Press release: New Citizen Lab report tracks NSO Group’s Pegasus spyware to operations in 45 countries

Toronto, Canada (18 September, 2018) -- In a new report released today by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy, researchers have identified 45 countries where operators of NSO Group’s Pegasus spyware may be conducting operations. This research includes two novel techniques used to identify servers where Pegasus is present and builds on mounting evidence of NSO’s products being used by countries around the world, some of which have concerning histories of human rights abuses.

Between August 2016 and August 2018, researchers scanned the Internet for servers associated with Israeli-based NSO Group’s Pegasus spyware. They found 1,091 IP addresses that matched a fingerprint developed to identify Pegasus and discovered 1,014 domain names that pointed to them. They further developed and used Athena, a novel technique to cluster some of the matches into 36 distinct Pegasus systems, each one of which appears to be run by a separate operator.

They then designed and conducted an innovative global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. The technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. Of particular significance, at least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.

“Our findings show an alarming proliferation of the most sophisticated and stealthy surveillance tools to some of the world’s most repressive regimes,” says Bill Marczak, Citizen Lab Senior Research Fellow and report author. “While spyware can be used to fight crime and terrorism, it is likely that some of the governments we identify are more interested in fighting those who tell truth to power.”

At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.

The report further demonstrates that Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, researchers found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.

This reports adds to the emerging picture being painted of the worldwide proliferation of commercial spyware. While purportedly sold under the justification of assisting in law enforcement or national security investigations, research demonstrates that the targets are often political dissidents, journalists, and civil society organizations. 

Additionally, growing evidence demonstrates that export controls are weak, flawed, or in some cases non existent. As a consequence, there is little disincentive for the companies to control the abuse of their technology. Although the Israeli government has claimed it has strong export controls in this area, Citizen Lab research and other reporting shows clearly there are major gaps.

“It is ultimately up to Israeli policymakers, and Israeli citizens, to determine whether the continued harms caused by the abuse of commercial spyware that we document warrant new and more stringent export controls,” says Citizen Lab Founder and Director Ronald Deibert. “We believe they do.”

For Media Inquiries

Guide on Citing in Media