On September 6, 2024, The Thai Civil Court in Bangkok scheduled for the defense witnesses examination in a lawsuit filed by Pai-Jatupat Boonpattararaksa against NSO Group, which developed the Pegasus spyware, accusing NSO Group of invading his privacy by using the spyware to steal data from his phone. He is asking for 2.5 million baht in damages and asking for a court order to halt NSO’s use of Pegasus spyware in Thailand.
Originally, this hearing was scheduled for the plaintiff’s witnesses. However, as all the plaintiff’s witnesses had already testified, the defense took the stand. The defense presented a computer science expert witness to challenge the credibility of the forensic evidence provided by the plaintiff, which claimed Jatupat’s phone had been hacked by Pegasus spyware three times. The expert aimed to argue that the forensic results were unreliable and could have been fabricated.
The expert witness, Yuval Elovici, is the head of the Cybersecurity Research Center at Ben-Gurion University. NSO initially sought to have Yuval testify online, but the court rejected the request, stating it could not exercise jurisdiction over witnesses residing in another country. The court required the witness to appear in person. Consequently, NSO arranged for Yuval to travel to Thailand to testify in person at the Civil Court on September 6, 2024.
Yuval, an Israeli national, arrived in Thailand and testified in English without submitting his written testimony to the court or the plaintiff’s lawyer at least 7 Days in advance, as required by law. The defense lawyer provided the plaintiff with Yuval’s written testimony only the night before the testimony. The plaintiff’s lawyer objected to the late submission.
Yuval, a retired Israeli major general with a Ph.D. in information systems, began his testimony by explaining his academic and professional background. He works at Ben-Gurion University, where he teaches information security and applied cryptography for graduate students. Yuval testified that he had been approached by NSO to serve as an expert witness, with all travel expenses covered by the company.
Initially, Yuval attempted to read from his written testimony, but the court instructed him not to do so. The defense lawyer asked for the court’s permission to display a PowerPoint presentation on a television screen in the courtroom. The slides, translated from English into Thai, were shown to Yuval and the plaintiff’s lawyers but not to the court. The defense also submitted these slides as evidence. Yuval then proceeded to read from the English-language slides, which were black-and-white and text-only.
The key argument presented by Yuval was that it is extremely difficult to definitively identify cyber attackers. He explained that attackers often use sophisticated techniques to obscure their identity, including imitating attack patterns from other countries to mislead investigators. Attackers might exploit vulnerabilities in software to gain unauthorized access to target systems remotely without detection. He argued that attackers could intentionally plant tools in a system to mislead investigators into attributing the attack to someone else.
Analogously, this tactic is similar to a burglar breaking into a house and leaving behind a glass with someone else’s fingerprints. Once attackers gain access to a system, they can access all data within, including timestamps, logs, and other evidence.
