What does the NSO hacking scandal mean for Israel's cyber diplomacy?

SECURITY AFFAIRS: The 50,000-cellphones list itself never made any sense, considering that each client is usually limited to a dozen or a few dozen targets and NSO has just 60 clients.

 A PROTESTER HOLDS a banner during a protest attended by about a dozen people outside the offices of the Israeli cyber firm NSO Group in Herzliya, last week.  (photo credit: NIR ELIAS / REUTERS)

NSO Group is used to hunting terrorists, drug rings and pornography offenders, but now it is being hunted and is, at least for the moment, on the run.

In mid-July, the Pegasus Project, a group of 17 media organizations – having been provided with information from a mix of Amnesty International, the Citizen Lab of University of Toronto and Forbidden Stories – broke the most damaging information yet to come to light regarding the Israeli cellphone hacker known as NSO.

What did this giant information dump mean, who dumped it, how did it throw NSO so off balance and what is next in the half-decade-long battle between the hacker group and human rights groups?

FIRST, WHAT was leaked?

According to reports, NSO’s Pegasus hacking malware was found on 37 cellphones out of 65 numbers that were checked on a list of more than 50,000 cellphones that were targets.

In addition, the media consortium involved in publishing the bombshell identified the owners of more than 1,000 numbers from the 50,000-number list.

It discovered that among these 1,000 numbers were at least 65 business executives, 85 human rights activists, 189 journalists, several Arab royal family members and more than 600 politicians and government officials – including cabinet ministers, diplomats and security officers.

Top officials whose cellphones appear on the list included French President Emmanuel Macron, Iraqi President Barham Salih, South African President Cyril Ramaphosa and leaders from Pakistan, Egypt and Morocco.

Countries accused of abusing NSO technologies by reports included Hungary, India, Mexico, Saudi Arabia, the UAE, Bahrain and Morocco.


All of this sounds horrible, and like NSO is the Antichrist or at least the cyber anti-democracy scourge of the world.

In addition to how it sounds, NSO itself admits it has cut off at least five governmental clients who abused its technology to go after exactly the kinds of people on the above list – even if it is not those same people.

An NSO source reportedly leaked to NPR that as a result of the current crisis, the company specifically ended its contracts with the Saudis and the UAE.

One representative for NSO would not discuss specific countries, but also did not deny the NPR report (another source questioned the report) and The Jerusalem Post has reported in the past about some of these NSO clients.

And yet, when one sifts through all of these frightening revelations, there is almost nothing concrete to grab on to. Whatever there is does not really show anything new. At most it gives more color to the fact that some of NSO’s clients have abused Pegasus.

Some outlets directly involved with breaking the NSO story have admitted that they do not know who provided the 50,000-number list and cannot vouch for its credibility, aside from the 37 cellphones where malware was found. As questions grew about the list, Amnesty gave two messages: not all of the numbers are from NSO, and the numbers are from NSO clients, showing the character of who NSO clients might go after.

The 50,000-cellphones list itself never made any sense to anyone who follows NSO closely, considering that each client is usually limited to a dozen or a few dozen targets and NSO has only around 60 clients.

So maybe it has targeted between 600 and 1,800 cellphones – a 2019 lawsuit by Facebook against the group claims it has targeted at least 1,400 – but 50,000 never sounded right.

None of this proves that NSO is innocent. But it is critical to differentiate between the real, more nuanced allegations and the “pile everything on” allegations.

This is especially true when The New York Times, Reuters and others have done exposés in recent years about ex-NSA personnel and other US private sector hacker companies carrying out a lot of the same activities that NSO is now accused of.

It should also be recalled that the NSA itself was listening to the telephone calls of many European allies and other heads of state until Edward Snowden blew their cover in 2013, and some of those who had been involved clearly took technologies into the private sector.

In any event, the Post contacted Forbidden Stories, The Guardian and The Washington Post to get more information.

Neither Forbidden Stories nor The Guardian responded despite multiple attempts to solicit a response.

For The Washington Post, Vice President for Communications Shani George responded to questions about the number of those hacked by NSO by directing The Jerusalem Post to a July 24 follow-up story by The Washington Post and a specific excerpt.

