Thai pro-democracy activists targeted by Pegasus spyware, researchers say

Thai democracy activist holding up her cellphone
Thai pro-democracy activist Panusaya Sithijirawattanakul holds up her cellphone during a news conference in Bangkok on Monday.
(Sakchai Lalit / Associated Press)

Cybersecurity researchers reported details Monday of cases where Thai activists involved in the country’s pro-democracy protests had their cellphones or other devices infected and attacked with government-sponsored spyware.

Investigators of the internet watchdog groups Citizen Lab; Thailand’s Internet Law Reform Dialogue, or iLaw; and Digital Reach said at least 30 individuals — including activists, scholars and people working with civil society groups — were targeted by an unnamed government entity or entities for surveillance with Pegasus, a spyware produced by the Israeli-based cybersecurity company NSO Group.

The reports from the two groups named many of those targeted, confirming earlier reports of the surveillance, which John Scott-Railton of Citizen Lab said shows that governments are using technologies designed to fight crime and terrorism to spy on critics and other private citizens.


“Citizen Lab believes there is a fundamental challenge for civil society,” Scott-Railton said in an online presentation at a briefing in Bangkok.

The attacks on the individuals’ devices spanned from October 2020 to November 2021, a timing “highly relevant to specific Thai political events,” since they took place over the period when pro-democracy protests erupted across the country.

Scott-Railton said Citizen Lab, which exposes digital espionage campaigns and insecure software, believed there was still an active Pegasus operator in Thailand.

An investigation by a global media consortium alleges that military-grade malware from Israel-based NSO Group is being used to spy on journalists, human rights activists and political dissidents.

July 18, 2021

Those whose devices were attacked were either involved in the 2020-2021 protests or were publicly critical of the Thai monarchy. Lawyers who defended the activists also were under such digital surveillance, the researchers said.

The Pegasus spyware is known for “zero-click exploits,” which means that it can be installed remotely onto a target’s phone without the target having to click any links or download software.


The spyware can obtain any data on the devices, including contact lists and group chats, making it highly effective against political groups and movements, Scott-Railton said.

NSO Group’s products, including the Pegasus software, are typically licensed only to government intelligence and law-enforcement agencies to investigate terrorism and serious crime, according to the company’s website. Citizen Lab and other cybersecurity researchers have tracked the spyware to 45 countries.

Poland’s most powerful politician acknowledges the country bought the advanced Pegasus spyware but denies it was used against political opponents.

Jan. 7, 2022

In a separate report Monday, the human rights group Amnesty International reiterated its call for a global moratorium on the sale of spyware.

“The unlawful targeted surveillance of human rights defenders and civil society is a tool of repression. It is time to clamp down on this industry that continues to operate in the shadows,” Amnesty official Danna Ingleton said in a statement.

NSO Group has rejected accusations that its snooping software helped lead to the killing of Saudi journalist Jamal Khashoggi, perhaps the highest-profile case so far. It maintains that its sales undergo a rigorous ethical vetting process and that Pegasus spyware is sold to governments only for security purposes.

In November, the U.S. government blacklisted NSO Group, and Apple sued it and notified Pegasus victims. Facebook has sued NSO Group over the use of a somewhat similar tool that allegedly intruded via its globally popular encrypted WhatsApp messaging app.

A cybersecurity rights group says the phones of dozens of independence supporters in Spain’s Catalonia, including the regional chief, were hacked.

April 18, 2022

The reports by Citizen Lab and iLaw do not accuse any specific government actor but say the use of Pegasus indicates the presence of a government operator. When news that dissidents had been targeted first surfaced in November, the Thai government denied the allegations.

Apple said it sought a permanent injunction to ban NSO Group from using any Apple software, services or devices to “to prevent further abuse and harm to its users.”

Apple’s notifications to customers of spyware infections are a crucial part of a defense strategy against such digital surveillance, Scott-Railton said.

“Apple did something remarkable by notifying the recipients of this suspected targeting. If you look at the infection online, it stopped after Apple’s notification,” he said. “It was a very consequential thing.”

The cybersecurity experts said that turning off and restarting a device can break the spyware’s digital connection. Security updates also have helped to close the loopholes that such attackers exploit.

“Layering up defenses on devices is very important,” Scott-Railton said. “Anything is better than nothing.”

But the spyware is constantly being updated and is designed to be difficult to spot, facilitating surveillance by governments that have found it a useful tool for suppressing dissent.

Thailand’s student-led pro-democracy movement ramped up activities in 2020, largely in reaction to the continuing influence of the military in government and hyper-royalist sentiment.

A cybersecurity watchdog says the cellphones of dozens of journalists at Al-Jazeera, the Qatari media company, have been targeted by advanced spyware.

Dec. 21, 2020

The movement was able to attract crowds of as many as 20,000 to 30,000 people in Bangkok in 2020 and had followings in major cities and universities.

“There is longstanding evidence showing Pegasus presence in Thailand, indicating that the government would likely have had access to Pegasus during the period in question,” researchers said in the report. The more than 30 individuals targeted were also “of intense interest to the Thai government.”

The army in 2014 overthrew an elected government, and Prayuth Chan-ocha, the coup leader, was named prime minister after a 2019 general election put in power a military-backed political party. Protesters have campaigned for Prayuth and his government to step down and demanded reforms to make the monarchy more accountable and to amend the constitution to make it more democratic.