Researchers say Thai pro-democracy activists, rich foreignness residents, hit by Pegasus spyware
Cybersecurity researchers reported details Monday of cases where Thai activists involved in the country’s pro-democracy protests as well as rich foreign investors and foreign residents had their cell phones or other devices infected and attacked with government-sponsored spyware.
Investigators of the internet watchdog groups Citizen Lab, Thailand’s Internet Law Reform Dialogue, or iLaw, and Digital Reach said at least 30 individuals — including activists, scholars and people working with civil society groups — were targeted by an unnamed government entity or entities for surveillance with Pegasus, a spyware produced by the Israeli-based cybersecurity company NSO Group.
The reports from the two groups named many of those targeted, confirming earlier reports of the surveillance, which John Scott-Railton of Citizen Lab said shows that governments are exploiting their ability to buy technologies designed to fight crime and terrorism to spy on critics and other private citizens.
“Citizen Lab believes there is a fundamental challenge for civil society,” John Scott-Railton of Citizen Lab said in an online presentation at a briefing in Bangkok.
The attacks on the individuals’ devices spanned from Oct. 2020 to Nov. 2021, a timing “highly relevant to specific Thai political events” since they took place over the period of time when pro-democracy protests erupted across the country.
But Scott-Railton said Citizen Lab, which exposes digital espionage campaigns and insecure software, believed there was still an active Pegasus operator in Thailand.
Those whose devices were attacked were either involved in the protests in 2020-2021, or were publicly critical of the Thai monarchy. Lawyers who defended the activists also were under such digital surveillance, the researchers said.
The Pegasus spyware is known for “zero-click exploits,” which means it can be installed remotely onto a target’s phone without the target having to click any links or download software.
The spyware can obtain any data on the devices, including contact lists and group chats, making it highly effective against political groups and movements, Scott-Railton said.
NSO Group’s products, including the Pegasus software, are typically licensed only to government intelligence and law enforcement agencies to investigate terrorism and serious crime, according to the company’s website. Citizen Lab and other cyber security researchers have tracked the spyware to 45 countries.
In a separate report Monday, the human rights group Amnesty International reiterated its call for a global moratorium on the sale of spyware.
“The unlawful targeted surveillance of human rights defenders and civil society is a tool of repression. It is time to clamp down on this industry that continues to operate in the shadows,” Amnesty Tech’s deputy director Danna Ingleton said in a statement.
The company has rejected accusations that its snooping software helped lead to the killing of Saudi journalist Jamal Khashoggi, perhaps the highest-profile case so far. It maintains that its sales undergo a rigorous ethical vetting process and that Pegasus spyware is sold to governments only for security purposes.
In November, the U.S. government blacklisted NSO Group and Apple sued it and notified Pegasus victims. Facebook has sued NSO Group over the use of a somewhat similar exploit that allegedly intruded via its globally popular encrypted WhatsApp messaging app.
The reports by Citizen Lab and iLaw do not accuse any specific government actor but say the use of Pegasus indicates the presence of a government operator. When news that dissidents had been targeted first surfaced in November 2021, the government denied the allegations.
Apple said it sought a permanent injunction to ban NSO Group from using any Apple software, services or devices to “to prevent further abuse and harm to its users.”
Apple’s notifications to customers of spyware infections are a crucial part of a defense strategy against such digital surveillance, Scott-Railton said.
“Apple did something remarkable by notifying the recipients of this suspected targeting. If you look at the infection online, it stopped after Apple’s notification,” he said. “It was a very consequential thing.”
The cybersecurity experts said that turning off and restarting a device can break the spyware’s digital connection. Security updates also have helped to close the loopholes such attackers exploit.
“Layering up defenses on devices is very important,” Scott-Railton said. “Anything is better than nothing.”
But the spyware is constantly being updated and it is designed to be difficult to spot, facilitating surveillance by governments that have found it a useful tool for suppressing dissent.
Thailand’s student-led pro-democracy movement ramped up activities in 2020, largely in reaction to the continuing influence of the military in government and hyper-royalist sentiment.
The movement was able to attract crowds of as many as 20,000-30,000 people in Bangkok in 2020 and had followings in major cities and universities.
“There is longstanding evidence showing Pegasus presence in Thailand, indicating that the government would likely have had access to Pegasus during the period in question,” researchers said in the report. The over 30 individuals targeted were also “of intense interest to the Thai government.”
