The above text is what the Israeli spyware maker NSO Group was using to pitch its Pegasus product to potential customers as one “capable of collecting information from mobile devices,” according to recently unsealed court documents in a US District Court for Northern California. The documents, part of a lawsuit filed by WhatsApp against the NSO Group in October 2019, were unsealed on November 14.
The end use, per these documents, would happen via the sale of licenses to a trio of innocuously-named delivery “vectors”— ‘Heaven’, ‘Eden’, and ‘Erised’ (desire written backwards)—all part of a hacking suite called “Hummingbird.” Simply put, vectors are entry points for attackers. The names of these vectors were previously unknown, and have emerged following depositions of multiple NSO Group executives.
The documents reveal that between April 2018 and May 2020, the company charged its customers — “select government agencies approved by the Government of Israel”— $6.8 million (Rs 57.3 crore) for a one-year license. WhatsApp estimated the number following an expert testimony by Dana Trexler, who runs an “intellectual property disputes and valuations practice”. WhatsApp also estimated that NSO Group earned an approximate $31 million in revenue in 2019 from the sale of these licenses. NSO has challenged these numbers.
In a sworn declaration to the court on October 11, Tamir Gazneli, the NSO Group’s head of research and development, stated that “NSO’s government customers would alone operate Pegasus and make decisions about how to do so.” He further said, “NSO never installed the Pegasus agent on the device of a non-consenting third party. NSO never used an installed Pegasus client to obtain information from the device of a non-consenting third party.” Gazneli’s deposition revealed that these “Malware Vectors were used to successfully install Pegasus on ‘between hundreds and tens of thousands’ of devices.”
The installation of Pegasus extended to devices in India, including those allegedly belonging to journalists, politicians, Union Ministers, besides members of the civil society. After allegations in India that Pegasus was used on people in India, several petitions were filed in the Supreme Court seeking an inquiry into the charges. In 2021, the Supreme Court had formed a committee of technical experts to look into allegations of unauthorised surveillance using the Pegasus software. In August 2022, the committee of technical experts found no conclusive evidence on use of the spyware in phones examined by it but noted that the Central Government “had not cooperated” with the panel. The report is sealed and has not been released publicly since.
“As the report is submitted to the Supreme Court, it will not be proper to offer any comments,” retired judge Justice R V Raveendran, who was supervising the probe panel, said.
These documents, at the very basic level, paint a picture of how the NSO Group came to develop this spyware while hawking it to customers ready to shell out millions of dollars to pry on individuals.
“NSO stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system. We are confident that these claims, like many others in the past, will be proven wrong in court, and we look forward to the opportunity to do so,” Gil Lainer, VP for Global Communications, NSO Group told The Indian Express in an emailed statement. A WhatsApp spokesperson, in response to the Express’ questions, said, “The evidence unveiled shows exactly how NSO’s operations violated US law and launched their cyberattacks against journalists, human rights activists and civil society… We are going to continue working to hold NSO accountable and protect our users.”
From Heaven to hell
At the heart of how the NSO Group fanged its Pegasus product is a sophisticated cat-and-mouse game between its engineers and WhatsApp.
It first launched Heaven in 2018, an exploit born out of NSO’s extensive reverse-engineering efforts—mimicking everything from WhatsApp’s servers to decompiling the source code, a violation of WhatsApp’s Terms of Service. “NSO developed an installation vector called Heaven, that used NSO’s own modified client application called the WhatsApp Installation Server (WIS),” WhatsApp alleged in these court documents. The WIS was allegedly able to “impersonate the Official Client to access WhatsApp’s servers and send messages, including call settings that the Official Client could not.”
Essentially, Heaven would use “manipulated messages” to force WhatsApp’s “signalling servers to direct target devices to a third-party relay server controlled by NSO.” After NSO began distributing Heaven to its customers around April 2018, deployment was short-lived. Security updates to WhatsApp’s servers in September and December 2018 prevented NSO’s access, leading to Heaven’s permanent disablement.
Enter “Eden”, a new zero-click malware vector the NSO Group developed as a slight improvement over Heaven. The key difference here was that, unlike Heaven, Eden would need to “go through WhatsApp’s relay servers” to “send malicious messages to the target’s devices.” NSO admitted that it deliberately designed “Eden” to use WhatsApp’s relay servers to circumvent the 2018 security updates that effectively blocked NSO’s initial method to install Pegasus on a target device.
It further admitted, in the unsealed documents, that Eden was “responsible for the attacks against approximately 1400 devices” that WhatsApp observed in 2019. Upon detection, WhatsApp followed its 2018 protocol, making security changes to its servers and the Official Client. The documents also quote Tomer Timer, an NSO pre-sales executive, as saying, “Eden has finished its duty with us as a patch was done on the server side with the application it works with,” before adding that NSO has “the resources to finds some thing [sic] new in a relatively short time.”
Erised is the third malware exploit, which NSO continued to sell and distribute to customers even after WhatsApp sued the company in 2019. Much like its predecessor Eden, Erised also used WhatsApp’s servers to install Pegasus on the intended target’s device. Sometime in May 2020, WhatsApp patched up its server-side security and blocked Erised’s access. Erised’s existence, WhatsApp contends, wasn’t previously discovered during the lawsuit, even as NSO argued “WhatsApp is once again secure,” while seeking dismissal of the Meta-owned platform’s claims for injunctive relief. What is not clear, however, is if NSO Group has deployed any further exploits.
‘Press Install’
As per the documents, WhatsApp also claimed that Pegasus customers had minimal inputs in the deployment, with the NSO Group managing a substantial part of the process. This contrasts with NSO’s repeated claims that it had no knowledge of how its customers deployed Pegasus, or who the intended targets were.
WhatsApp, however, contended the opposite, saying NSO’s customers’ role is minimal. “The customer only needed to enter the target’s device number and ‘press Install, Pegasus will install the agent on the device remotely without any engagement.’”
“In other words, the customer simply places an order for a target device’s data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus. NSO admits the actual process for installing Pegasus through WhatsApp was ‘a matter for NSO and the system to take care of, not a matter for customers to operate,’” WhatsApp said in the court documents. It added that NSO provides no contract in which any customer agreed to Pegasus’ use restrictions, and provides no proof customers used the spyware only for law enforcement.
The documents show that a deposed NSO employee acknowledged under questioning from WhatsApp lawyers that one known target of Pegasus, Princess Haya of Dubai, was one of the 10 examples of targets by NSO’s clients who had been “abused” “so severely” that NSO disconnected the service.