Pegasus Spyware Used to Hack Devices of Pro-Democratic Activists in Thailand — The Hacker News


Thai activists involved in the country’s pro-democracy protests have had their smartphones infected with the infamous Pegasus government-sponsored spyware from the NSO Group.

Between October 2020 and November 2021, at least 30 individuals, including activists, academics, lawyers and NGO workers, are believed to have been targeted, many of whom have previously been detained, arrested and imprisoned for their political activities or criticism of the government.

“The timing of the infections is highly relevant to specific political events in Thailand, as well as to specific actions by the Thai justice system,” the Citizen Lab said in a Sunday message. “In many cases, for example, infections occurred just before protests and other political activities of the victims.”

The findings are the result of threat alerts Apple sent out last November to warn users it believes are being targeted by state-sponsored attackers.

The attacks involve using two zero-click exploits – KISMET and FORCEDENTRY – to compromise victims’ phones and deploy Pegasus, a spyware capable of intercepting calls, text messages and other information stored on a phone. It can also turn the phone into a remote listening device.

Researchers at Google Project Zero have described the iOS zero-click attacks as “a weapon against which there is no defense”, adding “there is no way to prevent exploitation by a zero-click exploit.”

The first cases of infections using the KISMET exploit occurred in October 2020 against outdated iPhones, with the FORCEDENTRY exploit being deployed against Apple devices running iOS versions 14.4, 14.6 and 14.7.1 as of February 2021.

It’s worth pointing out that Apple fixed KISMET in iOS 14 with what’s called the BlastDoor sandbox system. FORCEDENTRY was patched by the tech giant with iOS 14.8 in September 2021.

Apple also announced earlier this month that it is designing a new security measure called Lockdown Mode to counter mercenary spyware and protect high-risk users from “highly targeted cyberattacks”.

Citizen Lab noted that at least one Pegasus customer is currently operating in Thailand, although it is not immediately known if it is affiliated with any specific government agency.

NSO has long claimed that its spyware is used by government customers to target serious crime, but evidence gathered so far points to repeated abuses of the surveillance tool to eavesdrop on members of civil society. The Israeli company has since been blocked by the US

“The hacking points to a sophisticated understanding of non-public elements of the Thai activist community, including funding and roles of specific individuals,” Citizen Lab researchers said.

“This finding is part of a broader trend in Thailand, where the government has stepped up its efforts to monitor or control information since the 2014 coup.”

The development also comes as Amnesty International repeated that the lack of a global moratorium on the sale of spyware allows the surveillance industry to operate unchecked.

“We can now officially add Thailand to the growing list of countries where people peacefully requesting change, expressing opinions or discussing government policies can cause invasive surveillance with a heavy toll on freedom of expression, privacy and sense of security of an individual,” said Etienne Maynier of Amnesty International.