In that story, the specific excerpt said, “In response to the Pegasus Project, NSO said the list of more than 50,000 phone numbers was not related to NSO or Pegasus and that the number was ‘exaggerated’ in terms of NSO’s clients. A source familiar with company operations said an NSO client typically targets 112 phones a year. NSO has said it has 60 clients in 40 countries.”

Based on this excerpt, The Washington Post seems to accept that most of the 50,000 numbers on the list do not necessarily relate to NSO or its clients, even if aspects of the list and information leaked might further expose wrongdoing by NSO’s clients.

NEXT, WHO dumped the list?

NSO itself has made numerous statements in interviews with Israel Hayom and The Times of India, and has made certain implications in off-the-record conversations with The Jerusalem Post.

From all of the above, the list of who may have leaked to Amnesty International, Citizen Lab and the media consortium the cellphone numbers, malware issues and other NSO information includes: Qatar, BDS activists and competing technology companies.

Some have also cited the absence of Iranian cellphone numbers on the list as a hint that the Islamic Republic could have been involved, but NSO itself has not gone after this theory.

The bottom line is that very few companies or even countries would have the ability to hack some of the information leaked from NSO, to out Macron’s and other national leaders’ phone numbers (even if unrelated to NSO) and to mix in other serious-looking information, possibly from other cyber companies, to help grab headlines.

WhatsApp-Facebook and some NSO competitors could be on a short list of parties with the ability and motivation to hack and leak NSO information (though other sources indicate that Qatar and BDS supporters have far more to gain from the current focus on NSO).

WhatsApp is engaged in an ongoing costly lawsuit against NSO. This lawsuit has already made it to a federal appeals court and will likely drag on for three to 10 years before getting anywhere.

Going back to the Washington Post story from July 24 (itself partially based on a story in The Guardian), it focuses mostly on an open attack by WhatsApp CEO Will Cathcart that the Pegasus Project reporting “matches what we saw in the attack we defeated two years ago,” including the types of targets “who had no business being spied on in any shape or form.”

Cathcart said the denials by Shalev Hulio “don’t all match the facts” that he said WhatsApp uncovered while investigating alleged hacking of its app in recent years by NSO’s Pegasus software.

The WhatsApp CEO was ready to dissect every argument NSO put up in defense.

For example, regarding the concept that NSO could not have so many victims, “What we saw was 1,400 victims in that brief period” of two weeks, Cathcart said in The Washington Post report. “What that tells us is that in a longer period of time, over a multiyear period of time, the numbers of people being attacked is very high.”

Recalling the 1,400-number lawsuit also makes a critical point: WhatsApp may have more data about NSO, how its malware operates and how to counter-hack NSO than anyone else on the planet, given that it has had years to conduct forensics on its 1,400 penetrated devices.

Cathcart also latched on to an inconsistency about which The Jerusalem Post has asked NSO and never gotten a complete answer: What does it mean that NSO offers its customers technical assistance? Is it really possible that when it provides technical assistance amid a hacking operation, it never learns anything about who the targets are? NSO’s argument that it is completely (as opposed to partially) ignorant of its clients’ targets would appear to some as a stretch of the imagination.

The Northern District of California Court handling the Facebook lawsuit also seemed to think NSO has some control of what its clients do. This was based on NSO’s own explanation of how its technology works: clients need only enter a cellphone number and then NSO’s technology does everything else automatically.

Next, WhatsApp’s Cathcart made the point that just because five years ago NSO could not gain greater control in real time over preventing abuses by its clients (to date it seems cutting off contracts happens when outsiders complain), or its clients could not abuse NSO technology and get control over it more than NSO thinks, does not mean this cannot change.

In other words, there is no reason NSO or its clients could not have gotten better at this by 2021.

“Well, software can be changed very easily,” Cathcart told The Guardian. “So how are they sure it is not being changed? Or are they actually operating it themselves?”

Cathcart also asked how NSO could be certain that Pegasus cannot target +1 numbers, those with the country code for the United States.

“Is the reason why they are so confident US numbers are not being targeted, is they are operating it themselves and they have the list [of targets]?” Cathcart said. “And if that’s the case, why aren’t they accountable for cases of abuse that are happening?”

Americans “travel overseas, they have overseas numbers, ambassadors, people all around the world. Is really the only protection the country code on your phone number? That’s a little nuts,” he said. “It’s like saying you’re going to make a missile that you’re sure is going to blow up in only certain parts of the world. It’s not how missiles work.”

