How NSO spyware became a favourite espionage tool for autocratic regimes

Israel is coming under fire for the role of its Ministry of Defence in approving the sale of cutting-edge spyware to countries previously exposed for its use in repressing dissidents and violating human rights. 

Allegations include knowingly aiding authoritarian regimes in spying and cracking down on citizens, senior political opposition figures, and in some cases, heads of states. This approval was granted multiple times, in spite of repeat violations that lead to the death of Saudi Arabian journalist Jamal Khashoggi in 2018, as well as the arrest and torture of UAE activist Ahmed Mansoor in 2016, among many others.

NSO Group, a leading Israeli cybersecurity company with deep ties to the state’s intelligence community has become the subject of international controversy for the third time after a comprehensive investigation leaked 50,000 spyware targets which included hundreds of journalists, activists, business executives and politicians.   

The latest revelations indicate an Israeli hacking group’s software was found to have compromised the phones of at least 37 phones belonging to journalists, activists and individuals close to late journalist Jamal Khashoggi. Far larger in scope, the software has led to the death of a journalist in Mexico and seen active use in India against activists, journalists, doctors, opposition politicians, businessmen and even ministers under Prime Minister Narendra Modi. 

This comes following a major investigation by the Washington Post and a number of other media groups working with Amnesty International and Forbidden Stories, French journalism non-profit, posing chilling implications of the role played by states with no qualms over hacking, monitoring and cracking down on free speech and human rights activism.

The organizations also published a list of 50,000 numbers containing targeted individuals in over 50 countries. Though the majority of the numbers are still unattributed, they include at least 189 journalists, 85 human rights activists, 65 business executives, and over 600 politicians, diplomats and officers, not to mention several heads of state.

Journalists, in particular, were targeted from organizations including CNN, AP, NYT, WSJ, Bloomberg, Le Monde, Financial Times and Al Jazeera.

Repression Incorporated

Amnesty International Secretary General Agnes Callamard delivered a scathing statement, describing the NSO spyware as “a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril.”

This comes following an earlier report published in 2020 by Citizen Lab, a cybersecurity non-profit, that traced 36 infected devices owned by journalists, producers and executives working for Qatari news channel Al Jazeera. The hacks were traced back to the Israeli-based NSO group, which managed the hack without getting targets to click on anything, referred to as zero-click vulnerability.

This marks a dramatic upgrade in capabilities, where targets still needed to click on malicious links to unwittingly grant access to a hacker as recently as 2016. 

Long time coming

The UAE’s focus on building cyberwarfare capabilities has not been without impacts for the region. In 2015, Saudi Crown Prince advisor Saud al Qahtani, who would later be fired for playing a role in the murder of Saudi Arabian journalist and dissisdent Jaml Khashoggi, would hire the UAE’s DarkMatter group.

The UAE also brokered a meeting between Saudi Arabian representatives of Crown Prince Mohammed bin Salman and Israel’s NSO Group. The deal would hand Saudi Arabia the tools it needed to realize full spectrum surveillance of its adversaries, through NSO Group’s flagship spyware Pegasus. The same software has resurfaced multiple times in recent years in hacks of activists and journalists, with its use found again in the most recent revelation of 50,000 hacks. 

The very same spyware was used to hack journalist Jamal Khashoggi’s phone prior to his murder, as well as a broad array of dissidents, enemies and political opponents. 

NSO Group has been sued by several parties including Facebook over its penetration of Whatsapp, a close friend of Khashoggi, and several Mexican civil society figures. With lawsuits being presented in an Israeli court however, little was done to censure the organization which enjoys far-reaching connections to the Israeli military and intelligence community.

The ongoing investigation reveals the real-life impacts of Pegasus on freedom of speech, leading to death, arrest or the violation of privacy at the lowest degree.

While NSO group claimed these attacks should be seen as rogue use of their software, little was said about the reality that they have profited significantly from human rights abuses given their leading position in the loosely regulated spyware market.

In a previous investigation, TRT World detailed efforts by the United Arab Emirates and Saudi Arabia to build an offensive cybersecurity capability, beginning by hiring former NSA operatives to man invasive surveillance programs against human rights activists internally, and political dissidents abroad.

After establishing a basic infrastructure through American company Cyberpoint, the UAE would establish its own cyberwarfare body and keep the surveillance project in-house. 

Named Project Raven, the surveillance operation would target hundreds from Turkey, Qatar, Yemen and Iran between 2016 and 2017 according to a Reuters report.

Third denial 

NSO Group did not take responsibility for the third discovery of abuse through its software, instead denying the “false claims”, “wrong assumptions” and “uncorroborated theories”, while emphasizing the company’s belief it was on a “life-saving mission.

The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.

NSO Group describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, though it does not provide names on grounds of confidentiality. 

