The Washington Post published yet another blockbuster story about NSO Group based on a list of 50,000 cell phone numbers it’s suspected of hacking on behalf of scores of repressive regimes. Among the suspected victims were powerful heads of state including three presidents (France’s Macron, South Africa’s Cyril Ramaphosa, and Iraq’s Barham Salih), one former president (Mexico’s Felipe Calderon), three prime ministers (Pakistan’s Imran Khan, Egypt’s Mostafa Madbouly and Morocco’s Saad-Eddine El Othmani), seven former prime ministers targeted while they were in office, and one king (Mohammed VI of Morocco). World Health Organization Director General Tedros Ghebreyesus was also in Pegasus’ sights. In total, 600 politicians and political leaders in 34 countries were on the list.
Amnesty International researchers were able to trace 1,000 of the phone numbers to specific individuals in 50 countries. Of those, it discovered 37 cell phones which were targeted and successfully infected with NSO’s Pegasus malware:
Military-grade spyware licensed by an Israeli firm…was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners.
The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of the Israeli firm, NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.
The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.
In reading the story, it’s apparent that the list of the 50,000 phone numbers either came from within NSO Group itself or was obtained by someone with access to such valuable corporate secrets, though the reporters carefully avoided dealing with this subject in order to protect their source and their own methods of obtaining it and analyzing its contents. It also appears that besides the larger list, the reporters have access to a separate list or documents which specify which phones were infected and when, though the story does not mention this second set of materials.
On the other hand, if Amnesty and the Post did have access to secret internal documents, I would expect that NSO would be screaming bloody murder and threatening them with prosecution for the theft of corporate property. Since they haven’t done so (yet), it’s not clear how they gained access.
Those targeted are a Who’s Who of world leaders and policymakers including:
…Several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.
Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.
Though individuals were targeted in 50 countries, the majority of the infections were found in only ten, most of which are either authoritarian regimes or ones with extensive intelligence monitoring of citizens: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Previous reporting has shown that NSO does business with all of them.
15,000 of the numbers were located in Mexico, whose security agencies were NSO’s first customer. The Guardian speculates that the value of its contracts would mount into the “hundreds of millions of dollars.” Targets were political and union leaders, journalists, priests, the governors of every state, and human rights activists. In one specific instance, the infected phone of one journalist may have allowed his assassins to track his whereabouts so they could murder him. Pres. Lopez Obrador and 50 of his key aides, including his wife, children, brothers, and heart surgeon, were also targeted during the administration of his predecessor, Enrique Nieto.
NSO Has a Soft Spot for Corrupt Officials and Loyal Clients
The Mexican attorney general, Thomas Zeron, who was NSO’s first client, used Pegasus to target human rights activists, journalists and lawyers fighting on behalf of 43 students gunned down under mysterious circumstances. Later, he was accused by the government of embezzling $50 million in state funds. Given the level of graft involved in the signing of such contracts with Mexican intelligence agencies, it’s likely NSO paid bribes to Zeron to secure the deal.
Trump confidant-fall-guy Elliot Broidy and his Mexican associate, Jose Azano, are accused of offering bribes to Mexican authorities in order to secure the NSO deal. Both Azano and Broidy went to prison on separate and unrelated federal charges. Where did the funds come from? Very possibly out of the pockets of investors like Francisco Partners, which owned the firm at the time.
After being charged with bribe-taking, Zeron fled to Israel. How did he do so while a wanted man and during a national COVID travel ban? The Mexican government has accused NSO, which enjoys close ties to Israel’s military and intelligence apparatus, of facilitating his escape, and later lobbying to grant him asylum (which has not happened). As Mexico demanded his extradition, Israeli authorities attempted to extort their own bribe: until the country drops its support for an ICC investigation of Israeli war crimes, Israel sees no reason to cooperate in the extradition matter. It is typical of Israeli policy that it seeks to protect and advance its own interests regardless of moral consequences. It offers cold, hard amorality in place of statecraft or diplomatic niceties.
Indian security agencies, under the direction of a far-right Hindutva government which is engaged in a brutal military occupation of majority-Muslim Kashmir, used Pegasus to target journalists, opposition politicians, government officials and business leaders.
Hungary’s authoritarian leader used Pegasus to target his media enemies. Who did he blame for the charges? “The Jew,” George Soros, of course. Oh the dark irony of using Israeli spyware to hunt your enemies and maintain power, while blaming it all on a Jew!
NSO’s List of Prohibited Countries is a Charade
Though NSO specifically prohibits clients from targeting those in Russia, China, Israel or the US, in fact, the cell phones of Americans living overseas were targeted.
