The Citizen Lab researchers identified 45 different countries in which operators of NSO Group’s Pegasus spyware may be conducting operations some of which targeting human rights advocates.

The malware uses social engineering to encourage targets to click a specially crafted exploit link that will leverage a host of zero day exploits to penetrate a device’s security features and allow access without the user’s knowledge or permission.

Once the malware is activated it can be used to conduct surveillance by targeting private data including passwords, contact lists, calendar events, text messages, and live voice calls as well as activate phone’s camera and microphone to capture activity in the phone’s vicinity.

Between August 2016 and August 2018 researchers designed and conducted a technique to scan for the malware and at least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates, according to the firm’s Hide and Seek report.

In addition researchers found indications of possible political themes within targeting materials in several countries, which they said casts doubt on whether the technology is being used as part of “legitimate” criminal investigations.

Pegasus, flying horse
Pegasus, flying horse

“We found suspected NSO Pegasus infections associated with 33 of the 36 Pegasus operators we identified in 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia. As our findings are based on country-level geolocation of DNS servers, factors such as VPNs and satellite Internet teleport locations can introduce inaccuracies,” researchers said in the report.

Researchers spotted a campaign in Mexico which targeted lawyers, journalists, human rights defenders, opposition, politicians, anti-corruption advocates and an internal investigation.

In addition to, researchers noted what appeared to be an expansion of the spyware’s usage in the Gulf Cooperation Council (GCC) countries in the Middle East which included at least six operators including at least two that appear to predominantly focus on the UAE.

NSO groups said that its uses a NSO’s Business Ethics Committee consisting of outside experts from various disciplines including law and foreign relations that review and approve transactions and is authorized to reject agreements or cancel existing agreements in cases of misuse.

On 18 September 2018, NSO emailed The Citizen Lab and addendum to their previous public statement:

“There are multiple problems with Citizen Lab’s latest report,” the NSO group responded. “Most significantly, the list of countries in which NSO is alleged to sell or where our customers presumably operate the products is simply inaccurate. NSO does not sell its products in many of the countries listed. The product is only licensed to operate in countries approved under our Business Ethics Framework and the product will not operate outside of approved countries. As an example, the product is specifically designed to not operate in the USA.”

The Citizen Lab researchers maintained that continued supply of NSO Group’s services to contreversail governments raises doubts about the effectiveness of the vendor’s own internal mechanism, if it exists at all.