Revealed phone numbers of targets show clusters of ten countries, including Saudi Arabia, the United Arab Emirates, Azerbaijan, Morocco, Mexico, India, Bahrain, Rwanda, Kazakhstan and Hungary; with evidence provided by Citizen Lab that all 10 countries have been clients of NSO Group in the past.  

Undermining democracy

The violations of privacy made possible by advanced spyware poses a fundamental risk to the function of democracies around the world. 

With access to phones of activists and journalists, gathering and sharing information on corruption, abuse of power, human rights violations and abuses or illegal practices can lead to being targeted, harassed, arrested or even killed. More significantly, repeat violations introduce a chilling effect, where sources are no longer willing to share sensitive information, even off the record, for fear of being targeted.

In politics and business, it grants ruling powers an enormous advantage, with access to insider political strategy and foreknowledge of future plans. Civil society is dealt an equally grievous blow, with human rights workers unable to help victims for fear of inadvertently putting the people they want to help on security lists.

Surveillance is primarily unethical because it grants a state the means to gather information, statements and details about a subject without the presence of legal guidance; leading to implications and arrests not otherwise possible under international standards for due process and criminal investigation. 

Timothy Summers, former cybersecurity engineer at a US intelligence agency, spoke to the Washington Post about his views of the hack.

“This is nasty software — like eloquently nasty,” he emphasized. Using it “one could spy on almost the entire world population.”

Israeli state complicit 

The spyware-in-question, Pegasus, was developed nearly 10 years ago by former Israeli cyber operatives with close ties to the Israeli state apparatus. Many cybersecurity experts in Israel hail from its infamous Unit 8200, an Israeli military cybersecurity agency, and the largest single military unit the Israeli Defence Forces.  

The unit is known for spying on Palestinian civilians for “coercion purposes”, and surveilling Palestinian-Americans through an intelligence-sharing agreement with the NSA. Most importantly, Israeli media reports and former employees have described how often members of the unit “blur the line” between profit and service to intelligence goals.

For NSO Group to approve sales of its products to other parties, it requires approval by the Israeli Ministry of Defence. This is rarely an issue, given Israeli foreign policy treats the sales as diplomatic starting points for normalization talks, and ultimately representative of an official larger strategy. This official and thorough review process would make the Israeli government complicit if it was aware of the end-use of such spyware, or its sale to countries with poor human rights records. 

While major tech companies such as Apple have introduced security updates to their smartphones in a bid to keep up with hacker exploits, in a number of documented cases, Pegasus was able to hack new security measures within hours regardless of encryption and strong passwords. 

The spyware can access and download photos, location records, emails, messages, passwords, call logs, social media posts, and financial information. Little in the way of encryption currently exists to safeguard against it.

Breaking laws got easier

Spyware is increasingly being used by strongman governments around the world, with the most recent leaks including Hungarian Prime Minister Victor Orban, who maintains that any surveillance conducted was done in accordance with the law.

This presents a legal Catch-22 of sorts. In most countries, surveillance can only be authorized with evidence that further information related to an ongoing judicial investigation can be found through the use of a wiretap. Strict guidelines exist, limiting the kinds of conversations that can be recorded, and how long surveillance can continue without signs of specific criminal activity. 

Access to someone’s phone and all the information on it, allows states to tailor legal requests based on foreknowledge, itself a violation of privacy. Usually, this is conducted through third-party bodies or justified in the name of security. 

Hacking economy on the rise

Software like Pegasus has deeper ramifications beyond surveillance, but also empowers transnational criminal networks, drug cartels, and terrorist groups that rely on off-the-shelf spyware for their own ends. State investment into loosely regulated spyware supports a dark technological economy, with a historic 10 million denial of service attacks carried out in 2020 alone according to Help AG, a prominent global cybersecurity company. The company also reports that the scale of these attacks is on the rise.

NSO Group’s first customer in 2011 was Mexico, selling its spyware to Mexico’s lead domestic intelligence agency. However, limits of regulations and internal controls meant that the software would end up in private hands for political and criminal use. NSO Group does not take responsibility for these occurrences. At least 15,000 Mexicans have appeared on leaked target lists, including multiple investigative journalists. 

In one case, Pegasus’s ability to geolocate a phone lead to the assassination of Cecilio Pineda, gunned down while resting in a hammock as he waited at a car wash.

Where technology companies could once keep up with individual hacking exploits easily, the rise of spyware companies doing business with the highest bidder has made it far more difficult for mainstream cybersecurity engineers to keep up with them, particularly where they benefit from ties to intelligence communities such as the US’s NSA or Israel’s Unit 8200. 

With little in the way of government regulation or international controls on this most recent weapon, democratic speech, privacy and freedom itself are quickly becoming inconveniences to autocratic states that can finally be ignored. This is fast becoming an unchecked race for control of entire populations, silencing critics, dominating social media spaces and ensuring the questionable continuity of human-rights violating regimes across the world.