Previous reporting has also disproven this NSO claim as a lie:
…“Our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said in its statement. “It is technologically impossible
In WhatsApp’s lawsuit against the Israeli company, it discovered that NSO maintained servers inside the US and that these servers were quite likely collecting data from individuals inside the US. Sen. Ron Wyden suggested during a Senate hearing that NSO could be targeting US government officials:
“If foreign surveillance companies like NSO are helping their foreign government customers hack or spy on Americans, particularly US government employees and contractors, that would raise serious national security issues,” Wyden said. “I am looking into this topic, and expect to have more to say in the coming weeks.”
I strongly doubt he would have done so without knowing this was in fact happening. The Daily Beast writes that one of the Americans Pegasus targeted was Rob Malley, Pres. Biden’s special representative to Iran. Malley is a controversial figure among the Israel Lobby and Republicans because, though Jewish, he is allegedly insufficiently pro-Israel. Several parties would consider him a hostile party and be eager to know what he’s doing, among them Saudi Arabia and Israel.
In reporting the Post story, several of the journalists involved found that their own or other family members’ phones had been attacked by Pegasus. This raises a suspicion that NSO itself, or agents acting on its behalf, may be using its own malware in its corporate battle against its “enemies” in the press.
The article recounts the breadth of private information which Pegasus can obtain and how thoroughly it defeats any security measures:
Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.
In other words, once Pegasus has infected your device, everything on it is wide-open, no matter how many security provisions you’ve employed to defend against intrusion.
Israeli Intelligence Backdoor
Cyber-security analysts and US intelligence officials believe that Israeli intelligence has, with the cooperation of NSO itself, engineered a Pegasus “backdoor” which permits agencies like the Mossad and AMAN to track all the data which the company’s clients are extracting from their targets’ electronic devices:
…Current and former US intelligence officials told the Washington Post…that there was a presumption that Israel had some access – via a “backdoor” – to intelligence unearthed via such surveillance tools.
John Scott-Railton, a senior researcher at the Citizen Lab at the University of Toronto, said he believed it would be “irresponsible” for a state to allow the large-scale distribution of a powerful surveillance tool such as Pegasus without being able to keep an eye on what was being done with it.
He said court records had revealed that NSO used servers that were not always located on the premises of the client. “What that means is there’s the potential for visibility. And it would be crazy for them [the Israelis] not to have visibility,” he said.
In that case, NSO becomes much more than a private company. It becomes a massive repository of global intelligence data, an extension of the state and a means for advancing its interests.
Veteran Israeli security correspondent Yossi Melman tweeted this dyspeptic view of the company and its prospects:
NSO is finished. The days of this company and its Pegasus malware are numbered. For years I’ve warned that this would end badly. I criticized the defense ministry which supported it. I was among the few in the media who argued that it was impermissible to arm shady regimes with such weapons under the guise of fighting terror and crime; and that it would be used to harm journalists and activists. Veteran journalists collaborated with NSO and were recruited to write flattering profiles.
Netanyahu as NSO’s Chief Salesman
In fact, Bibi Netanyahu’s travels abroad offer evidence that he saw himself as NSO’s chief salesman:
The countries in which journalists were targeted through NSO’s technology that were revealed in Project Pegasus include Saudi Arabia, Hungary, Azerbaijan, the United Arab Emirates, Rwanda, Morocco, India and Mexico. This list might ring a bell with anyone who follows the news in Israel, since it mirrors the list of countries with which Israel improved its diplomatic relations in recent years, under former Prime Minister Benjamin Netanyahu.
In summer 2016, Netanyahu embarked on a trip to several African countries, including Rwanda, “after decades in which no Israeli prime minister has visited Africa,” a Foreign Ministry press statement said. In December 2016, he visited Kazakhstan and Azerbaijan.
In July 2017, he became the first Israeli prime minister to visit Hungary. In September 2017, he visited Mexico, saying, “I’m embarking today on a historic visit to Latin America. This is the first time since Israel was established that a sitting prime minister has visited south and central America.”
In January 2018, he paid a “historic visit” to India, months after Indian Prime Minister Narendra Modi visited Israel for the first time. Nor was this the only reciprocal visit. For instance, Hungarian Prime Minister Viktor Orban came to Israel a year after Netanyahu’s visit to Hungary.
…With Morocco, there were no official visits at the head of government level, but there were lower-level visits, and the countries improved their bilateral relationship, agreeing in December 2020 to “resume relations.”
One month earlier, Netanyahu paid a semisecret visit to Saudi Arabia; this apparently wasn’t his first visit there.
On each of these trips, Netanyahu announced the “development of reciprocal relations,” and he was accompanied on the plane by delegations of businesspeople. According to official press statements, they came from fields such as water and agriculture. But in reality, defense companies also participated in these visits.
Of course, it is normal for prime ministers to hawk the wares of their country to foreign buyers. Promoting exports and business ties is an important part of the job. But in this case, Netanyahu was marketing NSO’s products to some of the most repressive regimes on the planet, ones with which Israel shared similar authoritarian and ideological affinities which made them especially receptive to the spyware. Further, the dates on which these states signed contracts with NSO coincide closely with the dates of Netanyahu’s visits there.
