More than 30 Thai activists and supporters have been hacked with NSO Group’s potent Pegasus spyware, civil society groups said late Sunday, in the first countrywide campaign brought to light because Apple warned targeted iPhone users.
It issued one of the new reports, identifying many of the hacking victims by name, including two of its own participants. Another report came from Toronto-based Citizen Lab, which analyzed digital traces left in the phones and named Pegasus as the attack program that broke into the devices in 2020 and 2021. Amnesty International used a different method to examine some of the phones and agreed with Citizen Lab’s conclusions.
Though he was not shocked that he had been hacked, iLaw representative Yingcheep Atchanont told The Washington Post: “I was surprised later when I found out that I was infected so many times during late 2020 and early 2021. That time I was just an observer of the protests; my role is just campaigning on the constitutional amendment.”
Israel-based NSO Group has been blacklisted from deals with U.S. companies after a wave of revelations that its spyware was used against peaceful dissidents and their associates around the world, including those close to slain Saudi journalist Jamal Khashoggi, as well as State Department employees.
The fresh reports show that many attacks came around the time the targets were involved in rallies against government policies. Though they do not assert that the Thai government was responsible, one or more Thai agencies would be more logical suspects than those of neighboring countries, Citizen Lab said.
The Thai government won a widely criticized election in 2019 after a coup several years earlier that clamped down on freedoms. Since then, it has arrested many protest organizers, including some named as hacking victims in the new reports.
Some have been charged under sweeping laws that make it illegal to criticize the king, who lives mainly in Germany. Others were accused of violating emergency decrees that banned some negative media reporting and large gatherings after protests drew tens of thousands.
NSO says it sells only to government agencies and gets Israel’s approval for its deals. The Thai government, which has wide latitude to spy on citizens under recent laws, previously denied hacking activists.
The company did not answer questions from The Post about its business in Thailand, instead offering a one-sentence statement: “Politically motivated organizations continue to make unverifiable claims against NSO hoping they will result in an outright ban on all cyber intelligence technologies, despite their well documented successes saving lives.”
Citizen Lab has not advocated for any such ban.
The Thai Embassy in Washington did not respond to a request for comment.
NSO has served as the latest symbol for one of the world’s more complex challenges: how to stop governments from hiring top engineering talent to take advantage of software flaws and spy on whomever they want.
Apple and Facebook parent Meta have both filed lawsuits accusing NSO of breaking U.S. laws by hacking their gear.
In a recent briefing, Apple said it has sent warnings to an undisclosed number of government hacking targets in 150 countries. It also announced that it would be releasing an optional Lockdown Mode intended to make its phones, tablets and computers safer by reducing some of the convenient features — such as receiving iMessage attachments and automatically previewing web links — that also make it possible to install spyware with alerting a user.
Prior reporting had identified Thailand as a location for surveillance operations, including Pegasus. But the new reports go further by naming victims and giving context for specific attacks.
“The infections occurred from October 2020 to November 2021, coinciding with a period of widespread pro-democracy protests, and predominantly targeted key figures in the pro-democracy movement,” wrote Citizen Lab, which is affiliated with the University of Toronto. “In numerous cases, multiple members of movements or organizations were infected.”
Pegasus is a monitoring system that can capture audio, pictures, texts, contacts, emails, and all messages on a phone, including those that are strongly encrypted. It can be installed with any working “exploit,” or attack program, that works against a particular model of Android or iPhone. The most effective exploits do not need the phone’s owner to click on anything to be installed silently. Typically, soon after Apple or another vendor detects an exploit or patches the security flaw it used, NSO and its competitors roll out another one.
The Thais hit with Pegasus include five members and associates of FreeYouth, including former Student Union of Thailand president Jutatip Sirikhan; four members of WEVO, short for We Volunteer, which protects other groups during public actions; and four members of Bangkok university-based United Front of Thammasat and Demonstration.
Human rights lawyer Arnon Nampa, who has defended activists accused of violating the law against insulting the king, was infected repeatedly, including once while he was in jail without his phone.
Also infected, according to the reports, were Thai actress Intira Charoenpura, who publicly supported the protests and called for donations, and rapper Dechathorn “Hockhacker” Bamrungmuang, who faulted the government in song. His single “My Country Has” has racked up more than 100 million views on YouTube.