# Pegasus Spyware Investigations
## Overview
Pegasus is not a single cyberattack. It is a platform, a commercial product built by the Israeli surveillance company NSO Group and licensed to government clients around the world for what NSO describes as "lawful interception" of criminal suspects and terrorists. What investigative journalism, forensic research, and legal proceedings have revealed over the past decade is something different: a tool of systematic surveillance deployed against journalists, human rights lawyers, political dissidents, opposition figures, and heads of state, in patterns that bear little resemblance to legitimate law enforcement.
The Pegasus Project, published in July 2021 through a collaboration between Forbidden Stories, Amnesty International, and a consortium of more than 80 journalists from 17 media organizations, brought the scale of the problem into public view. Forensic analysis of phones belonging to confirmed or alleged Pegasus targets, combined with a leaked list of 50,000 phone numbers allegedly selected for surveillance by NSO clients, documented abuse across multiple countries and client governments.
What makes Pegasus consequential as a security case study is not just the scale of its abuse. It is what Pegasus represents structurally: a commercial market for nation-state-grade offensive cyber capability, sold to any government that can pay, with export approval managed as a foreign policy instrument rather than as a human rights control mechanism.
## Attack Chain
### Capability overview: complete device compromise
Pegasus achieves full persistent compromise of both iOS and Android devices. Once installed, it provides the operator complete access to the device's contents and sensors: SMS and encrypted messaging applications (including Signal and WhatsApp), email, contacts, calendar, photos, browsing history, passwords stored in the device keychain, real-time location data, microphone activation (ambient audio recording), and camera activation. The target has no indication that any of this is occurring.
The technical capability is not supplemental to normal device function. It is a covert overlay on top of the entire device. From the operator's perspective, the device becomes a listening post.
### Attack vector 1: Malicious links (early Pegasus generations)
Early Pegasus deployments used spear phishing links sent by SMS or email. The target received a message containing a URL; clicking it triggered a browser-based exploit chain that installed the implant. Citizen Lab researchers first publicly documented Pegasus in 2016 after analyzing links sent to UAE human rights activist Ahmed Mansoor. The exploit chain used three chained zero-day vulnerabilities in iOS (collectively called Trident: CVE-2016-4655, CVE-2016-4656, CVE-2016-4657). Apple patched them within ten days of Citizen Lab's disclosure.
These link-based attacks required some degree of social engineering: the target had to tap the link. That friction was eventually eliminated.
### Attack vector 2: Zero-click exploits (no user interaction)
NSO Group developed or acquired zero-click exploit chains that require absolutely no action from the target. The most documented is the FORCEDENTRY exploit (CVE-2021-30860), which targeted Apple's iMessage processing pipeline. FORCEDENTRY exploited a vulnerability in the JBIG2 image compression decoder used by iOS to process image attachments. By crafting a specially constructed PDF disguised as a GIF and delivering it via iMessage, the exploit could trigger remote code execution on the device without the target ever seeing a notification, let alone tapping a link.
Citizen Lab discovered FORCEDENTRY artifacts on the phone of a Saudi activist and reported it to Apple in September 2021. Apple released an emergency patch within days. Google's Project Zero published a detailed technical analysis calling FORCEDENTRY "one of the most technically sophisticated exploits we've ever seen," noting that it used a custom virtual machine implemented in JBIG2 data streams to bootstrap the exploit chain.
Additional zero-click attack surfaces documented in connection with Pegasus include vulnerabilities in WhatsApp (CVE-2019-3568, exploited at scale in 2019), Apple Photos, and other media processing libraries. These vectors required only that the target receive a message; processing happened automatically in the background.
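A detection heuristic for the file-type masquerade described above (a PDF delivered under a GIF name), written as an added example in Python; it is not code from Citizen Lab, Apple or this page, and the sample bytes are constructed:

```python
"""Attachment type-mismatch triage (added example; not Citizen Lab's or Apple's code).

FORCEDENTRY delivered a PDF carrying a .gif filename so that the iMessage
image pipeline would parse it. When triaging attachments extracted from a
device backup, a defender can flag files whose declared extension and actual
header disagree, and note whether a PDF declares the JBIG2Decode filter.
All sample bytes below are constructed; none is exploit content.
"""
import os

# Leading bytes that identify common attachment formats.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

def sniff(data: bytes) -> str:
    """Return the format implied by the file header, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def triage_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed type."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = {"jpg": "jpeg"}.get(ext, ext)
    actual = sniff(data)
    return {
        "name": filename,
        "declared": ext,
        "actual": actual,
        "mismatch": actual != "unknown" and ext != actual,
        # Only meaningful for PDFs: does the file use the JBIG2 filter?
        "jbig2": actual == "pdf" and b"/JBIG2Decode" in data,
    }

# Constructed samples: a genuine GIF header and a PDF stub named as a GIF.
SAMPLES = {
    "photo.gif": b"GIF89a" + b"\x00" * 16,
    "photo2.gif": b"%PDF-1.4\n1 0 obj << /Filter /JBIG2Decode >> stream\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage_attachment(name, blob))
```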
### Persistence and anti-forensics
Pegasus was designed to survive device reboots on older iOS versions and to operate stealthily. On more recent iOS versions, persistence requires reinfection after reboot, which NSO has addressed through network injection techniques in some deployment scenarios. The malware communicates with command-and-control infrastructure through encrypted channels designed to blend with normal traffic patterns. Older versions of Pegasus left forensic artifacts; versions deployed post-2019 became significantly harder to detect, leading Amnesty International's Security Lab to develop the Mobile Verification Toolkit (MVT) specifically to aid forensic detection of Pegasus infection indicators.
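The indicator-matching step at the core of MVT, as an added example in Python (not MVT's own code): the STIX2 bundle shape is the one MVT consumes, while every indicator value and record below is a constructed placeholder rather than a real Pegasus indicator.

```python
"""MVT-style indicator matching (added example; not MVT's own code).

Amnesty's MVT compares artifacts from an iOS backup or sysdiagnose against
STIX2 indicator bundles. This reproduces that core step with constructed
placeholder indicators and records; no real Pegasus indicator appears here.
"""
import json
import re
from urllib.parse import urlparse

# Constructed bundle in the STIX2 shape MVT consumes (placeholder values).
SAMPLE_STIX = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'c2.placeholder.invalid']"},
        {"type": "indicator", "pattern": "[process:name = 'placeholderd']"},
    ],
})

# Constructed records shaped like MVT module output (browser history, data usage).
SAMPLE_RECORDS = [
    {"module": "safari_history", "url": "https://www.example.org/news"},
    {"module": "safari_history", "url": "http://cdn.c2.placeholder.invalid/p?x=1"},
    {"module": "datausage", "proc_name": "placeholderd"},
]

PATTERN_RE = re.compile(r"\[([\w-]+):(\w+) = '([^']+)'\]")

def load_indicators(stix_json: str) -> dict:
    """Map STIX object type (e.g. 'domain-name') to its indicator values."""
    iocs = {}
    for obj in json.loads(stix_json)["objects"]:
        m = obj.get("type") == "indicator" and PATTERN_RE.fullmatch(obj["pattern"])
        if m:
            iocs.setdefault(m.group(1), set()).add(m.group(3).lower())
    return iocs

def scan_records(records, iocs) -> list:
    """Return (module, matched value) for records that hit an indicator."""
    domains, procs = iocs.get("domain-name", ()), iocs.get("process", ())
    hits = []
    for rec in records:
        host = (urlparse(rec.get("url", "")).hostname or "").lower()
        # Match the indicator domain itself or any of its subdomains.
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((rec["module"], host))
        if rec.get("proc_name", "").lower() in procs:
            hits.append((rec["module"], rec["proc_name"]))
    return hits
```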
## Why It Happened: Root Causes
### Root cause 1: A commercial market for nation-state-grade offensive capability with inadequate oversight
NSO Group operates legally, in the sense that it is a licensed Israeli defense exporter and its sales require approval from Israel's Ministry of Defense. But the oversight mechanism was not designed to prevent the kind of abuse that the Pegasus Project documented. Export licensing evaluated whether a sale was permissible under Israeli law and policy; it did not include audit mechanisms to verify how the tool was actually used after delivery.
The result was a market where governments with poor human rights records, including Saudi Arabia, the UAE, Azerbaijan, Rwanda, India, and others, could acquire a tool capable of comprehensive surveillance of any individual with a smartphone, use it against journalists and dissidents rather than criminals, and face essentially no accountability unless external investigative journalism revealed the abuse.
### Root cause 2: Mobile device trust models were not built for this threat
Apple's iOS security model is premised on a tiered trust architecture: applications must be signed, run in sandboxes, and cannot access system resources outside their entitlements without explicit permission. This model defends effectively against the vast majority of malicious software. Pegasus bypassed it entirely through zero-day exploit chains targeting the operating system's own media processing libraries, before any application-level security control could apply.
The attack surface for zero-click exploits is unavoidable: a smartphone must process incoming messages to function. The parsing of external data (images, video, audio, documents) is a necessary feature, and every parser is a potential exploit surface. NSO's technical capability to find and exploit vulnerabilities in those parsers faster than Apple and Google could patch them represented a structural advantage that no ordinary security hygiene could address.
### Root cause 3: Surveillance target profiles did not fit stated justification
NSO Group consistently maintains that Pegasus is sold exclusively for lawful interception of serious criminals and terrorists, and that it includes contractual prohibitions on targeting civil society, journalists, and political figures. The Pegasus Project findings directly contradict this. Forensic confirmation of Pegasus infections on phones belonging to journalists, lawyers, and activists, combined with the pattern of phone numbers on the leaked targeting list, indicated that multiple NSO clients systematically used the tool outside its stated purpose. NSO's contractual and technical controls were insufficient to prevent this use.
### Root cause 4: Geopolitical instrumentalization of export approvals
Israel's approval of Pegasus sales has functioned as a foreign policy tool, extending relationships with governments in the Gulf, South and Southeast Asia, and Eastern Europe. When NSO's relationship with Saudi Arabia became untenable following the murder of journalist Jamal Khashoggi and subsequent forensic evidence linking Pegasus to Khashoggi's associates, Israel revoked Saudi Arabia's access. The regulatory mechanism that ultimately constrained abuse was diplomatic calculation, not human rights compliance.
## Impact and Consequences
The most consequential individual case connected to Pegasus is the murder of journalist Jamal Khashoggi in October 2018. Khashoggi, a Washington Post columnist and critic of Saudi Crown Prince Mohammed bin Salman, was killed inside the Saudi consulate in Istanbul. Forensic analysis by Citizen Lab found that the phones of at least five individuals in Khashoggi's circle had been compromised with Pegasus in the months before and after his death, including the phone of his close friend and fellow dissident Omar Abdulaziz. The surveillance of Khashoggi's network provided the Saudi government with visibility into his activities, communications, and relationships.
French President Emmanuel Macron was listed among the 50,000 phone numbers in the leaked Pegasus Project data, reportedly targeted by Morocco. Heads of state from Pakistan, South Africa, and other countries appeared on the same list. The targeting of sitting heads of state represented a significant escalation in the documented scope of Pegasus deployment.
Approximately 1,000 journalists and 600 politicians and government officials were identified on the leaked list. Forensic confirmation of actual infection was possible for a subset of these, but the pattern across the full list was consistent with systematic targeting of civil society.
The U.S. Commerce Department placed NSO Group on the Entity List in November 2021, prohibiting American companies from selling technology to NSO without a license. This effectively cut NSO off from many technology vendors and raised the cost of maintaining its product. Apple filed a lawsuit against NSO Group in the same month, seeking an injunction to prevent further exploitation of Apple devices.
Apple introduced Lockdown Mode in iOS 16 (2022), an extreme hardening setting that disables many iOS features (including most iMessage attachment processing, complex web browsing features, and wired device connections) specifically to reduce the attack surface available to state-sponsored spyware. Apple described it as a tool for "the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats." Lockdown Mode exists because Pegasus demonstrated the inadequacy of standard iOS security for high-risk targets.
## CDA Perspective
TID (Threat Intelligence and Defense): Pegasus represents the highest tier of the threat intelligence challenge: commercial, nation-state-grade, zero-click mobile exploitation deployed against specific individuals. Predictive Defense Intelligence for high-risk targets (journalists, activists, executives, government officials) must include mobile threat intelligence as a first-class discipline. This means active monitoring for indicators of compromise through tools like MVT, awareness of active zero-day campaigns from organizations like Citizen Lab, and recognition that standard endpoint security tools do not detect Pegasus infections on mobile devices. The threat is not theoretical for high-value targets.
DPS (Data Protection and Sovereignty): Pegasus produces complete data exfiltration as its primary output. Every communication, every document, every location data point on a compromised device becomes sovereign data belonging to a foreign government intelligence service. Sovereign Data Protocol principles applied to high-risk individuals require a mobile security posture that goes beyond standard device management: assessing what sensitive data exists on mobile devices, minimizing sensitive data stored on endpoints under threat, using communication tools with independent authentication (not device-dependent keys), and for the highest-risk cases, operational security practices that treat mobile devices as potentially compromised.
IAT (Identity Access and Trust): Pegasus attacks the device trust model at its foundation. Zero-click exploits bypass all application-level authentication because they execute before any user-facing process runs. Zero Possession Architecture principles are directly relevant: the premise that trust cannot be granted based on device state alone becomes critical when the device itself may be hostile. For organizations protecting high-risk individuals, this means architecting communications and data access in ways that do not depend on the integrity of any single endpoint, including mobile endpoints, and applying context-aware access controls that can flag anomalous data access patterns even if the device credentials appear valid.
RGA (Risk Governance and Assurance): The Pegasus case exposes a structural gap in the governance of commercial surveillance technology. The regulatory frameworks that exist (export licensing, national security review) were not designed to enforce human rights compliance in end-use. Perpetual Compliance Assurance addresses risk governance as a continuous state rather than a periodic checkpoint. Applied to the Pegasus policy context, this means organizations and governments need audit mechanisms with actual teeth: technical reporting requirements from surveillance tool operators, independent third-party verification of end-use compliance, and real consequences for documented abuse. The current framework failed because compliance was not continuously verified against observable outcomes.
## Key Takeaways
- Commercial spyware markets create structural proliferation risk. When nation-state-grade offensive capability is sold as a commercial product, adversaries do not need to develop their own capabilities. Regulatory frameworks governing these markets have not kept pace with the technology.
- Zero-click exploits require no user error. The standard security advice to avoid suspicious links is irrelevant when the attack vector is receiving a message. High-risk individuals cannot protect themselves through behavior alone.
- Mobile devices carry complete data sovereignty exposure. A compromised smartphone provides persistent access to communications, location, credentials, and sensor data. Treating mobile endpoints as inherently untrusted for sensitive operations is the correct default posture for high-risk individuals.
- Forensic detection of sophisticated spyware requires purpose-built tools. Standard mobile security applications do not detect Pegasus. Amnesty International's MVT and similar research-grade tools, together with Citizen Lab's forensic research, represent the current state of the art for mobile forensic analysis.
- Export licensing is an insufficient regulatory mechanism for dual-use surveillance technology without end-use auditing. The gap between "licensed for sale" and "used in compliance with stated restrictions" was exploited systematically across multiple NSO clients.
- Lockdown Mode (and equivalent hardening options on other platforms) represents the practical response: reduce the attack surface available to zero-click exploits, accepting usability trade-offs in exchange for meaningful risk reduction for high-value targets.
## Related Articles
- Mobile Device Security
- Zero-Day Vulnerabilities
- Commercial Surveillance Technology
- Citizen Lab Research
- Signal and Encrypted Communications
- Threat Intelligence Platforms
## Sources
- Citizen Lab, "The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender" (August 2016)
- Citizen Lab, "FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild" (September 2021)
- Google Project Zero, "A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution" (December 2021)
- Forbidden Stories / Amnesty International, The Pegasus Project (July 2021)
- Amnesty International Security Lab, Mobile Verification Toolkit (MVT), GitHub
- U.S. Department of Commerce, Bureau of Industry and Security, Entity List Addition: NSO Group (November 2021)
- Apple Inc. v. NSO Group Technologies Ltd., filed November 2021, U.S. District Court, Northern District of California
- UN Special Rapporteurs, Joint Statement on Pegasus Spyware and Human Rights (July 2021)
- Washington Post, "Jamal Khashoggi's close friend was targeted with Pegasus spyware, new research shows" (2018)
- Haaretz, investigative reporting on NSO Group and Israeli export licensing (multiple editions, 2021-2022)
- Apple, "Lockdown Mode" documentation, iOS 16 Security Overview (2022)