The Thai government is suspected of using Israeli surveillance technology against more than two dozen dissidents and activists who supported democratic reforms, in what experts said was part of a wide-ranging campaign to try to shut down criticism using one of the most advanced spying tools in the world.
A report by researchers at Citizen Lab at the University of Toronto paints a devastating picture of the pervasive use of NSO Group’s Pegasus spyware in 2020 and 2021 against pro-democracy protesters, including many who have repeatedly faced arrest, harassment and physical attacks by Thai authorities. The Citizen Lab’s forensic analysis, which was peer-reviewed by experts at Amnesty International’s security lab, also raises questions about statements made by Thai government officials, who last year said reports of state-sponsored attacks were “untrue”.
Citizen Lab said: “It can be concluded that the attackers targeted selected individuals with Pegasus in order to gather particular information rather than using it for mass surveillance against dissidents in general.”
A successful infection of a phone with Pegasus gives a user of the spyware total control over the contents of a phone, including photographs, location, its microphone, camera and calls. It can turn a phone into a remote listening device.
Among the people whose phones were analysed by Citizen Lab and turned out to be infected with Pegasus, were at least four members of a prominent youth movement called United Front of Thammasat and Demonstration, including Panusaya “Rung” Sithijirawattanakul, who has been charged with at least 10 lèse-majesté offences, which criminalise insults to the Thai royal family. In one case, Panusaya wore a crop top shirt with the message “I have only one father” written on her skin, which was taken as a sign she was mocking the king – whose supporters describe him as the nation’s “father” – and led to criminal charges.
Arnon Nampa, a leading human rights lawyer and protest leader, was also hacked using Pegasus. His work has included defending activists accused of lèse-majesté, and publicly calling for the repeal of the law. He was charged with at least 14 lèse-majesté charges and was detained for a total of 339 days between 2020 and 2022. In one case, he was infected with Pegasus around 14 July 2021, the day he was quoted in a Bloomberg article about the Thai government’s response to Covid-19.
iLaw, a Thai civil society organisationthat worked with Citizen Lab and itself was targeted with spyware, said it believed attackers were looking for “behind-the-scenes information” about the activists’ online activities, such as who was running some activist leaders’ Facebook accounts while the leaders were being detained in jail.
The Thai actor Inthira Charoenpura, who is known to financially support protests and has used her social media account to invite people to protest, was infected four times by a user of Pegasus from May to July 2021, Citizen Lab said.
“We have known for long that the Thai state is inclined to conduct illegitimate surveillance operations on its own citizen, but [this investigation] has shown how desperate the Thai state really is when it comes to controlling the rise of youths who have a different ideal image of the country,” said Yingcheep Atchanont, the iLaw programme manager.
The sweeping investigation found that the surveillance campaign appeared to have been briefly interrupted after the publication one year ago of the Pegasus Project, a collaborative investigation by the Guardian and other media partners into the abuse of Pegasus by governments and regimes around the world.
A timeline of the mobile phone infections or targeting shows they were disrupted again after Apple fixed a vulnerability in its software, which researchers associated with Pegasus infections.
The infections of phones appear to have been halted after 23 November 2021, when Apple began notifying members of Thai civil society – along with other customers around the world – that their phones had likely been targeted by a state actor.
John Scott-Railton, a senior researcher at Citizen Lab, said NSO’s sales to undemocratic regimes and repressive royals were helping to “fuel authoritarianism” around the world, a critique that was also levelled at NSO by the Biden administration, when it placed the Israeli company on a US blacklist last year.
“Enough is enough, NSO must be held accountable. Government regulators have the tools, it’s time for them to hit the brakes on this out-of-control company,” Scott-Railton said.
An NSO spokesperson declined to comment on specific questions about the findings, but said in a statement: “Politically motivated organisations continue to make unverifiable claims against NSO hoping they will result in an outright ban on all cyber intelligence technologies, despite their well-documented successes saving lives.”
NSO has regularly said it cannot discuss specific cases in which Pegasus has allegedly helped save lives due to the national security implications of such revelations.
Citizen Lab said the forensic evidence they collected from infected devices did not, in itself, provide strong evidence pointing to a specific NSO customer. But that “numerous elements” provided circumstantial evidence that one or more Thai government operators were responsible for the surveillance campaign.
This included the fact that the victims were of intense interest to the Thai government; that the hacking points to a “sophisticated understanding” of non-public elements of the Thai activist community, including financial backers who were targeted; and that the timing of the hacks coincided with political events in Thailand.
“There is longstanding evidence showing Pegasus presence in Thailand, indicating that the government would likely have had access to Pegasus during the period in question,” the report said.
The Thai embassy in Washington DC did not immediately respond to a request for comment.