Pegasus Spyware & Not-For-Profit Cyber Security - What Are The Risks?

When working with charities, in any capacity, the first priority is the beneficiaries, whether people, animals or the planet. And, for many charities and not-for-profits, where donations, often irregular, make up the vast proportion of income, it can be hard to prioritise efforts outside of helping those who need it.  

However, with NSO Group’s Pegasus software being increasingly used by bad actors, it’s incredibly important to prioritise your cyber security efforts when working in charity, especially for those involved in humanitarian efforts. 

What Is The Pegasus Spyware? 

Pegasus was developed by NSO Group with the aim of counter terrorism and crime prevention. Sold to only government law enforcement and intelligence clients, Pegasus was developed with good intentions, but has been increasingly used for opposition spying, humanitarian crackdown and on journalists investigating potentially damaging stories. 

How Does Pegasus Work? 

Pegasus works using a zero-injection process, whereby an individual does not need to do anything for the software to be added to their phone, and they may not even notice. 

Then, once added to a person’s phone, every activity a person does can be seen and monitored, from the camera and microphone to every call made. Essentially, it turns a person’s phone into a full spyware device, capable of transmitting image and voice, even if the camera hasn’t been opened. This makes it incredibly powerful in crime and terrorism prevention, but also when used in opposition spying and use on innocent citizens and government officials. 

What Are The Risks To Charities? 

Charites and not for profits, as well as those carrying out humanitarian aid, are always at risk of hacking, spyware and tracking of any sorts. Anything that puts a government or presiding body at risk, or goes against someone’s authoritarian principles, is at risk of being followed in some way. 

The cybersecurity risks to charities include: 

  • Sensitive information on whereabouts of at-risk people being obtained. As the Pegasus spyware can be used to infiltrate cameras and microphones, conversations can be overhead and information regarding the movement of high-risk people. 
  • State sponsored hacking being used on people of interest.
  • Unknowingly sharing details on confidential work.
  • Access to private information that could put the person at risk.

Why Are Charities At Particular Risk? 

As charity work is often carried out anytime, anywhere, by people of all kinds, the risk of spyware being installed and used to infiltrate potentially high-risk individuals is greater. Similarly, if a person is easily identifiable as working for a charity, especially one that carries out humanitarian aid or similar work, then the software can easily be installed and used to track information. 

This particular method of identification became known recently, when US State Department workers who linked their state.gov email address with their Apple ID, were targetted while working in Uganda, an area of high political tension currently. While NSO Group says they have prevented their intrusion method from working on US phone numbers beginning with +1, if someone is using another phone number, or has an obviously identifiable email address, then they put themselves at high risk. 

How Can Charities Protect Themselves? 

While a cyber attack cannot be prevented from being instigated, measures can be put in place to make users aware of the potential risks. 

Update to latest security patches:   When a new security patch is released, it’s important to update to the latest version as soon as possible. Security patches are different to normal updates as they fix an issue that has been identified, rather than providing new features. 

Educate staff and volunteers on spotting potential cyber security issues:   Many cybersecurity attacks can be minimised through education of staff and volunteers. Things like using a password manager, having an IT support team to contact with questions and questioning emails that seem odd, are all important parts of a prevention strategy. 

Separate work and personal devices:   Our guard often comes down when using personal devices or conducting personal matters. To prevent cyber attacks happening in homes, separate any work onto a different device, and use different computers where possible. 

Kitty Bates is a cybersecurity content expert at outsourced IT support provider ramsac.

You Might Also Read: 

Spyware - Apple Starts Legal Action Against NSO Group:

« The Top 10 Most Severe Vulnerabilities In 2021
Russia Fines Google For Illegal Content Breach »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Global Information Assurance Certification (GIAC)

Global Information Assurance Certification (GIAC)

GIAC provides certification in the knowledge and skills necessary for a practitioner in key areas of computer, information and software security.

Muninn

Muninn

At Muninn (aka Wehowsky), we specialize in mitigating potential risks within your network, providing one of the leading network detection and response (NDR) solutions on the market.

EverC

EverC

EverC (formerly EverCompliant) is a leading provider of cyber intelligence that allows acquiring banks and payment service providers (PSP) to manage cyber risk.

Kryptus

Kryptus

Kryptus provides a wide array of solutions for hardware, firmware and software ranging from semiconductors to complex digital certificate management systems.

GuardianKey

GuardianKey

GuardianKey is a solution to protect systems against authentication attacks.

North European Cybersecurity Cluster (NECC)

North European Cybersecurity Cluster (NECC)

NECC promotes information security and cybersecurity-related cooperation and collaboration in the Northern European region in order to enhance integration into the European Digital Single Market.

New Enterprise Associates (NEA)

New Enterprise Associates (NEA)

As one of the world’s largest and most active venture capital firms, NEA has developed deep domain expertise and insight into our industries of focus - technology and healthcare.

Cysiv

Cysiv

Cysiv SOC-as-a-Service combines all the elements of an advanced, proactive, threat hunting SOC, with a managed security stack for hybrid cloud, network, and endpoint security.

Nettoken

Nettoken

Nettoken is the first identity management platform designed for everyday internet users, to encourage awareness and control of our ever expanding digital footprint and personal cybersecurity.

International Cybersecurity Forum (FIC)

International Cybersecurity Forum (FIC)

The International Cybersecurity Forum (FIC) has established itself as the benchmark event in Europe in terms of digital security and trust.

Information Services Group (ISG)

Information Services Group (ISG)

As a leading global research and advisory firm, ISG partners with our clients to determine a future vision, lead rapid change and realize the value of your digital investments at scale.

GeoEdge

GeoEdge

GeoEdge is the premier provider of ad security and quality solutions for the online and mobile advertising ecosystem.

SE Ventures

SE Ventures

SE Ventures provides capital to big ideas and bold entrepreneurs who can benefit from Schneider Electric's deep domain expertise, R&D assets, and global customer base.

Sekur Private Data

Sekur Private Data

Sekur Private Data Ltd. is a Cybersecurity and Internet privacy provider of Swiss hosted solutions for secure communications and secure data management.

CBIT Digital Forensics Services (CDFS)

CBIT Digital Forensics Services (CDFS)

CDFS is Australia’s premier supplier of digital forensic tools, industry-embedded training and certification to Law Enforcement, Government, and Corporate Enterprise.

Ryan Financial Lines

Ryan Financial Lines

Ryan Financial Lines Cyber provides risk transfer solutions for complex cyber and technology exposures, globally.