WhatsApp snooping: NSO, Pegasus and the realm of digital spying

NSO was formed with the blessings of global intelligence agencies and espionage services

WhatsApp has sued Israeli technology firm NSO Group, accusing it of using the Facebook-owned messaging service to conduct cyberespionage on journalists, human rights activists and others | AFP

In 2008, Shalev Hulio and Omri Lavie, high school friends and graduates of Intelligence Unit 8200, Israel's crack cybersecurity and intelligence team or its equivalent of the NSA, founded a company that soon got attention from the who's who of the Western spy world. The company had developed a technology that allowed cellphone makers to gain remote access to their customers’ devices for maintenance, a purely commercial purpose.

Back then, Western spies and intelligence agencies around the globe were scrambling to find plausible ways to intercept the communication devices of terrorists. The advent of social media and messaging services had posed a fresh challenge in tracking terrorist organisations: “going dark”, a term coined by Western intelligence officers and spies. They warned that the technologies developed by companies such as Apple, Facebook and Google were inadvertently allowing criminals and terrorists to communicate through encrypted channels, indecipherable to intelligence and law enforcement agencies.

It was amid this that Hulio and Lavie incorporated their new company providing a commercial solution. But espionage agencies smelt an opportunity. It wasn't long before Hulio and Lavie came up with a solution to intercept targets' phones: “by hacking the end points of the communications—the phones themselves—after the data were decrypted”.

Thus NSO, the company at the centre of the WhatsApp snooping controversy, was born with blessings from intelligence agencies and espionage services across the world. By 2011, NSO developed its first prototype, Pegasus, named after the Greek mythological winged horse. A mobile surveillance tool, Pegasus could collect vast amounts of previously inaccessible data—including phone calls, texts, emails, contacts, location and any data transmitted over apps like Facebook, WhatsApp and Skype—from smartphones without leaving a trace.

Pegasus infects individuals’ phones by sending them text messages that tempt them to click an attached link. If the target clicks on the link, the company gains full control over the phone, including its contents and history, and the ability to activate its microphone and camera at will.

Almost a decade after its inception, NSO offers solutions that were once the territory of the likes of the UK's GCHQ and the US's NSA.

NSO found its first client in the Mexican government, which was battling the drug menace in the country. According to The New York Times, Mexican officials have credited Pegasus as being instrumental in helping track and capture El Chapo, the famed drug kingpin. However, the government-sponsored cyberespionage was not used only on drug kingpins. The Mexican authorities used Pegasus to spy on “two dozen journalists, government critics, international investigators looking into the unsolved disappearance of 43 students, even backers of a soda tax,” the NYT report stated.

Khashoggi's murder

Sure enough, NSO soon expanded its clientèle across the globe. The company counted “governments on every continent except Antarctica” in its client list. Last year, citing security researchers, tech portal ZDNet had reported that Pegasus malware was found to have been deployed against victims located in 45 countries.

However, the Herzliya-headquartered company shot to infamy after it was linked to the assassination of journalist Jamal Khashoggi. It was alleged that Saudi Arabia (read Crown Prince Mohammed bin Salman) used NSO tools to spy on Khashoggi and his closest contacts, before the Washington Post columnist was murdered inside the Saudi consulate in Istanbul. It is to be noted that without access to Khashoggi’s devices, researchers have not been able to confirm the allegations of NSO surveillance. NSO, for its part, was quick to deny the charges.

However, the denial comes as no surprise. Despite multiple allegations of surveillance sponsored by various governments around the globe, the NSO Group has maintained that the company is a cyber security firm assisting “licensed government intelligence and law enforcement agencies” to fight “terrorism and serious crime”. “NSO creates technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe. The world’s most dangerous offenders communicate using technology designed to shield their communications, while government intelligence and law-enforcement agencies struggle to collect evidence and intelligence on their activities. Our products help government intelligence and law-enforcement agencies use technology to meet the challenges of encryption to prevent and investigate terror and crime,” the company states on its website.

Despite denying its Saudi links, Israeli media reported in April that NSO had frozen its new deals with Riyadh “over concerns of misuse of its equipment”.

Market valuation

NSO was the pioneer in the so-called lawful intercept spyware market valued at $12-billion. The small-sized firm, which employs 600 people in Israel and around the world, has a current market valuation of $1 billion.

San Francisco-based private equity firm Francisco Partners purchased a majority 70 per cent stake in NSO for $130 million in 2013. Earlier this year, NSO’s co-founders raised enough money to buy back a majority stake in the company. The London private equity firm Novalpina Capital backed the deal—making its major investors, including the Oregon state employees’ pension fund and Alaska’s sovereign wealth fund, part owners of NSO, the NYT reported.

Interestingly, it would be, perhaps, the only company whose market value has skyrocketed despite a tremendous amount of bad press. Over the past year, NSO hit headlines as human rights activists, dissidents and journalists across the world levelled snooping charges against governments using Pegasus.

In June, Yana Peel, the head of London’s Serpentine Galleries, resigned following reports that she was a co-owner of NSO. Preceding this, the Financial Times had reported that the NSO Group had “told buyers its technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft, according to people familiar with its sales pitch.”

Recently, the Polish government came under pressure after its Anti-Corruption Bureau reportedly bought Pegasus. Earlier this month, Amnesty International claimed that two rights activists based in Morocco were targeted using Pegasus software.

However, the NSO Group maintains that once it provides its software to governments, the firm ceases to be involved in the direct use of the tool. And, amid the charges of surveillance, the group in September unveiled a “new human rights policy” to ensure that its software is not misused.

India connection

On Thursday, a report by The Indian Express, citing a WhatsApp spokesperson, revealed that about two dozen academics, lawyers, Dalit activists and journalists in India were apparently snooped on using Pegasus.

In May, researchers at the University of Toronto’s Citizen Lab, an internet watchdog, published a report putting NSO and Pegasus at the centre of the ongoing WhatsApp controversy. The researchers claimed that using a major WhatsApp vulnerability, the hackers could load spyware onto a phone through a video call, even if the person never answered the call.

WhatsApp accused the NSO Group of sending malware to roughly 1,400 mobile phones for the purposes of surveillance. Users affected included journalists, human rights activists, political dissidents, and diplomats.

While the NSO Group disputed the allegations, WhatsApp has said NSO Group "developed their malware in order to access messages and other communications after they were decrypted on target devices". "We believe this attack targeted at least 100 members of civil society, which is an unmistakable pattern of abuse," WhatsApp said in a statement.

The affected users had numbers from several countries, including Bahrain, the United Arab Emirates and Mexico, according to the lawsuit.