The biggest spy scandal of the year has been all but ignored in conservative media. Apart from a freelance story in the Washington Examiner, a conservative reader will be entirely in the dark about the scandal embroiling Israeli cybersecurity firm NSO Group.
At the heart of it is a winged horse, Pegasus, the name for the program that can crack iPhones, which apparently has been used to target journalists, activists, and politicians in more than a dozen countries, with significant implications for the free political process. Everyone who’s seen House of Cards knows how a little well-placed blackmail can move the world, but what if that blackmail could be obtained without even being in the same room as the target, or without the target having even clicked on a malware link?
The company, while based in Israel, licensed its software to dozens of countries, including India, Hungary, Saudi Arabia, the United Arab Emirates, Morocco, and Bahrain. NSO maintains its software is used only to track terrorists and criminals, and its misuse is due to rogue clients. But this is an explanation many find hard to believe.
In India, the NSO Group scandal has reached a fever pitch, and the high court is weighing an official inquiry. Pegasus software has been found on the phones of opposition party figures as well as on the phone of the former president of the Indian National Congress, Rahul Gandhi. This would be like finding out that Peter Thiel — or Richard Branson — hacked Nancy Pelosi’s phone for Trump while he was in the White House. Absolutely explosive.
“If there is a serious abuse of human rights, a targeting of a journalist … just for him per se being a journalist, we would just shut down the system,” NSO’s general counsel told NPR in August. According to French intelligence, journalists, including a France 24 broadcaster, were targeted.
This spyware has very real implications: friends and the fiancée of Jamal Khashoggi, the journalist and operator sawed into pieces and tossed in a bag at the Saudi Embassy in Istanbul, had NSO’s spyware on their phones. French President Emmanuel Macron reportedly had the Pegasus software on his phone, and it has been alleged that the hack of Jeff Bezos several years ago involved Pegasus as well.
In August, Canada’s CitizenLab released a report regarding nine Bahraini activists targeted with zero-click attacks. “In all of the cases, hackers used NSO’s ‘zeroclick’ iMessage exploit, a powerful attack that requires no phishing and merely takes advantage of security weaknesses in the messaging app’s code to compromise a device,” wrote Gizmodo. Several outlets published explainers on how to check one’s phone for invasive code.
The scandal exploded into the public eye this July, when a list of 50,000 phone numbers purporting to be a set of NSO targets was leaked to a consortium of journalists. It’s impossible to tell which ones were successfully hacked without examining the phones themselves, but samples indicate that about half to two thirds of the targets were penetrated.
NSO Group has come under investigation in Israel, and its offices were inspected in late July. “You didn’t know about the software’s very wide use against dozens of journalists in dozens of countries, to know what they are doing?” asked an Israeli radio host. “You didn’t know that the ruler of Dubai used Pegasus to track his daughter and wife?… You also didn’t know that your software was installed in the phone of the fiancée of Saudi journalist Jamal Khashoggi, who was murdered by representatives of the regime in Riyadh? All that you didn’t know?”
In the United States, NSO’s spyware has raised eyebrows among big tech companies. Amazon cut off its web services in July, and in December, Google, Dell, Microsoft, and Cisco filed a brief in Facebook’s lawsuit against the firm. The Facebook lawsuit centers around 1,400 WhatsApp users who were allegedly targeted by NSO’s attacks. The lawsuit began during the winter of 2019, which was around the same time that Reuters reported the FBI was probing NSO Group.
In late July of this year, Mexican authorities alleged a kickback scheme involving the NSO contract. Pitchbook reported that Novalpina Capital, the majority owner of NSO, was dissolving, and about a week later it was reported in the Times of Israel that the Oregon pension fund was reconsidering its investment. Four Democratic senators also proposed blacklisting the company.
Around the same time, just after shutting down all other inquiries, NSO Group CEO Shalev Hulio gave an interview to Israel Hayom, a right-wing daily in Israel, arguing he saw a “guiding hand” behind the investigation, “either Qatar or BDS, or both.” He also spoke with Forbes. Other analysts have put out the line that concern over the Pegasus scandal is motivated by the BDS movement.
The Forbes writer says,
Frustratingly for NSO’s detractors, the Pegasus Project left some wiggle room for Hulio in referencing a list of what was alleged to be a list of 50,000 “potential” targets of NSO clients. Believed to have first been obtained by French nonprofit Forbidden Stories, the list remains something of a mystery: Neither Forbidden Stories nor its media partners have explained where the list came from, what it is or how it’s linked to NSO.
It’s true that the origin of the list is obscure — also possibly not exhaustive, crucially not including any American residents — but one could speculate. There are Canadian investigators looking into Pegasus targets, and French intelligence has been openly critical. It seems reasonable to infer that the source was someone the U.S. was in a position to influence, given the lack of Americans. There’s a big lawsuit in the UK and by some of the U.S.’s biggest tech companies. All of this suggests the Five Eyes (an intelligence sharing alliance consisting of the United States, the United Kingdom, Canada, Australia, and New Zealand) as the most likely source of the list.