In this post, we develop new Internet scanning techniques to identify 45 countries in which operators of NSO Group’s Pegasus spyware may be conducting operations.

Between August 2016 and August 2018, we scanned the Internet for servers associated with NSO Group’s Pegasus spyware. We found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each of which appears to be run by a separate operator.

We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.

Our findings paint a bleak picture of the human rights risks of NSO’s global proliferation. Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates. In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.

Figure 2: Diagram from purported NSO Group Pegasus documentation showing the range of information gathered from a device infected with Pegasus.

Pegasus exploit links and C&C servers use HTTPS, which requires operators to register and maintain domain names.