Digital security experts and civil rights advocates say recent revelations that at least 30 academics, advocates and pro-democracy activists in Thailand were targeted with sophisticated spyware may be just the “tip of the iceberg” and that their search for more targets will go on.
A pair of reports released this week in Bangkok by Canada’s Citizen Lab and two local rights groups — the Internet Law Reform Dialogue, or iLaw, and DigitalReach — said the team confirmed that 30 Thai activists and academics had their Apple iPhones hacked between 2020 and 2021 with the Pegasus advanced software program.
It is not clear who is behind the attacks.
The Pegasus program, developed and licensed by Israel’s NSO Group, can take complete and covert control of a mobile phone, gaining access to all of its information and communications. What sets Pegasus apart from most other spyware is a so-called “zero click” feature, the ability to infect a phone without having to trick the user into taking any action.
The hacks first came to light last year, when Apple began notifying iPhone owners that their devices had been compromised. Yingcheep Atchanont, iLaw’s program manager, told VOA the joint research team inspected some 200 iPhones and found Pegasus on 10 whose owners had either not received or not seen Apple’s alerts. Twenty other iPhone owners had seen the alerts and had the infections confirmed by the research team.
Five of the 30 have chosen to remain anonymous. The 25 named targets have all, to some degree, criticized the administration of Prime Minister Prayut Chan-ocha. The former army general toppled the country’s elected government in 2014, and five years later won a controversial election tilted heavily in his favor. Some of the hacking targets are among the most prominent leaders of a protest movement demanding Prayut’s resignation or reform of the country’s powerful monarchy and, taken together, face dozens of criminal charges.
A few are liberal academics, such as Prajak Kongkirati, a political science scholar at Thailand’s Thammasat University, who first dismissed Apple’s alert as spam, not expecting to be the target of any spying.
‘It rarely stops here’
“It’s very scary,” Prajak said after learning of the sweeping access Pegasus grants the spyware operator to the target’s professional and personal life.
“It’s like the 1984 novel,” he added, citing author George Orwell’s vision, from just after World War II, of a dystopian future surveillance state. “But this is in real life, it’s really happening.”
The research team says it could not yet confirm who launched the attacks, but Citizen Lab said at least one of the Pegasus operators behind them was in Thailand as of Monday. The NSO Group has previously stated it sells only to government bodies. Yingcheep, whose own phone was hacked by the program 10 times, said the Thai government would have the most to gain from the attacks.
Citizen Lab’s John Scott-Railton said the team was continuing to search for more targets, and for who exactly was targeting them.
“We’re still investigating all aspects of this case,” he told VOA, adding that hackers may be using other types of spyware besides Pegasus to target Thai activists and advocates as well.
“When you find evidence of this kind of targeting, it rarely stops here,” he said. “For me this is often a tip of the iceberg problem.”
“So far we have only some names in our heads that we think they should be checked, but I know there are more people who can be targets,” said Yingcheep. “We believe that if the government possesses this weapon, the victims will be much more.”
“I believe that there are likely to be more cases,” agreed DigitalReach founder Sutawan Chanprasert.
The team said Apple’s latest operating system appears to have closed the digital back door Pegasus was exploiting. But another potential pool of targets might be found among the many people using phones running Google’s Android system. Sutawan said the team still lacks the tools to check Android phones for Pegasus but is in the early stages of developing them.
“Android is still a mystery, actually, so we still have no clue regarding ... whether Android has patched this kind of vulnerability in their system,” she said. “It’s still a black hole.”
‘I want them to [be held] responsible’
When reports of the Pegasus hacks first surfaced last year, the Thai government denied any involvement. Deputy Prime Minister Prawit Wongsuwan said the reported attacks were under investigation.
A government spokesman did not reply to VOA’s request for comment following the latest revelations. On Tuesday, though, the national police told local media they had “never used any spyware to violate anyone’s rights.”
The same day, Digital Economy and Society Minister Chaiwut Thanakamanusorn told the National Assembly, Thailand’s parliament, he was aware of some “very limited” use of spyware by other government agencies, citing anti-narcotics operations as an example but giving no details.
The Israeli Embassy in Thailand and the NSO Group did not reply to VOA’s requests for comment, either. The NSO Group says on its website that its customers are contract-bound to limit the use of its products to serious crimes such as terrorism and “to ensure that the products will not be used to violate human rights.”
Scott-Railton, of Citizen Lab, says there’s very little people can do to stave off zero-click spyware like Pegasus.
In general, though, he advised keeping phones up to date with the latest operating software and using two-factor authentication for any online accounts, preferably with an authentication application rather than text messaging, which governments can intercept. He also urged Gmail users who believe they may be at high risk of cyber-snooping to sign up for Google’s Advanced Protection Program, which makes their accounts harder to hack by disabling some features.
Yingcheep and Sutawan also suggested using encrypted messaging applications with timed message-deleting options and keeping phones out of audio and visual range during sensitive face-to-face conversations.
Activists are taking note.
Panusaya “Rung” Sithijirawattanakul, one of the most prominent figures of Thailand’s pro-democracy movement, said Apple’s hacking alert arrived while she was in prison awaiting trial on multiple charges of defaming the monarchy, each with the potential to have her jailed for up to 15 years. She found out from her sister after walking out of prison on bail in December.
She says she changed all her passwords, makes sure to keep her phone’s software up to date, and leaves the phone behind for “important conversations.” Everyone else in her circle of activists is now doing the same, she added, though they know nothing is guaranteed to keep their phones or computers completely safe.
“I hope that we can find out eventually who did this,” Panusaya said. “I want them to [be held] responsible.”