Pegasus Spyware & Not-For-Profit Cyber Security - What Are The Risks?

Uploaded on 2022-01-05 in TECHNOLOGY--Resilience, TECHNOLOGY--Hackers, FREE TO VIEW

When working with charities, in any capacity, the first priority is the beneficiaries, whether people, animals or the planet. And, for many charities and not-for-profits, where donations, often irregular, make up the vast proportion of income, it can be hard to prioritise efforts outside of helping those who need it.  

However, with NSO Group’s Pegasus software being increasingly used by bad actors, it’s incredibly important to prioritise your cyber security efforts when working in charity, especially for those involved in humanitarian efforts. 

What Is The Pegasus Spyware? 

Pegasus was developed by NSO Group with the aim of counter terrorism and crime prevention. Sold to only government law enforcement and intelligence clients, Pegasus was developed with good intentions, but has been increasingly used for opposition spying, humanitarian crackdown and on journalists investigating potentially damaging stories. 

How Does Pegasus Work? 

Pegasus works using a zero-injection process, whereby an individual does not need to do anything for the software to be added to their phone, and they may not even notice. 

Then, once added to a person’s phone, every activity a person does can be seen and monitored, from the camera and microphone to every call made. Essentially, it turns a person’s phone into a full spyware device, capable of transmitting image and voice, even if the camera hasn’t been opened. This makes it incredibly powerful in crime and terrorism prevention, but also when used in opposition spying and use on innocent citizens and government officials. 

What Are The Risks To Charities? 

Charites and not for profits, as well as those carrying out humanitarian aid, are always at risk of hacking, spyware and tracking of any sorts. Anything that puts a government or presiding body at risk, or goes against someone’s authoritarian principles, is at risk of being followed in some way. 

The cybersecurity risks to charities include: 

  • Sensitive information on whereabouts of at-risk people being obtained. As the Pegasus spyware can be used to infiltrate cameras and microphones, conversations can be overhead and information regarding the movement of high-risk people. 
  • State sponsored hacking being used on people of interest.
  • Unknowingly sharing details on confidential work.
  • Access to private information that could put the person at risk.

Why Are Charities At Particular Risk? 

As charity work is often carried out anytime, anywhere, by people of all kinds, the risk of spyware being installed and used to infiltrate potentially high-risk individuals is greater. Similarly, if a person is easily identifiable as working for a charity, especially one that carries out humanitarian aid or similar work, then the software can easily be installed and used to track information. 

This particular method of identification became known recently, when US State Department workers who linked their state.gov email address with their Apple ID, were targetted while working in Uganda, an area of high political tension currently. While NSO Group says they have prevented their intrusion method from working on US phone numbers beginning with +1, if someone is using another phone number, or has an obviously identifiable email address, then they put themselves at high risk. 

How Can Charities Protect Themselves? 

While a cyber attack cannot be prevented from being instigated, measures can be put in place to make users aware of the potential risks. 

Update to latest security patches:   When a new security patch is released, it’s important to update to the latest version as soon as possible. Security patches are different to normal updates as they fix an issue that has been identified, rather than providing new features. 

Educate staff and volunteers on spotting potential cyber security issues:   Many cybersecurity attacks can be minimised through education of staff and volunteers. Things like using a password manager, having an IT support team to contact with questions and questioning emails that seem odd, are all important parts of a prevention strategy. 

Separate work and personal devices:   Our guard often comes down when using personal devices or conducting personal matters. To prevent cyber attacks happening in homes, separate any work onto a different device, and use different computers where possible. 

Kitty Bates is a cybersecurity content expert at outsourced IT support provider ramsac.

You Might Also Read: 

Spyware - Apple Starts Legal Action Against NSO Group:

« The Top 10 Most Severe Vulnerabilities In 2021
Russia Fines Google For Illegal Content Breach »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cleo

Cleo

Cleo is a leader in secure information integration, enabling both ease and excellence in business data movement and orchestration.

Fortify Experts

Fortify Experts

Fortify Experts is a search and recruitment firm specializing in Cyber Security.

Cyber Base

Cyber Base

Cyber Base is an Information Technology company based in Uganda providing software and hardware solutions to clients.

ECOMPLY

ECOMPLY

ECOMPLY is an all-in-one GDPR Compliance Solution. Efficient data protection management system for businesses and DPOsomply.

NetSecurity

NetSecurity

NetSecurity is a Brazilian company specializing in Information Security. We provide Managed Security Services (MSS), network security solutions and other specialist services.

eResilience

eResilience

eResilience is a division of Referentia Systems, a pioneer in an ultra-secure information safeguarding technique known as “Enclaving”, in which data can be segmented and protected within a network.

PeckShield

PeckShield

PeckShield is a blockchain security company which aims to elevate the security, privacy, and usability of entire blockchain ecosystem by offering top-notch, industry-leading services and products.

Cloudsine

Cloudsine

Cloudsine (formerly Banff Cyber Technologies) is a cloud technology company specializing in cloud adoption, security and innovation.

Bleam Cyber Security

Bleam Cyber Security

Bleam is a leading provider of Managed Cyber Security Services and Information Security consulting. We deliver enterprise class security services to UK SME’s to stop data breaches.

KirkpatrickPrice

KirkpatrickPrice

KirkpatrickPrice is dedicated to providing you with innovative security guidance and efficient audit services.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Vaultinum

Vaultinum

Vaultinum are a trusted independent third party specialized in the protection and audit of digital assets.

PDQ

PDQ

PDQ helps IT professionals to manage and organize hardware, software, and configuration data for Windows- and Apple-based devices.

DATS Project

DATS Project

DATS Project enables the utilization of high computing power across a number of cybersecurity services, all on a pay-as-you-go basis, eliminating the need for upfront investment costs.

DataGuard

DataGuard

DataGuard is a security and compliance software company trusted by organisations across the globe.

Blue Mantis

Blue Mantis

Blue Mantis is a security-first, IT solutions and services provider with a 30+ year history of successfully helping clients achieve business modernization.