of Pegasus, but MVT is also designed as a kind of generic mobile forensic tool. So when used with Pegasus indicators it will find Pegasus, but it can also be used to go and proactively search for new kinds of spyware. So I really recommend that if you're suspicious that phones may be targeted with this kind of spyware, you can use MVT to extract some data and then dig into it. If the person is a member of civil society or an activist, then Amnesty and other organisations will be happy to help support these investigations. And also, MVT is an open source tool. It's based on different modules, and so we're always open to ideas for new modules and new detection ideas to help make this tool better and better able to detect new kinds of threats.

One thing to remember about MVT is that it's designed to detect some kinds of spyware. Unfortunately, the people who develop this spyware are smart people, and they read these reports and they watch these kinds of presentations. And every time we publish information about how to detect these kinds of spyware targeting civil society, the different spyware vendors and actors will try to improve their tools to avoid them being detected.
They'll try to upgrade their infrastructure to hide it again or to better obscure their activities. So just to give an example, here's some of the development of NSO's own infrastructure over time. We see that after Amnesty published the report in 2018, NSO infrastructure was shut down, and then later, over the next two years, it began to run more infrastructure, which was again shut down after discovery in 2021. So it's a constant arms race. And so while these tools are useful to detect Pegasus now, it's not always going to be just automatic, and it's important to do further research to try and identify new traces of new kinds of attacks.

So what is the future for mobile spyware? So one thing I'd like to reiterate is that while we focus a lot on NSO Group and Pegasus in this research and in this talk, and there has also been a lot of focus on NSO Group, it's not the only mobile spyware out there, and there are definitely many other players who are trying to get into the space and trying to also develop similar kinds of spyware tools, which are then sold to different customers. We've seen that from this investigation. We found at least 180 journalists who were potential targets of Pegasus, and many other human rights activists and opposition politicians who have been targeted with these tools over the last number of years. So far, these threat actors and these state agencies are able to target activists and civil society with impunity due to a lack of visibility and telemetry on mobile platforms. They've just been getting away with it because they haven't been detected. So tools such as MVT can help expose some of these threats, but they need to be used more widely and need to be used with more of civil society to really understand the full scope of these kinds of threats.
And it's also important that industry, the tech industry and the security industry, work closely with civil society to help detect and expose these threats, because unfortunately the people most at risk from these kinds of really serious attacks are some of the people who are the least equipped, both financially and technically, to defend against them.

So to conclude, I think we're going to continue to see attackers focusing on mobile. Mobile is where all the data is. No other place gives you as much insight into somebody's life and all their innermost thoughts. Even just having a microphone in everybody's pocket is such a powerful position to be in that we think companies and states will continue trying to develop these kinds of tools. I think that zero-click exploits are going to be highly, highly desirable. So while Apple and others have done a great job in making attacks against iMessage more difficult, it's almost certain that these kinds of cyber surveillance companies will continue trying to develop zero-click exploits. If not for iMessage, then maybe for other chat platforms, I don't know, like Signal or Telegram or WhatsApp; they're going to try and attack other applications that activists are using. Unfortunately, it's not possible for activists and civil society to protect themselves from these kinds of zero-day attacks in a technical sense. So we definitely need more active collaboration between civil society and key platform vendors to help identify and defend against these threats. And also, we urgently need better regulation to prevent these kinds of really sophisticated spyware tools being sold to states and agencies which have a long history of abusing them to target civil society and opposition. So thank you all for listening, and I'm happy to answer some questions now.
If you have some questions, or if you are a member of civil society or an activist and are concerned about surveillance, please feel free to contact us at share@amnesty.tech. Thank you.

Herald: Thank you Donncha. Thank you from C-Base. We have already taken some overtime this early hacker morning. There have been some small questions popping up on our internal channel here from our tiny audience at C-Base. We don't have that much time left. Can you just give us an indication: what is the pace of this ongoing war? Do you feel that NSO Group is actively fighting MVT and your tool development, or didn't you get this honor yet?

D: Definitely. We've seen, even in the past year, NSO starting to be more careful about cleaning up their forensic traces, and since 2020 they've already begun to clean some of the traces that we've been using. And it's clear they've realized that people are investigating, that there is a risk of people discovering this stuff, and I feel like after the revelations of this summer they're going to be much more proactively trying to clean up some of these traces. But as I said, NSO is one company out there; there are also many other companies trying to compete in the same space. So even if NSO gets better then, you know, other companies are still out there and can still be caught using MVT, and fundamentally, even if they clean up some traces, for any kind of failed attacks these traces are still going to be left around, because it won't be possible for the spyware to clean up their traces.

H: Uhm-hmm. So one could still, after an attack, eventually on an old device years later, discover that there had been some spyware activity, which may in the long run be interesting information about dark campaigns and things. So NSO is not the only actor; there will be more. Do you feel that there are just copycats in the market, or do you think there will be completely new threats in the future?
D: So I guess there are always lots of smart people who work for these companies who are trying to develop these tools. Just earlier this month, Citizen Lab published a report about another cyber surveillance vendor called Cytrox, based in North Macedonia, and they were selling similar spyware, which is using kind of one-click attacks using links to help compromise iPhones and Android phones. So that's one company that's competing in this space. There are other companies doing similar kinds of targeting, but we believe, you know, NSO was definitely the biggest company in this space, and they had a lot of money to invest, especially in these kinds of zero-click attacks. So for now, we don't know if there's a company that's as big or sophisticated as NSO, but I think many others will be trying to take their place if NSO becomes less popular.

H: I see. I see. OK, thank you very much. We have to go over to the RC3 morning show in a few seconds. Thank you very much for this interesting talk this morning. Again, share@amnesty.tech is the address to go to. And this is probably one of the talks you want to watch again on media.ccc.de in a few days when it has been published. So greetings to Ireland. Thank you very much, and we will meet and see each other again in real life, I hope. Thank you.

D: Thank you very much. Have a good day.

Everything is licensed under CC BY 4.0, and it is all for the community to download. Subtitles created by c3subtitles.de in the year 2022. Join, and help us!