“When we found the No. 10 case, my jaw dropped."
John Scott-Railton recalled after finding out on July 7, 2020 that Pegasus, the highly sophisticated flagship spyware of Israel's NSO Group, was used to infect a phone linked to the network at 10 Downing Street, the UK Prime Minister's home and office.
For years, the Citizen Lab, a specialized research group based at the University of Toronto where Scott-Railton works as a senior researcher, has been investigating Pegasus and its misuse by governments—usually authoritarian ones—who bought the spyware from NSO.
The Pegasus infection at Downing Street was unearthed in The New Yorker article entitled "How democracies spy on their citizens," an investigative look at governments’ use of Pegasus. A UK official confirmed the network had been compromised.
The National Cyber Security Centre (NCSC), a British intelligence body, painstakingly but thoroughly tested phones at Downing Street, including Boris Johnson’s, the current UK Prime Minister. However, they were unable to identify the infected device.
Based on the servers this device was said to phone back to, the United Arab Emirates (UAE) may be behind the hacking and spying against Downing Street.
"I'd thought that the US, UK, and other top-tier cyber powers were moving slowly on Pegasus because it wasn’t a direct threat to their national security," Scott-Railton was quoted saying, "I realized I was mistaken: even the UK was underestimating the threat from Pegasus, and had just been spectacularly burned."
Citizen Lab further revealed that phones connected to the Foreign Office, pre- and post-merger, were hacked via Pegasus on at least five more occasions. Again, based on destination servers, the UAE, India, and Cyprus were named potential instigators.
The UAE’s link to the hack only deepened after a British court revealed that Pegasus was used to spy on Princess Haya, former wife of current Prime Minister of Dubai Sheikh Mohammed bin Rashid al-Maktoum. The Sheikh was in a custody dispute with Haya, who fled to the UK with her children. Pegasus was also found to have been used to target Haya’s British attorneys.
David Ruiz, senior privacy advocate, spoke at length about Princess Haya's case—and other Pegasus infections—in an earlier episode of the Malwarebytes podcast Lock and Code, which can be listened to in full here.
After an alert reached the NSO Group regarding the use of Pegasus against Princess Haya, the UAE shut down its spyware system, and NSO announced that its software would no longer target UK phone numbers the same way it has avoided targeting US numbers.
Goodbye, Pegasus. Hello, Maestro?
NSO consistently touted Pegasus as an aid to law enforcement in combating criminal organizations and terrorists. The New Yorker article and many others, however, only detail harrowing accounts of abuse: from hacking government officials’s phones via a WhatsApp zero-day exploit to tracking Loujain al-Hathloul, a women’s rights activist in Saudi Arabia. Her iPhone could easily have been patient zero to a vulnerability that bypasses Apple’s BlastDoor security feature using a malformed PDF.
As Pegasus has become publicly scrutinized, NSO Group has expanded its product line. This latest release is called Maestro, an AI tool that "scrutinizes surveillance data, builds models of individuals' relationships and schedules, and alerts law enforcement to variations of routine that might be harbingers of crime." One of product’s designers was quoted saying, "Turning every life pattern into a mathematical vector."
NSO Group revealed that a handful of countries already use Maestro. Perhaps it’s only a matter of time for Maestro to become another controversy like Pegasus, and one that groups like Citizen Lab will investigate and reveal its potential dangers to the world.