Hundreds of thousands of cybersecurity researchers employed by the largest tech companies spend almost all their time looking for and fixing loopholes in their software code. Companies managing tech products and solutions even have bounty programmes to reward independent cybersecurity researchers for detecting flaws they may have missed themselves. In such an ecosystem, a cyber-offensive tool that governments around the world would lap up has to trick not only the targets but also the platform through which it is delivered.
Israel’s NSO Group, which is at the heart of the alleged state surveillance of thousands of human rights activists, lawyers, journalists, politicians, and dissidents in countries including India, has built such a tool — Pegasus, the world’s most invasive spyware. It can find a route into a target’s device that is unknown to the developer of the device and its software, and without requiring the target to take any action such as clicking a link.
According to a profile of the NSO Group published by the French nonprofit Forbidden Stories, which has published the ‘Pegasus Project’ along with its media partners, the company was started by Shalev Hulio and Omri Lavie, friends who started out with a product placement startup MediaAnd in the early 2000s. The startup was all but washed out by the recession of 2008, but Hulio and Lavie found an opportunity in the 2007 launch of Apple’s iPhone. It marked a watershed moment — people began to use handheld devices for more than just calling and texting at scale.
Hulio and Lavie launched Communitake, Forbidden Stories reported, which allowed users to take control of any smartphone from a distance. This was originally meant for mobile operators, who would want to take control of devices to provide tech support. But as the use of smartphones spread and the need arose for providing security features like encrypted messaging services, this presented a challenge for law enforcement and intelligence agencies.
Until then, intelligence agencies would intercept a message or call while it was in transit on the networks of telecom companies. But encrypted services meant that without the encryption key, they couldn’t access the message anymore — unless they accessed the device itself and decrypted the communication.
“Without knowing it, Hulio and Lavie had solved the problem for them: agencies could simply pirate the phone itself, bypassing encryption and giving them all of the information they needed and more. The way Hulio tells it, the two Israeli entrepreneurs were approached by intelligence agencies interested in their technology. Hulio and Lavie knew little of the opaque world of cyber-intelligence but they decided to give it a shot. They brought on Niv Carmi, a former Mossad intelligence operative and security expert and created NSO Group in 2010. The trio (Niv, Shalev and Omri, or NSO, for short) operated with clear roles: Niv Carmi handled the tech and Hulio and Lavie the business,” Forbidden Stories noted.
From here on, NSO started focusing on building Pegasus as a spying solution for intelligence agencies and police forces. The narrative they built was that government agencies would use it to tackle terrorism, drug trafficking, etc. But its first known state client, Mexico, which was then equipping itself with cyber-espionage tools to fight drug trafficking, went beyond the script. Forbidden Stories reported that more than 15,000 numbers were selected for targeting by Mexican agencies between 2016 and 2017. Among these were those of people close to then-candidate Andres Manuel Lopez Obrador, now Mexican President, besides journalists, dissidents, their colleagues and family members.
“The Mexican government liked Pegasus so much it ended up equipping several of its agencies with the spyware tool: in addition to the Attorney General’s office, Mexico’s intelligence bureau and army were also given access. In turn NSO Group continued to provide their clients with juicier offers — each technology more sophisticated than the last,” Forbidden Stories reported.
This catapulted NSO Group into a leading position in the spy-tech industry, leaving behind then-heavyweights such as European companies Hacking Team and FinFisher.
Until then, Pegasus was utilising attack vectors such as malicious links in e-mails and SMSes. Once clicked, the link would install the spyware, giving the hacker complete access to the device without the target’s knowledge. Then, it leapfrogged to “zero-click” infections.
Such infections, used in WhatsApp and iMessage hacks, do not require any intervention from the end-user. On WhatsApp, a missed call on the voice call feature would insert malicious code into the device. With iMessage, a short message preview did the trick.
In 2014, a US-based private investment firm, Francisco Partners, bought NSO Group for $120 million. With this, the company started focusing on finding vulnerabilities in various apps used by smartphone consumers. This also helped it earn a wider set of clients.
A 2018 report by Canada’s The Citizen Lab found suspected Pegasus infections associated with 33 of the 36 Pegasus operators it identified in 45 countries.
The NSO Group also found itself in the crosshairs in relation to the murder of Saudi journalist Jamal Khashoggi in October 2018. Months later, in February 2019, Hulio and Lavie bought back the company from Francisco Partners with the help of Novalpina, an investment firm backed by European venture capitalists, for a reported $850 million.
At the time, Novalpina said it would ensure NSO Group’s technology is used only for lawful purposes. However, little changed. In July 2020, The Citizen Lab wrote to the South Yorkshire Pensions Authority, which has invested in Novalpina, and highlighted new research showing “use of NSO Group’s technology against civil society, media, human rights defenders, and political opposition members”.
A year later, Forbidden Stories, Amnesty International and 17 media partners published reports from a list of 50,000 names including journalists, opposition members, activists and even members of the administration being selected for surveillance using Pegasus.
Responding to queries from The Indian Express, an NSO spokesperson said the investigation “has been flimsy from the beginning”. The spokesperson dismissed the list as “an equivalent of opening the White Pages, choosing randomly 50,000 numbers, and drawing headlines from it”. The spokesperson said that “the report itself stated that ‘it is unknown how many of the phones were targeted or surveilled’,” and that “even the Washington Post’s editor stated that ‘the purpose of the list could not be conclusively determined’.”
Importantly, however, the spokesperson said the company would investigate “all credible claims” of misuse of its technology, and would take strong action, including shutting down the customer’s system, if warranted.
“NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations. This includes shutting down of a customers’ system, something NSO has proven its ability and willingness to do, due to confirmed misuse, has done multiple times in the past, and will not hesitate to do again if a situation warrants,” the spokesperson said.