NSO Group: The spy-tech hegemon

Rahul Khullar
The story so far
A global investigation was carried out by a consortium of media houses, coordinated by the French non-profit organisation Forbidden Stories with technical support from Amnesty International's Security Lab. The investigation, named "Project Pegasus", accused governments of misusing the Pegasus spyware, supplied by the Israeli "cyber warfare" vendor NSO Group, to snoop on dissidents, journalists, activists, lawyers and heads of state, which it said has "exposed a global human rights crisis". The alleged snooping was carried out primarily in 10 countries, including India. The reports are based on a database of about 50,000 contact numbers accessed by Forbidden Stories and Amnesty International, which they believe belong to individuals who were spied on, or were about to be spied on, using Pegasus.
Amnesty International has demanded a moratorium on surveillance technologies until a "human rights-compliant regulatory framework" is in place. In India, the issue has become a centre of discussion among the opposition parties, which are now demanding a "Supreme Court monitored probe" into the misuse of Pegasus spyware for political benefit.
What is Pegasus?
Pegasus is a mobile phone spyware suite developed by the Israel-based cyber-surveillance company NSO Group (named after its founders Niv, Shalev and Omri). It was built to track and spy on terrorists, drug traffickers, paedophiles and other criminals who have access to advanced technology and are therefore harder to monitor, track and capture. NSO claims that it sells this spyware only to "vetted governments and law enforcement agencies".
Genesis of NSO: from startup to spy-tech leader
NSO was started by two friends, Shalev Hulio and Omri Lavie, who launched "MediaAnd", a product placement startup, in the early 2000s. The company was hit hard by the recession of 2008, but Hulio and Lavie did not step back and wait; their opportunity eventually came with the launch of the first iPhone. The iPhone's launch changed the way conventional handheld devices were used: people began to use them, at scale, for far more than calling and texting.
Sensing this opportunity, Hulio and Lavie launched "CommuniTake", an application that lets a user share screenshots of his or her device in real time with a tech support agent. With the launch of the iPhone a new age of encryption also commenced, which gave customers strong privacy. This presented a great challenge for intelligence agencies trying to intercept a target who was using encrypted services, because an end-to-end encrypted message or call cannot be read or intercepted without the encryption key, which is held only by the sender and the receiver. Without knowing it, Hulio and Lavie had solved the problem for them: instead of breaking the encryption, agencies could simply take control of the phone itself, bypassing encryption and giving them all the information they needed and more. Soon an intelligence company approached them, interested in their technology. This was the turning point for both friends. Hulio and Lavie knew little about the opaque world of cyber-intelligence, but they decided to give it a try. Niv Carmi, a former Mossad intelligence operative and security expert, joined the two friends and together they created NSO Group in 2010. The trio (Niv, Shalev and Omri, or NSO for short) operated with clear roles: Niv Carmi handled the technology, and Hulio and Lavie the business.
Later, in 2004, a US-based private investment firm, Francisco Partners, bought NSO Group for $120 million.
The company then began new research into finding vulnerabilities in the various apps used by smartphone consumers. This helped NSO attract a wide set of clients.
In February 2019 the company was bought back from Francisco Partners, with the help of Novalpina, an investment firm backed by a European venture capitalist, for a sum of $850 million.
A cyber-surveillance leader with a history of tech misuse
NSO Group has now established itself in the cyber-surveillance market and has focused on building Pegasus as a spying solution sold only to intelligence and law enforcement agencies. Its stated mission is to save lives by tackling terrorism, drug trafficking, paedophiles and the like.
But things never went the way they said they would. Since 2016, researchers have documented the abuse of Pegasus against journalists, human rights defenders and members of civil society. The first known state client of NSO Group was Mexico, which was then equipping itself with cyber-espionage tools to fight drug trafficking, but Mexico soon went beyond the script. Forbidden Stories reported that more than 15,000 numbers were selected for spying by Mexican agencies between 2016 and 2017. Among them were people close to then-candidate Andres Manuel Lopez Obrador, now the Mexican President, as well as journalists, dissidents, their colleagues and family members.
Ben Hubbard, the Beirut bureau chief of the New York Times, reported on Saudi Arabia, including on Crown Prince Mohammed bin Salman (MBS). On June 21, 2018, Hubbard received an SMS on his phone stating, in Arabic: "Ben Hubbard and the story of the Saudi royal family". In October 2018 Hubbard provided this message to Citizen Lab (an interdisciplinary laboratory based in Canada) for analysis.
It was later found that the link in the SMS belonged to NSO Group's Pegasus infrastructure, used by the Saudi Arabian operator to snoop on him and his journalism.
The infamous murder of the Saudi dissident and journalist Jamal Khashoggi in 2018 was also linked with Pegasus, which Saudi operators used to spy on Khashoggi and his close friend Omar Abdulaziz, with whom he was regularly in touch over messages and calls. Over text messages they discussed their plans to deal with the Saudi government's growing online troll army, its muzzling of dissenting voices and its human rights violations.
Now, in 2021, Project Pegasus has exposed extensive global cyber-surveillance carried out by NSO's clients to snoop on civil society, journalists, the judiciary, heads of state, dissidents, opposition members and ministers, compromising the sacrosanct democratic credential of the right to privacy and infringing internationally accepted human rights.
NSO's sophisticated attack vectors
NSO Group was able to dominate the cyber-surveillance industry through its use of state-of-the-art, sophisticated attack vectors for penetrating a targeted device. This made NSO Group the leader of the spy-tech industry, leaving behind well-known cyber-surveillance companies such as Hacking Team and FinFisher.
To monitor a target, a government operator of Pegasus must convince the target to click on a specially crafted exploit link which, when clicked, gives the operator full access to the victim's phone. Once the phone is infected and Pegasus is installed, it begins contacting the operator's command and control (C&C) servers to receive and execute the operator's commands and to send back the target's private data, including passwords, contact lists, calendar events, text messages and live voice calls from popular mobile messaging apps. The operator can even turn the phone's camera and microphone on and off to capture activity in the phone's vicinity. This method of snooping, in which the victim is lured into clicking a malicious link, is called "spear-phishing".
That, however, was what Pegasus could do earlier; the updated and more sophisticated version of the spyware does not demand any action at all from the victim's end. Now even a simple WhatsApp missed call or an iMessage can get the spyware into the targeted phone, by exploiting zero-day vulnerabilities (flaws unknown to the vendor and therefore unpatched) in the operating system. This method of attack is called a "zero-click attack", and it makes Pegasus a state-of-the-art cyberweapon. These vectors can penetrate both Android and iOS devices without the victims ever learning that their private information has been compromised.
How to contain this unauthorised eavesdropping?
From the individual's end, there is practically no way to protect oneself from this highly sophisticated malware, because it uses state-of-the-art zero-click attack vectors that require no action from the target; the attacker can compromise the victim's data unilaterally. It is next to impossible to save your data from such an invasive attack. To check this unauthorised snooping, then, we need to bring in regulation at the source, and the source is the cyber-weapon industry: NSO Group, Hacking Team, FinFisher and the like, which are allegedly non-compliant with the human rights and the right to privacy of civil society. There has to be a check on the distribution and use of such invasive cyber-weapons, even when the companies claim to sell their technologies only to "vetted governments", because there have been plenty of examples proving that not all governments are responsible enough to use such sophisticated cyber-weapons, and they end up using them to spy on their own citizens.