At least 30 critics of the Prayut Chan-o-cha administration had their phones infected with Pegasus spyware, a powerful tool for surveillance and eavesdropping. Although government authorities have yet to be tied to the bugging, an investigation strongly suggests state involvement.

Piyarat ‘Toto’ Chongtep, an activist who has been openly critical of the Prayut-led government since 2014, has experienced state surveillance before. Over the years, he has been followed by plainclothes police officers and found GPS tracking devices attached under his car. He also discovered that his phone service provider was providing the authorities with data on his phone usage during the Court trial.

Piyarat Chongtep

After he founded We Volunteer (WeVo), a pro-democracy protester guard organisation, in the wake of the 2020 mass protests, the monitoring grew deeper, subtler, and more sophisticated, however. He and three fellow WeVo organisers, discovered that their phones were infected by Pegasus, a secretive spyware known for its highly-invasive capabilities.

He blames the authorities, who he suspects may have erroneously labelled his well-trained and disciplined civilian protest guard group as a guerilla organisation.  Although he has yet to obtain conclusive proof, he believes that they have tapped his group’s communications in order to identify their supporters.

According to an investigation released on 18 July by the Citizen Lab and DigitalReach, internet watchdog groups, and iLaw, a local legal watchdog, Piyarat is one of some thirty individuals whose phones have been infected. The list includes 24 activists who have been calling for political and monarchy reform, 3 outspoken academic critics of the military-backed government, and 3 NGO officers who publicly questioned security sector operations.

Imported parasite

As noted in the report, Pegasus is a “highly sophisticated spyware produced by the Israel-based cybersecurity company NSO Group, and is licensed only to government agencies with the approval of the Israeli government.”

It allows attackers to gain complete control over an infected phone, providing access to photos, videos, messages and call records. It can also be used to turn on phone cameras and microphones, allowing hackers to observe real-time situations without the knowledge of phone owners.

“Once a telephone is infected with Pegasus spyware, it becomes a spy in your pocket,” said John Scott-Railton, a Citizen Lab spokesperson, in an online presentation at a briefing in Bangkok on 18 July.

He went on to demonstrate two additional traits of the spyware: a zero-click attack which allows for a targeted device to be infiltrated without the use of click bait lures employed in other hacks, and an automatic tracking record erasure that removes software footprints.

Designed to fight crime and terrorism, the spyware is also ideal for attackers who want to monitor social networks and the activities of political parties and civil groups.

An investigation report launch on Monday.

Pegasus was apparently first used in Thailand on 27 May 2014, 5 days after the 2014 coup. The Citizen Lab found that a cluster of Pegasus servers were then operating in the GMT+7 time zone used by Thailand and nearby countries. The servers had domain names like siamha[.]info, thtube[.]video, thainews[.]asia - names which suggest that the operators were based in Thailand.

They also discovered that a cluster of Pegasus servers were registered by an individual in Thailand in 2016. The registration was made with the email “[redacted][email protected]”. The group speculated that NSB was a possible reference to the Narcotics Suppression Bureau, the government’s anti-drug agency. Other clusters were found in 2018, but it was impossible to identify the operators.

According to Scott-Railton, proving Thai governmental use of Pegasus ultimately requires copies of contracts and concession agreements. IT forensics can provide evidence to some extent but whistleblowers and research into public records are still needed.

Attacks centred on political protests

Sutawan Chanprasert from DigitalReach, a CSO that addresses the impact of technology on human rights in Southeast Asia, believes that Pegasus was used in Thailand to monitor governmental critics and protest-related activities, as well as to uncover the funding sources of the democracy movement.

A number of protest organisers’ phones were infected in the days just prior to mass demonstrations. The phones of 5 people were attacked around the 24th of June 2021 when protest organiser Ratsadon staged a protest to commemorate the 1932 revolution. The attacks were repeated some 11 times.

Panussaya Sitthijirawattanakul, a student activist from Thammasat University (TU) who publicly framed the 10 demands of the monarchy reform movement in 2020, discovered that her phone was  infected on 23 June 2021, one day before the protest. Jutatip Sirikhan, another TU activist has been attacked multiple times.  One occurred on 18 March 2021, two days before the planned protest in Bangkok.

