11 July 2024

A joint report, by the Thai NGO Internet Law Reform Dialogue (iLaw), Digital Reach and The Citizen Labclaims that the use of the invasive Israeli Pegasus spyware on the devices of prominent individuals leading Thailand’s mass pro-democracy protests, calling for major reform, as well as academics and human rights defenders, who have publicly criticised the Thai government, spanned 2020 and 2021.

According to iLaw, these anti-government elements, including human rights activists, opposition politicians and academics, claimed last November that they had received Apple emails warning them that they may have been the subjects of state-sponsored attacks, which were eventually found to be Pegasus hackings. About 30 anti-Thai government activists were allegedly targeted, among them being Anon Nampa, Panusaya Sithijirawattanakul and Jatupat Boonpattararaksa.

Amnesty International has called for the Thai government to investigate the use of the spyware, saying in a statement issued today (Monday) that the “Thai authorities must launch an independent, prompt, thorough and effective investigation into the use of Pegasus spyware and take necessary measures to foster a safe environment for civic engagement.”

“Such measures must include the amendments to legislation enabling state surveillance, including the Computer Crimes Act, the Cybersecurity Act and the National Intelligence Act,in line with international human rights law, as well as the implementation of safeguards to protect the right to privacy and freedom of expression, association and peaceful assembly,” it added.

Pegasus is hacking software, or spyware, developed, marketed and licensed to governments around the world by an Israeli company, the NSO Group. It has the ability to infect billions of phones running either the iOS or Android operating systems.

Pegasus infections can be achieved through “zero click” attacks, which do not require any interaction from the phone’s owner or user in order to succeed. In 2019, WhatsApp revealed that NSO’s software had been used to send malware to more than 1,400 phones, by exploiting a zero-click vulnerability. Simply by placing a WhatsApp call to a target device, malicious Pegasus code can be installed on the phone, even if the target never answered the call.

Once installed on a phone, Pegasus can harvest more or less any information or extract any file, SMS messages, address books, call histories, calendars, emails and internet browsing histories.

“It is worth remembering that this is only what has been found so far and the scale of surveillance attempts could be wider and more damaging,” said Etienne Maynier, Technologist at Amnesty International.