The military-grade malware created by Israeli-based cyber surveillance company, NSO Group, came under scrutiny after an investigation by a consortium of media organisations found that governments used its surveillance application Pegasus to hack smartphones and spy on journalists, political opponents, and human rights activists among others.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group identified more than 1,000 individuals across 50 countries, being under potential surveillance.
Amnesty’s Security Lab examined 67 smartphones for suspected attacks. Of those, 23 were successfully infected and 14 showed signs of attempted penetration, according to reports.
While the stated purpose of the company was said to be for targeting terrorists and criminals, several authoritarian regimes have used the surveillance application to commit human rights abuses. However, NSO strongly denied the claims and refused to reveal which countries had purchased the software.
In India, the government is alleged to have spied on 300 people including Congress leader Rahul Gandhi, IT Minister Ashwini Vishnaw, poll strategist Prashant Kishor, Trinamool Congress MP Abhishek Banerjee, journalists and founding members of The Wire news media and journalist and adviser at NewsClick Paranjoy Guha Thakurta, among others.
The snooping controversy rocked the monsoon session of the Parliament for the second day in a row, leading to repeated adjournments. The government could not transact any legislative business.
So, what is NSO?
NSO is an Israeli cybersecurity company headquartered in the tech and cyber hub of Herzliya, near Tel Aviv. The company is named after the initials of its founders – Niv Carmi, Shalev Hulio and Omri Lavie.
Hulio and Lavie, two childhood friends, turned entrepreneurs in their early 20s, coinciding with Israel’s booming tech startup ecosystem. They founded MediaAnd, a product placement startup in 2007. But the global recession hit their business and they went on to start their next venture CommuniTake Technologies. CommuniTake offered remote support for mobile devices, wherein, technicians took control of the device remotely, eliminating the need to visit a service station, according to Israeli business daily Globes.
The company sold its product to mobile operators to help with tech support. But they weren’t the only ones interested in their remote control capability. The possession of just a telephone number that enabled the system to access the details of calls, messages, emails and social network applications on the phone, interested intelligence agencies, who were looking to hack into devices without permission.
Hulio and Lavie, who according to Forbidden Stories, knew little of the opaque cyber-intelligence world decided to give it a shot and roped in Niv Carmi, a former Mossad intelligence operative and security expert to form a new venture. Thus was formed NSO Group and its surveillance application Pegasus in 2010.
Fast forward several years, Pegasus turned into a sophisticated hacking tool in the hands of various governments across the world. It uses zero-click attacks/exploits that do not require the phone users to click on any links to activate it. The spyware emerged as a leading threat to democracies worldwide.
Controversies over the years
NSO first hit the headlines the late 2015-2016 amid reports of human rights workers, journalists, politicians, and researchers allegedly being under surveillance by the Mexican authorities and the UAE government.
The first case was of Ahmed Mansoor, a world-renowned human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award, who is currently serving a 10- year prison sentence for expressing his criticism of the Emirati government’s human rights abuses.
Mansoor received a suspicious text containing a link that promised ‘new secrets’ about detainee conditions in UAE. While he did not fall for the bait, he instead sent it to Citizen Lab, a Toronto, Canada-based digital rights organisation, which specialised in surveillance. They were able to trace back the link to NSO Group and their attempt to install Pegasus on the activist’s iPhone.
In the second instance, in 2017, reports emerged that the Mexican government used the surveillance application of NSO to retrospectively spy on dozens of Mexican lawyers, journalists, human rights defenders, who were neither terrorists nor criminals. It sparked a major political scandal in the country.
Again, in December 2018, Omar Abdulaziz, a Saudi dissident, accused the company of infiltrating his smartphone. Abdulaziz pressed charges, claiming that the firm sold its spyware to the Saudi government and gave access to his conversations with Jamal Khashoggi, the US-based journalist and critic of Saudi Arabia’s government, who was murdered when he walked into the Saudi consulate in Istanbul.
In the recent investigation report, it was revealed that months before he died, people associated with Khashoggi, including the two women closest to him, were selected for potential surveillance.
In the following years, the NSO’s activity increased with clients in 45 countries. “At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates,” a report by The Citizen Lab said.
The NSO Group’s products were used to infiltrate devices of Amnesty International staff. Subsequently, About 30 petitioners from Israel, including Amnesty International and Israel activists, filed a petition in the Tel Aviv District Court seeking an order from the Ministry of Defense to revoke NSO’s export license. But the court last year dismissed the legal bid saying the rights organization did not prove NSO’s technology had been used to spy on its members.
As per reports in Forbidden Stories, Apple’s iPhones, generally considered to be secure smartphones in the market, have not been spared from the attacks. “As part of the Pegasus Project, Amnesty International’s Security Lab has documented dozens of successful infections in iPhones, including new models running on the latest version of iOS – released in May of this year,” a report in Forbidden Stories said.
In 2019, NSO again made headlines when Financial Times published a report that the company’s software had been used to hack WhatsApp, which is used by 1.5 billion people worldwide.
WhatsApp went to the federal court accusing NSO of creating an exploit that was used to conduct cyber-espionage on roughly 1,400 user accounts, including those of journalists and human rights activists. As of April 2021, the three-judge panel seemed to be leaning against granting NSO’s request to force the dismissal of the suit based on the doctrine of sovereign immunity.
Snooping closer home
In India, when the breach was brought to light by Indian Express in 2019, the IT Ministry sent a letter to WhatsApp, to which the company stated it had alerted authorities in May and September 2019 about the incident. Ever since it raised alarms about NSO’s activities.
The newly appointed IT minister Ashwini Vaishnaw while addressing the Parliament on July 19, dismissed allegations of unauthorised surveillance by NSO. He said the report is an attempt to malign Indian democracy.
“In the past, similar claims were made regarding the use of Pegasus on WhatsApp by Indian State. Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court. The press reports of 18th July 2021 also appear to be an attempt to malign the Indian democracy and its well-established institutions,” he said.