SOC Incident Toolkit
The Pegasus Project

Pegasus, NSO

The Pegasus Project is a collaborative investigation into NSO Group, an Israeli “cyber intelligence” company that sells sophisticated spyware to governments around the world.

Indicators of Compromise

Domains (1441)


IPv4 (6)


APT Groups

Stealth Falcon

United Arab Emirates

Notes

Pegasus is a hacking program, or spyware, which is developed, sold and licensed to governments around the world by the Israeli company NSO Group. It is capable of infecting billions of phones running the iOS or Android operating systems.

The spyware can be installed on devices running certain versions of iOS, Apple's mobile operating system, as well as on some Android devices. Rather than being a single exploit, Pegasus is a suite of exploits that uses many vulnerabilities in the system. Infection vectors include clicking links, the Photos app, the Apple Music app, and iMessage. Some of the exploits Pegasus uses are zero-click: they run without any interaction from the victim. Once installed, Pegasus has been reported to be able to run arbitrary code; extract contacts, call logs, messages, photos, web browsing history and settings; and gather information from apps including, but not limited to, the communications apps iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype.

In April 2017, after a Lookout report, Google researchers discovered Android malware "believed to be created by NSO Group Technologies" and named it Chrysaor (Pegasus' brother in Greek mythology). According to Google, "Chrysaor is believed to be related to the Pegasus spyware". At the 2017 Security Analyst Summit held by Kaspersky Lab, researchers revealed that Pegasus was available for Android in addition to iOS. Its functionality is similar to the iOS version, but the mode of attack is different. The Android version tries to gain root access (similar to jailbreaking on iOS); if that fails, it asks the user for permissions that enable it to harvest at least some data. At the time, Google said that only a few Android devices had been infected.

Pegasus hides itself as far as possible and self-destructs, in an attempt to eliminate evidence, if it is unable to communicate with its command-and-control server for more than 60 days, or if it finds itself on the wrong device. Pegasus can also self-destruct on command. If it is not possible to compromise a target device by simpler means, Pegasus can be installed by setting up a wireless transceiver near the target device, or by gaining physical access to the device.

A leaked list of more than 50,000 telephone numbers, believed to have been identified as those of people of interest by NSO clients since 2016, became available to the Paris-based media nonprofit Forbidden Stories and to Amnesty International. They shared the information with seventeen news media organisations in what has been called the Pegasus Project, and a months-long investigation was carried out, which reported from mid-July 2021. The Pegasus Project involved 80 journalists from the media partners, including The Guardian (UK), Radio France and Le Monde (France), Die Zeit and Süddeutsche Zeitung (Germany), The Washington Post (United States), Haaretz (Israel), Aristegui Noticias and Proceso (Mexico), the Organized Crime and Corruption Reporting Project, Knack, Le Soir, The Wire, Daraj, Direkt36 (Hungary), and Frontline. Evidence was found that many phones with numbers in the list had been targets of Pegasus spyware. However, the CEO of NSO Group categorically claimed that the list in question is unrelated to the company and that the source of the allegations cannot be verified as reliable: "This is an attempt to build something on a crazy lack of information... There is something fundamentally wrong with this investigation".

French intelligence (ANSSI) confirmed that Pegasus spyware had been found on the phones of three journalists, including a journalist of France 24, the first time an independent and official authority had corroborated the findings of the investigation.

On 26 January 2022, reports revealed that the mobile phones of Lama Fakih, a US-Lebanese citizen and director of crisis and conflict at Human Rights Watch, had been repeatedly hacked by a client of NSO Group at a time when she was investigating the catastrophic August 2020 explosion that killed more than 200 people in Beirut.

In July 2021, a joint investigation conducted by seventeen media organisations revealed that Pegasus spyware had been used to target and spy on heads of state, activists, journalists, and dissidents, enabling "human rights violations around the world on a massive scale". The investigation was launched after a leak of 50,000 phone numbers of potential surveillance targets. Amnesty International carried out forensic analysis of the mobile phones of potential targets. The investigation identified 11 countries as NSO clients: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates. It also revealed that journalists from multiple media organisations, including Al Jazeera, CNN, the Financial Times, the Associated Press, The New York Times, The Wall Street Journal, Bloomberg News and Le Monde, were targeted, and identified at least 180 journalists from 20 countries who were selected for targeting with NSO spyware between 2016 and June 2021.

Mitigation

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566 | Phishing |
| Execution | T1203 | Exploitation for Client Execution |
| Persistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking |
| Privilege Escalation | T1574 | Hijack Execution Flow |
| Defense Evasion | T1574 | Hijack Execution Flow |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1055 | Process Injection |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Credential Access | T1539 | Steal Web Session Cookie |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |

Technique IDs refer to the MITRE ATT&CK knowledge base (https://attack.mitre.org/techniques/).