The parliament of Catalonia, an autonomous region of Spain, is housed on the edge of Barcelona's Old City, in the remains of a fortified citadel built by King Philip V to keep watch over the restive local population. The citadel was constructed with the forced labor of hundreds of Catalans, and its surviving structures and gardens serve as a reminder of oppression for many. Today, a majority of Catalan parliamentarians support the region's independence, which the Spanish government regards as unconstitutional. As Catalonia prepared for an independence referendum in 2017, Spanish police arrested at least twelve separatist politicians. On the day of the referendum, police raids on polling stations injured hundreds of civilians; the referendum received 90% support despite low turnout.
Last month, Jordi Solé, a pro-independence member of the European Parliament, met Elies Campo, a digital-security researcher, in one of the Catalan parliament's ornate chambers. Solé, 45, wore a loose-fitting suit and handed over his cell phone, a silver iPhone 8 Plus. He had been receiving suspicious texts and wanted the device examined. Campo, a soft-spoken thirty-eight-year-old with tousled dark hair, was born and raised in Catalonia and supports independence. He spent years in San Francisco working for WhatsApp and Telegram before returning home. "I feel like it's a type of duty," Campo explained. He is now a fellow at the Citizen Lab, a research group based at the University of Toronto that focuses on high-tech human-rights abuses.
Campo collected logs of the phone's behavior, including crashes, and ran specialized software over them to look for spyware designed to operate unobtrusively. While they waited for the results, Campo combed through the phone for traces of attacks, which take various forms: some arrive over WhatsApp or as SMS messages that appear to come from known contacts; some require the user to click a link; others work with no user action at all. Campo found a message purporting to come from the Spanish government's social-security department; its link followed the same pattern as malware links the Citizen Lab had uncovered on other phones.
"With this communication, we have confirmation that you were attacked at some point," Campo explained. Solé's phone soon vibrated. The screen read, "This phone tested positive." "There are two proven cases," Campo told Solé. "In June 2020, your device was infected—they gained control of it and were probably on it for several hours, downloading, listening, and recording."
Solé's phone had been infected with Pegasus, spyware developed by the Israeli firm NSO Group that can extract the contents of a phone, giving access to its texts and photographs, or activate its camera and microphone for real-time surveillance, potentially exposing confidential meetings. Pegasus is useful to law enforcement hunting criminals as well as to authoritarians trying to suppress opposition. Solé had been hacked in the weeks leading up to his election to the European Parliament, where he would replace a colleague imprisoned for pro-independence activities. "There has been a clear political and judicial persecution of citizens and elected leaders by employing these unclean things, these corrupt tactics," Solé told me.
In Catalonia, Pegasus has targeted around sixty phones belonging to Catalan lawmakers, lawyers, and campaigners in Spain and across Europe. This is the largest forensically documented cluster of such attacks and infections ever recorded. Three members of the European Parliament, including Solé, were among the victims. Catalan politicians believe Spanish officials are the most likely perpetrators of the hacking campaign, and the Citizen Lab's study shows that the Spanish government has used Pegasus. A former NSO employee acknowledged the company's presence in Spain. (Requests for comment from government agencies went unanswered.)
This article is the first to report the findings of the Citizen Lab inquiry. I met with almost forty of the people targeted, and the interviews revealed a culture of paranoia and mistrust. "That type of surveillance in democratic countries and democratic states—I mean, it's incredible," Solé said.
Commercial spyware has grown into a $12 billion industry. It is largely unregulated and increasingly contentious. In recent years, investigations by the Citizen Lab and Amnesty International have uncovered Pegasus on the phones of politicians, activists, and dissidents living under oppressive governments. Forensic Architecture, a research group at the University of London, has linked Pegasus to 300 incidents of physical assault. It has been used to target members of Rwanda's opposition party and journalists in El Salvador who exposed corruption. It appeared on the phones of several people close to the late reporter Javier Valdez Cárdenas, who was investigating drug gangs. In 2018, around the time that Saudi Crown Prince Mohammed bin Salman sanctioned the murder of the journalist Jamal Khashoggi, a longtime critic, Pegasus was allegedly used to monitor phones belonging to Khashoggi's associates, potentially assisting the crime. (Bin Salman has denied any involvement, and NSO said in a statement, "Our technology was in no way linked with the terrible murder.") Further reporting by the Pegasus Project, a consortium of news organizations, has confirmed links between NSO Group and anti-democratic states.
Yet there is evidence that Pegasus is in use in at least 45 countries, and it and comparable tools have been purchased by law-enforcement agencies in the United States and Europe. "The great, ugly secret is that governments are buying this stuff—not just authoritarian regimes, but all types of governments," Cristin Flynn Goodwin, a Microsoft executive who has led the company's efforts against spyware, told me.
NSO Group is perhaps the most successful, contentious, and influential firm of a generation of Israeli companies that have turned the country into the epicenter of the spyware industry. I first interviewed Shalev Hulio, NSO Group's C.E.O., in 2019, and have since been given access to the company's employees, offices, and technology. The company is in a state of turmoil and crisis. Its coders boast not only about the use of their software in criminal investigations (NSO maintains that Pegasus is sold only to law-enforcement and intelligence agencies) but also about the illicit thrill of breaking into digital systems. The company is valued at more than a billion dollars. But it is currently in debt, at odds with a slew of corporate backers, and, according to industry experts, struggling in its long-standing efforts to sell its products to US law enforcement, even through an American subsidiary, Westbridge Technologies. It also faces multiple lawsuits in several countries, including suits brought by Meta (formerly Facebook), Apple, and people who have been hacked by NSO.
In a statement, the company said it had been "targeted by a number of politically motivated advocacy organizations, many with well-known anti-Israel biases," and that "we have repeatedly cooperated with governmental investigations, where credible allegations merit, and have learned from each of these findings and reports, and improved the safeguards in our technologies." "I never anticipated in my life that this company would be so popular," Hulio said. "I never anticipated we'd be so successful." He paused. "And I had no idea it would be so contentious."

Hulio, forty, walks with a heavy gait and has a chubby face. He usually dresses in loose T-shirts and jeans, and his hair is cut in a utilitarian buzz cut. I visited him last month at his duplex in Park Tzameret, Tel Aviv's most affluent neighborhood. He lives with his three young children and his wife, Avital, who is expecting their fourth. Hulio's apartment has a pool on the upper level; downstairs, in the double-height living room, is a custom arcade console packed with retro games and bearing a cartoon of him in sunglasses next to the name "Hulio" in enormous eight-bit letters. Avital handles the children, regular renovations, and an ever-changing assortment of pets: the rabbits remain, a parrot does not.
Marshmallow Rainbow Sprinkle is the family's miniature poodle.
NSO Group was founded in 2010 by Hulio, Omri Lavie, and Niv Karmi, who derived the name from the initial letters of their names and rented space in a converted chicken coop on a kibbutz. The company now employs some 800 people, and its technology has become a key tool of state-sponsored hacking, with a role in the rivalry between great powers.
The Citizen Lab researchers found that Pegasus was used to infect a device connected to the network of 10 Downing Street, the office of Boris Johnson, the Prime Minister of the United Kingdom, between July 26 and 27, 2020. A government official confirmed that the network had been compromised but did not identify which spyware was used. "My jaw dropped when we identified the No. 10 instance," John Scott-Railton, a senior researcher at the Citizen Lab, recalled. "We assume this involved data exfiltration," said Bill Marczak, another senior researcher at the lab. The National Cyber Security Centre, a part of British intelligence, examined several phones at Downing Street, including Johnson's, according to the official.
A thorough examination of the phones was difficult—"it's a brutally hard job," the official said—and the agency was unable to identify the infected handset. The nature of any data taken was never determined.
Based on the servers to which the data was sent, the Citizen Lab assesses that the United Arab Emirates was most likely behind the breach. "I had assumed that the United States, United Kingdom, and other top-tier cyber powers were moving slowly on Pegasus because it did not pose a direct threat to their national security," Scott-Railton said. "I realized I was mistaken: even the United Kingdom had underestimated the threat posed by Pegasus and had been spectacularly burnt." The UAE did not respond to several requests for comment, and NSO employees said they were unaware of the incident. "We hear about every, every phone call that is being hacked around the world, and we get a report right away," one of them said—a comment that contradicts the company's frequent claims that it has minimal insight into the behavior of its customers. "Information raised in the probe suggests that these allegations are, once again, untrue and could not be tied to NSO products for technological and contractual reasons," the company said in its statement.
According to the Citizen Lab, phones connected to the Foreign Office were hacked with Pegasus at least five times between July 2020 and June 2021. A government official confirmed that evidence of hacking had been found. The Citizen Lab said the destination servers indicated that the attacks originated from states including the United Arab Emirates, India, and Cyprus. (Indian and Cypriot officials did not respond to requests for comment.) About a year after the Downing Street breach, a British court found that the UAE had used Pegasus to spy on Princess Haya, the ex-wife of Sheikh Mohammed bin Rashid al-Maktoum, the ruler of Dubai, one of the Emirates.
Maktoum was embroiled in a custody battle with Haya, who had fled to the United Kingdom with their two children. Her British lawyers were also targeted. According to a source close to the matter, a whistleblower contacted NSO to alert it to the Haya cyberattack. Cherie Blair, the wife of the former Prime Minister Tony Blair and an adviser to NSO, was engaged by the company to inform Haya's lawyers. "We warned everyone in time," Hulio said. Soon after, the UAE shut down its Pegasus system, and NSO indicated that it would block the targeting of UK phone numbers, as it already did for US numbers.
Pegasus has filled a need for law-enforcement agencies in Europe that previously had little cyber-intelligence capability. "Almost all European countries use our tools," Hulio told me. "NSO has a monopoly in Europe," a former senior Israeli intelligence official said. Authorities in Germany, Poland, and Hungary have admitted to using Pegasus. Belgian law enforcement uses it as well, though it will not confirm this. (A representative of the Belgian federal police said that it adheres to "a legal framework for the use of intrusive tactics in private life.") A senior European law-enforcement officer whose agency uses Pegasus said it provides an inside view of criminal organizations: "When do they want to store the gas, go to the spot, set the explosive?" He said that his agency uses Pegasus only as a last resort, with court authorization, but admitted that "it's like a weapon... It is always possible that someone may utilize it incorrectly."
The United States has been affected by this technology both as a customer and as a victim. Although the NSA and the CIA have their own surveillance technology, other government agencies, including the military and the Department of Justice, have bought spyware from private companies, according to people familiar with the transactions. According to the New York Times, the FBI bought and tested a Pegasus system in 2019, though the agency denies having used the technology.
Setting rigorous standards for who may use commercial spyware is complicated by the fact that such technology is marketed as a diplomatic tool. The results can be chaotic. According to the New York Times, the CIA paid for Djibouti to buy Pegasus in order to combat terrorism. According to a previously undisclosed WhatsApp investigation, the technology was also used against members of Djibouti's own government, including Prime Minister Abdoulkadar Kamil Mohamed and Interior Minister Hassan Omar.
According to the Washington Post and Apple, the iPhones of eleven people working for the US government abroad, many of them at the embassy in Uganda, were hacked with Pegasus last year. According to NSO Group, "after a media enquiry" about the incident, the company "quickly shut down all the customers potentially connected to this issue, due to the seriousness of the allegations, and even before we began the investigation." The Biden Administration is looking into further targeting of US officials and has opened an investigation into the risks posed by foreign commercial hacking tools. Administration officials told me that they intend to take additional, forceful steps. The most significant is "a prohibition on the United States government purchasing or using foreign commercial malware that poses counterintelligence and security risks to the United States government or has been inappropriately employed abroad," according to Adrienne Watson, a White House spokesperson.
In November, the Commerce Department placed NSO Group, along with several other spyware manufacturers, on a list of entities barred from obtaining technology from American companies without a license.
The next day, I was in New York with Hulio. NSO could no longer lawfully buy Windows operating systems, iPhones, or Amazon cloud servers, all of which it uses to run its operations and build its spyware. "It's ridiculous," he said. "We never sold to any country that is not a US ally or an Israeli ally. We've never sold to a country with whom the United States does not do business." Deals with foreign clients require "formal written authorisation from the Israeli government," Hulio said.
"I believe it is poorly understood by American politicians," said Eva Galperin, head of cybersecurity at the watchdog group the Electronic Frontier Foundation. "They keep expecting the Israeli government to punish NSO for this, when in fact they are doing the Israeli government's bidding." The Washington Post reported last month that Israel had barred Ukraine from obtaining Pegasus in order to avoid alienating Russia. "Everything we're doing has been approved by the Israeli government," Hulio said. "The Americans developed the entire regulatory machinery in Israel."
NSO sees itself as a kind of arms dealer operating in an unregulated field. "There are the Geneva Conventions for the use of a weapon," Hulio said. "I firmly believe that a convention of countries should be established to agree on the proper use of such instruments" for cyber warfare. In the absence of international regulation, a struggle between private enterprises is taking place: on one side, firms like NSO; on the other, the big technology platforms through which such firms operate their spyware.
On Thursday, May 2, 2019, Claudiu Dan Gheorghe, a software engineer, was working in Building 10 on Facebook's campus in Menlo Park, where he managed a team of seven responsible for WhatsApp's voice- and video-calling infrastructure. Gheorghe, who was born in Romania, is thirty-five, with a slight frame and dark, close-cropped hair. In a photograph he used as a professional head shot during his nine years at Facebook, he wears a black hoodie and looks a little like Elliot Alderson, the protagonist of the hacking drama "Mr. Robot." Building 10 is a two-story structure with open-plan workspaces, brightly colored accent walls, and whiteboards. Engineers, most of them in their twenties and thirties, hunch over keyboards. The word "concentration" is painted on a wall and printed on magnets scattered around the workspace. "It seemed like a church a lot of the time," Gheorghe recalled. WhatsApp, which Facebook bought for $19 billion in 2014, is the world's most popular messaging service, with around two billion monthly users.
Facebook had positioned the platform, which uses end-to-end encryption, as ideal for confidential communications, and the company's security team had spent more than two years strengthening the security of its products. One task involved inspecting the "signaling messages" that WhatsApp users send to the company's servers in order to set up calls. That evening, Gheorghe was alerted to an unexpected signaling message. A field that was supposed to specify the ringtone instead carried code with strange instructions for the recipient's phone.
Anomalies were common, and usually harmless, in a system as large as Facebook's. Unfamiliar code could come from an older version of the software, or from a stress test run by Facebook's Red Team, which simulates attacks. But as engineers in Facebook's offices around the world woke up and began to study the code, they grew alarmed. According to Otto Ebeling, who worked on Facebook's security team in London, the code looked "clean, smooth, which was worrying." Early the next morning, Joaquin Moreno Garijo, another member of the London security team, wrote on the company's internal messaging system that, given the sophistication of the code, "we suspect the attacker may have located a weakness." Security engineers often describe their work in terms of vulnerabilities and exploits. Ivan Krstić, an Apple engineer, compared the idea to a heist scene in the film "Ocean's Twelve," in which a character dances through a hall full of lasers that trigger alarms. "The vulnerability in that scene is that there is a way through all the lasers that allows you to walk across the room," Krstić explained. "But the exploit is that someone had to be a skilled enough dancer to perform the dance."
By late Sunday, a team of engineers working on the problem had concluded that the code was an active exploit, hitting vulnerabilities in their infrastructure as they watched. They saw data being copied from users' phones. "It was terrifying," Gheorghe recalled. "Like the earth is trembling beneath you, because you developed this thing, and it's used by so many people, but it has this big defect in it."

The engineers quickly identified ways to stop the malicious code from running, but they debated whether to do so. Blocking it would alert the attackers, letting them cover their tracks before the engineers could be certain that any fix closed every possible avenue of attack. "It'd be like chasing ghosts," Ebeling said. "Made a choice not to roll out the server-side fix," Andrey Labunets, a WhatsApp security engineer, wrote in an internal message, "because we don't understand the root cause, the impact for users, and other possible attacker numbers / approaches."
In crisis meetings on Monday with Will Cathcart, WhatsApp's top executive, and Facebook's head of security, the company told its engineers around the world that they had 48 hours to examine the problem. "How many victims would there be?" Cathcart recalled worrying. "I mean, how many individuals were injured as a result of this?" The company's executives decided not to notify law enforcement immediately, fearing that US officials would tip off the hackers. "There's a chance of—you might go to a customer," he explained. (Their suspicions were justified: according to the Times, the F.B.I. hosted NSO engineers at a site in New Jersey, where the agency tested the Pegasus software it had bought.) Cathcart briefed Mark Zuckerberg, who described the situation as "horrific" and pressed the staff to act immediately. "It was a terrible Monday," Gheorghe said. "I got up about 6 a.m. and worked till I couldn't stay awake any longer."
NSO's headquarters are in Herzliya, a suburb of Tel Aviv, in a glass-and-steel office complex. The neighborhood is home to a slew of technology companies from Israel's growing startup scene. A twenty-minute walk takes you to the beach. The world's most notorious commercial hacking company is strikingly unguarded: at times, I was waved through by a single security guard.
On the fourteenth floor, hooded programmers gather in a canteen equipped with an espresso machine and an orange juicer, or on a deck with views of the Mediterranean. As one of them put it, "life was a lot easier when apple and blackberry were just fruits." Stairs lead down to the various programming groups, each with its own relaxation area complete with couches and PlayStation 5s. The Pegasus team likes to play FIFA, a football game made by Electronic Arts.
Employees told me that the company hides its technology behind an information-security department staffed by several dozen professionals. "There is a very substantial section in the organization that is in charge of whitewashing, I would say, all connections, all network connections between the client and NSO," a former employee explained. "They are buying V.P.N. servers all around the world. They have this entire infrastructure set up so that no contact can be tracked."
Despite these safeguards, WhatsApp engineers were able to trace data from the attack to IP addresses associated with NSO properties and Web services. "We now know that one of the world's largest threat actors has a live exploit against WhatsApp," Gheorghe said. "I mean, it was fantastic, because some of these things are quite rare to catch. However, it was also quite frightening." The victims' identities began to emerge. "There are likely journalists, human rights activists, and others on the list," Labunets, the security engineer, wrote on the company's messaging system. (In the end, the team found that fourteen hundred WhatsApp users had been targeted.)
By midweek, roughly thirty people were working on the problem in a 24-hour relay, one group sleeping while another came online. Facebook extended the team's deadline, and they began reverse-engineering the malicious code. "To be honest, I think it's amazing. I mean, it seems like magic when you look at it," Gheorghe said. "These individuals are incredibly intelligent. I disagree with what they do, but my, that's a sophisticated thing they made." The exploit initiated two video calls, one of which joined the other, with the malicious code buried in the call's settings.
The operation took only a few seconds and quickly erased any notifications. The code used a technique known as a "buffer overflow," in which more data is written into a region of a device's memory than that region was set aside to hold. "It's like writing on a piece of paper and going outside the lines," Gheorghe said. "You start writing on whatever surface you have, right? You begin writing on your desk." The overflow lets the attacker's data overwrite adjacent portions of memory. "You can program it to do whatever you want."

I met with a vice-president for product development at NSO, who insisted that I use only his first name, Omer, citing, ironically, privacy concerns. "You uncover nooks and crannies that allow you to perform things that the product designer didn't envision," Omer explained. Once the exploit gained control, it loaded further software, allowing the attacker to extract data or activate a camera or microphone. The entire process was "zero click," requiring no action from the phone's owner.
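To make the "outside the lines" picture concrete, here is an added illustration in C (not code from the article, WhatsApp, or NSO) of a defective call-setup parser next to a bounds-checked one. The wire format, the 16-byte ringtone slot, and the neighbouring "callback" field are constructed assumptions; the device's memory is modelled as one byte array so that the spill into the adjacent field is observable without undefined behaviour.

```c
/* Added illustration, not code from the article, WhatsApp or NSO.
 * Constructed call-setup record: one length byte, then a ringtone name.
 * The receiver copies the name into a 16-byte slot that sits directly
 * before a field it trusts (a 4-byte "callback selector"). "Device
 * memory" is modelled as a single byte array so the spill into the
 * neighbouring field is observable without undefined behaviour. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RINGTONE_CAP 16      /* bytes reserved for the ringtone name */
#define CALLBACK_LEN 4       /* bytes of the trusted field next to it */
#define MEM_SIZE     64      /* constructed "device memory"          */

enum { OFF_RINGTONE = 0, OFF_CALLBACK = RINGTONE_CAP };

typedef struct { uint8_t mem[MEM_SIZE]; } device_t;

/* Constructed wire format: data[0] = name length, data[1..] = name bytes. */
typedef struct { const uint8_t *data; size_t len; } signaling_msg_t;

static const uint8_t CALLBACK_EXPECTED[CALLBACK_LEN] = {0x01, 0x02, 0x03, 0x04};

/* Fresh device: empty ringtone slot, callback selector at its known value. */
static void device_init(device_t *d) {
    memset(d->mem, 0, sizeof d->mem);
    memcpy(d->mem + OFF_CALLBACK, CALLBACK_EXPECTED, CALLBACK_LEN);
}

/* 1 if the trusted field still holds its original bytes, else 0. */
static int callback_intact(const device_t *d) {
    return memcmp(d->mem + OFF_CALLBACK, CALLBACK_EXPECTED, CALLBACK_LEN) == 0;
}

/* Defective parser: trusts the sender's length byte and copies without
 * comparing it to RINGTONE_CAP. A name longer than the slot "goes outside
 * the lines" and overwrites the callback field that follows it.
 * Returns the number of bytes copied. */
static size_t parse_ringtone_unchecked(device_t *d, const signaling_msg_t *m) {
    if (m->len < 1) return 0;
    size_t n = m->data[0];
    if (n > m->len - 1) n = m->len - 1;              /* stay inside the packet */
    if (n > (size_t)(MEM_SIZE - OFF_RINGTONE))       /* keep the model defined */
        n = (size_t)(MEM_SIZE - OFF_RINGTONE);
    memcpy(d->mem + OFF_RINGTONE, m->data + 1, n);   /* no check against the slot size */
    return n;
}

/* Hardened parser: the declared length must fit both the packet and the
 * slot. Returns bytes copied, or -1 for a malformed or oversized message,
 * in which case nothing is written. */
static int parse_ringtone_checked(device_t *d, const signaling_msg_t *m) {
    if (m->len < 1) return -1;
    size_t n = m->data[0];
    if (n > m->len - 1) return -1;                   /* length exceeds packet */
    if (n > RINGTONE_CAP) return -1;                 /* would overflow the slot */
    memcpy(d->mem + OFF_RINGTONE, m->data + 1, n);
    return (int)n;
}

/* Build a constructed message whose ringtone name is `n` copies of 'A'. */
static signaling_msg_t make_msg(uint8_t *buf, size_t bufsz, size_t n) {
    if (n > bufsz - 1) n = bufsz - 1;
    buf[0] = (uint8_t)n;
    memset(buf + 1, 'A', n);
    signaling_msg_t m = { buf, n + 1 };
    return m;
}

/* Run the defective parser on an n-byte name; report whether the
 * neighbouring field survived (1) or was clobbered (0). */
static int unchecked_leaves_callback_intact(size_t n) {
    uint8_t raw[MEM_SIZE];
    device_t dev;
    signaling_msg_t m = make_msg(raw, sizeof raw, n);
    device_init(&dev);
    parse_ringtone_unchecked(&dev, &m);
    return callback_intact(&dev);
}

/* Run the hardened parser on an n-byte name; return its result code. */
static int checked_result(size_t n) {
    uint8_t raw[MEM_SIZE];
    device_t dev;
    signaling_msg_t m = make_msg(raw, sizeof raw, n);
    device_init(&dev);
    return parse_ringtone_checked(&dev, &m);
}

int main(void) {
    printf("8-byte name,  unchecked: callback intact = %d\n", unchecked_leaves_callback_intact(8));
    printf("24-byte name, unchecked: callback intact = %d\n", unchecked_leaves_callback_intact(24));
    printf("24-byte name, checked:   rc = %d (rejected)\n", checked_result(24));
    printf("8-byte name,  checked:   rc = %d (accepted)\n", checked_result(8));
    return 0;
}
```

The defect is the single missing comparison against RINGTONE_CAP; everything else about the two parsers is identical, which is why a reviewer looking only at "does it stay inside the packet" would miss it.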
The software was created by NSO's Core Research Group, which consists of several dozen software professionals. "You're searching for a silver bullet, a simple exploit that can affect as many mobile devices as possible worldwide," Omer explained. "A lot of people, you know, would think of hackers as being, like, one person in a dark room, like, typing on a keyboard, right?" Gheorghe said. "That is not the case—these individuals are simply another IT corporation." It is customary for technology companies to hire people with hacking experience and to pay independent programmers who find flaws in their systems. The vanity address of Facebook's headquarters is 1 Hacker Way.
At both NSO and WhatsApp, the engineers closest to the code are often regarded by coworkers as quirky introverts who resemble fictional hacker stereotypes. "They are unique individuals. Not all of them can speak clearly with other humans," Omer said of the Pegasus programmers. "Some of them go two days without sleeping. They go insane when they don't get enough sleep."
Late in the week, Facebook's security team planned a ruse: they would pose as an infected device in order to coax NSO's servers into sending them a copy of the code. "But their software was smart enough not to be fooled by this," Gheorghe said. "We were never able to get our hands on that."
"It's a cat-and-mouse game," Omer said. Although NSO claims that its customers control the use of Pegasus, it does not deny its own direct involvement in these exchanges. "Every day, things are patched," Hulio said. "This is standard procedure around here."
In some cases, WhatsApp users received repeated missed calls but the malware was not successfully implanted. Once they learned of these occurrences, the engineers were able to examine what happened when Pegasus failed. By the end of the week, Gheorghe told me, "we said, OK, we don't have a whole knowledge at this moment, but I think we captured enough." On Friday morning, Facebook contacted the Department of Justice, which is investigating NSO. The company then modified its servers to stop the malicious code from running. "Ready to roll," Gheorghe wrote on the internal messaging service that afternoon. The fix was designed to look like routine server maintenance, so that NSO would keep launching attacks and supplying Facebook with more data.
The next day, WhatsApp engineers said, NSO began sending what appeared to be decoy data packets, which they suspected were a way to find out whether NSO's operations were being monitored. "They actually provided a YouTube URL in one of the infected packets," Gheorghe told me. "When we saw what it was, we all burst out laughing." The link led to the 1987 music video for Rick Astley's song "Never Gonna Give You Up." Ambushing someone with a link to the song is a common trolling tactic known as Rickrolling. "Rickrolling is something my colleague might do to me, not some type of semi-state-sponsored people," Otto Ebeling recalled. Cathcart told me, "There was a message in it. They were saying, 'We saw you and know what you did.'" (Hulio and other NSO personnel said they had no recollection of Rickrolling WhatsApp.)
In the months that followed, WhatsApp began notifying users who had been targeted. The list included numerous government figures, among them at least one French ambassador and the Prime Minister of Djibouti. "There was no crossover between this list and actual law-enforcement outreach," Cathcart explained. "You could see, gosh, there are so many countries all around the world. This isn't just one agency or organization targeting people in one country." WhatsApp also began working with the Citizen Lab, which warned victims of the possibility of being hacked again and helped them secure their devices. "It was really amazing how many individuals were disappointed and devastated, but in a profound way not surprised, almost relieved, as if they were finally obtaining a diagnosis for a secret sickness they had been suffering from for many years," John Scott-Railton said.
Five of those on WhatsApp's initial list were Catalans, including elected officials and an activist. Campo, the Catalan security expert, understood that these cases "were most likely only the tip of the iceberg." "That's when I found myself at the convergence of technology—a product that I helped build—and my home nation," he said.
WhatsApp continued to share information with the Department of Justice, and that fall the company sued NSO in federal court. Cathcart told me that NSO Group had "breached our systems and destroyed us. I mean, do you just sit there and do nothing about it? No. There must be repercussions."
"I simply remember that one day the lawsuit happened, and they shut off our employees' Facebook accounts, which was a really bully move for them to do," Hulio said. "I think it's a great hypocrisy," he added, referring to controversies over Facebook's role in society. NSO has asked that the suit be dismissed, arguing that its work on behalf of governments should give it the same immunity from lawsuits that those governments enjoy. So far, the US courts have rejected this argument.
WhatsApp's assertive approach stood out among large technology companies, which are often reluctant to draw attention to cases in which their systems have been compromised. The lawsuit marked a turning point: the technology industry was now publicly aligned against the spyware vendors. "The moment the whole thing just burst," Gheorghe said.
Microsoft, Google, Cisco, and other companies filed a legal brief in support of WhatsApp's lawsuit. Goodwin, the Microsoft executive, was instrumental in bringing the firms together. "We couldn't let NSO Group win by claiming that just because a government uses your products and services, you acquire sovereign immunity," she explained. "The repercussions of it would have been extremely dangerous." Hulio contends that when governments use Pegasus, they are less likely to press platform providers for expanded "back door" access to users' data. He voiced his displeasure with the case. "Instead of them responding, 'OK, thank you,' they're going to sue us," he said. "So, let's meet in court."
Microsoft, like many other companies, has a security team that fights hackers. Although Pegasus is not designed to target users through Microsoft platforms, at least four people in Catalonia who use Microsoft Windows on their PCs have been attacked by Candiru, a firm founded by former NSO employees.
(A Candiru spokeswoman stated that its products must be used for the "sole goal of combating crime and terror.") In February 2021, the Citizen Lab discovered signs of an ongoing infection—unusual for malware of this caliber—on the laptop of Joan Matamala, an activist with close ties to separatist politicians. Campo called Matamala and told him to wrap the laptop in aluminum foil as a temporary measure to keep the infection from connecting to its servers. Citizen Lab was able to extract a copy of the spyware, dubbed DevilsTongue by Microsoft. Some months later, Microsoft delivered updates that blocked DevilsTongue and prevented new attacks.
After iPhone users were allegedly targeted by NSO in November, Apple launched its own lawsuit. NSO has requested that the case be dismissed. "Apple is not a corporation that believes in theatrical lawsuits," said Ivan Krstić, the Apple engineer. "We've spent the entire time waiting for a smoking gun that would allow us to file a winnable claim."
Apple established a threat-intelligence unit almost four years ago. Two Apple personnel involved in the project told me it was a reaction to the spread of spyware, as exemplified by NSO Group. "NSO is a major issue," one of the staff informed me. "Even before the news broke, we had disrupted NSO a number of times." With the release of iOS 14 in 2020, Apple launched a technology dubbed BlastDoor, which shifted the processing of iMessages—including any potentially harmful code—into a chamber linked to the rest of the operating system by a single, narrow data stream. However, Omer, the NSO Vice President, informed me that "newer features usually have some flaws in their armor," making them "easier to target." Krstić admitted that "a type of an eye of a needle of an opening remained."
Apple's security team received word in March 2021 that a hacker had successfully threaded the needle. Even in cyber warfare, there are double agents. "We've spent a long time and a lot of effort in trying to get to a place where we can actually learn something about what's going on profoundly behind the scenes at some of these firms," a source familiar with Apple's threat-intelligence capabilities said. (According to an Apple representative, Apple does not "run sources" within spyware companies.) Spyware vendors, too, rely on intelligence collection, such as obtaining pre-release versions of software to plan their next attacks. "We follow publications and beta versions of any apps we're targeting," Omer explained.
That month, Citizen Lab researchers informed Apple that the phone of a Saudi women's rights activist, Loujain al-Hathloul, had been hijacked over iMessage. Later, after months of examining Hathloul's phone, researcher Bill Marczak discovered an exploit in an image file, and the Citizen Lab was able to deliver Apple a copy. According to a source familiar with Apple's threat-intelligence capabilities, receiving the material over an encrypted digital channel was "kind of like getting something handed to you in a biohazard bag that says, 'Do not open except in a Biosafety Level 4 facility.'" Apple's inquiry lasted a week and involved several dozen engineers from the US and Europe. The company concluded that NSO had embedded malicious code in PDF files. It then deceived an iMessage component into accepting and processing the PDFs outside of BlastDoor. "It borders on science fiction," claimed a source familiar with Apple's threat-intelligence capabilities. "It's difficult to accept when you read the analysis." Project Zero, Google's security research team, also studied a copy of the exploit and later wrote in a blog post, "We assess this to be one of the most technically sophisticated exploits we've ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states." In the NSO offices, programmers in the Core Research Group printed a copy of the post and hung it on the wall.
Apple released platform updates that rendered the vulnerability obsolete. According to Krstić, this was a "huge point of pride" for the team. "We saw it coming," Omer said. "We were basically counting down the days till it happened." According to him and others at the company, the next exploit is inevitable. "There could be some gaps. It could take us two weeks to come up with a mitigation, a workaround." During interviews at NSO's headquarters this month, employees exchanged uncomfortable looks with hovering public-relations officials as they answered questions about morale in the middle of the scandals, lawsuits, and blacklisting. "To be honest, not every time the mood is fantastic," Omer admitted. Others expressed allegiance to the company and faith in the ability of its tools to catch crooks. "The corporation has a very powerful narrative that it attempts to promote internally to employees," said the former employee. "You either support them or oppose them."
Because of the caliber of talent and experience provided by the military, Israel has become the world's most significant source of private surveillance technology. "Because of mandatory service, we can recruit the finest of the best," said the former top intelligence official. "From M.I.T. to Google, the American dream is moving. The Israeli ideal is to get to 8200," the Israeli military-intelligence unit that spyware vendors frequently recruit from. (Hulio, who portrays himself as a lousy student with a "nothing special" upbringing, frequently emphasizes that he did not serve in Unit 8200.) Historically, NSO has been seen as an intriguing work opportunity for young veterans.
However, a former NSO staffer informed me that others had become disillusioned after learning that Pegasus had assisted in Jamal Khashoggi's murder. "At that point, many of my colleagues opted to leave the organization," the former employee explained. "I think this was one of the main incidents that drove many of the staff to, like, wake up and realize what was going on." The departures have been "like a snowball" in recent years. Asked about the company's troubles, Hulio stated, "What concerns me are the vibes of the staff."
NSO was saddled with hundreds of millions of dollars in debt in 2019 as part of a leveraged-buyout deal in which Novalpina, a London-based private-equity firm, acquired a 70% share. Moody's, a financial-services organization, recently reduced NSO's credit rating to "bad," and Bloomberg classified it as a troubled asset that Wall Street traders avoided. Two top NSO executives have left, and the company's relationship with its backers has deteriorated. Due to infighting among Novalpina's partners, control of its assets, including NSO, was transferred to a consulting firm, Berkeley Research Group, which promised to strengthen oversight. However, a senior BRG official reportedly stated that collaboration with Hulio was "essentially non-existent."
According to Agence France-Presse, tensions have arisen because NSO's creditors have urged for ongoing sales to nations with questionable human-rights histories, while BRG has moved to halt them. "We do have some disagreements with them," Hulio remarked of BRG. "It's about how to run the company."
The difficulties of NSO have affected its strong relationship with the Israeli state. When his unit turned down European countries wanting intelligence partnership in the past, the former senior intelligence official remembered, "Mossad said, Here's the next best thing, NSO Group."
According to some people familiar with the transactions, Israeli authorities gave minimal ethical direction or restriction. "Israeli export control was not dealing with ethics," the former official claimed. "It was concerned with two issues. The first is Israeli national interest. Second, reputation." According to the former NSO employee, the state "was well aware of the misuse, and even exploiting it in its own diplomatic contacts." (In a statement, Israel's Ministry of Defense stated that "each licensing assessment is performed in light of many elements, including the product's security clearance and assessment of the country toward whom the product would be sold. Human rights, policy, and security concerns are all taken into account.") Following the blacklisting of NSO, Hulio attempted to seek the help of Israeli leaders such as Prime Minister Naftali Bennett and Defense Minister Benny Gantz. "I sent a letter," he explained. "I stated that as a regulated corporation, you know, everything we've ever asked was with the consent and authority of the Israeli government." However, according to a senior Biden Administration official, the Israelis lodged only "very modest concerns" over the blacklisting. "They didn't like it, but there was no standoff."
Arab members of Israel's parliament are spearheading a small movement to investigate the state's involvement with NSO. "We tried to discuss this in the Knesset twice... to tell Israeli politicians, You are selling death to very weak communities that are in conflict, and you've been doing this for too long," Arab party head Sami Abou Shahadeh told me. "It never worked," he continued, "because, first and foremost, they don't see any problem with that." A Front Line Defenders investigation last October discovered Pegasus infections on the phones of six Palestinian activists, including one whose Jerusalem residency status had been revoked.
"I know there have been misappropriations," Hulio admitted. "It's difficult for me to live with that. And I clearly feel bad about it. That is not an exaggeration. I never said it before, but now I'm saying it." Hulio stated that the company had turned down 90 customers and hundreds of millions of dollars in business due to concerns about abuse. Such statements, however, are difficult to verify. "NSO wanted Western Europe primarily so they could tell individuals like you, 'Here's a European example,'" said a former Israeli intelligence official who now works in the spyware industry. "However, the vast majority of their business is subsidized by the Saudi Arabias of the globe." "For a European country, they would demand ten million dollars," said the former employee, who was familiar with NSO's sales activities. "And for a country in the Middle East, they could demand something like $250 million for the same goods. When they realized that they had misused in those countries that they sold to for tremendous sums of money, the choice to shut down the service for that specific country became much, much harder."
When asked about the worst abuses of his technology, Hulio used an argument that is central to his company's defense against WhatsApp and Apple. "We don't have access to the data on the system," he explained. "We don't participate in the business, and we don't see what the consumers do. We have no method of keeping track of it." When a client purchases Pegasus, an NSO crew travels to install two racks, one for storage and the other for running the software, according to company executives. The system then operates with only a limited connection to NSO in Israel.
However, NSO engineers admit that some systems are monitored in real time to prevent illegal tampering with or theft of their equipment. "That's a lie," the former staffer said of Hulio's claims that NSO is formally barred from managing the system. The former employee recalls NSO's support and maintenance efforts, which included remote access with the customer's authorization and live oversight. "There is remote access," said the former employee. "They can witness everything that happens. They have access to the database, as well as all of the data." "They can have remote access to the system when we approve them to access the system," a top European law-enforcement officer told me.
NSO executives claim that they are striving to build guardrails in an unregulated industry. They have trumpeted the formation of a compliance committee and informed me that they now keep a list of nations ranked by risk of abuse, based on human-rights indicators from Freedom House and other organizations. (They refused to reveal the list.) Customers' Pegasus systems, according to NSO, keep a file that records which numbers were targeted; customers are legally compelled to turn over the file if NSO launches an investigation. "We've never had a consumer say no," said Hulio. According to the corporation, it can terminate systems remotely and has done so seven times in the last several years.
Hulio stated that the competition is significantly more worrisome. "Companies found themselves in Singapore, Cyprus, and other areas where there is no actual regulation," he explained. "They can also sell to anybody they choose." The spyware industry is also rife with rogue hackers eager to breach devices for anyone willing to pay. "They'll take your computers, your phone, and your Gmail," Hulio stated. "It's clearly illegal. However, it is currently fairly frequent. It's not that pricey." He claims that some of the technology with which NSO competes originates from state actors such as China and Russia. "I can tell you that now in China, today in Africa, the Chinese government is providing capabilities that are essentially identical to NSO." According to Carnegie Endowment for International Peace research, China provides surveillance capabilities to sixty-three countries, frequently through commercial enterprises affiliated with the Chinese government. "NSO, perhaps, will not exist tomorrow," Hulio predicted. "There will not be a vacuum. What do you believe will happen?"
NSO is also up against other Israeli enterprises. Large-scale hacking campaigns, such as the one in Catalonia, frequently employ tools from a variety of organizations, including those formed by NSO alumni. Candiru was founded in 2014 by Eran Shorer and Yaakov Weizman, both former NSO personnel. It was purportedly linked to recent attacks on websites in the United Kingdom and the Middle East (Candiru disputes this), and its software was found on the computers of Turkish and Palestinian nationals. Candiru does not have a website. The company is named after an Amazon River basin parasitic fish that drains the blood of larger fish.
Two years later, QuaDream was created by a group that included two other former NSO employees, Guy Geva and Nimrod Reznik. It, like NSO, focuses on smartphones. Reuters revealed earlier this year that QuaDream had exploited the same weakness that NSO had used to obtain access to Apple's iMessage. QuaDream, whose premises are hidden behind an inconspicuous door in the Tel Aviv suburb of Ramat Gan, appears to rely on regulatory havens like many of its competitors: its flagship malware, Reign, is purportedly held by a Cyprus-based firm, InReach. According to Haaretz, the firm is currently working for Saudi Arabia. (QuaDream was unable to be reached for comment.)
Other Israeli companies position themselves as having a better reputation. Paragon, which was created in 2018 by former Israeli intelligence personnel and includes former Prime Minister Ehud Barak on its board of directors, sells its technology to government agencies in the United States. Paragon's core technology focuses on hacking encrypted messaging networks such as Telegram and Signal rather than seizing complete control of phones. According to one executive, the company has committed to selling mainly to countries with relatively uncontroversial human-rights records: "Our approach is to have values that are interesting to the American consumer."
Gonzalo Boye, an attorney representing nineteen Pegasus victims in Catalonia, is preparing criminal complaints for courts in Spain and other European nations, accusing NSO, as well as Hulio and his co-founders, of violating national and European Union regulations. Boye has represented exiled Catalan politicians such as former President Carles Puigdemont. The Citizen Lab discovered that between March and October of 2020, Boye was targeted eighteen times with text messages posing as updates from Twitter and news sites.
At least one attempt was successful, resulting in a Pegasus infection. Boye says he now spends as much time as he can outside of Spain. In a recent interview, he said, "How can I defend someone when the opposing side knows exactly what I've said to my client?" Hulio declined to identify particular customers, but said Spain's use of the technology was legal. "There is clearly a rule of law in Spain," he said. "And if everything was legal, with the approval of the Supreme Court or all the legal systems, then it couldn't be abused." "We are not criminals," said Catalonia's current President, Pere Aragonès. He is one of three people who have served in that role whose phones have been infected with Pegasus. "What we want from the Spanish authorities is transparency."
The European Parliament established a committee last month to investigate the use of Pegasus in Europe. According to Reuters, senior officials at the European Commission were targeted by NSO malware last week. The investigation group, which includes Puigdemont, will meet for the first time on April 19th. The operations of the NSO, according to Puigdemont, are "a threat not just to the legitimacy of Spanish democracy, but to the credibility of European democracy itself."
Three activists have recently warned NSO Group, as well as the governments of Saudi Arabia and the United Arab Emirates, that they intend to sue over alleged Pegasus violations. (The corporation answered that their claims had "no substance.") NSO is still defending itself in the WhatsApp lawsuit. It filed an appeal with the United States Supreme Court earlier this month. "If we have to go to battle," Shmuel Sunray, NSO's general counsel, said. WhatsApp's lawyers claim that in their fight against NSO, they have encountered deceptive techniques, including an apparent campaign of private surveillance.
On December 20, 2019, Joe Mornin, an associate at Cooley L.L.P., a Palo Alto law firm representing WhatsApp in its lawsuit against NSO, received an e-mail from a woman identifying herself as Linnea Nilsson, a producer for a Stockholm-based company planning a cybersecurity documentary series.
Nilsson kept her name a secret, but she was so eager to meet Mornin that she bought him a first-class airline ticket from San Francisco to New York. The ticket was purchased in cash through World Express Travel, a travel operator specializing in excursions to Israel. Mornin never redeemed his ticket. The documentary company's website, which was populated with photographs taken from elsewhere on the Internet, quickly vanished. So did Nilsson's LinkedIn profile.
Many months later, a woman claiming to be Anastasia Chistyakova, a Moscow-based trustee for a wealthy individual, contacted Travis LeBlanc, a Cooley lawyer working on the WhatsApp matter, requesting legal help. The woman communicated by voicemail, e-mail, Facebook, and LinkedIn. Mornin recognized her voice as Nilsson's, and the law firm eventually discovered that her e-mail originated from the same block of IP addresses as Nilsson's. The lawyers reported the incidents to the Department of Justice.
The tactics were similar to those used by Black Cube, a private intelligence firm staffed mostly by former Mossad and other Israeli intelligence personnel and known for deploying operatives with phony identities. The firm worked on behalf of producer Harvey Weinstein to track down women who had accused him of sexual abuse, and three of its staffers were sentenced to suspended prison terms last month for hacking and intimidating Romania's leading anti-corruption prosecutor.
At least one other case involving NSO Group has been linked to Black Cube. The A.P. reported in February 2019 that Black Cube agents had targeted three attorneys participating in a separate lawsuit against NSO Group, as well as a London-based journalist covering the case. The lawyers, Mazen Masri, Alaa Mahajna, and Christiana Markou, representing hacked journalists and activists, sued NSO and a related corporation in Israel and Cyprus. All three received communications in late 2018 from people claiming to be linked with a wealthy firm or individual, repeatedly urging meetings in London. NSO Group has denied hiring Black Cube to spy on its opponents. Hulio, on the other hand, admitted the link to me, adding, "For the case in Cyprus, there was one involvement of Black Cube," because the lawsuit "came out of nowhere, and I want to know why." He stated that he had not hired Black Cube for any other lawsuits. Black Cube declined to comment on the incidents, although a person close to the company denied that it had targeted Cooley lawyers.
"People can adjust to nearly any condition," Hulio once told me. NSO Group must now adjust to the fact that its main product has become a symbol of oppression. "I'm not sure we'll win, but we'll fight," he remarked. One option was to broaden the product line. The company showed me Maestro, an artificial-intelligence program that analyzes surveillance data, builds models of people's relationships and routines, and alerts law enforcement to changes in routine that could be precursors to crime. "I'm convinced this will be the next big thing coming out of NSO," one of its designers, Leoz Michaelson, told me. "Mathematically vectorizing every life pattern."
The tool is already in use in a few countries, and Hulio claims that it helped lead to an arrest when a suspect in a terrorism probe subtly changed his routine. The company appeared to have given little thought to the possibility that this tool, too, would spark criticism. When I asked Michaelson what would happen if law enforcement arrested someone for, say, going to the shop in the middle of the night, he answered, "There may be false positives." However, "this guy who is going to get milk in the middle of the night is in the system for a reason," he noted.
However, the danger to bystanders is not theoretical. Elies Campo decided last week to scan the phones of his parents, both scientists who are not involved in political activities, for spyware. When he visited them over the Christmas vacation in 2019, he discovered that both had been infected with Pegasus. "The idea that anyone may be at risk from Pegasus wasn't simply a concept anymore," Campo explained, "it was my parents sitting across the table from me." On his mother's phone, which had been hacked eight times, the researchers discovered a new type of zero-click exploit that attacked iMessage and iOS's Web-browsing engine. There is no proof that iPhones are still vulnerable to the attack, which has been given the working name Homage by Citizen Lab.
"You're not going to believe this, but your mother is patient zero for a previously unknown exploit," Scott-Railton informed Campo when the proof was revealed.
During a recent visit to NSO's offices, the windows and whiteboards were covered in flowcharts and diagrams in Hebrew and English, recording product and exploit ideas. A single phrase was scrawled in huge red Hebrew characters and forcefully underlined on one whiteboard: "War!"
Written by cryptoanonymous: 12/05/2022