An Israeli woman uses her iPhone in front of the building housing the Israeli NSO group, on August 28, 2016, in Herzliya, near Tel Aviv. NSO Group has been accused of facilitating surveillance of journalists through sales of its Pegasus spyware. (AFP/Jack Guez)
An Israeli woman uses her iPhone in front of the building housing the Israeli NSO group, on August 28, 2016, in Herzliya, near Tel Aviv. NSO Group has been accused of facilitating surveillance of journalists through sales of its Pegasus spyware. (AFP/Jack Guez)

CPJ Safety Advisory: Journalist targets of Pegasus spyware

Updated July 19, 2021

Pegasus is a spyware created for mobile devices which transforms a cellphone into a mobile surveillance station. Researchers have documented it being used to spy on journalists around the world, and investigative reporters identified at least 180 journalists as possible targets in 2021. This raises significant implications for journalists’ own security and that of their sources.

Contents

Whereas previous attacks involved tricking users into installing the spyware on their devices through clicking on links included in messages, more recent attacks focus instead on using vulnerabilities in apps or software on the phone requiring no interaction from the user at all, according to Amnesty International reports from June 2020 and July 2021.

Once on the device, the spyware gives the attacker the ability to monitor, record, and collect existing and future data from the phone. This includes calls and information from messaging applications and real-time location data. The spyware is able to remotely activate the camera and microphone to surveil the target and their surroundings.

The Israel-based NSO Group, which produces Pegasus, markets tools for investigating crime and terrorism to government agencies. (NSO Group has repeatedly told CPJ that it will not comment on individual cases, but investigates reports that its products were misused in breach of contract.)

Guidance for journalists and newsrooms

Pegasus is designed to be installed on phones running Android, BlackBerry OS, and iOS without alerting the target to its presence. Journalists will likely only know if their phone has been infected if the device is inspected by a trusted tech expert. Journalists who are concerned may wish to share this guide with them.

If you have reason to believe you have been targeted and have spyware on your device:

  • Stop using the device immediately.
  • Put the device somewhere that does not compromise you or your surroundings.
  • Log out of all accounts and unlink them from the device.
  • From a different device, change all your account passwords.
  • Seek expert digital security advice. If you are a freelance journalist or do not have access to tech support, contact the Access Now Helpline.
  • If it is essential to use the device before you can replace it, carry out a factory reset and ensure that your operating system, apps, and browsers are updated to the latest version. This does not guarantee that the spyware will be removed from the device. However Amnesty International noted in July 2021 that Pegasus appears to be removed when devices are rebooted.
  • The same report said 700 domain names had been used by Pegasus to infect devices and recommended that media outlets check their network telemetry and DNS logs for these sites as an indication that they may have been targeted by the spyware.
  • Amnesty’s Mobile Verification toolkit for tech experts can help confirm whether a device has been infected by Pegasus.

Background research

  • In 2018, Citizen Lab said it had detected Pegasus in over 45 countries. Pegasus could have been deployed against journalists and civil society actors in Mexico, Saudi Arabia, Bahrain, Morocco, Togo, Israel, the U.S., and the United Arab Emirates, the report found.
  • In May 2019, a vulnerability was identified in the messaging app WhatsApp that, before it was patched, infected some of its users’ phones with spyware, including over 100 human rights defenders and journalists in at least 20 countries, according to Citizen Lab. WhatsApp, which is owned by Facebook, later identified that spyware was Pegasus or a variant.
  • In June 2020, an investigation by Amnesty International found that a Moroccan journalist’s phone had become infected after internet traffic on the phone was rerouted to a malicious website controlled by the attackers. Once the phone’s internet browser was connected to the site, attackers likely exploited vulnerabilities in the software to compromise the device, the report found. The report states that this attack was either carried out by rerouting cell phone internet traffic using a rogue cell tower, a device that mimics the job of a cell phone tower, or through gaining access to the target’s cell phone provider.
  • In December 2020, an extensive investigation by Citizen Lab detected Pegasus on the personal iPhones of 36 journalists and media executives; most worked at Al-Jazeera, but an Al-Araby TV journalist was among the targets. The investigation attributed the attacks to government agents, probably from Saudi Arabia and the United Arab Emirates, and said it was likely that only a fraction of targets had been detected.
  • In July 2021, a consortium of global media outlets investigated a leaked document containing more than 50,000 phone numbers of people around the world they said appeared to be of interest to NSO clients, including those of more than 180 journalists. Amnesty International in partnership with Forbidden Stories carried out a forensic analysis of the phones of more than a dozen of those journalists and showed recent infections affecting iPhone 12 version 14.6. 

