Late Sunday night, the Washington Post in collaboration with 16 other media organisations across 10 countries published an investigative article claiming that the Israeli Group's NSO leased their Pegasus spyware to various governments who tapped into the phones of social activists, journalists, business executives and politicians. This was titled the Pegasus Project.
In collaboration with the 17 media organisations, Amnesty International's Security Lab provided technical support, which examined some of the phones that were said to have been attacked by the Pegasus spyware.
Amnesty International has published a report with a full technical analysis showing how it tracked NSO Group's Pegasus spyware on phones.
Also Read | All you need to know about the Pegasus spyware
While the NSO Group has claimed that their spyware is used 'only to investigate terrorism and crime', and that 'it leaves no trace', the Amnesty report debunked both these points
When did it all start?
As per the report, Amnesty started looking for signs of malware in phones after its staffer and a Saudi activist, Yahya Assiri, were attacked with the malware in 2018. It was in 2019, that they discovered that the attack was occurring through the Safari browser on Apple phones. The browser history had some redirect links after attempts were made to visit websites like Yahoo. The redirect links were suspicious due to similar links in text messages that were documented in relation to Pegasus.
In October 2019, Amnesty detailed how it determined these redirections to be the result of network injection attacks performed either through tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator. When months later, the company analysed the iPhone of Moroccan independent journalist Omar Radi, who was also targeted, it found similar records involving the free247downloads[.]com domain as well.
In November 2019, a new domain urlpush[.]net was registered but it redirected to similar URLs. Infections were not only found in browser history but also, Safari’s Favicon.db database.
Other than browsers, it was discovered that these malwares were also functional when applications such as Twitter were being used. Previewing links on the Twitter timeline was also being redirected to the Safari browser.
"In addition, Safari’s Session Resource logs provide additional traces that do not consistently appear in Safari’s browsing history. It appears Safari does not record full redirect chains, and might only keep history records showing the final page that was loaded," the report said.
Other traces left behind by Pegasus
Amnesty International, Citizen Lab, and others have primarily attributed Pegasus spyware attacks based on the domain names and other network infrastructure used to deliver the attacks. However, forensic evidence left behind by the Pegasus spyware provides another independent way to attribute these attacks to NSO Group’s technology.
iOS maintains records of process executions and their respective network usage in two SQLite database files called “DataUsage.sqlite” and “netusage.sqlite” which are stored on the device. While the former is available in iTunes backup, the latter is not.
The examination of phones showed records of a suspicious process called “bh”. This “bh” process was observed on multiple occasions immediately following visits to Pegasus Installation domains. References to “bh” in the Pegasus iOS sample were also recovered from the 2018 attacks.
Amnesty assumes that this part of the NSO toolkit is called BridgeHead, which is likely the internal name assigned by NSO Group to this component of their toolkit.
iOS Photos
Additional cases were discovered where the "bh" process was yet again seen, but the attack vectors were completely different.
In one instance, a compromised phone showed "bh" processes being executed seconds after iOS Photos app was opened. After a successful exploitation, crash reporting was disabled.
Also Read | Uncorroborated theories: NSO on Pegasus report
Amnesty International was not able to capture payloads related this exploitation but suspects that the iOS Photos app or the Photostream service were used as part of an exploit chain to deploy Pegasus. The apps themselves may have been exploited or their functionality misused to deliver a more traditional JavaScript or browser exploit to the device.
iMessage and FaceTime
While SMS messages carrying malicious links were the tactic of choice for NSO Group’s customers between 2016 and 2018, in more recent years they appear to have become increasingly rare. From 2019 an increasing amount of vulnerabilities in iOS, especially iMessage and FaceTime, started getting patched thanks to their discoveries by vulnerability researchers, or to cybersecurity vendors reporting exploits discovered in-the-wild.
Amnesty's analysis of several devices showed that attacks in July 2021 were similar to those in 2019. It believes tahe Pegasus is attacking via zero-click exploits.
Several iPhones Amnesty International has inspected indicate that Pegasus has recently started to manipulate system databases and records on infected devices to hide its traces and and impede the research efforts of Amnesty International and other investigators. Although most recent records are now being deleted from these databases, traces of recent process executions can also be recovered also from additional diagnostic logs from the system.
While these were some of the ways Pegasus attacked the phones, there are many other ways it continues to seep into the phones such as through music apps and even disguised as pre-installed system apps.