The NSO spyware linked to Jamal Khashoggi's murder was used to track Indian activists
NSO Group, the Israeli firm that developed Pegasus, the spyware used to bug the phones of Indian journalists and activists through WhatsApp, is no stranger to controversy.
It was already notorious for lending surveillance technology to repressive regimes to spy on dissidents, when it was sued by Facebook on Wednesday.
Co-founded by Shalev Hulio and Omri Lavie in 2010, NSO has been credited with developing one of the most sophisticated pieces of phone-hacking malware. Pegasus, as the malware is called, has been used to infect the mobile devices of dissidents in several countries.
Last year, Omar Abdulaziz, a native of Saudi Arabia who sought asylum in Canada and later became a permanent resident there, filed a lawsuit against NSO after he found out his phone had been hacked with the malware.
A friend of slain Saudi dissident Jamal Khashoggi, Abdulaziz blamed this hacking for the Washington Post columnist's murder in the Saudi consulate in Istanbul last year.
In his court papers, according to a report in The Washington Post, Abdulaziz revealed that he was in touch with the columnist regularly and was helping him design a logo for a foundation Khashoggi was in the process of setting up.
It was Citizen Lab, an independent research lab at the University of Toronto, which found out about the hacking of Abdulaziz’s phone during an investigation called Hide and Seek. The Lab started the investigation after coming across several instances of similar hacking of other dissidents and human rights workers in Mexico, Panama and the UK.
“Israel-based ‘Cyber Warfare’ vendor NSO Group produces and sells Pegasus mobile phone spyware suite. Pegasus customers can infect targets using Androids and iPhones by sending them specially crafted exploit links. Once a phone is infected, the customer has full access to a victim’s personal files, such as chats, emails and photos. They can even surreptitiously use the phone’s microphones and cameras to view and eavesdrop on their targets,” Citizen Lab wrote in one of its blogs explaining the workings of Pegasus.
The lab also helped crack the mystery of a message received by Ahmed Mansoor, an internationally renowned Emirati dissident, in 2016. The activist from the UAE approached Citizen Lab after growing suspicious of a message which promised to reveal “secrets” about torture in UAE jails.
During their analysis of the message, researchers from Citizen Lab and Lookout, a security firm, found that the message carried a link which, when clicked, led to a “chain of zero-day exploits (zero-days) that would have remotely jail-broken Mansoor’s iPhone 6 and installed sophisticated spyware”. They identified the spyware as Pegasus. The vulnerability in its software led Apple to upgrade iOS that year.
In the Hide and Seek investigation between 2016 and 2018, Citizen Lab found that there were a total of 45 countries, including India, where Pegasus operators may be conducting surveillance. One of these operators, which they identified as GANGES, was operating in India, Pakistan, Bangladesh, Brazil and Hong Kong and used a “politically themed” domain, signpetition.co.
In 2017, the researchers found victims of similar cyber attacks among Mexican journalists and human rights workers. In their investigation, they found that as many as 10 journalists and social workers, all engaged in exposing government corruption, had received messages which carried Pegasus.
The targeted journalists were responsible for bringing to light a high-profile case which came to be known as Casa Blanca or White House – a scandal which involved Enrique Pena Nieto, the then Mexican President, favouring a contractor to build his family house.
In 2018, Amnesty International alleged that one of its staff members was targeted by the spyware built by NSO. The staff member was working in Saudi Arabia and had received a message which had the Pegasus malware.
“In its analysis of these messages, Amnesty International found connections with a network of over 600 domain names. Not only are these domain names suspicious, but they also overlap with infrastructure that had previously been identified as part of Pegasus, a sophisticated commercial exploitation and spyware platform sold by the Israel surveillance vendor, NSO Group,” Amnesty wrote in a post on its website in 2018.
In its statements made to several investigators and journalists, NSO has always claimed to adhere to a policy of selling the software only to governments to “prevent terrorism and crime”. But investigators who have worked on cases where dissidents were attacked with the malware are not convinced.
“Of course governments need to be technologically empowered to investigate tough criminal targets. But if you sell sophisticated spying technology to unaccountable and repressive security services, they are going to abuse it. Is NSO taking the problem seriously? They say so, yet their products continue to be implicated in abuses,” John Scott-Railton, a researcher with the Citizen Lab, told The Guardian this June.
NSO is now majority-owned by Novalpina, a British private equity firm, which acquired a 70 per cent stake in it in February. The firm’s website lists one of NSO’s co-founders, Hulio, as a veteran of the Israel Defense Forces.