
Pegasus and the Nonprofit Sector

Between the Blackbaud attack of 2019 and estimates of one cyberattack occurring every 39 seconds, nonprofit organizations, which hold valuable data, have never been more at risk. The rise in remote working, data protection regulations that differ between state and federal level, and ever-changing international compliance requirements have produced a landscape plagued by risk.

And now, in 2022, a threat known as Pegasus looms. Let’s take a look at the implications it has for the nonprofit sector.

What is Pegasus?

Pegasus is advanced spyware created by NSO Group, an Israeli company. It allows an operator to take over a person’s existing phone and turn it into a surveillance device, providing records of their whereabouts, access to the camera and microphone, and copies of the emails, phone calls and text messages sent to and from the device. This makes it one of a small number of so-called ‘cyber mercenary’ tools that let their users tap into suspects’ devices and collect information on them.

Originally created to help tackle serious crime such as drug trafficking, terrorism and pedophile rings, it has been used by nation states to suppress unfavorable media coverage and attack human rights activists, and some believe it has played a part in the murders of journalists. Saudi Arabia and the UAE are known to have used the software in previous years, and many other national ministries, and potentially criminal gangs, have had access to it.

How does Pegasus work?

Pegasus is different in the way it gains access to a person’s phone: it relies on previously unknown ‘zero-day’ vulnerabilities. A zero-day attack exploits a flaw that was unwittingly built into a device’s software and has not yet been patched. Because the company that created the software doesn’t know the flaw exists, attacks that exploit it can continue unnoticed for months.

Pegasus is then installed using a ‘zero-click’ approach, which requires no interaction from the target. This makes it incredibly dangerous: in the hands of malicious actors it provides the tools needed to hijack the phones of innocent people, or of those who dare to speak out against a repressive regime.

Pegasus in the news

The software isn’t new to America. At the end of 2021, Reuters revealed that at least nine US State Department employees had their phones hacked by an unknown party using the Pegasus software. All of those affected had been working on matters involving Uganda in some capacity, and some of the compromised phones had Ugandan phone numbers.

This breach led to NSO Group being placed on the US Commerce Department’s Entity List, preventing US companies from doing business with it.

Why are nonprofits at particular risk?

Nonprofits have long been at risk of data breaches, as they often have weaker cybersecurity defenses or spend less of their budget on protecting their computers. Likewise, because budgets are low, many volunteers and staff use their own devices, a practice known as BYOD (Bring Your Own Device), which can easily lead to multiple problems.

Nonprofits are also at risk because they hold PII (Personally Identifiable Information) on many people across the States, all of whom have money to donate.

For example, Blackbaud, a donor management platform used by many nonprofits across the US, was breached in 2019, leaving millions of donor records exposed and held for ransom by hackers.

When it comes to Pegasus, nonprofits still find themselves at risk. America does not always have good political relationships with every country, and as a result certain groups of charities, such as humanitarian aid organizations or those working with marginalized groups in some countries, find themselves at risk of attack by repressive nation states, or by criminal gangs targeting potentially large pots of money.

How can nonprofits protect themselves?

For nonprofits, it’s important to be aware of cybersecurity risks and protected against them. While the core financial focus of any nonprofit is always helping those in need, some expense must be made on protecting the organization from hacking and cybercrime.

Invest in a password manager

Password managers, such as Dashlane or LastPass, allow volunteers and employees to store passwords and sensitive information securely in an encrypted vault, without having to remember each individual password.

It is a simple yet highly effective way to encourage good password management in a user-friendly way.

Update to the latest security patches

Install security patches as soon as they are released. Unlike feature or device updates, security patches fix identified vulnerabilities, including zero-day vulnerabilities once the vendor has learned of them. By encouraging staff to run updates weekly across all devices, you close the window in which a known vulnerability can still be exploited against your systems.

Part of this should also be investing in technology that still receives regular security updates. If devices are too old, they will no longer receive patches, leaving them vulnerable. While it can be a hard cost for nonprofits to stomach, it’s a necessary one to protect yourself.
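The weekly patch cadence and the end-of-support problem described above can be turned into a simple inventory check. The example below is added here and is not code from the original article or from any vendor; the device inventory is constructed sample data, and the `supported_until` dates are placeholders rather than real vendor support dates.

```python
from datetime import date, timedelta

# Constructed sample inventory of nonprofit devices (placeholder values, not real devices).
# "last_patched" is when updates were last applied; "supported_until" is the date after
# which the device's OS no longer receives security patches (placeholder dates).
INVENTORY = [
    {"device": "office-desktop-01", "owner": "staff", "os": "Windows 10",
     "last_patched": date(2022, 3, 14), "supported_until": date(2025, 10, 14)},
    {"device": "byod-phone-07", "owner": "volunteer", "os": "Android 9",
     "last_patched": date(2022, 1, 20), "supported_until": date(2022, 1, 1)},
    {"device": "byod-laptop-03", "owner": "volunteer", "os": "macOS 12",
     "last_patched": date(2022, 2, 28), "supported_until": date(2024, 9, 1)},
    {"device": "donor-db-server", "owner": "staff", "os": "Ubuntu 20.04",
     "last_patched": date(2022, 3, 15), "supported_until": date(2025, 4, 1)},
]


def audit_patch_status(inventory, today, max_age_days=7):
    """Classify each device against a weekly patch cadence and its support window.

    Returns a dict with three lists of device names:
      - "unsupported": OS no longer receives patches, so updating cannot help; replace it.
      - "overdue":     still supported, but last patched more than max_age_days ago.
      - "ok":          supported and patched within the cadence.
    """
    report = {"unsupported": [], "overdue": [], "ok": []}
    cutoff = today - timedelta(days=max_age_days)
    for item in inventory:
        if item["supported_until"] < today:
            # Out-of-support devices are listed separately: no amount of
            # "run updates weekly" fixes a device the vendor has stopped patching.
            report["unsupported"].append(item["device"])
        elif item["last_patched"] < cutoff:
            report["overdue"].append(item["device"])
        else:
            report["ok"].append(item["device"])
    return report


def days_since_patch(item, today):
    """Age of the last patch in days, useful for prioritising the overdue list."""
    return (today - item["last_patched"]).days


if __name__ == "__main__":
    today = date(2022, 3, 18)  # constructed audit date
    result = audit_patch_status(INVENTORY, today)
    for status, devices in result.items():
        print(f"{status:12s}: {', '.join(devices) or '-'}")
    for item in INVENTORY:
        print(f"{item['device']:18s} last patched {days_since_patch(item, today):3d} days ago")
```

Run weekly, the report gives a nonprofit two action lists: devices to update now, and devices that need replacing because they have fallen out of vendor support.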

Use two factor authentication (2FA)

Two-factor authentication requires a second step at login, which stops an attacker who has only your password from logging in to your accounts. By using 2FA, whether with Google Authenticator, a passcode sent to a trusted mobile number, or a hardware security ‘key’ plugged in over USB, you can control logins carefully and keep your accounts safe.

By rolling this out not only for staff and volunteers but also for users of your software, you can ensure the best possible protection for accounts and their data.

Education of volunteers and staff

The ‘human firewall’ is a popular term in cybersecurity: people are our biggest defense, yet also our biggest weakness, against attackers and cybercriminals.

By educating everyone who works with your nonprofit on how to spot scams and how to question suspicious emails and messages, you will be better equipped to prevent unwanted access to your systems.

Human firewall training should also cover setting up 2FA and good password creation and management, all of which contribute to a more secure organization.
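The questions staff are taught to ask of a suspicious email (does the sender’s domain look right, does Reply-To go somewhere else, does the link point where it claims, is the message pressuring me to act now) can also be checked mechanically before a message reaches a volunteer’s inbox. The script below is an added example and not part of the original article; the trusted domain, the two sample messages and the pressure-language word list are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: the nonprofit's own domain(s). Anything else is treated as external.
TRUSTED_DOMAINS = {"examplecharity.org"}

# Constructed list of phrases typical of pressure tactics in scam messages.
PRESSURE_PHRASES = ("urgent", "immediately", "within 24 hours",
                    "account suspended", "verify your account")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalise(domain: str) -> str:
    """Undo common lookalike substitutions so 'examp1echarity.org' compares equal."""
    return domain.replace("1", "l").replace("0", "o").replace("rn", "m").replace("-", "")


def is_trusted_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def lookalike_of_trusted(domain: str) -> bool:
    """Untrusted domain that mimics a trusted one, by substitution or by embedding it."""
    if is_trusted_host(domain):
        return False
    return any(normalise(domain) == normalise(d) or d in domain for d in TRUSTED_DOMAINS)


def assess_message(raw: str) -> dict:
    """Return the sender address and a list of human-readable red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part else ""
    haystack = (msg.get("Subject", "") + "\n" + text).lower()

    findings = []
    sender_domain = domain_of(sender)
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from sender {sender_domain}")
    if lookalike_of_trusted(sender_domain):
        findings.append(f"sender domain {sender_domain} looks like a trusted domain but is not")
    hits = [p for p in PRESSURE_PHRASES if p in haystack]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    link_hosts = re.findall(r"https?://([^/\s>]+)", text)
    untrusted = sorted({h for h in link_hosts if not is_trusted_host(h)})
    if untrusted:
        findings.append("links to untrusted hosts: " + ", ".join(untrusted))
    return {"sender": sender, "findings": findings,
            "verdict": "suspicious" if findings else "no indicators"}


# Constructed sample messages (not real mail).
LEGIT = """From: Executive Director <director@examplecharity.org>
To: volunteers@examplecharity.org
Subject: Thursday food distribution

Thanks everyone. Shift times are on https://examplecharity.org/rota as usual.
"""

SUSPICIOUS = """From: Example Charity Finance <finance@examp1echarity.org>
Reply-To: <payments@mailbox-free.example>
To: volunteer@examplecharity.org
Subject: URGENT: verify your account

Your account will be suspended within 24 hours. Verify your account immediately at
https://examplecharity.org.login-verify.example/verify
"""

if __name__ == "__main__":
    for sample in (LEGIT, SUSPICIOUS):
        result = assess_message(sample)
        print(result["sender"], "->", result["verdict"])
        for flag in result["findings"]:
            print("   -", flag)
```

None of these checks is proof on its own, which is exactly why the training the section describes still matters: the script surfaces the indicators, and a person decides whether to trust the message.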