Spanish PM’s Phone Hacked with Pegasus Spyware
What the worrying trend in advanced mobile malware means for mobile threat defense
On 2 May 2022, the Spanish government announced that Prime Minister Pedro Sanchez along with Defense Minister Margarita Robles had been hacked with Pegasus software. Pegasus is the notorious spyware developed by the Israeli firm NSO. First identified in 2016 it has been used by numerous governments to snoop on the phone communications of political opponents, civil rights activists, and foreign officials. However, Pedro Sanchez is the first EU head of state confirmed to have been hacked using Pegasus.
The revelation is a surprising twist in the Pegasus story as just weeks after researchers at Citizen Lab, an internet privacy research organization based at the University of Toronto, revealed that Pegasus had been used to target 65 members of the Catalan independence movement. The Madrid government denied any involvement in the ‘CatalanGate’ incident but, given the political tensions around Catalan independence, suspicions remain. In disclosing the hack of the Prime Minister’s phone the government stated that the hacks were “illegal and external”, “alien to state agencies” and did not have “judicial authorization from any official agency.”
Notwithstanding multiple reports of the misuse of digital spying tools, EU governments have been slow to act forcefully to restrict their use by police and security services. Their reluctance is no doubt tied to their value in tackling “legitimate” targets such as criminals and hostile states. Their attractiveness to repressive regimes is even more obvious.
What’s also obvious is why mobile phones are being targeted. Mobile phones transmit, receive, and store some of the most sensitive personal and professional information imaginable including our personal communications, our location and schedules, official records, and financial transactions. A bad actor with access to our phones can wreak unimaginable havoc. This is why organizations insist phones have passcodes, that data is transmitted securely and that devices can be remotely wiped when lost. But advanced spyware like Pegasus undermines all of these precautions. And it’s particularly disturbing because without advanced mobile security software it’s impossible to detect that your phone has been infected.
Unlike classic mobile malware, Pegasus does not appear as an app on your phone. Nor does it require the user to explicitly download and install the software. In most documented cases the malware has been delivered via a link sent in a message to the phone. Initially, it was necessary for the end-user to click on the link to cause the infection to take place. Later versions of the hack could be executed without any user action – a message was received by phone and the software installed itself. The fact that the first publicly disclosed hack targeted iPhones was what surprised the Information Security community most when the hack was initially revealed. Prior to this, it was a common perception that iPhones weren’t vulnerable to this kind of remote exploit.
But it’s not just civil rights activists and senior government figures who have been targeted with sophisticated spyware. It is generally believed that Jeff Bezos’s phone was hacked using mobile spyware at the instigation of the Saudi government. In this case, the infection was triggered by a video sent over WhatsApp. NSO Group, the makers of Pegasus, denied involvement.
It would be naive to believe that such advanced spyware is only available to nation-states. The history of cyber-security teaches us that tools initially the preserve of spy agencies eventually fall into the hands of criminal actors. This is even more likely in an environment where some governments treat their cybercriminals as a geopolitical tool. Cyber security professionals need to adopt the precautionary principle when it comes to the use of sophisticated spyware to target your organization, in particular high-value targets such as your senior executives and privileged users. Now is the time to procure and deploy advanced mobile threat defense tools that reveal the threats that lurk within devices used to access and store critical data.
What should you look for?
The first thing to understand is that many of the techniques used to identify malware on desktops and laptops can’t be used on iOS and Android devices because of operating system level restrictions. For example, it’s not possible to remotely monitor system processes on mobile devices; iOS does not allow its file system to be scanned. Corrata’s security experts advise that the only effective mechanism to identify advanced mobile malware is to monitor network traffic. Monitoring network traffic allows security software to identify the digital fingerprint of malware infection – communications with Command and Control infrastructure.
An effective mobile threat defense tool will take care of the basics including malware scanning, passcode enforcement, device status monitoring, and web filtering. But it must also provide advanced capabilities built around deep visibility of network traffic. Only covering the basics means you’re only protected against basic attacks – raising your game will mean you’re defended from attacks that make the wrong sort of headline.