NSO Group is operating from Israel where they produce and sells a mobile phone spyware named as Pegasus to governments and private entities to perform massive Surveillance operation in order to gain sensitive information from the targeted victims.
Pegasus spyware previous operation launched against UAE activist Ahmed Mansoor in Aug 2016 which contains a Zero-day exploit for the Apple iPhone along with Spyware that targets his iPhone 6 to spying his Phone activities.
Researchers believe that at least 10 Pegasus operators appear to be actively engaged behind this Surveillance operation across the 45 countries.
Pegasus spyware is one of the most sophisticated and powerful spyware that perform various malicious activities in both android and iPhone such as stealing private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.
As of now, researchers discovered 36 distinct Pegasus systems and each one perhaps run by a separate operator and they suspect the Pegasus infections associated with 33 of the 36 Pegasus operators and they Surveillance 45 Following Countries.
Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia
Pegasus Spyware Surveillance Operation
Researchers developed a new technique called Athena found 1,091 IP addresses matched with the fingerprint and 1,014 domain names are pointed to the NSO Group.
Later on, the countries that are under Surveillance was identified by conducting a global DNS Cache Probing study on the matching domain names which helps to find in which countries each operator was spying.
According to citizen lab research, To monitor a target, a government operator of Pegasus must convince the target to click on a specially crafted exploit link, which, when clicked, delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission.
After the successful exploitation of the phone, it starts communicating with the operator via command & controls sever in order to receive further operation command.
Communication is established to the Pegasus spyware via HTTPS request and it requires operators to register and maintain domain names.
Domain names that used to exploit links mimic as mobile providers, online services, banks, and government services
An operator may have several domain names that they use in exploit links they send, and also have several domain names they use for C&C. The domain names often resolve to cloud-based virtual private servers (we call these front-end servers) rented either by NSO Group or the operator. Researchers said.
NSO Group Denied
In this case, NSO Group Denied the citizen lab findings and said, “There are multiple problems with Citizen Lab’s latest report. Most significantly, the list of countries in which NSO is alleged to operate is simply inaccurate.”
“NSO does not operate in many of the countries listed. The product is only licensed to operate in countries approved under our Business Ethics Framework and the product will not operate outside of approved countries”