Advice for different types of attack

Pegasus can be installed in a number of ways. Journalists should keep up to date on these methods and take appropriate steps to protect themselves and their sources.

Zero-day attacks

Zero-day attacks, also known as zero-click attacks, exploit vulnerable software, not people. They require no interaction from the user.

  • Reports from the WhatsApp hack stated that the attack took the form of calls from unknown numbers to users which resulted in the app crashing. The numbers disappeared from the call log, leaving no record of a missed call or who had made it.
  • The December 2020 Citizen Lab report found that attackers deployed spyware via a vulnerability in the iMessenger app, and required no interaction from the device’s owner. The vulnerability appears to have been fixed in the iOS 14 update.
  • In July 2021, Amnesty International reported identifying traces of repeated infection attempts via the iMessage app on iPhone 12 version 14.6. The report also flagged concern that other built-in apps, such as the iTunes Store app, could be vulnerable to attack.

Protecting yourself against a zero-day attack is difficult. Journalists who may be targeted by a sophisticated adversary such as a government should: 

  • Consider changing cheap, burner phones every few months as a precaution.
  • Update your phone’s operating system regularly, as well as apps and browsers.
  • Review the apps on your phone regularly and delete ones that you are not using.
  • If possible, contact a digital security expert for one-to-one support.

Network injection attacks

A network injection attack does not require any interaction with the user; instead, it involves the automatic redirecting of browsers or apps to sites controlled by attackers. This is also known as a Man in the Middle Attack (MITM). Once connected to the malicious site, attackers infect the device through vulnerabilities in the software.

A journalist is highly unlikely to know whether they have been the target of this type of network injection attack and protecting against it can be difficult.

To minimize risk:

  • Use a virtual private network (VPN) on both cell phones and computers.
  • Check the law with regards to the use of a VPN in the country you live in or are traveling to.
  • Research the VPN company to ensure that it does not store data on users, including browser history and log in details, as this could be accessed by governments.
  • Check whether the VPN provider has close links to government bodies or is owned by governments.
  • Choose a service that is located outside the country you live in and that has a good track record of privacy.

Spear-phishing attacks

Attackers create tailor-made messages that are sent to a specific journalist. These messages convey a sense of urgency and contain a link or a document which the journalist is encouraged to click on. The messages come in a variety of forms, including SMS, email, through messaging apps such as WhatsApp, or via messages on social media platforms. Once the journalist has clicked on the link, then the spyware is installed on their phone.

Research by Citizen Lab and Amnesty International found that messages tend to take the following forms:

  • Messages purporting to be from a known organization such as an embassy or a local news organization.
  • Messages that warn the target may be facing an immediate security threat.
  • Messages that raise any work-related issue, such as covering an event that the target usually reports on.
  • Messages that make appeals on personal matters, such as those relating to compromising photos of partners.
  • Financial messages that reference purchases, credit cards, or banking details.

The suspect messages may also arrive from unknown numbers.

Attackers can target personal and work phones. To better protect themselves and their sources, journalists should:

  • Verify the link with the sender through a different channel of communication. This should preferably be through video or voice.
  • If the sender is not previously known to you, secondary channels may not provide successful verification of the links, as such channels may be set up by the adversary as part of an elaborate cover identity.
  • If the link utilizes a URL shortener service like TinyURL or Bitly, input the link into a URL expander service such as Link Expander or URLEX. If the expanded link looks suspicious, for instance mimicking a local news website but not being quite the same, do not click on the link.
  • If you feel you need to open the link, do not use your primary device. Open the link on a separate, secondary device that does not have any sensitive information or contact details, and is used solely for viewing links. Carry out a factory reset on the device regularly (keeping in mind that this might not remove the spyware). Keep the secondary device turned off, with the battery removed, when not in use.
  • Use a non-default browser for the phone. Pegasus is believed to target default browsers. The default browser for Android is Chrome and the default browser for iOS is Safari. Use an alternative browser such as Firefox Focus and open the link in that. However, there is no guarantee that Pegasus will not, or has not, already targeted other browsers.

Physical installation by an adversary

Pegasus can also be installed on your phone if an adversary gains physical access to the device. To reduce risk:

  • Do not leave your device unattended and avoid handing over your phone to others.
  • When crossing a border or checkpoint ensure that you can see your phone at all times Turn off the phone before arriving at the checkpoint, and have a complex passphrase consisting of both letters and numbers. Be aware that if your phone is taken then the device may be compromised.

For more information to protect yourself and your sources, consult CPJ’s Digital Safety Kit.

With thanks to Citizen Lab for valuable insight.

[EDITOR’S NOTE: The advice on zero-day attacks has been updated to include security updates.]