New @citizenlab report, #ProjectTorogoz, documenting the use of NSO's Pegasus spyware in El Salvador, in collab w/ @AccessNow, w/ assistance from @FrontLineHRD @MohdMaskati, @socialtic, and @fundacionacceso, and w/ peer review from @AmnestyTech citizenlab.ca/2022/01/projec…
We confirmed, through forensic analysis, 35 cases of journalists and civil society members whose phones were successfully hacked with NSO Group's Pegasus spyware from July 2020 through November 2021.
The targets included journalists at @_elfaro_, @GatoEncerradoSV, @prensagrafica, @Disruptiva2, @ElMundoSV, @EDHNoticias, and 2 independent journalists. Also NGOs @fundaciondtj, @cristosal, and another (anonymous) NGO.
Since early 2020, we've been tracking a Pegasus operator, TOROGOZ (whose first infrastructure was apparently registered in late 2019) that appeared to be spying primarily in El Salvador, but we hadn't documented any targets.
We documented the first confirmed targets in El Salvador when some independent journalists in El Salvador became suspicious of their phones, ran @AmnestyTech's mvt tool (github.com/mvt-project/mvt), and contacted @AccessNow for assistance.
The phones were hacked using at least two different zero-click iMessage exploits: the KISMET iOS13 zero-click (deployed starting in early-to-mid July 2020), and the FORCEDENTRY iOS14 zero-click (deployed starting in ~Feb 2021).
All iOS devices running iOS14 versions up to and including 14.7.1 are believed to be vulnerable to FORCEDENTRY, and the exploit was deployed from ~Feb 2021 thru at least Nov 23, 2021, when Apple sued NSO Group and notified some FORCEDENTRY targets. apple.com/newsroom/2021/…
One journalist was additionally targeted with one-click Pegasus SMSes, in early July 2020 and again in early September 2020. The domain names in the SMSes matched one of our fingerprints for Pegasus URL shortener websites (image via @_elfaro_).
The Pegasus SMSes contained El Salvador-themed bait content, including "District attorney’s office against journalists from El Faro" and "Nuevas Ideas [the political party of El Salvador Pres. Nayib Bukele] eclipses their opponents".
We conclude that the KISMET zero-click was also used because thirteen of the phones contained the KISMET FACTOR, which we believe is a forensic artifact left behind when the KISMET exploit runs on a phone.
(Note that the KISMET zero-click has not yet been captured and publicly disclosed, but appeared to involve JPEG attachments, as well as iMessage launching a WebKit instance for further exploitation).
We conclude that the FORCEDENTRY zero-click was also used, because many of the targets were notified by Apple, and we also recovered a copy of NSO Group's FORCEDENTRY exploit that had been fired at one of the phones.
Interesting tidbit: the exploit we recovered had been fired at a *non-vulnerable* version of iOS (14.8.1), and thus did nothing to the phone... Perhaps it's hard for threat actors to accurately fingerprint a target's iMessage version (esp. minor version) before firing a 0-click?
One thing that is striking about the targets in El Salvador: quite a few appear to have been selected for long-term "persistent" surveillance, meaning that zero-clicks were fired again and again after targets rebooted their devices.
Also interesting: based on dates we observed, it looks like the Pegasus campaign in El Salvador was put on pause amidst the #PegasusProject revelations in mid-Jul 2021, but the hacking quietly resumed around late Aug 2021.
In response to #ProjectTorogoz, a "person familiar with [NSO] operations" said that El Salvador does not have an "active [Pegasus] system".
However, NSO does not appear to have (yet) incremented their "number of clients we've kicked off of Pegasus" counter beyond 5, so it's unclear if El Salvador has been kicked off Pegasus, voluntarily left Pegasus, or is on a temporary Pegasus pause, or something else...
Also, this is our first report where we have a "featured animated GIF" for the report!!! (designed by @rizhouto) Our GIF doesn't contain FORCEDENTRY, we swear 😀. You can check out our GIF here on our homepage (citizenlab.ca).