Government use of Israeli firm NSO Group's Pegasus spyware is rampant across Europe and ranges from dozens of hacks of Catalonian phones to infections at U.K. government offices, revealed an investigation by the New Yorker posted Monday.
The investigation publishes findings from Citizen Lab, a forensic analysis group that has long worked to uncover spyware abuses, and is otherwise based on conversations with employees of Pegasus maker NSO Group; with government officials in several countries, including in the EU; and with tech-industry sources. It offers a rare inside view of NSO’s workings and the cat-and-mouse game the developer plays with firms like Apple and Meta, the latter of which owns Facebook and WhatsApp.
The report says over 60 politicians, lawmakers, lawyers and political activists in Catalonia were targeted using the spyware, most likely by the Spanish government. A former NSO employee confirmed to the New Yorker that the company "has an account in Spain," echoing previous media reports on Spain's use of the spyware.
According to the exposé, among Citizen Lab's findings was that Pegasus was used to "infect a device connected to the network" of U.K. Prime Minister Boris Johnson's office in July 2020 and that "phones connected to the Foreign Office" were hacked with Pegasus at least five times from July 2020 through June 2021.
British authorities investigated the Downing Street hack, the report said, and it is unclear what data, if any, was actually stolen. Citizen Lab says the destination servers for the Foreign Office attacks suggest these were initiated by several states, including the United Arab Emirates, India and Cyprus.
The first confirmed case of a British national being infected with the spyware, in August 2020, was found by the Project Pegasus investigative consortium (led by the Paris-based NGO Forbidden Stories with the help of Amnesty International). That revelation was published in mid-2021, at which point media reports said NSO had blocked U.K. phone numbers from searches in early 2021. American phone numbers are also blocked, according to the company.
The New Yorker piece says at least 45 countries are NSO clients, and reports the CEO Shalev Hulio as saying that “almost all governments in Europe are using our tools.” A former senior Israeli intelligence official told the publication that “NSO has a monopoly in Europe.”
A former employee says NSO had long wanted to foster ties in Europe: “For a European country, they would charge ten million dollars. And for a country in the Middle East they could charge, like, two hundred and fifty million for the same product…. When they understood that they had misuse in those countries that they sold to for enormous amounts of money, then the decision to shut down the service for that specific country became much, much harder.”
A few months ago the New York Times reported that NSO had been in talks with the FBI and the CIA about selling them the technologies. While the FBI only bought a system for internal testing uses, said the paper, the CIA did follow through with a plan to buy the spyware for Djibouti. According to the New Yorker, the spyware was then used against the country’s prime minister and interior minister.
Last year, as reported by the Washington Post, Apple discovered that U.S. State Department officials in Uganda were targeted by the spyware. The Biden administration subsequently turned on the company, adding NSO to the Department of Commerce’s so-called blacklist – alongside Candiru, another Israeli offensive cyber firm, whose tech was also used to hack Catalonian officials.
Officials who spoke with the New Yorker say that despite NSO’s desire to remove itself from the blacklist and some attempts by Israeli officials to lobby their case, the administration now plans to take more “aggressive” action against such firms. They are now even considering banning the sale of foreign spyware that could pose “counterintelligence or security risks for the U.S. government or has been improperly used abroad,” according to a White House spokesperson.
Rickrolling and zero-clicks
The report also provides great detail on the inner workings of NSO and its technical teams. The service NSO provides – hacking into encrypted devices – is based on so-called “exploits,” or security loopholes in phones’ defenses. Often these exploits are fixed by firms like Apple after they are discovered, resulting in a cat-and-mouse dynamic between NSO’s hackers and the cybersecurity teams at Apple or Meta.
The report reveals how WhatsApp engineers first discovered Pegasus exploiting their system. WhatsApp engineers say the NSO-originated code was “brilliant… It feels like magic. These people are very smart. I don’t agree with what they do, but man, that is a very complicated thing they built.” The WhatsApp exploit, the report says, “triggered two video calls in close succession, one joining the other, with the malicious code hidden in their settings. The process took only a few seconds, and deleted any notifications afterward.”
Mark Zuckerberg, they said, was horrified
The engineers attempted to fix the flaw – which allowed them to actually see the data being transferred from WhatsApp users to different servers – in a way that would not alert NSO. The report then reveals how NSO, likely aware it may have been caught, tried to probe WhatsApp by sending “decoy data packages.”
“In one of the malicious packets, they actually sent a YouTube link,” an engineer from WhatsApp told the New Yorker. “We were all laughing like crazy when we saw what it was” – a link to the music video “Never Gonna Give You Up” by Rick Astley, a known internet prank called “Rickrolling.”
The report also reveals how Apple first discovered Pegasus’ so-called zero-click exploit: while most hacks of mobile devices require the target to click on a link that causes them to download some form of the spyware, Pegasus can infect a phone without the target doing anything at all.
“Apple’s investigation took a week and involved several dozen engineers based in the U.S. and Europe,” according to the piece. “The company concluded that NSO had injected malicious code into files in Adobe’s PDF format. It then tricked a system in iMessage into accepting and processing the PDFs outside BlastDoor.” The hack was “borderline science fiction,” a person familiar with Apple’s threat-intelligence efforts told the New Yorker.
‘Lies’ and Black Cube
The report also includes rare inside information from within NSO. For example, one former employee says that NSO has a “very large department… which is in charge of whitewashing, I would say, all connection, all network connection between the client back to NSO.”
Per the source, “they are purchasing servers, VPN servers across the world. They have this whole infrastructure set up so none of the communication can be traced.”
A VP of product at NSO, identified only as “Omer,” spoke to the New Yorker at length about NSO’s operations: “You find the nooks and crannies enabling you to do something that the product designer didn’t intend.… You’re looking for a silver bullet, a simple exploit that can cover as many mobile devices around the world.”
“Every day, things are being patched,” NSO’s Hulio told the New Yorker – in other words, the company works daily to ensure that it still has access to mobile devices and can still thwart their defenses. “This is the routine work here.”
The report also revealed that NSO appears to have lied in claiming that it does not have access to client data: “That’s a lie,” an NSO engineer told the New Yorker. Other engineers said “there is some real-time monitoring of systems to prevent unauthorized tampering with or theft of their technology.”
Another former employee said that with the customer’s permission, “There is remote access… They can see everything that goes on. They have access to the database, they have access to all of the data.”
Perhaps the most concerning aspect of the report lies in the details of NSO’s ties with Black Cube, the Israeli intelligence firm hired by Harvey Weinstein to shame his accusers and which has since been implicated in a number of scandals.
Lawyers involved with the WhatsApp suit against NSO were allegedly contacted by fake personas working for Black Cube, the New Yorker reported.
In 2019, the Associated Press reported that Black Cube agents targeted lawyers linked to another lawsuit against the firm filed by victims of the spyware in Cyprus.
Hulio confirmed that NSO did hire Black Cube: “For the lawsuit in Cyprus, there was one involvement of Black Cube” because the lawsuit “came from nowhere, and I want to understand.”
But he said NSO had not hired Black Cube for other lawsuits. Black Cube did not respond to the New Yorker’s request for comment, though “a source familiar with the company denied that it had targeted” the lawyers representing WhatsApp.
An NSO Group spokesperson told Haaretz in response that, “The information raised regarding these allegations is, yet again, false and could not be related to NSO products for technological and contractual reasons.
“NSO continues to be targeted by a number of politically motivated advocacy organizations, like Citizen Lab and Amnesty, to produce inaccurate and unsubstantiated reports based on vague and incomplete information. We have repeatedly cooperated with governmental investigations, where credible allegations merit.”