The Pegasus Project, a coordinated investigative-journalism effort led by Forbidden Stories with technical support from Amnesty International's Security Lab and Citizen Lab at the University of Toronto, has been publishing findings since the 18th of July (forbiddenstories.org/case/the-pegasus-project, amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus). The project's central evidence is a list of approximately 50,000 phone numbers identified as targets of NSO Group's Pegasus mobile-implant tooling between 2016 and 2021, with forensic analysis of devices belonging to a substantial subset of the listed individuals confirming actual deployment of the implant against many of them.
The targeting population is the part of the disclosure that has produced sustained political response. The list includes journalists at major international news organisations (the Washington Post, the New York Times, Le Monde, the Guardian, the Wire, and many others), human-rights advocates (including identifiable activists in Mexico, India, Saudi Arabia, the United Arab Emirates, and other jurisdictions), political opposition figures (across multiple countries), and senior government and political leaders (including, on the public reporting, several heads of state). The targeting of journalists in particular includes figures whose subsequent murder or imprisonment is connected to the targeting through the documented investigative work, most notably the circle of contacts around Jamal Khashoggi, whose targeting is documented in the case-study material.
The technical content of the Amnesty Security Lab forensic methodology is the operational contribution that the security-research community has been building toward for several years. The mobile-implant detection methodology (examining iOS and Android devices for the specific artefacts that Pegasus deployment leaves behind) and the indicator-of-compromise content that the Amnesty team has published alongside its Mobile Verification Toolkit (MVT, on GitHub) together form the most substantive public methodology for detecting commercial-offensive-market implants on consumer mobile devices. The methodology is open-sourced and has already produced follow-on detection work by other research groups across the global civil-society ecosystem.
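To make the detection approach concrete, the following is an added example (not code from MVT, Amnesty, or Citizen Lab) of the core loop such a toolkit runs: parse an indicator bundle in the STIX 2 format that MVT accepts, then match each parsed indicator against normalised records extracted from a device. The bundle, the indicator values and the device records below are all constructed placeholders; the domain, process and file names are not real Pegasus indicators. The record shape (one dict per observation with a `source` key) and the `RECORD_KEY` mapping are assumptions of this example, and only the simple `[object:property = 'value']` pattern form is parsed.

```python
from __future__ import annotations

import json
import os
import re
from dataclasses import dataclass

# Constructed STIX 2 bundle with PLACEHOLDER indicators. None of these are real
# Pegasus IoCs; only the shape mirrors the STIX 2 indicator format MVT consumes.
SAMPLE_STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update-check.example.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed process name", "pattern_type": "stix",
         "pattern": "[process:name = 'fakeprocess_d']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "constructed file name", "pattern_type": "stix",
         "pattern": "[file:name = 'suspicious.plist']"},
        # Compound pattern: deliberately NOT handled by this simple parser.
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "constructed compound", "pattern_type": "stix",
         "pattern": "[file:name = 'a.plist' AND file:size > 100]"},
        # Non-indicator object: must be ignored.
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000006",
         "name": "constructed malware entry", "is_family": True},
    ],
})

# Only the single-comparison form "[object:property = 'value']" is parsed.
_SIMPLE_PATTERN = re.compile(
    r"^\[(?P<obj>[a-z0-9-]+):(?P<prop>[a-z0-9_.]+)\s*=\s*'(?P<val>[^']*)'\]$"
)


def parse_indicators(bundle_json: str) -> dict[str, set[str]]:
    """Return {stix_object_type: {lower-cased values}} from a STIX 2 bundle.

    Compound patterns (AND/OR, non-equality comparisons) are skipped; a
    production tool needs a full STIX pattern evaluator for those.
    """
    indicators: dict[str, set[str]] = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not m:
            continue
        indicators.setdefault(m["obj"], set()).add(m["val"].lower())
    return indicators


# Constructed device records, in the normalised shape a backup or sysdiagnose
# triage might produce: one dict per observation (assumed layout).
SAMPLE_RECORDS = [
    {"source": "dns_cache", "domain": "cdn.example.invalid"},
    {"source": "dns_cache", "domain": "UPDATE-CHECK.example.invalid"},
    {"source": "dns_cache", "domain": "a.update-check.example.invalid"},
    {"source": "processes", "process": "mediaserverd"},
    {"source": "processes", "process": "fakeprocess_d"},
    {"source": "manifest", "path": "Library/Preferences/com.example.plist"},
    {"source": "manifest", "path": "Library/Caches/suspicious.plist"},
]

# Which record key carries the observable for each STIX object type (assumed).
RECORD_KEY = {"domain-name": "domain", "process": "process", "file": "path"}


@dataclass(frozen=True)
class Detection:
    record_index: int
    source: str
    object_type: str
    indicator: str
    observed: str


def _matches(object_type: str, observed: str, ioc: str) -> bool:
    """Type-aware comparison: domains hit on the exact host or any subdomain,
    files hit on basename, everything else is an exact case-insensitive match."""
    o = observed.lower()
    if object_type == "domain-name":
        return o == ioc or o.endswith("." + ioc)
    if object_type == "file":
        return os.path.basename(o) == ioc
    return o == ioc


def triage(bundle_json: str, records: list[dict]) -> list[Detection]:
    """Match every record against every parsed indicator; return all hits in record order."""
    indicators = parse_indicators(bundle_json)
    hits: list[Detection] = []
    for idx, rec in enumerate(records):
        for object_type, values in indicators.items():
            observed = rec.get(RECORD_KEY.get(object_type, ""))
            if observed is None:
                continue
            for ioc in sorted(values):
                if _matches(object_type, observed, ioc):
                    hits.append(Detection(idx, rec["source"], object_type, ioc, observed))
    return hits


if __name__ == "__main__":
    for d in triage(SAMPLE_STIX_BUNDLE, SAMPLE_RECORDS):
        print(f"record {d.record_index} ({d.source}): {d.object_type} "
              f"{d.observed!r} matched indicator {d.indicator!r}")
```

Two design points matter in practice. Matching is type-aware: a domain indicator should also catch subdomains and a file indicator should match on basename regardless of the directory it was found in, or real hits get missed. And the parser is deliberately conservative, skipping any pattern it does not fully understand rather than guessing, so that a partial match of a compound pattern never produces a false positive on a device that is then reported as compromised.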
The commercial-offensive-market accountability conversation has shifted substantively this week. NSO Group's commercial model — selling Pegasus to government customers under contractual restrictions that, on the documented evidence, are not operationally enforced — is now under sustained political and regulatory pressure of a kind that previous documentation efforts have not produced. The US Commerce Department's addition of NSO Group to the Entity List in November 2021 (post-dated for the file's continuity, but part of the political response chain that the July disclosure started) is a concrete regulatory action that the previous several years' research disclosures had not achieved. The litigation environment around NSO Group — Apple's lawsuit against NSO in November 2021, WhatsApp's continuing litigation from 2019, and various national-security-driven investigations across multiple jurisdictions — makes for a markedly more difficult operating environment for the company.
For the customer-organisation conversations, the Pegasus Project has produced several specific threads. First, the executive-protection question that the WhatsApp / Pegasus disclosure of May 2019 raised has been compounded — the targeting demonstrated against high-profile individuals across multiple sectors makes the executive-mobile-device-protection conversation more concrete. The defensive measures available remain limited (keep mobile OSes patched, prefer hardware-token-based MFA, segregate executive communications onto dedicated devices, accept that consumer-grade mobile-device security is not adequate against this threat model) but the customer-organisation engagement with the conversation is more substantive than at any previous point. Second, the broader threat-model conversation about commercial-offensive-market capability against ordinary consumer infrastructure is being raised at customer-organisation board level in ways that previous research disclosures had not produced.
The wider ethical and policy conversation is going to continue developing for several years. The international export-control framework for cyber-surveillance products — the Wassenaar Arrangement amendments of 2013 and subsequent updates — is the principal regulatory mechanism, and the Pegasus Project demonstrates the operational gap between the framework's intent and its actual enforcement. The legislative output across multiple jurisdictions over the next several years will, in part, be shaped by the Project's documentation.
I will return to this. The longer-form essay on the commercial-offensive-market structure — which I have been not-quite-writing since the Hacking Team leak in 2015 — has gained additional material from this week and may, finally, be drafted in 2022.