Pegasus Spyware & Not-For-Profit Cyber Security - What Are The Risks?

Uploaded on 2022-01-05 in TECHNOLOGY--Resilience, TECHNOLOGY--Hackers, FREE TO VIEW

When working with charities, in any capacity, the first priority is the beneficiaries, whether people, animals or the planet. And, for many charities and not-for-profits, where donations, often irregular, make up the vast proportion of income, it can be hard to prioritise efforts outside of helping those who need it.  

However, with NSO Group’s Pegasus software being increasingly used by bad actors, it’s incredibly important to prioritise your cyber security efforts when working in charity, especially for those involved in humanitarian efforts. 

What Is The Pegasus Spyware? 

Pegasus was developed by NSO Group with the aim of counter terrorism and crime prevention. Sold to only government law enforcement and intelligence clients, Pegasus was developed with good intentions, but has been increasingly used for opposition spying, humanitarian crackdown and on journalists investigating potentially damaging stories. 

How Does Pegasus Work? 

Pegasus works using a zero-injection process, whereby an individual does not need to do anything for the software to be added to their phone, and they may not even notice. 

Then, once added to a person’s phone, every activity a person does can be seen and monitored, from the camera and microphone to every call made. Essentially, it turns a person’s phone into a full spyware device, capable of transmitting image and voice, even if the camera hasn’t been opened. This makes it incredibly powerful in crime and terrorism prevention, but also when used in opposition spying and use on innocent citizens and government officials. 

What Are The Risks To Charities? 

Charites and not for profits, as well as those carrying out humanitarian aid, are always at risk of hacking, spyware and tracking of any sorts. Anything that puts a government or presiding body at risk, or goes against someone’s authoritarian principles, is at risk of being followed in some way. 

The cybersecurity risks to charities include: 

  • Sensitive information on whereabouts of at-risk people being obtained. As the Pegasus spyware can be used to infiltrate cameras and microphones, conversations can be overhead and information regarding the movement of high-risk people. 
  • State sponsored hacking being used on people of interest.
  • Unknowingly sharing details on confidential work.
  • Access to private information that could put the person at risk.

Why Are Charities At Particular Risk? 

As charity work is often carried out anytime, anywhere, by people of all kinds, the risk of spyware being installed and used to infiltrate potentially high-risk individuals is greater. Similarly, if a person is easily identifiable as working for a charity, especially one that carries out humanitarian aid or similar work, then the software can easily be installed and used to track information. 

This particular method of identification became known recently, when US State Department workers who linked their state.gov email address with their Apple ID, were targetted while working in Uganda, an area of high political tension currently. While NSO Group says they have prevented their intrusion method from working on US phone numbers beginning with +1, if someone is using another phone number, or has an obviously identifiable email address, then they put themselves at high risk. 

How Can Charities Protect Themselves? 

While a cyber attack cannot be prevented from being instigated, measures can be put in place to make users aware of the potential risks. 

Update to latest security patches:   When a new security patch is released, it’s important to update to the latest version as soon as possible. Security patches are different to normal updates as they fix an issue that has been identified, rather than providing new features. 

Educate staff and volunteers on spotting potential cyber security issues:   Many cybersecurity attacks can be minimised through education of staff and volunteers. Things like using a password manager, having an IT support team to contact with questions and questioning emails that seem odd, are all important parts of a prevention strategy. 

Separate work and personal devices:   Our guard often comes down when using personal devices or conducting personal matters. To prevent cyber attacks happening in homes, separate any work onto a different device, and use different computers where possible. 

Kitty Bates is a cybersecurity content expert at outsourced IT support provider ramsac.

You Might Also Read: 

Spyware - Apple Starts Legal Action Against NSO Group:

« The Top 10 Most Severe Vulnerabilities In 2021
Russia Fines Google For Illegal Content Breach »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Openminded (OPMD)

Openminded (OPMD)

Openminded is a French security and network services company.

Entrust

Entrust

Entrust is a global leader in digital security, identities, payments, and data protection.

Mission Secure (MSi)

Mission Secure (MSi)

MSi is a specialized provider of next generation cyber defense solutions protecting control systems and critical physical assets in energy, transportation and defense.

NXO France

NXO France

NXO is an independent leader in the integration and management of digital workflows with services covering digital infrastructures, communications & collaboration, and security.

SlashNext

SlashNext

The SlashNext Internet Access Protection System (IAPS) provides Zero-Day protection against all internet access threats including Social Engineering & Phishing, Malware, Exploits and Callback Attacks.

Aveshka

Aveshka

Aveshka is a professional services firm focused on addressing complex threats and challenges including Cybersecurity and Information Technology.

Endian

Endian

Endian’s mission is to provide a secure platform that connects distributed people and things, simplifying the digitalization of businesses.

Checksum Consultancy

Checksum Consultancy

Checksum Consultancy specializes in Information security, Risk management, and IT governance.

Infosec Partners

Infosec Partners

Whether you’re looking for complete managed security or an on-call expert advisor, we offer a range of managed security services to complement your internal team or primary outsource partner.

Cypress Data Defense

Cypress Data Defense

Cypress Data Defense helps clients build secure applications by providing training, best practices, and evaluating security during every stage of the Secure Application Development Lifecycle.

Scrut Automation

Scrut Automation

Scrut Automation's mission is to make compliance less painful and time consuming, so that businesses can focus on running their business.

Iris Powered by Generali

Iris Powered by Generali

Iris Powered by Generali is an identity theft resolution provider. Our offering combines expert assistance and support with user-friendly identity protection technology.

CyberUp

CyberUp

CyberUp is a nonprofit organization created to strengthen the cybersecurity workforce. We help employers reimagine how they grow and scale their cybersecurity workforce.

SecureDNE

SecureDNE

SecureDNE are a leading provider of cutting-edge Fractional CISO, Managed Cybersecurity Services, and Cybersecurity Engineering Solutions.

Geobridge

Geobridge

Geobridge was one of the first information security solutions providers to support cryptography and payment applications for payment processors, financial institutions and retail organizations.

Dapple Security

Dapple Security

Dapple Security is creating cutting edge technology utilizing responsible biometrics that protects people and privacy through a first-of-its-kind passwordless platform.