Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy

by Laurent Richard

the most potent cybersurveillance weapon on the market: a malware called Pegasus, which had been developed, marketed, and supplied to law enforcement and national security agencies in more than forty countries around the world by the alpha dog in the burgeoning industry—the Israeli tech company NSO.

THE FINAL BLOW to Vincenzetti—a live-by-the-sword, die-by-the sword blow—was heralded by an unexpected message posted on Hacking Team’s own Twitter account in the first dark hours of July 5, 2015. “Since we have nothing to hide,” read the tweet, “we’re publishing our emails, files, and source code.” This hijacked tweet was almost two months in the making. A very patient and cautious hacker who called himself “Phineas Fisher” (he had already hacked the rival Gamma Group) would eventually take credit, publishing a technical explanation of how he found a vulnerability in the system software that pried open a back door into Hacking Team’s internal network. Once through that door, Phineas lived undetected inside the network for weeks, sniffing out passwords, listening in on audio, viewing webcam images, even watching one of the system administrators spend hours of his workday playing World of Warcraft. When he discovered an under-protected server used by the company’s software developers, its sales team, and its key executives, Phineas mounted the server remotely and accessed a mother lode of company backup files. Within those backups were passwords that gave him access to the live server, as well as the domain admin password, which gave him access to the company’s internal emails. He downloaded the emails to his own server, a stealth exfiltration executed against the kings of exfiltration. Phineas continued to live and learn on the network, dancing around and through firewalls...

The now legendary hacker had already published, along with his how-to guide, a kind of manifesto reminding his fellow travelers in tech that they were the best guardians against cyberintrusion. “There’s plenty of hackers better than me,” Phineas Fisher wrote, “but they misuse their talents working for ‘defense’ contractors, for intelligence agencies, to protect banks and corporations, and to defend the status quo. Hacker culture was born in the US as a counterculture, but that origin only remains in its aesthetics—the rest has been assimilated.

“For any person who sits in the chair where decisions have to be made in the use of this type of tool, it is attractive—with a certain morbid curiosity to get into people’s lives.… These kinds of tools generate in [public servants] who have them within their reach a feeling of supremacy, of power, of control. And its use becomes perverse; it can become a means of personal satisfaction and not for the benefit of the public interest.”

Looking inside the message and the link, they were able to isolate a signature quirk in the way the domain and server were configured. This WhatsApp message and link were painstakingly engineered to hide any information about the attack and any information about the identity of the attacker. The link and the final server were configured in a particularly locked-down manner. Any attempt to open a nonexistent page on the server did not return the typical “Not Found” message; the server simply did not reply to the request at all, so as not to alert the victim. This already suggested to Claudio and Donncha that they were not dealing with a common spam or cybercrime attack.

The Security Lab duo made an even more remarkable discovery in the forensic image of Maati’s phone. When Claudio and Donncha combed through the Safari browsing history database and its Session Resource logs, they began to note and then reconstruct certain strange digital detours they were seeing. While trying to determine if Maati’s phone had opened any known Pegasus links, they discovered that the phone (having already been subjected to eighteen months of Pegasus’s standard SMS message attack) was navigating to strange and previously unknown websites in the spring and summer of 2019. Claudio and Donncha weren’t sure just what they were seeing in the databases, but it “looked suspicious,” Donncha says, “and the timing was right.” When Maati had tried to make a routine visit to the Yahoo home page one day in July 2019, for instance, he was redirected, in less than three milliseconds, to a suspicious-looking web page named Free247downloads.com at https://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz. Seconds later, Free247downloads dropped a bomb of malicious code into the phone without anything to alert Maati that something out of the ordinary might have happened.

“Remember, when you say, ‘I want one iMessage exploit, it’s never one exploit,” he explained. “When an iPhone gets compromised with an iMessage exploit, they are using maybe three, four, five different exploits packaged in one. “There’s so many things that [NSO technicians] have to compromise with an iPhone that make it a lot more complicated. They need to compromise a number of [different] security measures that Apple put into place purposely to add layers of complications before you can successfully get complete ownership of the device. “The difficulty with compromising an iPhone is that you have to have a functioning exploit for all of these different security layers and all of it be reliable and working at once. They have to subvert all these other components of the operating system. One of them might get patched in the night, and they need to find something else to replace that one. So it’s just not that straightforward. It’s a pretty complex process.”