- Pegasus: The story of the world's most dangerous spyware, by Laurent Richard & Sandrine Rigaud. Macmillan, $36.99.
The messy divorce between Mohammed bin Rashid Al Maktoum, the Vice President and Prime Minister of the United Arab Emirates, and his then wife, Princess Haya bint Hussein, was notable for many reasons, not least of which was the staggering £540 million settlement the sheikh was ordered to pay in 2021. However, there was one particular detail that elevated the case from Tatler-type fodder to a story of international significance.
During the bitter custody battle for the couple's two children, it emerged that mobile phones belonging to the princess, her lawyer Baroness Fiona Shackleton, and four other people within their circle had been attacked by Pegasus, the world's most sophisticated cybersurveillance system. Or should I say, the most sophisticated cybersurveillance system we know of? The judge presiding over the case in the Family Division of the UK's High Court determined that it was likely the surveillance was carried out by servants or agents of the sheikh, and that it occurred with the sheik's "express or implied authority".
At the time, not much was known about Pegasus outside cybersecurity circles, where there was growing concern about the rise of the for-profit "Intrusion as a Service" industry. That all changed in 2020 with the coverage of the sheik's divorce and, more significantly, the contemporaneous leak of some 50,000 phone numbers to Forbidden Stories, a Paris-based not-for-profit.
Founded by the investigative reporter Laurent Richard, Forbidden Stories is a network of journalists dedicated to publishing stories by reporters facing threats, imprisonment and murder. As Richard puts it in Pegasus: The Story of the World's Most Dangerous Spyware, Forbidden Stories is on a mission to put "bad actors and repugnant governments on notice that killing the messenger will not kill the message". Pegasus is the story of the network's most ambitious endeavour to date, The Pegasus Project.
Not long after being offered "the List", Richard and his colleague and co-author Sandrine Rigaud travelled to Berlin to meet with Claudio Guarnieri and Donncha Cearbhaill, two technologists with Amnesty International's Security Lab. It was a cloak-and-dagger stuff. Guarnieri asked that everyone shut down their devices and stow them in another room before he'd discuss their mind-blowing discovery: an extensive list of phone numbers from all over the world with time stamps going back five years. What was most shocking about the discovery was that amongst phone numbers belonging to criminals, drug lords and terrorists were numbers linked to businessmen, doctors and journalists. In fact, prior to the Berlin meeting, Guarnieri had identified more journalists on the list than anyone else.
Pegasus, which reads like a fine piece of longform journalism (as opposed to a book that only a diehard cybersecurity nerd could enjoy), charts Forbidden Stories' investigation of "the List". Richard and Rigaud take us to a climate-controlled Pegasus control room in Mexico, a gaudy hotel room in Budapest ("a disgusting interior, like a cheap rip-off of a Trump hotel"), a PR agency's Tel Aviv offices, and the Saudi consulate in Istanbul, scene of Jamal Khashoggi's assassination. Along the way, we not only discover how Pegasus works, we're also forced to confront the ethical questions posed by development and distribution of spyware that has proven to be highly prone to misuse.
If there's a key takeaway here, it's this: Pegasus is frighteningly easy to use and abuse. The spyware arrives without warning in the form of a text message. At least that's how Jose, the Mexican Pegasus terminal operator the authors convinced to talk on the record, said the early versions worked. The case of Ahmed Mansoor bears this out.
In 2016, Mansoor received a text promising information about torture in UAE prisons. The Emirati human rights activist sent the link to The Citizen Lab at the University of Toronto, where staff quickly learned the link would have jailbroken Mansoor's phone and silently installed Pegasus on it. Once installed, Pegasus would have given the attacker access to whatever was on Mansoor's phone - text messages, call logs, locations, passwords.
Today, Pegasus operates in complete stealth mode. The world's most notorious spyware uses "xero-click exploits", which allow users to gain access to a phone's data without any user interaction whatsoever. Who could resist the temptation to spy on one's critics, detractors and enemies with such ease? Evidently not the peeping Tom's on NSO's books.
It's impossible to say how and where and by whom Pegasus is being used at this very moment, but "the List" provides some clues. So too do NSO's repeated claims that Pegasus cannot be used to spy on phones with a +1 country code, and that it can only be used outside the U.S. Incidentally, those claims were rubbished by a New York Times report last year, which revealed the FBI had been testing Pegasus (only on foreign SIM cards, apparently) and was looking into the legality of using Phantom, another version of the infamous spyware.
What one can say with confidence is that Pegasus reveals a stark North-South divide. To put it more bluntly, NSO seems to prefer doing business with governments whose actions betray a casual disregard for democratic principles. And that alone is cause for concern.
