The powerful software is being used to illegally hack the mobile phones of human rights defenders.
The mobile phones of six Palestinian human rights defenders operating in the Israeli-occupied West Bank were hacked using the NSO Groups all-pervasive Pegasus spyware, revealed Amnesty International and internet watchdog Citizens Lab in a report released earlier this week.
The investigation was sparked when Palestinian human rights organisation Al Haq contacted Front Line Defenders on 19 October about a potentially hacked device belonging to a Jerusalem-based staff member.
And of 75 iPhones subsequently inspected, six of these devices had been hacked by Pegasus spyware.
The phones that were scrutinised by Front Line Defenders all belonged to the staff of six civil society organisations, including Al Haq, that had been designated as terrorist entities by the Israeli state on 16 October. And the six devices detected had all been hacked prior to any terrorist labelling.
FLD posits that not only does the designation criminalise these organisations, but it serves to cut off their legitimate funding sources. And while the Palestinian groups involved have stopped short of blaming the Israeli government for the hacking, they’re calling on the UN to inquiry into the matter.
These latest revelations around Pegasus spyware – which the NSO Group claims is only used to investigate terrorism and crime – reveal that despite laws preventing the wholesale spying on domestic nonsuspects in law, governments are finding their way around such restrictions.
Once a smartphone has been infected with Pegasus spyware, the attacker has complete access to anything on it. They can listen in to phone calls, look through and copy photos or messages, and access passwords, as well as location data.
The hacking software, which can be used on iPhones or Android devices, permits those guiding it to activate a phone’s camera or microphone, so it can also monitor anyone else in the company of the phone’s owner.
Indeed, Pegasus turns a phone into a 24 hour surveillance device.
Founded in 2010, Israeli technology company NSO Group is primarily known for developing the Pegasus software, which it sells to foreign governments under Israeli Defence Ministry granted licences. And while it claims the program is for fighting terrorism and crime, it can’t guarantee this.
Earlier versions of Pegasus detected back in 2016 used spear-phishing techniques to infect a phone, which involve a person clicking on a fake link. But, these days, the program uses zero-click surveillance, which means a device can be infected without any interaction from its user.
The Pegasus Project released multiple reports in July outlining that governments are using Pegasus on human rights defenders, lawyers and journalists. Aided by Amnesty and Forbidden Stories, the consortium consists of 80 journalists from 17 media organisations in 10 countries.
The investigation was sparked by a list leaked to Forbidden Stories, which included 50,000 phone numbers belonging to people believed to have been targeted as persons of interest by clients of NSO. Although the presence of a number on the list does not indicate that a phone was infected.
Consortium member the Guardian details that the investigation found at least ten governments believed to be NSO customers, including India, Saudi Arabia, Hungary, and Mexico. And the target list also included politicians, religious leaders, business executives and NGO staff.
The Pegasus Project found there was evidence that Hungary’s Orbán government utilised Pegasus in its campaign against the media, which targeted investigative journalists, while Saudi Arabia used the program to monitor the associates of murdered Washington Post journalist Jamal Khashoggi.
And Forbidden Stories found that at least 180 journalists around the globe had been selected to be surveilled with Pegasus.
No sovereign immunity
On Tuesday, a US appeals court ruled that Facebook is able to proceed with a case against the NSO Group, over its use of a zero-day vulnerability in its WhatsApp system to hack into the devices of 1,400 users. The infiltration of the phones occurred in early 2019.
The appeal saw NSO’s claim that it has been acting as a foreign government agent in relation to the matter rejected. If the privately-owned company had succeeded it would have been awarded community-based immunity, which protects foreign agents when acting in an official capacity.
US Judge Danielle Forrest found that regardless of who the NSO Group’s government clients are, this doesn’t grant the Israeli firm the “agency or instrumentality of a foreign state”. And this upheld the original judge’s finding in the legal action that was first launched by Facebook in October 2019.
WhatsApp maintains that earlier that year, NSO exploited a glitch in its video calling system, which allowed it to target around 100 civil society organisations in a hacking spree across 20 countries, which included Mexico, the United Arab Emirates and Bahrain.
The US Department of Commerce placed the NSO Group and another Israeli hacking-for-hire firm, Candiru, on a trading blacklist last week. The ban prevents US hardware and software companies from exporting goods to these entities, which could see them forced to shut down.
The commerce department stated the decision was based on the evidence that Pegasus has enabled authoritarian governments to conduct transnational repression, which involves targeting dissidents, journalists and activists outside of sovereign borders in order to silence dissent.
NSO was found to be renting out server space from companies, like Amazon Web Services, to facilitate its hacking, although these initiatives have been brought to a halt since the Amnesty report revealed it was happening in July.
The Israeli government is currently lobbying Washington to revoke the decisions to blacklist NSO Group, despite the mounting evidence of the human rights abuses that Pegasus has enabled across the globe.
However, this week’s revelations around the spyware being used to target Palestinian human rights activists in the occupied territories will serve to stymie Israel’s argument that the software is somehow a crucial part of its foreign policy.
This is especially so as the New York Times has revealed that Israel’s official policy prohibits foreign governments from using Pegasus to hack into Israeli phone numbers, but this also means that Israeli government agencies do have the authority to use the spyware to surveil domestic devices.