The Post quotes NSO’s response to its report, which contains its typical template response:
…It does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.
Therefore it cannot be held responsible for the malign acts committed by them. This is reminiscent of claims by cigarette and gun manufacturers that they only make the products, they don’t force consumers to use them or control how they are used. Of course, this legal strategy failed with the cigarette makers, who settled multi-billion dollar lawsuits with victims. Gun makers continue to successfully shield themselves from such lawsuits. But over time, their defense will also fail and they will be held liable for the damage their products do and the lives they destroy.
NSO’s defense is morally bankrupt. In the Post report, the company boasts that it has withdrawn licenses for countries abusing its technology. It attests to its good intentions by bemoaning the fact that it left $100 million in revenue on the table by cancelling these contracts. Only a company of its level of moral depravity would try to prove its moral purity with the claim that it restrained its greed in order to adhere to high moral standards.
The only way NSO could know if a client is misusing its technology is by monitoring its use. Thus it does “have insight” into the ways in which Pegasus is employed. Not to mention that clients do not use Pegasus independently of NSO. The company sets up servers which download the malware to the target’s phone. It knows precisely who is targeted and how; and it knows precisely what information is exfiltrated from the devices and uploaded to the client’s servers.
NSO offers more pablum in this statement:
“Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,”
The level of dishonesty is breathtaking. NSO is actually responsible indirectly for the murder of at least two journalists. It is responsible for the arrest and imprisonment of scores of other dissidents in multiple countries. Yet it has the effrontery to claim it is on a life-saving mission. It is on a mission, but not a moral one. Its real mission is to reach a billion-dollar unicorn valuation and line the pockets of its Israeli founders and UK investors with billions in profits.
Israel’s Defense Ministry Responds
The Israeli defense ministry nominally offers oversight over the export of advanced military and intelligence products to foreign countries. As such, it approves export licenses for these companies. In practice, there is no oversight to speak of despite these claims to the contrary:
“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defense establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”
This is an outright lie. The ministry can point to no company whose license it has ever revoked for violating the provisions listed above. In a few limited cases it has revoked licenses, but only because Israeli weapons technology was exported to China in violation of US export agreements.
NSO’s Critics Speak
The Post details the dangers to journalists posed by this intrusive technology, which one human rights lawyer has likened to “having someone sitting inside one’s head”:
…The widespread use of spyware has emerged as a leading threat to democracies worldwide, critics say. Journalists under surveillance cannot safely gather sensitive news without endangering themselves and their sources. Opposition politicians cannot plot their campaign strategies without those in power anticipating their moves. Human rights workers cannot work with vulnerable people — some of whom are victims of their own governments — without exposing them to renewed abuse.
In the case of the murder of Post journalist Jamal Khashoggi by Saudi assassins, they had infected with Pegasus not only the phone of Saudi-Canadian dissident Omar Abdulaziz, but also the device of Khashoggi’s first wife. After his murder, the journalist’s fiancée also found the Saudis had infected her electronic device.
The article quotes a former cyber-security engineer at a US intelligence agency making a sweeping and frightening evaluation of the effectiveness of the malware:
“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”
NSO Takes the Gloves Off Against Its Critics
NSO has mounted a full-frontal assault on its detractors. It has done everything from creating an ethics advisory board consisting of former Obama officials like Julie Kayyem and Daniel Shapiro to hiring one of Washington’s premier libel attorneys, Thomas Clare, known for suing individuals who seek to impugn the integrity of his corporate clients.
Though the Post calls Clare “a libel attorney,” it doesn’t say that he has threatened to sue Amnesty or the newspaper. Thus, it’s unclear whether Clare is establishing a basis for an actual lawsuit or whether he’s merely seeking to intimidate the company’s critics. If the former is his strategy, he runs the risk of opening NSO to subpoenas for internal documents and depositions of not only its senior executives, but also the hackers who devise the exploits used to compromise the human rights of tens of thousands around the world. Is it a risk he’s willing to take?
Regulate NSO Before It’s Too Late
The world has come to a major crossroads: Israeli malware has done incalculable damage to human rights the world over. The only way to restrain such abuses is through either US or international regulation. Congress must pass legislation that defines proper and improper conduct. It must assess penalties for violations and enforce them.
There is a potential major stumbling block in the path of such regulation: major powers like China, Russia and the US operate national intelligence agencies which develop and use such cyber-tools to pursue their own state interests. If the world cracks down on private companies, these states will worry that they will be next. After all, NSO cannot (yet) harm entire nations or sabotage their infrastructure as the NSA can. Once you stop the Israelis, the world will examine much more closely the malign behavior of these intelligence behemoths which operate on a much greater scale than NSO could ever manage.
Edward Snowden, perhaps with this in mind, takes a more radical position, arguing for abolition; the entire spyware market should be eliminated because of its capacity for evil. Further, he says there is no constructive purpose for this technology and hence it should be made illegal.