FNA Group

Press Freedom

Journalism, publicity and mobile security.

Reporters carry source identities, draft investigations and off-the-record communications in their pockets. Here is what serious mobile security looks like for the press.

May 2026


Journalists are prime targets for cyberattacks due to the sensitive nature of their work. While every organisation or individual that uses digital technologies is at risk of a cyberattack, malign actors and repressive governments target journalists more often. The mobile devices — laptops and smartphones — that journalists use in their line of work often contain sensitive data and communications of particular interest to large and small businesses, law enforcement, government agencies, and numerous other organisations.

Journalists must therefore treat cybersecurity as an essential component of reporting that is both factual and safe. Reporters working on exposés or investigative stories are at elevated risk of being targeted, since the data on their mobile devices can be a matter of life and death. The Pegasus scandals involving various governments worldwide demonstrated why secure communications are crucial to the safety of journalists.

The Pegasus scandal

For the better part of July 2021, international media outlets aired story after story about spyware known as Pegasus and the Israeli organisation behind it, NSO Group. According to The Washington Post, Pegasus can hack a fully updated phone with a single text message. A consortium of media outlets — including The Guardian, Le Monde, and The Washington Post — conducted investigations into what has been dubbed the Pegasus Project. A forensic investigation by Amnesty International found that the Pegasus spyware had infected 37 out of 67 smartphones it examined.

What is Pegasus

Pegasus is a spyware tool created to enable government agencies to perform clandestine operations. According to NSO, Pegasus cannot be traced back to the agency using it. NSO creates products for law enforcement and government intelligence agencies to counter encryption challenges in fighting terrorism.

NSO has indicated to the Washington Post that it develops products for governments only and would cut ties if there was evidence of misuse. Still, write-ups by Forbidden Stories of NSO's controversies spanning several years have inspired lawsuits from activists and journalists alike, arguing that governments have used Pegasus inappropriately.

On hacking journalists

An investigation involving 17 media groups revealed that various actors had attempted to hack 37 smartphones belonging to journalists and human rights activists. According to the investigations, Amnesty International identified the smartphones from a list of leaked mobile numbers. The numbers were investigated for possible surveillance by governments that use the NSO spyware.

According to a report by The Guardian, operators can use the Pegasus software to extract data from a mobile phone — including photos, text messages, and call logs — or activate a device's microphone to secretly listen in on conversations. The list of journalists targeted using Pegasus dates back to 2016 and includes reporters from international media organisations: the Associated Press, CNN, Bloomberg News, Al Jazeera, the Financial Times, the New York Times, the Wall Street Journal, Le Monde, Voice of America, and the Washington Post.

NSO has denied the claims, calling the report "full of wrong assumptions and uncorroborated theories". However, Pegasus has been mentioned in other spying allegations. Research by Citizen Lab between July and August 2020 found that Pegasus had been used to hack at least 36 smartphones of Al Jazeera journalists, with the operators reportedly working for various governments within the Middle East.

Journalists, activists and forensic investigators are in the same boat

While the total number of individuals spied on using Pegasus is still unclear, the Pegasus Project centred around a list of 50,000 phone numbers. After analysis, the Project linked more than 1,000 numbers to their owners and found a significant number of individuals who should not be under government surveillance — including hundreds of government officials, a king, ten prime ministers, three presidents, 85 human rights activists, and more than 189 journalists.

Forensic specialists also require secure communication channels. They are responsible for gathering evidence from a crime scene, and criminal parties may attempt to hack them to find out whether evidence exists and whether they are at risk of being caught. Activists, journalists and forensic examiners therefore need to be extra cautious about mobile security.

Protect against social engineering baits

Pegasus attack reports show that human rights activists received WhatsApp and SMS bait messages urging them to click malicious links. Clicking the links downloads spyware that exploits vulnerabilities in operating systems and browsers. Victims are more likely to click since the messages may claim to be from established institutions like news agencies and embassies.

  • Avoid the impulse to click links if a message has a sense of urgency.
  • If you trust the site, type its address manually instead of clicking, so that you reach the correct URL and not a malicious one.
  • Save frequented websites in a bookmark folder and access them via bookmarks.
  • Use link expanders to expand shortened URLs so you can scrutinise the link before clicking.

Protect against network injection attacks

Pegasus also infected multiple devices through man-in-the-middle attacks, in which unencrypted network traffic such as HTTP requests is intercepted and redirected to malicious payloads. Such attacks normally rely on victims connecting to rogue access points, but they also worked on devices using mobile data only, especially in countries where governments control telecommunication services.

  • Visit only websites that use HTTPS.
  • Use VPN services to protect network traffic from interception and malicious injections.
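
The link checks from the two lists above (scrutinise a link before tapping it, prefer your own bookmarks, accept HTTPS only) can be expressed as code. This is an added example, not part of the original article; the shortener list, the bookmark set and the sample links are constructed assumptions, and the function inspects the URL text only, without fetching anything.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not from the article).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
BOOKMARKS = {"www.theguardian.com", "www.amnesty.org"}  # sites you saved yourself


def scrutinise(url: str) -> list[str]:
    """Return reasons to distrust a link from an SMS or WhatsApp message.

    Works on the URL text only; nothing is fetched. An empty list means no
    red flag was found, not that the link is safe.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")        # plain HTTP can be altered in transit
    if not host:
        return flags + ["no-host"]
    if parts.username is not None:
        flags.append("userinfo")         # real host is whatever follows the '@'
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal")       # raw address instead of a site name
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        flags.append("idn-lookalike-risk")  # non-Latin letters can mimic a name
    if host in SHORTENERS:
        flags.append("shortened")        # expand it first, then re-check the result
    if host not in BOOKMARKS:
        for good in sorted(BOOKMARKS):
            core = good.removeprefix("www.")
            # Bookmarked name embedded in a host that is not that site or a subdomain.
            if core in host and host != core and not host.endswith("." + core):
                flags.append("imitates:" + good)
    return flags


if __name__ == "__main__":
    for sample in (                      # constructed sample links
        "https://www.theguardian.com/world",
        "http://www.amnesty.org/latest",
        "https://bit.ly/constructed",
        "https://amnesty.org.account-verify.example/login",
        "https://www.theguardian.com@203.0.113.7/update",
    ):
        print(sample, "->", scrutinise(sample) or "no red flags")
```

A link that comes back flagged as shortened should be expanded and the expanded URL passed through the same checks before it is opened.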

Protect against zero-click exploits

According to the forensic report by Amnesty International, Pegasus infected some devices through zero-click exploits, which require no action from the victim: a hacker exploits a vulnerable application or operating system before the user can install the patches released to mitigate the vulnerability. Some Pegasus infections occurred through zero-click attacks on iMessage and Apple Music.

  • Update all installed applications promptly.
  • Reduce the number of applications installed on a device to minimise the number of apps that may contain vulnerabilities.
  • Audit installed apps frequently to determine those that are rarely used and uninstall them.
