Journalists, lawyers and human rights activists in the Middle Eastern nation of Jordan face increased surveillance by the controversial spyware app Pegasus, with nearly three dozen civilians targeted in the past four years.
According to a published analysis by digital rights group Access Now, a total of 16 journalists and media workers, eight human rights lawyers and 11 other members of human rights groups and non-governmental organizations (NGOs) were targeted by attackers sponsored by the state (the report implied it was the Jordanian government itself) using the Pegasus rootkit and surveillance tool, the investigation found.
Although the investigation began in 2021, the actual attacks began in 2019, with 30 victims discovered by Access Now and Citizen Lab, part of the University of Toronto’s Munk School of Global Affairs and Public Policy, while another five victims were discovered by Human Rights Watch, Amnesty International and the Organized Crime and Corruption Reporting Project (OCCRP).
Spyware used to intimidate and dissuade
Using surveillance tools to intercept and track the activities of journalists and lawyers undermines free society, Access Now warns.
“Surveillance technologies and cyber weapons such as NSO Group’s Pegasus spyware are used to target human rights defenders and journalists, to intimidate and dissuade them from their work, to infiltrate their networks, and to gather information for use against others goals,” Access Now said in its report. “Targeted surveillance of individuals violates their rights to privacy, freedom of expression, association and peaceful assembly.”
The surveillance revelations come as the Jordanian government is cracking down on cybercrime, amending its statutes with a new law in 2023 that critics say is overly vague and ripe for abuse. Specific articles prohibit speech that promotes or incites “immorality”, demonstrates a “contempt for religion” or “undermines national unity” according to reports.
The law has received criticism from the Office of the United Nations High Commissioner for Human Rights AND non-governmental organizations in the region.
These individuals are the latest to be targeted by governments with NSO Group’s surveillance software. In September, for example, the Pegasus spyware was launched discovered on the phone of a Russian journalist in exile, apparently installed with a zero-click exploit (requiring no user action). In December 2022, a group of nearly two dozen journalists in El Salvador sued NSO Group for its role in the surveillance of journalists.
Governments are using the software to target critics and activists without due process, says Ilia Kolochenko, founder of ImmuniWeb, a penetration testing services provider.
“Journalists and lawyers are commonly protected from overly intrusive investigations by virtue of criminal procedure or other legislation that was not specifically designed to offer robust protection from cyber investigations,” he says, adding: “The Middle East traditionally had less legislation relating to privacy; however, now the situation [is] changing rapidly.”
Pegasus enters multiple markets
In 2016, Citizen Lab and mobile security firm Lookout published an analysis of Pegasus spyware, which targeted iOS devices. A year later, Lookout partnered with Google release an analysis of the Android version. Since then, Israel-based NSO Group has continued to find ways to install its surveillance software on the devices of targeted individuals, sometimes requiring social engineering and other times without any user activity.
In the latest case, both types of attacks occurred, according to Access Now.
“The Pegasus victims we discovered were targeted with both zero-click and one-click attacks,” Access Now said in its report. “We also observed sophisticated social engineering attacks that delivered malicious links to victims via WhatsApp and SMS. In some cases, the perpetrators posed as journalists, seeking a media interview or quote from the targeted victims, while embedding Malicious links to Pegasus spyware in and between their messages.”
In January 2022, Access Now and Front Line Defenders first discovered that Pegasus was being used to hack Jordanian citizens, and by April 2022 the groups had detected at least five lawyers and journalists.
The NSO Group has neither confirmed nor denied Access Now’s findings.
“Due to regulatory and contractual constraints, NSO Group cannot confirm or deny who its government customers are,” a company spokesperson says. “The company sells only to vetted and authorized law enforcement and intelligence agencies for the purpose of investigating and preventing serious crimes and terrorism.”
Policies are needed, but technology can help
This was underlined by the spokesperson of the NSO Group its 2023 Transparency and Accountability Report to highlight its criteria in allowing the sale of software to governments of specific nations.
“We help government intelligence and law enforcement legally address their most pressing national and public security issues,” the report says, pointing to the terrorist attacks on Israel by Hamas as an example of the type of incident that company is trying to prevent. “Cyber intelligence technology is a critical tool for preventing and investigating terrorism and serious crime, and thereby protecting individuals’ fundamental rights to life, liberty and security.”
In most cases, a better policy is needed to curb the use of spyware and exploits against individual users. The targeting of journalists, lawyers and activists for exercising free speech shows that further protections need to be put in place, says ImmuniWeb’s Kolochenko.
“It’s a cat-and-mouse game: Privacy technologies will continually improve, but cybersecurity experts or hackers will continually bypass them,” he says. “I would prefer to implement protection at the legislative level, ensuring transparent and efficient oversight of cyber operations by law enforcement agencies that would protect confidential investigation information and ensure due process.”
Even though the NSO Group has found a way to… and purchased exploits on secondary markets — To bypass smartphone and computer defenses, keeping devices updated and remaining vigilant about links and attachments can make devices much harder to compromise, he says.