Pegasus Spyware Warrants International Cyber Security Attention

Over the last week, The Washington Post and 16 partners conducted an investigation that revealed a military-grade spyware meant for tracking terrorists. Licensed by an Israeli firm to governments around the world, it was used in 37 successful smartphone hacks of journalists, business executives, and human rights activists. The Israeli firm, NSO Group, is the leading unregulated private spyware firm in the industry, according to The Washington Post. The spyware, known as Pegasus, was found capable of infecting smartphones to access messages, pictures, and emails, as well as to record calls and activate microphones.

The 37 phones appeared on a list of 50,000 numbers, centered in countries known to illegally surveil citizens and to be clients of NSO Group. The Paris-based non-profit organization Forbidden Stories and human rights group Amnesty International had access to the list and shared it with media outlets for further investigation. NSO Group issued a statement on their website denying the reports from Forbidden Stories, saying they are “full of wrong assumptions and uncorroborated theories that raise serious doubt about the reliability and interests of the sources.” Reporters and investigators were able to identify many numbers on the list and match them to people across the globe. Among them were Arab royal family members, several heads of state and prime ministers, 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials.

The journalists' numbers on the list span back to 2016 and come from media companies like CNN, The Associated Press, The New York Times, The Wall Street Journal, Bloomberg News, and Al-Jazeera, to name a few. A spokesperson for NSO Group said the Pegasus spyware is intended “only for use in surveilling terrorists and major criminals.” Amnesty International shared copies of the data with Citizen Lab, which confirmed the signs of Pegasus infection. Citizen Lab is a research group out of the University of Toronto that specializes in studying the Pegasus software. They also conducted a peer review of Amnesty International’s methods and agreed they were appropriate.

In a phone interview with The Washington Post, NSO Group chief executive Shalev Hulio affirmed that the group terminates its contracts with companies that misuse the Pegasus system. He also confirmed that in the last 12 months, the group ended two contracts with companies over human rights abuses, but would not name the countries involved. NSO Group issued another statement, defending its reputation and citing the positives which have come from the spyware: “[our technologies] are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate natural disaster survivors…”

The Israeli Defense Ministry also released a statement which said Israel only approves exports of cyber products to governments “exclusively for lawful use, and only for the purpose of preventing and investigating crime and counter-terrorism.” Amnesty International then released a counter statement, slamming the NSO and cyber-security industry for disrespecting human rights. They also called for an “immediate moratorium on the export, sale, transfer and use of surveillance technology.” Israeli officials, specifically Health Minister Nitzan Horowitz, planned to meet with Defense Minister Benny Gantz on Thursday to discuss the NSO Group data. Slight pushback came from lawmakers about halting NSO Group’s exports. Former Israeli military deputy chief Yair Golan said “it is not just NSO that does such things.”

The United States weighed in on the matter. Timothy Summers, who worked as a cybersecurity engineer with a U.S. intelligence agency, described the Pegasus software as “eloquently nasty.” He explained that if the software were in the wrong hands, one could “spy on almost the entire world population,” and speculated that humanity is not fit for one person to have access to this power. NSO Group has since hired Thomas Clare to represent the company legally and to defend its initial statement denying the information collected. Clare claimed the reporting relied on assumptions and factual errors and was flawed overall, and he shifted the blame. “[N]SO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus,” Clare claimed. However, he concluded that it “may be part of a larger list of numbers,” possibly “used by NSO Group customers for other purposes.”

Answering follow-up questions, NSO Group called the 50,000 phone number list “exaggerated” and believed the findings were based on “misleading interpretation of leaked data from accessible and overt basic information.” They alleged the information was found through Home Location Register (HLR) services. The HLR is a database essential to operating cell networks. These types of registers record the networks and general locations of cellphone users. The major issue now becomes telecommunication safety and security, while still meeting the demands of the group’s monetary backers. Karsten Nohl, the chief scientist for Security Research Labs in Berlin, said he would not be surprised if NSO Group had access to several countries’ HLR databases. He cautioned, “it’s not difficult to get that access. Given the resources of NSO, it’d be crazy to assume that they don’t have [access] from at least a dozen countries…from a dozen countries, you can spy on the rest of the world.”

NSO Group is also adamant that it lacks the ability to surveil American phones. Although roughly a dozen Americans working overseas were found on the list, no evidence was found of successful spyware penetration. In a statement released by NSO Group regarding access to American numbers, they said “our products, sold to vetted foreign governments, cannot be used to conduct cyber-surveillance within the United States…” It has now become an even longer cat-and-mouse game between device makers like Apple and spyware makers, including NSO Group. Apple has spent over 10 years creating and adding new protections for their customers. Head of Apple Security Engineering and Architecture Ivan Krstić affirmed in a statement that they have “led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market.”

Krstić also explained that the attacks supposedly carried out by NSO Group are extremely expensive to develop and usually used to target very specific individuals. This means that NSO Group is not an overwhelming threat to the majority of iPhone users, but is still very much on Apple’s security radar. While the Pegasus spyware isn’t a major concern for most people on a daily basis, it is causing American cyber-security companies to pay closer attention to creating programs that deter it and other types of spyware.

