Leaked data from the Pegasus project shows the potential risk of malware to business - ISH Technology

Questions are being asked about the work of Israel-based cyber surveillance specialist NSO Group after a leak exposed more than 50,000 phone numbers belonging to activists, journalists and other people deemed "of interest" to some of the world's most repressive regimes, which had been using its Pegasus remote access trojan (RAT).

Details of the abuse of Pegasus spyware - which is legitimately used by law enforcement clients and counter-terrorism agencies, among others - were revealed over the weekend of July 17 and 18 in a coordinated release by several media outlets, including the Guardian in the UK.

The newspapers obtained the list of numbers from the French non-profit organisation Forbidden Stories and the charity Amnesty International.

The data leak includes details of journalists from major media organisations including Al Jazeera, Bloomberg, CNN, The Economist, the New York Times and the Wall Street Journal, among others.

In addition to world leaders such as French President Emmanuel Macron, authorities from countries including Azerbaijan, Bahrain, the United Arab Emirates, Hungary, Kazakhstan, India, Mexico, Morocco, Rwanda and Saudi Arabia are also on the list.

In a lengthy statement, NSO vehemently denied the allegations contained in the stories. The Israeli company says it vetted all its government customers and did not operate the systems sold to them, nor did it have access to the data they might collect.

This is not the first time that questions have been raised about Pegasus software

In 2019, WhatsApp discovered that Pegasus had been used to infect more than 1,000 devices with malware via a Zero Day vulnerability.

NSO has also been accused of exploiting vulnerabilities in Apple software to target iOS devices. Analysis by Amnesty International's Security Lab suggests that the Israeli company is constantly looking for new zero days in established mobile applications.

As well as being installed by exploiting vulnerabilities or through spear-phishing attacks against targets, Pegasus can also be installed wirelessly if the target phone is within range of a specific transceiver, Amnesty said.

Once present, it can export all the contents of a device, as well as take control of the phone's microphone and camera and record calls.

Built on malware techniques, Pegasus is spyware that can compromise any iOS or Android device and steal a variety of data from the infected device, including text messages, emails, keystroke logs, audio and information from installed apps such as Facebook or Instagram.

The spyware can record conversations and videos, as well as take pictures from the device's camera.

Threat actors can use Pegasus to stealthily collect information from high-value targets, including executives with strategic corporate information and government officials with access to national or international secrets.

How Pegasus works and what it does

A Pegasus attack starts with a simple phishing scheme: the attacker identifies a target and sends that target the URL of a website via email, social media, text message or any other messaging channel.

Once the user clicks on the link, the malware silently runs a chain of three zero-day exploits against the victim's device, remotely unlocking it so the spyware can be installed.

The only visible indication that something has occurred is that the browser closes after the user clicks on the link. There is no other sign that anything has happened or that new processes are running.

Once installed, Pegasus starts contacting the operator's command and control servers to receive and execute the operator's commands.

The spyware contains malicious code, processes and applications that monitor what the user does on the device, collect data and report it back to the operator. The malware can access and export calls, emails, messages and logs from apps including Facebook, FaceTime, Gmail, WhatsApp, Tango, Viber and Skype.

Once the spyware has unlocked the user's device, it compromises the legitimate applications already installed on it to capture data, rather than downloading malicious versions of those applications.

Spyware like Pegasus uses Zero Day vulnerabilities to attack high-value targets

Pegasus takes advantage of Zero Day vulnerabilities, flaws unknown to the software, hardware or firmware manufacturers and to those responsible for patching them, to remotely unlock a user's device, install malware and give the attacker access to virtually all information on the device.

Because a Zero Day vulnerability cannot be known in advance, there is no way to protect against a specific exploit before it happens. However, there are actions that companies can take to reduce their level of exposure to risk.

While maintaining a high standard of information security may not prevent all Zero Day attacks, investment in information security can help detect the key symptoms of an attack, trigger preventative actions and defeat the attacks once the underlying vulnerabilities have been fixed.