What the latest Pegasus spyware leaks tell us
Over the weekend, a consortium of international news outlets published their findings from an investigation into the use of Pegasus, the marquee spyware product of the secretive billion-dollar Israeli surveillance company NSO Group.
The reports from the Guardian, the Washington Post, and 15 other media organizations are based on a leak of tens of thousands of phone numbers that appear to have been targeted by Pegasus. While the devices associated with the numbers on the list were not necessarily infected with the spyware, the outlets were able to use the data to establish that journalists and activists in many countries were targeted—and in some cases successfully hacked.
The leaks indicate the scope of what cybersecurity reporters and experts have said for years: that while NSO Group claims its spyware is designed to target criminals and terrorists, its actual applications are much broader. (The company released a statement in response to the investigation, denying that its data was leaked and that any of the resulting reporting was true.)
My colleague Patrick Howell O’Neill has been reporting for some time on claims against NSO Group, which “has been linked to cases including the murder of Saudi journalist Jamal Khashoggi, the targeting of scientists and campaigners pushing for political reform in Mexico, and Spanish government surveillance of Catalan separatist politicians,” he wrote in August 2020. In the past, NSO has denied these accusations, but it has also more broadly argued that it can’t be held responsible if governments misuse the technology it sells them.
The company’s central argument, we wrote at the time, is one “that is common among weapons manufacturers.” Namely: “The company is the creator of a technology that governments use, but it doesn’t attack anyone itself, so it can’t be held responsible.”
Leaks are an important tool for understanding the way Pegasus is used, in part because it is so hard for researchers to spot the software when it is on devices. In March, one researcher at the cybersecurity watchdog Citizen Lab—which has focused on studying the software—explained how Apple’s high security measures had allowed NSO to breach iPhone security but blocked investigators.
“It’s a double-edged sword,” said Bill Marczak, a senior researcher at Citizen Lab. “You’re going to keep out a lot of the riffraff by making it harder to break iPhones. But the 1% of top hackers are going to find a way in, and once they’re inside, the impenetrable fortress of the iPhone protects them.”
It is not the first time NSO has found itself embroiled in controversy. Facebook is currently suing the company over allegations that Pegasus manipulated the infrastructure of WhatsApp to infect more than 1,400 cell phones. Facebook has said in court documents that its own investigation has identified more than 100 human rights defenders, journalists, and public figures targeted by Pegasus.
Last August, NSO Group CEO and cofounder Shalev Hulio told MIT Technology Review that he knew his company had “been accused, with good reason, of not being transparent enough,” and that his industry should be held more accountable for its secrecy, particularly as its methods become harder to detect by outside watchdogs and researchers.
As the Post notes, NSO Group does not provide details on its clients, citing confidentiality. Two weeks ago, the company released its first “Transparency and Accountability Report,” where it revealed that it has 60 clients in 40 countries. Most of the clients are intelligence agencies or law enforcement.