Did NSO Go Rogue and Use Pegasus Spyware for Private Ops?

Haaretz reported that NSO hacked phones 'unofficially' with Pegasus for Israel's Mossad. Could it do the same for its own purposes? The company says no, but experts warn it is possible

Send in e-mailSend in e-mail
Send in e-mailSend in e-mail
The NSO Group is now facing allegations that it offered a bag of cash to gain access to a crucial U.S. mobile network.
The NSO Group is now facing allegations that it offered a bag of cash to gain access to a crucial U.S. mobile network.Credit: Artwork: Anastasia Shub. Photos: Sebastian Scheiner, AP / Andrei Minsk / Shutterstock
Omer Benjakob
Omer Benjakob

The NSO Group’s Pegasus spyware is now synonymous with state surveillance. Supposedly intended for use against serious criminals and terrorists, most of the cases that are publicly known cast the spyware in a very different light, with law enforcement and intelligence agencies using it to snoop on journalists, human rights activists, lawyers and even political opponents.

Many reports and dire warnings have been issued by rights groups about the inherent risk the military-grade spyware poses when it falls into the hands of illiberal regimes or police forces with little regard for surveillance court orders (as is reportedly the case in Israel).

However, little has been written about another possible form of misuse: Can the spyware be used by the firm itself? 

If Pegasus is so dangerous in the hands of client operators – governmental agencies that seemingly face at least some form of oversight and public criticism for their actions – what prevents misuse of the spyware by its Israeli creators?

On Sunday, Haaretz revealed that the Mossad also made what appeared to be off-the-book usage of the NSO spyware for reasons as yet unknown. According to Chaim Levinson, during the 2016-2021 tenure of Yossi Cohen, Mossad officials would visit NSO and ask it to hack specific phones with the program, even though it is assumed the intel organization has similar capabilities. 

The report seems to fly in the face of claims that have been made by NSO. When asked whether its leadership, workers with access to the system or even rogue elements within the firm could use the spyware off-the-books, an NSO representative said such a scenario was impossible.

The spokesperson explained that legal, organizational and technical obstacles exist to prevent such misuse, which, they noted, would also pose a branding and financial risk to the firm. 

Sources with knowledge of the Pegasus system explain that no single worker within NSO has full access to a fully working system. Everything from the demos performed for potential clients to Pegasus’ installation at client sites, plus the training NSO provides, are all fully compartmentalized, so no one person ever has full access to a working system, or even a full understanding of it. 

Demo systems are limited in capabilities and are under strict oversight, for instance.

Though the NSO representative refused to reveal what other technical restrictions exist to prevent in-house misuse of a working system, they stressed that if an NSO employee or executive tried to spy on, say, their ex-partner, it would raise numerous red flags across the organization and would be noticed immediately. 

The data collected would need to be stored somewhere, they said, which would raise an alarm.

NSO has long argued it has no access to its clients’ data and cannot see what use is made of Pegasus by the end user. It claims there is no single server containing all of the search data or information scraped from infected phones. 

If this is true, the rogue use of Pegasus would require either NSO to have its own system running internally, or for someone to piggyback a client’s system. 

One source explained that the latter scenario is unlikely, as the sale of Pegasus’ license to a specific client limits the number of targets it can infect and is geographically constrained to work only in certain parts of the world. 

In other words, an Israeli worker trying to use a Pegasus system installed in Poland or India would face a problem: either the client would notice someone using their “bank” of potential infections, or the device they are trying to target would not be possible due to what is termed “geofencing.” 

NSO has long claimed its system cannot infect Israeli or U.S. numbers. However, The New York Times has since reported that the FBI was provided with a version of the spyware called Phantom, which can target American devices. In addition, the Israeli police seemingly purchased a version of Pegasus that can target local phones. 

Former Israel Police chief Roni Alsheich. Credit: Emil Salman

The first scenario – that NSO has its own system running internally – cannot theoretically be ruled out: Nothing prevents the firm from maintaining a secret in-house system with its own server and a small, dedicated team. 

In fact, Sunday’s report about the Mossad and NSO revealed that the firm does have the ability to conduct hacks on behalf of the Israeli intelligence agency, though it is highly likely this system is under strict regulation.

Serious deterrent

When asked what prevents an executives from spying on, say, a competitor by using an in-house server, the NSO representative stressed that even if such a system existed, the legal risks posed by such a scenario would serve as a serious deterrent. 

They added that the question is tantamount to asking what prevents workers in a munitions factory from stealing guns and using them illegally, or what stops a police officer from abusing their power. 

The difference, perhaps, is that spyware like Pegasus can cover its tracks and its victims may never know they were targeted, thus increasing the potential risk. 

Others with knowledge of the field claim it would be expensive and even financially reckless for NSO to try to use its spyware tool for internal needs, as each infection risks exposing the loophole Pegasus uses. This could potentially expose the firm’s business, for no clear benefit.   

Cyberdefense experts, whose business is to safeguard against attacks facilitated by firms like NSO, were slightly more skeptical. They noted that there is no real way to prevent the firm misusing its own system.

“There’s this gap: On the one hand, [NSO] says it has no access to the system it sells and that its clients bear sole responsibility for its usage. On the other hand, it built the system. It owns the system and it knows how to operate it or support its operation,” explained Guy Barnhart-Magen, co-founder of the cybersecurity firm Profero.

Zuk Avraham is the founder and CEO of ZecOps, a cybersecurity firm whose platform inspects phones for current infections or traces of historic attacks. He stressed that there is no “technical restriction that prevents a worker with access to [NSO’s] codes from using it for an attack; only legal and ethical restrictions exist.”

Barnhart-Magen agreed, saying there is no technical way to prevent such a scenario, only a legal one. However, he added that “the fear of a worker hacking someone without authorization, and it being discovered and made public, serves somewhat as a deterrent.”

Avraham also warned of clients or even former workers making use of the spyware by creating their own version of it. 

“Anyone who has been targeted, even as part of a demo to a client, can reverse engineer their code and then have a similar technology at their disposal,” Avraham said. “That requires a bit of knowledge, but much less knowledge than is required to build the original system.”

Indeed, in 2018, a former NSO employee was found guilty of stealing a version of the spyware and offering it for sale online for $50 million. 

Barnhart-Magen said it is important to remember that technologies like Pegasus only offer a new version of an old dilemma.

“The police also have access to many classified systems. We want to hope there is oversight and some form of internal safeguards to make sure these systems cannot be abused," he said. “But this is a concern we can have with any system that can be exploited or abused by those with power and the access to it.”

Click the alert icon to follow topics: