Cybersecurity researchers say that Thai activists involved in pro-democracy protests in 2020 and 2021 had their cell phones or other devices infected and attacked with spyware, most likely by a government entity.
The report, which was produced as part of a collaborative investigation by the Citizen Lab and the Thai civil society groups iLaw and DigitalReach, described “an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy.”
It found that at least 30 individuals were targeted for surveillance with Pegasus, a spyware application produced by the Israel-based cybersecurity company NSO Group. Those affected included activists, scholars, and people working with civil society groups, whose common denominator was a close involvement in the campaign of massive street protests that unfurled in the second half of 2020 and ran into the first months of 2021. The protests were notable for connecting calls for democratic reforms to demands that the Thai monarchy be reformed, a virtual taboo in Thailand’s politics up until that point.
The government responded to the protests by manipulating COVID-19 health protocols to prevent mass gatherings and weaponizing Thailand’s controversial lese majeste law against anyone referring even obliquely to the power of the monarchy of King Vajiralongkorn. Many of the victims named in the Citizen Lab have also been detained, arrested, and imprisoned for their political activities or criticisms of the Thai monarchy.
Among the most prominent of these, the report claims, were Panusaya “Rung” Sithijirawattanakul, a member of the United Front of Thammasat and Demonstration, a prominent student group based at Thammasat University; Jatupat Boonpattararaksa, the head of the Thalufah pro-democracy movement; and Arnon Nampa, a leading human rights lawyer. The Thai actress Inthira Charoenpura, who spoke out publicly in support of protests and donated water and other supplies to demonstrators, was also repeatedly infected with the Israeli spyware.
The Pegasus spyware, which came to prominence due to a joint global media investigation last year, is particular dangerous because of its ability to carry out “zero-click exploits.” These enable it to be installed remotely onto a target’s phone without the target having to click any links or download any malware.
The report argues that there is no hard forensic evidence about who is behind the infections of activists’ phones, but that a number of factors point in the direction of the Thai government. By NSO Group’s own admission, its products, including the Pegasus software, are sold exclusively to governments, meaning that “it is reasonable to conclude that the discovery of Pegasus spyware indicates the presence of a government operator.”
Moreover, the report claims that there “is longstanding evidence showing Pegasus’ presence in Thailand, indicating that the government would likely have had access to Pegasus during the period in question.” Add to this the fact that the targets were of “intense interest to the Thai government,” and that the attacks spanned from October 2020 to November 2021, a timing “highly relevant to specific Thai political events,” and it is likely that the Thai government has been conducting an unauthorized and possibly illegal campaign of surveillance. In many cases, the report claims, victims had their devices infected just before taking part in protests and other significant political actions.
The revelations show the extent to which Prime Minister Prayut Chan-o-cha’s government has sought to forestall the momentum of the pro-democracy movement that has arisen since the flawed national election of 2019.
According to the report, the infections appear to have ended in November 2021, when Apple began notifying iPhone users that they had been targeted by state-backed attacks with mercenary spyware. Among those who received notifications were numerous members of Thai civil society, who subsequently made their devices available for forensic examination by iLaw and DigitalReach.