Thai activists involved in the country’s pro-democracy protests have had their smartphones infected with NSO Group’s infamous Pegasus government-sponsored spyware.
At least 30 individuals, spanning activists, academics, lawyers, and NGO workers, are believed to have been targeted between October 2020 and November 2021, many of whom have been previously detained, arrested and imprisoned for their political activities or criticism of the government.
“The timing of the infections is highly relevant to specific political events in Thailand, as well as specific actions by the Thai justice system,” the Citizen Lab said in a Sunday report. “In many cases, for example, infections occurred slightly before protests and other political activities by the victims.”
The findings are the result of threat notifications sent by Apple last November to alert users it believes have been targeted by state-sponsored attackers.
The attacks entailed the use of two zero-click exploits — KISMET and FORCEDENTRY — to compromise the victims’ phones and deploy Pegasus, a spyware that’s capable of intercepting calls and texts as well as amassing other information stored in a phone. It can also turn it into a remote listening device.
Google Project Zero researchers have described the iOS zero-click attacks as “a weapon against which there is no defense,” adding “there is no way to prevent exploitation by a zero-click exploit.”
The earliest cases of infections using the KISMET exploit occurred in October 2020 against out-of-date iPhones, with the FORCEDENTRY exploit deployed against Apple devices running iOS versions 14.4, 14.6, and 14.7.1 starting in February 2021.
It’s worth pointing out that Apple fixed KISMET in iOS 14 with what’s called the BlastDoor sandbox system. FORCEDENTRY was patched by the tech giant in September 2021 with iOS 14.8.
Apple, earlier this month, also announced that it’s architecting a new security measure called Lockdown Mode to counteract mercenary spyware and safeguard high-risk users against “highly targeted cyberattacks.”
Citizen Lab noted that there is currently at least one Pegasus customer active in Thailand, although it’s not immediately known if it’s connected to a specific government agency.
NSO has long claimed that its spyware is used by government clients to tackle serious crime, but evidence gathered so far has pointed to repeated instances of abuse of the surveillance tool to snoop on members of the civil society. The Israeli firm has since been blocklisted by the U.S.
“The hacking points to a sophisticated understanding of non-public elements of the Thai activist community, including funding and roles of specific individuals,” Citizen Lab researchers said.
“This finding is part of a broader trend seen in Thailand where the government has been engaged in increased efforts to monitor or control information since the 2014 coup.”
The development also comes as Amnesty International reiterated that the lack of a global moratorium on the sale of spyware is enabling the surveillance industry to function unchecked.
“We can now officially add Thailand to the growing list of countries where people peacefully calling for change, expressing an opinion, or discussing government policies may trigger invasive surveillance with a profound toll on an individual’s freedom of expression, privacy, and sense of security,” said Amnesty International’s Etienne Maynier.