Pegasus, the notorious government-sponsored spyware, has been installed on the cellphones of Thai activists taking part in the nation’s pro-democracy demonstrations. At least 30 people, including activists, professors, attorneys, and NGO employees, are believed to have been targeted between October 2020 and November 2021. Many of them had already been detained, jailed, and imprisoned for political activity or dissent against the government.
“The timing of the infections is highly relevant to specific political events in Thailand, as well as specific actions by the Thai justice system,” said the Citizen Lab. “In many cases, for example, infections occurred slightly before protests and other political activities by the victims.”
The findings stem from warnings Apple sent to users last November, telling them that it believed they had been targeted by state-sponsored attackers. Two zero-click vulnerabilities, KISMET and FORCEDENTRY, were used in the attacks to access the victims’ phones and install Pegasus. The spyware can collect chats and messages and gather other data kept on a phone. It can also turn the phone into a remote listening device.
The iOS zero-click attacks have been dubbed “a weapon against which there is no defense” by Google Project Zero researchers, who also stated that “there is no way to prevent exploitation by a zero-click exploit.” The KISMET vulnerability was first used to infect outdated iPhones in October 2020. Starting in February 2021, the FORCEDENTRY attack was used to infect Apple devices running iOS versions 14.4, 14.6, and 14.7.1.
It’s important to note that Apple corrected KISMET with the BlastDoor sandbox mechanism in iOS 14. The tech juggernaut released iOS 14.8 in September 2021 with a fix for FORCEDENTRY. Apple also revealed earlier this month that it is developing a new security tool dubbed Lockdown Mode to combat mercenary malware and protect high-risk customers from “highly targeted cyberattacks.”
Citizen Lab stated that at least one Pegasus customer is now operational in Thailand, although it is not immediately clear whether that customer is tied to a specific government agency. NSO has long maintained that its spyware is used by government clients to combat serious crime, but the evidence thus far has shown that the surveillance technology has frequently been abused to eavesdrop on members of civil society. The U.S. has since placed the Israeli company on a blocklist.
“The hacking points to a sophisticated understanding of non-public elements of the Thai activist community, including funding and roles of specific individuals,” said Citizen Lab researchers. “This finding is part of a broader trend seen in Thailand where the government has been engaged in increased efforts to monitor or control information since the 2014 coup.”
The findings also come as Amnesty International reaffirmed that the spying business is operating unregulated because there is no global ban on selling spyware. Amnesty International’s Etienne Maynier stated that Thailand can now be officially added to the growing list of nations where peacefully advocating for change, expressing an opinion, or debating government policies may result in intrusive surveillance that has a significant negative impact on a person’s freedom of expression, privacy, and sense of security.