Representatives of the European Parliament Committee of Inquiry on Pegasus spyware recently visited Israel and learned from NSO personnel that the company has active contracts with 12 of the 27 European Union members. The replies of the Israeli cyber warfare company to the committee’s questions, which were obtained by Haaretz, reveal that the company is now working with 22 security and enforcement organizations in the EU.
Committee representatives visited Israel in recent weeks to learn in-depth about the local cyber warfare industry, and held discussions with NSO employees, representatives of the Defense Ministry and local experts. Committee members included a Catalan legislator whose cell phone was hacked by an NSO customer.
The committee was established after the publication of Project Pegasus last year, and its objective is to create pan-European regulations for the acquisition, import and use of cyber warfare software such as Pegasus. But while committee members were in Israel, and particularly since their return to Brussels, it was revealed that Europe also has a well-developed cyber warfare industry – and many of its customers are European countries.
The Israeli company's Pegasus spyware and competing products make it possible to infect the cell phone of the surveillance target, and afterwards enable the operator to eavesdrop on conversations, to read messages in encrypted messaging apps, and to gain total access to contacts and files on the device, as well as to eavesdrop in real time on what is taking place around the cell phone by operating the camera and the microphone.
During their visit to Israel the European legislators wanted to know the identity of NSO customers in Europe at present and were surprised to discover that most of the EU countries had contracts with the company: 14 countries have done business with NSO in the past and at least 12 are still using Pegasus for lawful interception of mobile calls, according to NSO's response to the committee’s questions.
In response to the legislators’ questions, the company explained that at present NSO works with 22 “end users” – security and intelligence organizations and law enforcement authorities – in 12 European countries. In some of the countries there is more than one client. (The contract is not with the country, but with the operating organization). In the past, as NSO wrote to the committee, the company worked with two additional countries – but the ties with them were severed. NSO did not disclose which countries are active customers and with which two countries the contract was frozen. Sources in the cyber field figure these countries are Poland and Hungary, which last year were removed from the list of countries to which Israel permits the sale of offensive cyber.
Some of the committee members believed Spain may have been frozen after the exposure of the surveillance of leaders of the Catalan separatists, but sources in the field explained that Spain, which is considered a law-abiding country, is still on the list of the Israeli Defense Ministry’s approved countries. The sources added that after the affair exploded, Israel, NSO and another Israeli firm working in Spain demanded explanations from Madrid – and were promised that the use of the Israeli devices was done legally. The sources claim that the contract between the Israeli companies and the Spanish government was not discontinued. Meanwhile, in Spain it was revealed that the hacking operations – as problematic as they are in political terms – were carried out legally.
The exposure of the scale of NSO activity in Europe sheds light on the less dark side of the offensive cyber industry: Western countries that operate according to law and judicial oversight of eavesdropping on civilians, as opposed to dictatorships which use these services secretly against dissidents. NSO, other Israeli companies and new European providers are competing for a market of legitimate customers – work which doesn’t usually involve negative publicity.
This field, which is called lawful interception, has in recent years aroused the anger of technology companies such as Apple (manufacturer of the iPhone) and Meta (Facebook is the owner of WhatsApp, via which the spyware was installed). The two sued NSO for hacking phones via their platforms and are leading the battle against the industry. The field is also causing great unease in Europe, which has led comprehensive legislation on the issue of internet privacy, but that doesn’t mean that there is no interest in these technologies or use of them on the continent.
Only last week it was revealed that Greece operated software similar to Pegasus, called Predator, against an investigative journalist and against the head of the socialist party. The prime minister claimed that the eavesdropping was legal and based on an injunction. Predator is manufactured by the cyber company Cytrox, which is registered in North Macedonia and operates from Greece. Cytrox belongs to the Intellexa Group, owned by Tal Dilian, a former senior member of the Israeli intelligence service. Intellexa was formerly located in Cyprus, but after a series of embarrassing incidents it transferred its activity to Greece. While the export of NSO’s Pegasus is overseen by Israel’s Defense Ministry, the activity of Intellexa and Cytrox is not under supervision.
In the Netherlands, too, there was recently a public discussion after it was revealed that the secret service used Pegasus to catch Ridouan Taghi, a drug lord arrested in Dubai and accused of 10 shocking murders. Although the use was legal and activated against a criminal element, in Holland they wanted to know why the secret service was involved in an internal Dutch police investigation, and after the report there were demands for a self-examination regarding the manner in which the spyware was used in Holland.
Along with the Israeli companies that are active on the continent, it turns out there are quite a number of spyware manufacturers in Europe. Last week Microsoft revealed new spyware called Subzero, which is manufactured by an Austrian company located in Liechtenstein, called DSIRF. The spyware exploits a sophisticated zero-day vulnerability to hack computers. As opposed to NSO, which waited several years to admit that it works with customers in Europe, the Austrians fought back, and two days after the Microsoft exposé they reacted harshly and explained that their spyware “was developed solely for official use in EU countries, and the software was never misused.”
In Europe there are more veteran spyware companies: A few weeks ago Google security investigators revealed new spyware named Hermit, manufactured by an Italian company called RCS Labs, a successor to Hacking Team, an old and familiar competitor, whose internal correspondence was exposed in a huge leak to WikiLeaks in 2015. Hermit also exploited a previously unknown security weakness to enable the hacking of iPhones and Android devices, and was found on devices in Kazakhstan, Syria and Italy.
In this case as well there is an indication that the customers of RCS Labs, which is located in Milan with branches in France and Spain, include official European enforcement organizations. On its website it proudly reports over “10,000 successful and legal hackings in Europe.”
Additional spyware for cell phones and computers was revealed in the past under the names FinFisher and FinSpy. In 2012 The New York Times reported how the Egyptian government used the device, which was originally designed for fighting crime, against political activists. In 2014 the spyware was found on the device of an American of Ethiopian origin, which aroused suspicion that the authorities in Addis Ababa are customers of the British-German manufacturer, a company called Lench IT Solutions.
European lawmaker Sophie in ‘t Veld, who is a member of the Pegasus inquiry committee, told Haaretz: “If just one company has 14 member states for customers, you can imagine how big the sector is overall. There seems to be a huge market for commercial spyware, and EU governments are very eager buyers. But they are very quiet about it, keeping it from the public eye.”
Companies like NSO are in a dilemma: Revealing the identity of the customer governments that make legal use of its tools will help to deal with the public criticism from organizations such as Citizen Lab, the media and the legislators, but will endanger future agreements – in light of the breach of trust and the secrecy contracts with its customers.
“We know spyware is being developed in several EU countries. Not least Italy, Germany and France,” in ‘t Veld said. “Even if they use it for legitimate purposes, they have no appetite for more transparency, oversight and safeguards. Secret services have got their own universe, where normal laws don’t apply. To an extent, that has always been the case, but in the digital era they have become all-powerful, and practically invisible and totally elusive.”
NSO has not responded to Haaretz's request for comment.