John Scott-Railton
Jul 18 · 15 tweets · 16 min read
🚨MAJOR INVESTIGATION: uncovering #GeckoSpy.

An espionage operation using #Pegasus spyware against #Thailand's pro-democracy movement.

THREAD on our findings 1/

Our @citizenlab collaborators: @iLawFX & @DigitalReachSEA w/validation by @AmnestyTech
citizenlab.ca/2022/07/geckos…
2/ In 2020, #Thailand's government triggered pro-democracy protests by disbanding a popular opposition party.

Protests continued into 2021, and were met with repression & violence.

Key figures were harassed, arrested & jailed.

Now, we know many were hacked, too.
3/ The #GeckoSpy investigation began in Nov 2021... when @Apple notified users likely targeted w/#NSOGroup’s FORCEDENTRY exploit.

Multiple activists in #Thailand received them.

Some got in touch with us @citizenlab & our collaborators including @iLawFX & @DigitalReachSEA
4/ Once notification recipients got in touch, forensic artifacts were consensually collected & analyzed.

The investigation then expanded to associates & other likely #Pegasus targets.

I cannot overstate the importance of @apple's notifications in focusing the initial process.
4/ The #Pegasus hacking came in waves. Some pauses were probably dictated by things outside #Thailand.

Like the #PegasusProject publication, our disclosure of #ForcedEntry & @Apple's patch... and those notifications.

Other sequences of infection have a contextual explanation...
5/ In many cases, #Pegasus infections in #Thailand matched protest & political activities.

Our collaborators @iLawFX & @DigitalReachSEA have a detailed report, including a table juxtaposing infections & protest events.

REPORT: freedom.ilaw.or.th/en/report-para…
6/ Some #Pegasus victims are well known. Like Panusaya Sithijirawattanakul.

She once wore a crop top w/“I have only one father” written on her skin. Went w/friends to the mall for ice cream.

Thai authorities interpreted this as mocking the king, & charged her with lèse-majesté.
7/ High profile activists weren't the only category of #Pegasus victims.

Famous actress @charoenpura & rapper @DechathornHK were also infected.

Both were visible supporters of the pro-democracy movement.
8/ Also infected? Individuals with little public profile, but who played an important support role in protests, or fundraising.

A picture emerges: a #Pegasus operator seeking detailed information about the protest movement... in some cases guided by non public information.
9/ Who is behind the hacking? We @citizenlab aren't making a conclusive attribution.

But it's worth noting that we've seen #Pegasus operators with a #Thailand nexus since 2014.

And there's a lot of circumstantial evidence...
10/ When you read the @iLawFX & @DigitalReachSEA report, it's clear: the entity responsible for the hacking has a detailed & obsessive focus on voices calling for democracy and reform of the monarchy in #Thailand.
11/ My @citizenlab colleague @billmarczak explains that the #Pegasus hacking in #Thailand relied on zero-click vulnerabilities👇

Translation: *nothing* regular phone users could have done to protect themselves.
12/ This investigation only happened because victims came forward & participated.

#Pegasus can make people feel powerless about digital security, yet they acted to reclaim some agency & are now helping to shed light on the secret mechanics of repression.

It's deeply inspiring.
13/ Special thanks to the team at @AmnestyTech, which independently analyzed a sample of indicators in this case & confirmed Pegasus infections using their distinct tools and methods.
14/ This investigation was a team production, ranging from the incredible work done by our collaborators @iLawFX and @DigitalReachSEA, civil society groups that prefer to remain unnamed, and the @citizenlab team including👇

More from @jsrailton

Jul 14
BREAKING: Rep. @RepAnnaEshoo & Sen. @RonWyden call on @FTC to take enforcement actions against problematic players in consumer #VPN industry.

GREAT.

So many shady companies abuse their users' trust & flood the zone with misleading information.👇 1/
eshoo.house.gov/media/press-re…
2/ Everyone is familiar with #VPN ads.

That probably means you've heard their deceptive & hyperbolic marketing.

Perhaps voiced by your favorite @YouTuber or podcaster?

Folks like @ConsumerReports & Prof @royaensafi have been calling this out.
consumerreports.org/vpn-services/v…
3/ Rot in #BigVPN goes deep.

Companies scare consumers by warning of tracking.

True, it's bad news.

Yet we know some VPNs actually track & monetize users.

The secrecy of the industry means that the full picture may be much worse.

By @CraigSilverman
buzzfeednews.com/article/craigs…
Jul 10
WHOA: Deal for 🇺🇸 defense contractor @L3HarrisTech to acquire #NSOGroup tanked.

Counterintelligence problems reportedly played big role.

Thoughts: Well, $LHX exit helps explain recent signs of desperation from the spyware company.

1/🧵

By @skirchy
theguardian.com/us-news/2022/j…
2/ I've been vocal about why I believe that a cleared 🇺🇸American defense contractor acquiring a demonstrably uncontrollable purveyor of insecurity would be bad for human rights & counterintelligence.👇
3/ Competing narratives around @L3HarrisTech #NSOGroup deal.

Narrative A: 🇺🇸US intelligence signaled some kind of support.

(this just happens to still serve NSO & L3's interests)

Narrative B: any support was overstated, big counterintelligence concerns, IC not supportive.
Jul 6
NEW: @Apple's #LockdownMode is radical reduction of the threat surface of an iPhone.

Cannot overstate how big a change this is for Apple.

So important that people at higher digital risk have the option to harden their phones.

Some thoughts 1/
apple.com/newsroom/2022/…
2/ When you notify users that they've been targeted with sophisticated threats, they inevitably ask:

'How can I make my phone safer?'

We haven't had many great, honest answers that really make an impact.

Hardening a consumer handset is really out of reach.
3/ There's a common mental barrier among big platforms & OS developers around mainstreaming high-security features.

A lot of inevitable considerations, like:

- Worse user experience (esp. vs. the competition!)
- Breaking features
- More customer support resources required, etc.
Jul 3
Death, glory or... slurp juice?

Looks like the @BritishArmy's social media team missed the OPSEC course.
UPDATE: scammers also breached the @britisharmy's @YouTube account, deleted the vids, and are now running Musk-themed live crypto scams w/ thousands of viewers.

Everything is fine.
The @britisharmy YouTube & Twitter scams are a helpful reminder: governments still struggle to secure their accounts.

And tech platforms have a *hard time* detecting these compromises in anything like real time.

This has been going on for hours.
Jun 30
The sheer velocity at which SCOTUS is taking away rights & pulling the country backwards feels unprecedented.
Decades of progress wiped out overnight.

There's a lot to be angry about.

It may sound petty, but I can't forgive the big name legal scholars who assured the rest of us that we were being unnecessarily alarmist about these justices.

I hope they feel some shame.
He's right. The sum of these regressive changes is actually a brave new era of awfulness.
Jun 28
BREAKING: Saudi operative in Mississippi caught harassing dissidents in USA, Canada.

Also had images of Khashoggi's tweets on his phone.

Dissidents have warned about *transnational repression* by dictators in 🇺🇸& 🇨🇦 for *years*

Thread 1/

Warrant: documentcloud.org/documents/2207…
2/ At @citizenlab we've investigated Saudi hacking with #Pegasus.

The Saudis were infecting people around the world.

A lot of dissidents were infected.

Like @oamaz7, a 🇨🇦 resident who was a close friend of Jamal Khashoggi.

Report citizenlab.ca/2018/10/the-ki…
3/ WATCH: using harassment & hacking, dictators export fear & repression into democracies.

Yet, the 🇺🇸US and 🇨🇦Canada have done little to help victims & hold perpetrators accountable.

Same for EU governments, sadly.