NSO has said targeting Americans is “technologically impossible.” An analogy might be made to the impossibility of changing a certain kind of clock to reflect a 25-hour day.

There is less NSO can say about blocking targeting Americans with foreign cellphones, but it could argue that no one has come forward with such claims.

Next, the Washington Post article points out that many of the largest Internet firms have joined the WhatsApp suit in an amicus brief on behalf of the company.

Cathcart even provided a final statement to try to rally the world against NSO and crystallize any anger against it from this moment.

“I’m hoping we don’t forget this moment.... I’m hoping the conversation will change. I think it depends on governments recognizing the national security threat,” he said.

There is no evidence that WhatsApp was behind the hack and maybe it did start with Qatar or members of the BDS movement. 

In addition, NSO was not hit merely by WhatsApp, but by a sustained alliance of tech giants, including Microsoft and possibly others.

Microsoft, along with Google, hit the Israeli offensive cyber firm Candiru the week before the NSO story broke with accusations about it selling capabilities for hacking Microsoft Windows.

Was this really just a coincidence?

WhatsApp declined to comment for this story, but did forward multiple links to tweets and op-eds written by Cathcart slamming NSO.

THE ONLY good news for NSO, after it has been blasted globally and has come under heavy scrutiny from the Defense Ministry and likely been forced to end some contracts, is that it seems the defense establishment is not ready to end its business yet.

Around three weeks after the scandal broke, the Knesset Foreign Affairs Committee has made do with a generic statement about probing the issue.

However, The Jerusalem Post understands that the Knesset is sitting back on this one and trusting the defense establishment to handle it at its own pace. This means no embarrassing public hearings going for the political kill anytime soon.

Defense Minister Benny Gantz already went to France to plead NSO’s case and vouch for it that it was not involved in any conspiracy against Macron.

Although the ministry visited NSO’s offices to probe, along with the Mossad, IDF intelligence and others, all signals are that this, and cutting a few contracts, are to show the issue was taken seriously, not to end NSO.

This should not come as a surprise after The Jerusalem Post reported in July 2020 that almost two dozen Defense Ministry officials showed up at a hearing to convince the Tel Aviv District Court not to interfere with NSO’s export license, in spite of all of its drawbacks (the court ruled for NSO).

NSO has also taken a big strategic hit economically. There is chaos among the three lead investors in NSO’s main investor, Novalpina, which has led to outside investors taking control of the fund and seeking an immediate sale.

All of this could end or slow NSO’s plans to grow to all-new highs by going public. And this after it put two years of work into a mid-July transparency report which was supposed to pave the road to that goal.

This all comes after NSO had just switched to Novalpina in 2019 after having a similar crisis with its original global investor since 2014, Francisco Partners.

Reportedly, NSO has new investors who want to replace Novalpina.

So it will survive. But none of this was free, and NSO clearly was not ready for the diplomatic and economic wounds it received.

The big question about the future of NSO is whether Israel will continue to use it as a foreign policy tool for attracting nondemocratic countries to normalize and partner with the Jewish state; or whether, with normalization with four countries in the bag from 2020 and a new human-rights-focused US administration, Jerusalem will direct NSO to stick to more democratic and above-board clients.

Put differently, The Jerusalem Post knows that NSO was one piece, among several pieces, that helped lead to normalization with the Gulf countries by 2020 in the Netanyahu-Trump era.

But whether that was the right or wrong move then, post-normalization in 2021 in the Bennett-Biden era, Israel may decide it is definitely not the right trajectory for the future. The Jerusalem Post has gotten mixed signals from different sources, such that the answer may be the government still is not sure what its final move is.

Haaretz reported that Daniel Reisner, a top lawyer at Herzog, Fox & Neeman, but even more importantly the former chief of the IDF’s international law department and a longtime defense establishment insider, recently hosted a meeting for NSO, Candiru and several other Israeli cyber firms.

The Jerusalem Post has learned that there was no such meeting. But even discussion about such a meeting shows that the focus is on the strategy for Israel’s cyber industry going forward, as opposed to shutting it down.

Whether the new rules are a radical reorientation away from certain nondemocratic regimes or merely a pause and warning to be more careful until the storm dies down will heavily impact not only NSO but Israel’s cyber, public diplomacy and diplomatic futures.