Investigators: Pegasus spyware targeted dozens of Thai activists, academics

A rapper, an actress, Thai academics, and pro-democracy protest leaders were among dozens whose phones were hacked with spyware likely linked to the government, cybersecurity researchers said Monday in releasing forensic findings about the first known use of such espionage technology in Thailand.

At least 30 people were targeted for surveillance with Pegasus spyware produced by Israeli cybersecurity company NSO Group, research groups said as they unveiled their findings in Bangkok. These groups are Citizen Lab, a Canada-based cyber-research organization, iLaw, a Thai digital and legal rights NGO, and Digital Reach, a Southeast Asian tech rights organization.

The phone hacks were revealed in November 2021, when Apple warned several Thai iPhone users that “state-sponsored attackers” may have targeted their devices, said Ruchapong Chamjirachaikul, advocacy officer at iLaw.

“This was the same time Apple filed a lawsuit in the U.S. against the NSO Group whose spyware Pegasus had been used to hack iPhones. So, this was the moment we found out how serious the situation was,” he said while releasing a report about his group’s findings at the Foreign Correspondents’ Club of Thailand (FCCT).

Soon after the revelation, the three organizations conducted a forensic investigation into the phones of those infected by the spyware, including people who had not been contacted by Apple.

“We discovered an extensive espionage campaign targeting Thai pro-democracy protesters and activists calling for reforms to the monarchy,” Citizen Lab said in its own report.

The victims included anti-government rapper Dechathorn “Hockhacker” Bamrungmuan, actress and activist Intira Charoenpura, as well as Arnon Nampa and Panusaya “Rung” Sithijirawattanakul and other leaders of pro-democracy protests that began in July 2020.

On Monday, a national police spokesman denied the allegations and said officers were following the law.

“The national police bureau has authority under the penal code to prevent and suppress crimes, to keep peace and maintain national security and so on as it is assigned,” Col. Krishna Pattanacharoen told reporters.

“The national police bureau has not deployed any spyware for surveillance or to violate individual privacy as reported on social media. For the conduct of the security mission, the national police bureau strictly performs its duty according to the framework of laws.”

Rung, one of the public faces of the street protests, apparently had her phone infected with spyware while jailed on charges of royal defamation and sedition – one of four times she was hacked. She has since been released on bail.

“I was still in prison, but my social media was updated. Maybe they wanted to see who was behind it,” Rung said at the FCCT on Monday.

Another infection occurred as she and others were organizing a massive protest in Bangkok in June 2021. Since the hackings, she said she has tried to limit her use of phones.

“The best we can do is use airplane mode most of the time or leave our phones far away when we discuss something sensitive,” she said.

Sarinee Achavanuntakul, an adjunct professor at Thammasat University, said she originally considered Apple’s email a spam.

“I was angry at first – how dare they!” she said Monday. “But when you look at it, you can see a pattern. The common theme is that all of us are dissidents and critics of the government.”

An iLaw program manager, meanwhile, said he thought the Apple email was a mistake.

“I didn’t know why I was targeted. I still don’t know,” Yingcheep Atchanont told BenarNews on Monday. “I had never heard about this spyware technology before. It’s like in the movies.”

Citizen Lab said his phone was infected 10 times.

John Scott-Railton, a senior researcher at the Citizen Lab, said while researchers could “not conclusively attribute” the infections to any specific agency, “there are numerous pieces of circumstantial evidence … that suggests that a Thai governmental operator is pretty likely.”

He said the targeting matched individuals of interest to Thai authorities.

“As far as we know, Pegasus is exclusively sold to governments, which means when you find a case of a Pegasus infection, you can be sure that a government is behind it with some degree of certainty,” Scott-Railton told BenarNews.

Yingcheep said he “decided I don’t want to be just a victim because this is an illegal action,” adding he and other victims want to sue the government and are asking parliamentarians to investigate.

‘Unverifiable claims’

The NSO Group, the maker of the Pegasus spyware, rejected the allegations made by the research groups.

“Politically motivated organizations continue to make unverifiable claims against NSO hoping they will result in an outright ban on all cyber intelligence technologies, despite their well-documented successes saving lives,” its spokesperson said in an email to BenarNews on Monday.

“We refer you to the report itself, which states that the forensic evidence they collected from infected devices did not, in itself, provide strong evidence pointing to a specific NSO customer.”

Last year, the U.S. government blacklisted the NSO Group for supplying spyware that foreign governments have allegedly used against peaceful dissidents and their associates worldwide.

The phone hackings occurred between October 2020 and November 2021 at the height of the street protests when young Thais demanded changes to the constitution, for Prime Minister Prayuth Chan-o-cha to resign and for the monarchy to be reformed.

The youngest victim was 18 at the time of the cyber infections, according to one of the research reports.

“It is clear that the Thai government is the main benefactor of this Pegasus operation and probably the only benefactor in Thailand,” said iLaw’s Ruchapong. “It is in the interest of the Thai government to launch a cyber-attack on the Thai dissidents who are critical of the regime.

“There is a correlation between the time of the Pegasus attack and major political demonstrations.”

The researchers said the actual number of those targeted was very likely to be much higher.

“The use of Pegasus against dissidents is believed to have been motivated by three main aims – to monitor the online activities of dissidents, to monitor the protests and to seek information about the funding sources for the protests,” Digital Reach analyst Sutawan Chanprasert said.

“Pegasus is a tool of mass surveillance and a source of serious human rights violation,” Ruchapong said.

While there have been no signs of hacking after November 2021, there is “currently an active Pegasus operator in Thailand,” Citizen Lab’s Scott-Railton said. “It’s a really important and interesting question where that use is happening right now and who the targets are.”

Researchers said the Pegasus spyware can be installed onto targets’ phones remotely without them clicking on any suspicious links or opening files.

“There was no mistake … nothing they could have done to protect their devices from this insidious attack,” Scott-Railton said. “Once a phone is infected with spyware, it becomes a spy in your pocket.”

On Monday, London-based Amnesty International said its security lab independently confirmed five of the cases raised in the report involving Thai activists.

“These new revelations are a shocking example of just how low authorities might stoop to control peaceful dissent,” said Etienne Maynier, a technologist at Amnesty International, adding the scale of surveillance attempts could be more extensive and more damaging.

Wilawan Watcharasakwet and Nontarat Phaicharoen in Bangkok contributed to this report.