A hack targeting US officials is just the latest problem for NSO Group, the Israeli company behind Pegasus spyware.
The advanced spyware Pegasus, created by Israeli firm NSO Group and used by governments like Saudi Arabia to gather intelligence on those it deems terrorists or criminals, has reportedly been detected on at least 11 iPhones used by US officials in Uganda or conducting business related to the country, as well as locals working for the embassy.
That news — first reported Friday by Reuters — will likely exacerbate NSO Group’s fraught relationship with the US government; while the company claims that Pegasus can’t be used on phones with US numbers, the recent hack shows there are loopholes which allow foreign governments to spy on US citizens and government employees. It’s the first known incident of the technology being used against American officials, although it’s not yet known which of NSO Group’s clients hacked the devices.
NSO Group has long claimed that its clients — which run the gamut from from monarchies like the UAE to democratic nations like Germany and Mexico — are closely vetted, but there is a long record of its technology being misused for nefarious purposes, like spying on dissidents or estranged spouses, as the ruler of Dubai is alleged to have done.
NSO Group scandals also pose a diplomatic problem; though NSO is a private company, it’s closely linked to the Israeli government, and Israel’s defense ministry has to sign off on the export license for the technology, ostensibly ensuring that it’s used only for the purposes “of preventing and investigating crime and counterterrorism,” according to an Israeli defense spokesperson who spoke to the Washington Post in July.
Extensive reporting from 17 outlets and more than 80 journalists proves, however, that that hasn’t always been the case: Among other incidents, Pegasus was allegedly used to surveil Saudi dissident and Washington Post columnist Jamal Khashoggi before his murder in October 2018.
More recently, the US has started to take action against the company. In November, NSO Group was placed on the Commerce Department’s “entity list,” which severely restricts the export of American technologies that could be used by NSO Group to support Pegasus and similar projects.
Now, given the recent reporting on Pegasus’s use against State Department employees, harsher crackdowns on NSO and similar technology could be on the horizon. On Thursday, the Biden administration announced plans for a US-led initiative on the use of surveillance technology — like Pegasus — by authoritarian regimes. The aim, according to the Wall Street Journal, is to create a framework around the export and licensing controls of such technology, as well as create an information-sharing network to detect and report on its misuse.
Pegasus has been used to spy on dissidents, journalists, and politicians
According to the Washington Post, 11 people connected to the US embassy in the Ugandan capital Kampala — including some US citizens working as foreign service officers — were notified by Apple that their devices had been hacked.
While NSO has previously said Pegasus can’t be used against US-based devices, Americans working overseas can — and often do — acquire local phone numbers, which may be vulnerable to Pegasus attacks.
According to the New York Times, the targets were easily identifiable as State Department employees — they had used their professional email addresses to create their Apple IDs. While it’s not clear who perpetrated the attack, and there is no indication it was NSO Group or the state of Israel, using the Pegasus exploit, hackers could look at and copy files from targets’ devices, as well as track their movements and record conversations.
NSO Group maintains that governments that purchase Pegasus are carefully vetted and are not to use the product besides for specific purposes; however, the company has repeatedly sold Pegasus to countries known to use surveillance technology to track dissidents, lawyers, journalists, and other members of civil society.
Extensive reporting in July showed that security services and law enforcement agencies in places like Saudi Arabia, Mexico, Azerbaijan, and Morocco appeared to have purchased the technology, according to reporting by the Pegasus Project, a consortium of 17 news outlets including the Washington Post, the Guardian, Die Zeit, and French outlet Forbidden Stories.
According to the Pegasus Project, a list of 50,000 potential target phone numbers was hacked, apparently from servers in Cyprus, and leaked to Forbidden Stories and Amnesty International, who shared it with journalists. They were able to identify 1,000 different potential targets from the phone numbers, including politicians like French President Emmanuel Macron, a key US ally, as well as journalists, activists, and lawyers from around the world.
Pegasus is so useful — or so dangerous, depending on one’s perspective — because it can access a target’s phone completely undetected. While the spyware can infect via a link sent through a messaging service like WhatsApp, it’s also possible for users to access targets’ phones through a so-called “zero-day” exploit — a bug that the device manufacturer hasn’t yet detected. The exploit can be active and present on a device for months before the manufacturer finds the flaw and fixes it.
According to Reuters, the devices infected in the attacks against State Department officials were initiated through a graphics processing vulnerability which had been open to exploitation since at least February of this year, and wasn’t been patched until September. Other victims include Thai dissidents and a Ugandan opposition leader.