The phone of activist Jatupat Boonpattararaksa or ‘Pai Daodin’ was attacked on 23 June 2021 and again on 28 June 2021, just prior to scheduled protests in Bangkok and Khon Kaen. Inthira Charoenpura, an actress known for her support and fundraising for the pro-democracy movement also had her phone attacked in April and June 2021.

People involved in the movement behind the scenes were also frequently attacked. The phone of Niraphorn Onnkhaow, a founding member of the TU-based protest organiser United Front of Thammasat and Demonstrations (UFTD) was infected 14 times between February 16 - July 7, 2021. 

An infographic from the Citizen Lab shows the rate and date of infections.

Ruchapong Chamjirachaikul from iLaw contends that the only party likely to have benefited from the spying is the Thai government.  He notes that targets were invariably political dissidents involved in organising mass protests, that the authorities have a history of purchasing surveillance technology from abroad, and that the NSO Group only sells Pegasus to government agencies.

He adds that the investigation was launched after Thai activists, all iPhone users, were notified by Apple that their devices had been breached, possibly by a state-sponsored attack in November 2021.  Many more victims, Android users, may have been unknowingly infected.  There are technical difficulties in ascertaining a breach and the attacker can spread the infection to other phones through contact lists.

Anon Chawalawan, another iLaw officer, notes the coup paved the way for extensive state surveillance, physically and in the cyber realm. The junta summoned people to the military camps around the country, subjecting them to military interrogation and demanding access to their phone data. Contact information was even used to bring criminal charges; in one instance, a lese majeste lawsuit stemmed from a private conversation.

The 2019 Cyber Security Act allows state officials to question individuals, conduct searches and seize digital devices without a Court warrant in situations deemed to pose a severe threat to national cybersecurity. The National Intelligence Act passed the same year allows intelligence operatives to use cyber and digital means to procure needed information.

Government data collection that related to security matters was also exempted from the recently adopted Personal Data Protection Act (PDPA).

“The use of Pegasus spyware that has been detected by activists who received email from Apple in November 2021 was just evidence which proves that the Thai state desperately needs to contain the uprising and is willing to do whatever they can to contain the situation. And this is why the activists, civil society groups, and any other concerned parties need to pay attention closely to this development,” said Anon.

Seeking a countermeasure

As a result of surveillance, Piyarat no longer trusts the privacy of his communications.  He now uses an older model of telephone for voice communication, only using the internet for public communications like Facebook posts.

Puangthong Pawakapan, an Associate Professor in the Faculty of Political Science at Chulalongkorn University (CU) who was not involved with the youth movement, discovered that her phone was also infected. 

She believes that the surveillance stems from her involvement in a fact-finding mission over the deadly crackdown against the red shirt protesters in 2010, her published research about the citizens’ surveillance work organised by the military’s Internal Security Operations Command (ISOC), and her critical posts on social media.

Puangthong added that government in Israel, where Pegasus was developed, should not turn a blind eye to its role in providing autocrats around the world with a powerful tool to terrorise political dissidents. She went on to draw a comparison – one bordering on hyperbole – between such state-sanctioned surveillance campaigns and the Holocaust.

“They call for people around the world to have sympathy, to understand the tragedy that occurred to the Jews at the hand of the Nazis during the holocaust, but what the Israeli government is doing to people around the world is no different; [they facilitate] crimes against people who have no way to fight the reign of terror that has been inflicted on the world nowadays,” said Puangthong.

Sarinee Achavanuntakul, an online influencer and a member of Thai Netizen Network, a civil society working on digital and human rights issues who was also another victim of Pegasus, said she is angered by the attack, which violated the privacy of the people she contacted while the spyware was on the phone.

She called for authorities to probe the matter, suggesting that members of the parliament seek evidence of state links to NSO and complicit government agencies.

Yingcheep Atchanont, iLaw manager and another Pegasus victim turned investigation collaborator, is looking into the possibility of filing a class action suit against the government to seek compensation for the serious privacy breach.  It is as if they “set up a camera and microphone in our office the whole time”. 

Note: On 14.00 of 20 July 2022, Prachatai English has added and replaced previous content with a fully edited version.