Protesters in Bangkok showing democracy activists targeted by Pegasus spyware

Pegasus Spyware Used Against Civilian Political Opposition Again; Thailand Democracy Activists in “Milk Tea Alliance” Movement Targeted

The University of Toronto’s Citizen Lab, which has exposed many prior illicit uses of Pegasus spyware, has reported the discovery of a new violation of privacy that took place from late 2020 to late 2021. Numerous democracy activists opposed to the Thai monarchy were targeted during this period of heavy protesting.

Pegasus spyware emerges again in Thailand as citizens challenge the monarchy

As the Citizen Lab report notes, Thailand is not generally viewed as a country that stifles free expression and organization, given its semi-democratic parliamentary system and the relative freedom citizens have to express their views on the internet. However, the country has long had extensive control over television and radio. There is also one sore spot that anyone in the country, including visitors, has to be very cautious about: the “lèse-majesté” laws that forbid public insult toward or defamation of the royal family. These laws have become increasingly harsh since the country’s most recent military coup in 2014.

The elections of 2019 ended up solidifying the role of leaders who took power in that coup, leading to significant political unrest. This coalesced around the “Milk Tea Alliance” in 2020, a largely youth-driven movement that took to social media to question the legitimacy of (and continued need for) the Thai monarchy. Thai officials responded to this movement by making broad and frequent use of the lèse-majesté laws to arrest democracy activists, prompting a formal expression of grave concern from the United Nations. This arrest wave was accompanied by a campaign of requests by the authorities to social media platforms to remove posts critical of the current government or monarchy.

The new Citizen Lab information reveals that this campaign of arrests and social media restriction was also quietly accompanied by espionage on the devices of democracy activists, academics, lawyers and staff of NGOs. All told, Pegasus spyware was found on the phones or computers of at least 30 individuals; though the spy campaign dates from October 2020, the first hint of the illicit activity came in November 2021, when Apple sent notifications to some impacted device users in the country.

Not all of the individuals that were hit with Pegasus spyware have been publicly identified, but the report highlights some of the most prominent democracy activists that were targeted. In most cases, these individuals had already been arrested in the past (in some cases several times) for protest activity.

Thai government’s hard line with democracy activists extended to covert monitoring of devices

Prominent democracy activists with FreeYOUTH, United Front of Thammasat and Demonstration (UFTD), and We Volunteer (WEVO) were among those with evidence of Pegasus spyware on their devices.

Some of these figures were hacked multiple times. President of the Student Union of Thailand and FreeYOUTH organizer Jutatip Sirikhan had her phone infected with Pegasus spyware six times between October 2020 and March 2021. A prominent member of UFTD, Panusaya “Rung” Sithijirawattanakul, was hacked three separate times in June 2021 and then once again in September (corresponding with protest dates). A Thai actress who called for donations for protest groups, Inthira Charoenpura, was also infected three times between April and June 2021. Those that were arrested during this period had their phones removed from their custody for as long as three and a half months, creating ample opportunity to simply load Pegasus spyware directly onto the device.

While some of the democracy activists had their phones seized, much of the attack window fell within the period in which the “Kismet” and “ForcedEntry” zero-click iOS exploits were available. These potent exploits were able to compromise phones simply by sending a particular iMessage; the recipient would only need to receive it, not even to open it, for their iPhone to be compromised. Citizen Lab said that at least several of the democracy activists with “outdated phones” were compromised in this way.

The report also indicates that the use of Pegasus spyware to track democracy activists and other dissidents may extend much farther into the country’s history, back as far as May 2014 (during the coup). A number of servers facilitating the spyware went online in the country in May and November of that year. Another cluster of similar servers went online in 2016, and a lone operator that was exclusive to Thailand was seen making attempts to pass the spyware in 2018.

As is almost always the case with incidents involving the Pegasus spyware, there is no “smoking gun” that points directly to members of the Thai government as clients. Citizen Lab attributes the attacks to the government/monarchy based on the target selection, timing of infections corresponding with political events, and the fact that the activity was contained to Thailand without any apparent foreign intervention.