
Pegasus Data Theft Tool

Product
Developers: NSO Group Technologies
Last Release Date: July 2019
Branches: Information Technology

Pegasus is the flagship product of Israel's NSO Group. NSO's technology allows its customers, who company officials say are always governments rather than private buyers, to select specific phone numbers and infect the corresponding devices with the Pegasus code.

Rather than trying to intercept data in transit between two devices, which is most likely encrypted, Pegasus lets its operators take over the device itself, gaining access to everything on it.

Pegasus tracks keystrokes on the infected device - all written messages and web searches, even passwords - and returns them to the client, as well as providing access to the phone's microphone and camera, turning it into a mobile tracking device that the victim unwittingly carries with him.

When the phone is hacked, it is done in such a way that NSO Group clients and specialists receive administrative privileges on the device. This allows them to do almost anything on the phone.

A tool such as Pegasus, which allows unlimited access to the communications and movements of the owners of infected devices, is in great demand by governments. Among the clients of NSO Group for 2023 are the governments of such countries as Mexico, Saudi Arabia, UAE, Morocco, Spain, India, Panama, Togo, Rwanda, Azerbaijan, Bahrain, Hungary, Kazakhstan and Kenya.

To preserve the ability to access infected devices, the NSO Group team must constantly update its technologies to stay ahead of companies such as Apple and Google, which release patches to fix vulnerabilities. Gradually, Pegasus evolved from a relatively crude system based on social engineering to a program capable of compromising a phone without the target needing to follow a link.

2023: Use in the war between Armenia and Azerbaijan

The Pegasus spy software, developed by the Israeli company NSO Group, was actively used during a large-scale armed conflict between Azerbaijan and Armenia. This is stated in the report of the non-profit organization Access Now, which was released on May 25, 2023.

The investigation began after Apple in November 2021 sent warnings to users that they could be victims of spyware distributed at the state level. It turned out that the smartphones of at least twelve public figures and officials in Armenia were hacked using the Pegasus tool. The Access Now document, in particular, says that the victims of espionage included journalists, human rights activists, activists, scientists and a UN representative.

Pegasus was actively used during the conflict between Azerbaijan and Armenia

The authors of the report emphasize that this is the first documented evidence of the use of Pegasus spyware in the context of an international armed conflict. The NSO Group claims that their technology is sold exclusively to governments: this is generally consistent with the conclusions obtained during the investigation. At the same time, experts do not associate this espionage campaign with any specific state structure.

It is said that the provision of the Pegasus spy tool to the authorities of any country in the context of armed confrontation entails a significant risk of violation of the rights of citizens. In addition, experts warn, this may contribute to the commission of war crimes.

"The context in which the Pegasus malware was used is particularly disturbing. The investigation suggests that such cyber weapons are used against civil society and humanitarian organizations in a violent conflict," the Access Now document says.[1]

2022: Spanish Premier's phone hacking case through Pegasus stalled

By December 2022, the case of the hacking of the mobile phones of Spanish Prime Minister Pedro Sanchez and of the kingdom's Ministers of Defense and Internal Affairs, Margarita Robles and Fernando Grande-Marlaska, with the Pegasus program had reached a dead end: the investigation cannot get off the ground because of Israel's silence.

Tel Aviv ignored all requests from the Spanish court (and there were three of them in the last seven months), and also did not give the go-ahead for the arrival of a team of Spanish investigators in Israel to take testimony from the CEO of NSO Group, which developed the Pegasus program.

It is speculated that Morocco may have been behind the hacking of Sanchez, Robles and Grande-Marlaska's mobile phones. At the time their devices were being hacked, relations between Spain and Morocco were tense. However, it is impossible to prove this without cooperation from Israel, and it has never helped in investigations when similar scandals arose in other countries.

2021

France suspects the country's president's phone may have been tapped with Pegasus software

In July 2021, France was studying a report that the phone of President Emmanuel Macron could have been tapped using spy software developed by the Israeli group NSO. The Moroccan surveillance agency tried to access his private conversations in 2019.

Other heads of state and members of government, including former French Prime Minister Edouard Philippe, his wife, as well as incumbent Foreign Minister Jean-Yves Le Drian and Finance Minister Bruno Le Maire, could also have been wiretapped.

The Pegasus program, sold to individual governments and law enforcement agencies, can hack cellphones via a link and secretly record emails, calls and text messages.

Using software to spy on thousands of journalists and activists

In mid-July 2021, it became known that the Pegasus spyware, developed by the Israeli company NSO Group, was used to spy on activists, journalists and officials around the world. The results of the study were presented by the Forbidden Stories project with the support of 16 world media.