The army in 2014 overthrew an elected government, and Prayuth Chan-ocha, the coup leader, was named prime minister after a 2019 general election put in power a military-backed political party. Protesters have campaigned for Prayuth and his government to step down and demanded reforms to make the monarchy more accountable and to amend the constitution to make it more democratic.
The reports from the two groups named many of those targeted, confirming earlier reports of the surveillance, which John Scott-Railton of Citizen Lab said shows that governments are exploiting their ability to buy technologies designed to fight crime and terrorism to spy on critics and other private citizens.
“Citizen Lab believes there is a fundamental challenge for civil society,” John Scott-Railton of Citizen Lab said in an online presentation at a briefing in Bangkok.
The attacks on the individuals’ devices spanned from Oct. 2020 to Nov. 2021, a timing “highly relevant to specific Thai political events” since they took place over the period of time when pro-democracy protests erupted across the country.
But Scott-Railton said Citizen Lab, which exposes digital espionage campaigns and insecure software, believed there was still an active Pegasus operator in Thailand.
Those whose devices were attacked were either involved in the protests in 2020-2021, or were publicly critical of the Thai monarchy. Lawyers who defended the activists also were under such digital surveillance, the researchers said.
The Pegasus spyware is known for “zero-click exploits,” which means it can be installed remotely onto a target’s phone without the target having to click any links or download software.
The spyware can obtain any data on the devices, including contact lists and group chats, making it highly effective against political groups and movements, Scott-Railton said.
NSO Group’s products, including the Pegasus software, are typically licensed only to government intelligence and law enforcement agencies to investigate terrorism and serious crime, according to the company’s website. Citizen Lab and other cyber security researchers have tracked the spyware to 45 countries.
In a separate report Monday, the human rights group Amnesty International reiterated its call for a global moratorium on the sale of spyware.
“The unlawful targeted surveillance of human rights defenders and civil society is a tool of repression. It is time to clamp down on this industry that continues to operate in the shadows,” Amnesty Tech’s deputy director Danna Ingleton said in a statement.
The company has rejected accusations that its snooping software helped lead to the killing of Saudi journalist Jamal Khashoggi, perhaps the highest-profile case so far. It maintains that its sales undergo a rigorous ethical vetting process and that Pegasus spyware is sold to governments only for security purposes.
In November, the U.S. government blacklisted NSO Group and Apple sued it and notified Pegasus victims. Facebook has sued NSO Group over the use of a somewhat similar exploit that allegedly intruded via its globally popular encrypted WhatsApp messaging app.
The reports by Citizen Lab and iLaw do not accuse any specific government actor but say the use of Pegasus indicates the presence of a government operator. When news that dissidents had been targeted first surfaced in November 2021, the government denied the allegations.
Apple said it sought a permanent injunction to ban NSO Group from using any Apple software, services or devices to “to prevent further abuse and harm to its users.”
Apple’s notifications to customers of spyware infections are a crucial part of a defense strategy against such digital surveillance, Scott-Railton said.
“Apple did something remarkable by notifying the recipients of this suspected targeting. If you look at the infection online, it stopped after Apple’s notification,” he said. “It was a very consequential thing.”
The cybersecurity experts said that turning off and restarting a device can break the spyware’s digital connection. Security updates also have helped to close the loopholes such attackers exploit.
“Layering up defenses on devices is very important,” Scott-Railton said. “Anything is better than nothing.”
But the spyware is constantly being updated and it is designed to be difficult to spot, facilitating surveillance by governments that have found it a useful tool for suppressing dissent.
Thailand’s student-led pro-democracy movement ramped up activities in 2020, largely in reaction to the continuing influence of the military in government and hyper-royalist sentiment.
The movement was able to attract crowds of as many as 20,000-30,000 people in Bangkok in 2020 and had followings in major cities and universities.
“There is longstanding evidence showing Pegasus presence in Thailand, indicating that the government would likely have had access to Pegasus during the period in question,” researchers said in the report. The over 30 individuals targeted were also “of intense interest to the Thai government.”
The army in 2014 overthrew an elected government, and Prayuth Chan-ocha, the coup leader, was named prime minister after a 2019 general election put in power a military-backed political party. Protesters have campaigned for Prayuth and his government to step down and demanded reforms to make the monarchy more accountable and to amend the constitution to make it more democratic.
