Spyware was used on journalists; it is a reminder for newsrooms to step up their cybersecurity training.
Not even rigorous security measures could protect Hungarian investigative journalists from getting hacked by Pegasus, a cutting-edge spyware product made by the Israeli company NSO Group, writes the Organized Crime and Corruption Reporting Project (OCCRP).
András Szabó and Szabolcs Panyi both work for the Hungarian investigative news outlet Direkt36 and were among the many journalists whose phones were hacked.
Szabó recounted his thoughts about the first time he heard he was hacked. He couldn’t believe how such a thing could happen to him.
He and his colleagues were always cautious while uncovering corruption cases by the Orbán government in Hungary. They used Signal for communications, two-factor authenticated email and social accounts. They attended cybersecurity workshops, had secure passwords…
But it wasn’t enough.
[Note: Spyware is a type of malicious software (malware) that aims to gather information about a person or organization and send it to another entity in a way that harms the user. Pegasus-powered attackers were able to take complete control of a device, including accessing encrypted messaging apps like WhatsApp and Signal, and turning on the microphone and camera. NSO Group claims their customers are always governments, never private individuals or companies. With Pegasus NSO is able to target specific phone numbers and infect the associated devices with Pegasus code.]
The journalism network effect
The Pegasus Project was formed as a collaborative investigation under the coordination of the journalism nonprofit Forbidden Stories and human rights group Amnesty International, OCCRP and 16 media partners around the world including The Guardian in the U.K, Le Monde in France or Süddeutsche Zeitung in Germany.
One of the OCCRP editors on the project, Pavla Holcová, the founder and director of the Czech Centre for Investigative Journalism, said in a recent interview the spyware was not used only by corrupt and troubled regimes across the world but their misuse of the tool proposed to be used against terrorists shows how troublesome is the whole situation.
The investigation is still ongoing and we will likely get more stories out of the leak in the coming future.
At this point I would like to point out that this kind of investigation would be almost impossible a few decades ago. Sure, the key tool enabling most of the cooperation is the internet. Although the networks of journalism outlets across the globe are the real deal.
Forbidden Stories was founded just four years ago in Paris with the mission to continue and publish the work of other journalists facing threats, prison, or murder. Since then it has earned wide recognition for their work and won several journalism prizes.
The Amnesty International Security Lab launched only in 2019. It is located in Berlin where the cybersecurity researchers were able to find traces of Pegasus and confirm the attacks.
OCCRP was also founded less than two decades ago in 2006. It is a consortium of investigative centers, media and journalists operating in Eastern Europe, the Caucasus, Central Asia and Central America. Since its creation it has become a well known and respected organisation as it chooses carefully with whom it works.
Five years ago the Panama Papers investigation was published spearheaded by the International Consortium of Investigative Journalists and co-published by more than 100 media partners around the globe. Another great example of a massive worldwide cooperation of journalists.
ICIJ wrote earlier this year that half a decade later, the Panama Papers’ revelations about how the offshore financial system enables greed and treachery continue to roil political and economic systems worldwide. ICIJ launched in 1997 by the Center for Public Integrity and was spun off into a fully independent organization in early 2017.
Another example is the Global Investigative Journalism Network (GIJN) that was formed in 2003 and became a nonprofit corporation in 2014. Apart from producing stories, GIJN conducts trainings and provides resources to journalists.
Fortunately, nowadays there are these and more networks (I know I did not include a few notable ones like The Center for Investigative Reporting) journalists can turn to in case they get their hands on materials that need a wider team to investigate.
The security of newsrooms
Another important reminder that the NSO Pegasus hack surfaced was the vulnerability of digital communication and security measures taken by journalists.
As I mentioned earlier, the two Hungarian journalists and I believe also the other investigative reporters targeted were using advanced security measures, had their phones updated with the latest OS updates and despite all that had their data accessed by the attackers.
Many cybersecurity experts that have been featured in reports of the spyware hack in the media the past few days said that at one point such attack is almost impossible to resist.
You are dealing with nation state security measures and perhaps the most advanced cybersecurity software. It was nice to hear EU officials condemn such attacks but it would be much better to act and come up with legal protections against journalists in such cases.
On the other hand it is also a reminder for newsrooms to step up their cybersecurity training (if they have any, if not I recommend contacting one of the above-mentioned networks and ask for help).
This piece was originally published in The Fix and is re-published with permission. The Fix is a solutions-oriented publication focusing on the European media scene. Subscribe to its weekly newsletter here.