Once a device has been infected, Pegasus can access even encrypted messaging systems like Signal, as well as cameras and microphones — enabling the hacker to record conversations and turning the device into a secret surveillance tool in itself, according to the Organized Crime and Corruption Reporting Project. The Guardian’s reporting at the time suggested that in addition to attacking via widely-used messaging apps, Pegasus could potentially have the capability to attack through the Photos and Music apps on Apple devices.
In November, the company and another Israeli tech manufacturer, Candiru, were added to the US Commerce Department’s entity list, a move which prohibits NSO Group from purchasing US technology.
According to the Commerce Department, the decision to do so was made “based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers,” as well as evidence that the companies’ spyware was being used by governments to suppress dissent on a global scale.
The language could not be clearer. This is a huge testament to investigative journalism- this is why we do what we do- and to the work of @davidakaye @citizenlab @jsrailton @billmarczak and colleagues like @azamsahmed and targets who bravely stepped fwd and were punished for it. pic.twitter.com/XPdTDjuSHL
— Nicole Perlroth (@nicoleperlroth) November 3, 2021
The decision puts NSO Group in the company of firms like Huawei, the Chinese technology manufacturer which many Western governments have accused of digital espionage. It’s an undesirable position for a company so closely tied to the government of a US ally — one whose military and defense industries are deeply entwined with the US.
NSO Group is in debt and under pressure
Shortly after NSO Group was added to the entity list last month, according to Axios, former NSO Group CEO and co-founder Shalev Hulio wrote to Israeli officials, including Prime Minister Naftali Bennett and Defense Minister Benny Gantz, asking Israel to lobby Washington on NSO’s behalf. Hulio reportedly claimed that the addition of NSO Group to the entity list was a coordinated campaign by anti-Israeli organizations to damage the reputation of Israeli businesses, and NSO Group said publicly it was “dismayed” by the decision and had terminated contracts with government agencies which misuse its products.
Indeed, it’s an unusually forceful move for the US to place such severe restrictions on businesses in a closely allied country; however, Friday’s reports of the hacks on the phones of US officials in Uganda said the spying had been going on for months, a fact which could have influenced the decision to punish NSO Group so severely.
In a November statement announcing NSO Group’s addition to the entity list, the Commerce Department specifically cited embassy workers as a potential target for Pegasus.
“We have been acutely concerned that commercial spyware like NSO Group’s software poses a serious counterintelligence and security risk to US personnel, which is one of the reasons the Biden-Harris Administration has placed several companies involved in the development and proliferation of these tools on the Department of Commerce’s Entity List,” the National Security Council said in a statement to the Washington Post on Friday.
In response to NSO Group’s inclusion on the entity list, Israel’s government has sharply limited the number of nations that NSO Group and other spyware vendors are allowed to sell to, from 102 to 37.
Some groups, however, say it’s not far enough. On Friday, 81 human rights organizations from around the world, including Amnesty International, Human Rights Watch, and Reporters Without Borders, called on the European Union to impose sanctions on the company for its repeated enabling of human rights abuses, including the recent targeting of Palestinian activists.
“There is overwhelming evidence that Pegasus spyware has been repeatedly used by abusive governments to clamp down on peaceful human rights defenders, activists and perceived critics,” Deborah Brown, a senior digital researcher and advocate for Human Rights Watch, said. “The EU should immediately sanction NSO Group and ban any use of its technologies.”
This summer, after the Pegasus Project reporting came out, the UN Human Rights Office of the High Commissioner also called for a moratorium on the sale of such surveillance technology until an international framework on the safeguarding of human rights and the use of surveillance tech like Pegasus is in place.
Sen. Ron Wyden (D-OR), who is a member of the Senate Intelligence Committee, has repeatedly and forcefully condemned NSO Group, saying that the US should “[cut] them off from the American financial system and investors by issuing sanctions under the Global Magnitsky Act,” which targets corruption and human rights abuses.
International opprobrium isn’t NSO Group’s only problem, either: According to recent reports, the firm is $500 million in debt, and risks defaulting. As Bloomberg reported in November, Moody’s dropped the company’s credit rating to Caa2 — eight grades below investment grade, indicating that Moody’s believes NSO highly likely to default on its debts.
The downgrade and low cashflow are due to lower revenue and the payment of dividends to shareholders, but the consistent bad press and placement on the entity list will likely only contribute to NSO Group’s problems.
“Who will want to work with a company that’s been so publicly sanctioned by the U.S. government?” David Kaye, a former UN special rapporteur on the promotion of free speech and freedom of expression, told the Washington Post in November. “Who would invest in a company with this kind of black mark?”