For over a week since July 18, a global consortium of 17 media organisations reported a leaked list of over 50,000 phone numbers in more than 45 countries that were potentially targeted for surveillance by misusing Pegasus, an Israeli-made spyware that its manufacturer says is sold only to state actors for tracking organised criminals and terrorists.
In India, the names of 125 potential targets out of 300-odd verified ones from over 2,000 Indian numbers found on the leaked list have been made public.
The government has denied “unauthorised interception” and described the Pegasus Project as a “fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions”.
While the media consortium that published the Pegasus Project investigation pointed to the very specific nature of Pegasus’s clientele to imply illegal state surveillance on dissidents, activists, politicians, lawyers, and journalists at a global scale, it did not offer any insight into the nature or reliability of the leak, ostensibly to protect the source.
On Wednesday, the offices of the NSO Group, the cyber-intelligence company that manufactures Pegasus, were inspected by Israeli government officials.
A team from the Defence Ministry visited the NSO Group headquarters at Herzliya near Tel Aviv at the same time as the Israeli Defence Minister Benny Gantz arrived in Paris on an official visit, The Guardian, which is one of the media partners of the Pegasus Project, reported.
France’s President Emmanuel Macron’s phone numbers are in the leaked database, and he has asked Israel’s Prime Minister Naftali Bennett for a “proper” investigation into the findings of the media investigation.
That the Pegasus Project investigation has not provided details about the leak, has raised questions about the rationale of the existence of such a global list of phone numbers. The NSO Group, which has been traditionally media-averse, has put forth a series of counters to debunk the investigation.
NSO has claimed that the investigation was based on a list that had nothing to do with Pegasus, and that the company was recently approached by an information broker who had offered a list of targets apparently leaked from the NSO’s servers in Cyprus.
“We don’t have servers in Cyprus and don’t have these types of lists… This is an engineered list unrelated to us. We looked over it with the clients and it slowly became clear to us that it is an HLR Lookup server and has nothing to do with NSO. We understood that this was a joke,” NSO’s founder-CEO Shalev Hulio told CTECH, an Israeli tech news website, last week.
Both claims — that NSO does not have servers in Cyprus, and that the list was probably obtained from an HLR (Home Location Register) lookup server unrelated to NSO — are suspect.
In 2014, NSO acquired Circles Technologies, a company set up in Cyprus by a former Israeli military officer, primarily to integrate with Pegasus a unique phone-tracking technology that the Cypriot company claimed to have developed.
NSO ran the Cyprus office of Circles Tech until mid-2020 when, according to Motherboard, the tech arm of the Canadian-American magazine Vice, it fired its entire Cyprus staff and closed the country operation.
Presumably, NSO did maintain servers for its Circles Tech office in Cyprus for a considerable period between 2014 and 2020 — a window that largely overlaps with the time span when the numbers on the leaked list were allegedly targeted.
As for the second claim, HLR databases are used for ascertaining a phone’s location from its mobile number to execute innocuous tasks such as SMS messaging.
But an HLR lookup could also be the first step in launching a cyber attack through malicious links sent via text, one of NSO’s primary methods for installing Pegasus.
If NSO, or Circles Tech, indeed hired an HLR Lookup service to “determine if the device was currently active/registered and so available for infection by SMS,” wrote security firm AdaptiveMobile’s chief technology officer Cathal McDaid, the presence of a third-party would explain how a single list of global targets could become available at a single source.
In fact, a third-party HLR server as source may also explain the tight correlation, found during the forensic audit of 67 devices, between the time stamp for a number on the leaked list and the actual time when the spyware’s activity started on the device or it came under surveillance — within a few seconds in some cases.
NSO’s third counter has been that the volume — 50,000-plus target numbers in question — was “insane” because the “average number of targets per NSO customer was at around 100” and the company has not sold to more than 60-odd clients.
Taken at face value, this does appear to dent the media consortium’s claim. However, WhatsApp’s 2019 discovery of Pegasus infiltration revealed that at least 121 Indian numbers were targeted in just 12 days between April 29 and May 10. In comparison, the latest expose claimed over 2,000 Indian numbers on the “potential target” list between 2016 and 2021.
NSO has categorically denied the use of Pegasus on certain targets, such as French politicians and the wife of the murdered Saudi journalist Jamal Khashoggi. However, the company has maintained all along that it does not keep track of the specific targets of their clients.
Founder-CEO Hulio tried to resolve this apparent contradiction in his interview with CTECH. Partners of the Pegasus Project, he said, shared with NSO a few of the 37 numbers they claimed to have confirmed as targeted with Pegasus.
“The claim that they found something forensic is incorrect… We checked the numbers we were given with every client, including past clients which we requested permission to search their systems,” Hulio was quoted as saying.
Insisting that “the client can’t lie because this is an analysis that we conduct in his system” logs, Hulio ruled out possibilities that his clients might find ways to fool the flagship NSO software. This pride in its technology was also reflected in NSO’s claim that any random list of 50,000 phone numbers could anyway include a few dozen Pegasus targets.
Under intense media glare, Hulio also asserted that “journalists, human rights activists, and civil organizations are all off-limits”, and that NSO would do “anything in order to prevent the misuse” of Pegasus.
But with any penal action wrapped in secrecy, NSO’s commitment rings hollow in the face of the recurrent instances of misuse of Pegasus in the past.
Besides, only 67 out of 50,000-odd phones were checked forensically, and 37 — mostly belonging to members of the group claimed to be “off-limits” by NSO — threw up the footprints of Pegasus.
Faced with these figures, Hulio was on the defensive — and admitted that NSO had changed its human rights policy only in 2020, while the leaked data was from 2017 and 2018. He promised action against clients found guilty in the ongoing investigation.
The lingering mystery over the leak’s source may have called its credibility into question, but the emphatic denial of the spyware’s developer is yet to become the last word.