The authors of the investigation gained access to a database of 50 thousand mobile numbers from states that spy on their citizens and are clients of the NSO Group. The database included at least 180 journalists from all over the world; it also contained the numbers of 65 businessmen, 85 human rights activists and more than 600 politicians, including presidents, prime ministers, diplomats and security officers.

Israeli spyware used to spy on thousands of journalists and activists

Among the journalists who ended up in the database are representatives of such media as CNN, The New York Times, Associated Press, The Wall Street Journal, Bloomberg, Le Monde and Financial Times, among others. Pegasus software may have been used to hack into devices that belong to two women close to murdered journalist Jamal Khashoggi, according to Forbidden Stories.

Amnesty's cyber security specialists inspected 67 smartphones that may have been hacked: 23 devices were infected with the spyware and 14 devices showed signs of attempted hacking. Pegasus is activated when the user clicks on a malicious link; the software can also start acting without any action from the user. Pegasus is focused on capturing and copying the main functions of the smartphone; in particular, it can collect information from the cameras and microphones, as well as geolocation data. The spyware is licensed by the NSO Group as anti-terrorist software.

The NSO Group denies accusations of using its surveillance software and calls the investigation "unconfirmed theories." However, company representatives promised to organize an investigation into the misuse of Pegasus software. The NSO Group notes that their technology has prevented terrorist attacks, gun violence, car bombings and suicide bombers.[2]

2020: How much Pegasus software costs

According to the New York Times, a tool that allows monitoring of 10 iPhone users will cost $650 thousand, plus $500 thousand for installation. This is the minimum package of services. One standard Pegasus module can track up to 500 phones during the year, but only 50 at a time. A license for such a module costs about $7-8 million per year. These are estimated figures, since the technology is constantly being improved and the cost of new add-ons developed for customer tasks is understandably not disclosed.

According to NSO Group, in 2020 its revenue amounted to $243 million. That's about 25-30 customers.

2019: Using to steal data from Apple, Google and Microsoft cloud services

On July 19, 2019, it became known that the capabilities of the Pegasus software, developed by the Israeli technology company NSO Group, had been expanded. The tool can now steal data from the cloud services of Apple, Google, Facebook, Amazon and Microsoft.

Financial Times journalists obtained documentation intended for internal use at the NSO Group. It follows from it that infected smartphones can transfer to the NSO program the authentication keys for cloud services that can be accessed from the device, including Google Drive, Facebook Messenger and iCloud.

WhatsApp wiretap software developer creates tool to steal data from Apple, Google and Microsoft clouds

It is noted that the transfer of confidential information, such as a complete history of the location of users, archives of correspondence and photos, occurs without "a request for two-stage verification or sending warnings by e-mail." In addition, hackers may have limited access to data uploaded to the cloud even if the spyware is removed from the device.

Amazon said that at the moment there is no evidence of successful Pegasus attacks, but the corporation has promised to investigate. Facebook said much the same.

Business Insider contacted NSO and received the following comment:

"The license for our products is issued to a small range of government intelligence and law enforcement agencies for the sole purpose of preventing and investigating serious crimes, including terrorism."

The NSO spokeswoman stressed that the company's tools are aimed at combating crime, not at collecting data and accessing the cloud.

Earlier in 2019, it became known that a WhatsApp call wiretapping function had appeared in Pegasus. It allows malware to be installed on a device with a single call in order to spy on users.[3]

Zero click exploits

The answer to the declining effectiveness of malicious links was the use of so-called zero-click exploits. These exploits do not require any action from the user for Pegasus to compromise the device. It was this method of attack that was preferred by governments using Pegasus.

Zero-click exploits rely on bugs in popular apps such as iMessage, WhatsApp and FaceTime, which receive and sort data, sometimes from unknown sources.

Having discovered the vulnerability, Pegasus can penetrate the device using the application protocol. At the same time, the user does not need to follow the link, read the message or answer the call - he may not even see a missed call or message.

Zero-click exploits account for the majority of device compromise cases recorded since 2019. Pegasus connects to most messaging systems, including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram and Apple's built-in messaging and email apps, according to Timothy Summers, a former cyber engineer with one of the U.S. intelligence agencies.

2016: Infection of devices through malicious links

At one time, Pegasus hacker attacks required the active participation of the victim. Pegasus operators sent text messages with a malicious link to the victim's phone. Clicking on it in the browser opened a page on which malware that infects the device was downloaded and executed.

NSO Group customers used various tactical techniques to increase the likelihood of a click.

For example, customers sent spam to unsettle the target and then sent another message asking them to follow the link to stop receiving spam.

Social engineering techniques helped manipulate the target into clicking on the link. The links themselves were developed based on the fears or interests of the victim.

Messages could contain news of interest to the addressee or promotions that might interest him - perhaps a gym pass or links to sales.

This crude approach quickly exhausted itself. Targets quickly learned to recognize malicious spam.

Notes