
Introduction: Surveillance & Repression in Thailand

The Kingdom of Thailand is a constitutional monarchy with a parliamentary-style government divided into executive, legislative, and judiciary branches. The country has been beset by intense political conflict since 2005, during the government of former Prime Minister Thaksin Shinawatra. Corruption allegations against the regime culminated in a military coup on September 19, 2006 that ousted Thaksin. The military launched another coup on May 22, 2014 and seized power following mass protests against the civilian government led by Thaksin’s sister, Yingluck Shinawatra. The junta claimed that the 2014 coup was needed to restore order and called itself the National Council for Peace and Order (NCPO).

In this report, we detail our discovery of an extensive espionage campaign targeting Thai pro-democracy protesters and activists. Through careful forensic methods, we confirm that at least 30 individuals’ phones were hacked with NSO Group’s Pegasus spyware. The hacking took place between October 2020 and November 2021, a period of time coinciding with intense pro-democracy protests in Thailand.

All the infections involved the use of two different “zero-click” versions of Pegasus, which require no interaction from the victim and allow a government operator to silently and remotely hack a device in ways that are nearly impossible for a user to detect. Once a device is infected with Pegasus, an operator can turn on the camera and microphone, intercept all text messages, read emails, track location, review contacts, history and archived photos, and much more.

In November 2021, coinciding with their announcement of a lawsuit against NSO Group, Apple started to send notifications worldwide to victims of Pegasus infections, including in Thailand. Our investigation began after several Thai activists received these notifications and reached out to us and other civil society partners.

Key Findings

  • We discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy.
  • We forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus spyware.
  • The observed infections took place between October 2020 and November 2021.
  • The ongoing investigation was triggered by notifications sent by Apple to Thai civil society members in November 2021. Following the notification, multiple recipients made contact with civil society groups, including the Citizen Lab.
  • The report describes the results of an ensuing collaborative investigation by the Citizen Lab and Thai NGOs iLaw and DigitalReach.
  • A sample of the victims was independently analyzed by Amnesty International’s Security Lab, which confirms the methodology used to determine Pegasus infections.

This report is a companion to a report with detailed contextual analysis by iLaw and DigitalReach.

Findings: Pegasus Infections in Thailand

On November 23, 2021, Apple began sending notifications to iPhone users targeted by state-backed attacks with mercenary spyware. The recipients included individuals that Apple believes were targeted with NSO Group’s FORCEDENTRY exploit. Many Thai civil society members received this warning. Shortly thereafter, multiple recipients of the notification made contact with the Citizen Lab and regional groups.

In collaboration with Thai organizations iLaw and DigitalReach, forensic evidence was obtained from notification recipients, and other suspected victims, who consented to participate in a research study with the Citizen Lab. We then performed a technical analysis of forensic artifacts to determine whether these individuals were infected with Pegasus or other spyware. Victims publicly named in this report consented to be identified as such, while others chose to remain anonymous, or have their cases described with limited detail.

 
