Cybersecurity researchers have outlined cases where Thai activists involved in the country’s pro-democracy protests had their devices infected with spyware.
Cyber security researchers on Monday reported details of cases in which Thai activists involved in the country’s pro-democracy protests had their mobile phones or other devices infected with government-sponsored spyware.
Investigators from Internet watchdog groups Citizen Lab, Thailand’s Internet Law Reform Dialogue, or iLaw, and Digital Reach said at least 30 individuals — including activists, academics and people working with civil society groups — were targeted by an unnamed government entity or entities for surveillance with Pegasus, spyware produced by the Israeli cybersecurity company NSO Group.
Reports from the two groups named many of those targeted, confirming earlier reports of surveillance that Citizen Lab’s John Scott-Railton said showed governments were using their ability to buy technology designed to fight crime and terrorism to spy on critics and other private citizens.
“Citizen Lab believes there is a fundamental challenge for civil society,” Citizen Lab’s John Scott-Railton said in an online presentation at the Bangkok briefing.
The attacks on individuals’ devices spanned from October 2020 to November 2021, a timing “highly relevant to specific Thai political events” as they occurred during a period when pro-democracy protests erupted across the country.
But Scott-Railton said Citizen Lab, which uncovers digital espionage campaigns and insecure software, believes there is still an active Pegasus operator in Thailand.
Those whose devices were hacked were either involved in the 2020–2021 protests or were publicly critical of the Thai monarchy. Lawyers who defended the activists were also under such digital surveillance, the researchers said.
Pegasus spyware is known for its “zero-click exploit”, which means it can be remotely installed on a target’s phone without the target having to click on any links or download software.
The spyware can obtain any data on devices, including contact lists and group chats, making it highly effective against political groups and movements, Scott-Railton said.
NSO Group products, including Pegasus software, are typically licensed only to government intelligence and law enforcement agencies for the purpose of investigating terrorism and serious crime, according to the company’s website. Citizen Lab and other cybersecurity researchers tracked spyware in 45 countries.
In a separate report on Monday, human rights organization Amnesty International reiterated its call for a global moratorium on the sale of spyware.
“Illegal targeted surveillance of human rights defenders and civil society is a tool of repression. It’s time to crack down on this industry that continues to operate in the shadows,” Amnesty Tech Deputy Director Danna Ingleton said in a statement.
NSO Group has denied allegations that its spying software helped lead to the killing of Saudi journalist Jamal Khashoggi, perhaps the most high-profile case to date. It insists that its sales go through a strict ethical vetting process and that Pegasus spyware is only sold to governments for security reasons.
In November, the US government blacklisted NSO Group and Apple sued it and notified Pegasus victims. Facebook has sued NSO Group for using a somewhat similar exploit that allegedly penetrated its globally popular encrypted messaging app WhatsApp.
The Citizen Lab and iLaw reports do not blame any specific government official, but say the use of Pegasus suggests the presence of a government operator. When reports first emerged in November 2021 that dissidents were being targeted, the government denied the allegations.
Apple said it is seeking a permanent injunction barring NSO Group from using any Apple software, services or devices to “prevent further abuse and harm to its users.”
Apple’s notifications to customers about spyware infections are a key part of its defense strategy against such digital surveillance, Scott-Railton said.
“Apple did something remarkable by alerting recipients to this suspicious targeting. If you look at the infection online, it stopped after the Apple notification,” he said. “It was a very consistent thing.”
Cyber security experts said that turning off and restarting the device can break the spyware’s digital connection. Security updates have also helped close loopholes exploited by attackers.
“Laying defenses on devices is very important,” Scott-Railton said. “Anything is better than nothing.”
However, spyware is constantly updated and designed to be difficult to detect, which makes surveillance easier for governments that have found it a useful tool to suppress dissent.
Thailand’s student pro-democracy movement intensified its activities in 2020, largely in response to the continued influence of the military in government and hyper-royalist sentiment.
The movement was able to attract crowds of up to 20,000–30,000 people in Bangkok in 2020 and had a following in major cities and universities.
“There is long-term evidence of the presence of Pegasus in Thailand, suggesting that the government likely had access to Pegasus during the period in question,” the researchers said in the report. The more than 30 people it targeted were also “of great interest to the Thai government”.
The military overthrew an elected government in 2014, and coup leader Prayuth Chan-ocha was appointed prime minister after a 2019 general election brought a military-backed political party to power. Protesters campaigned for Prayuth and his government to step down, demanding reforms to make the monarchy more accountable and to change the constitution to make it more democratic.