NSO Is Everywhere And Still Lying About What It Can And Can’t Do To Control Misuse Of Its Exploits
An in-depth report on Israeli malware manufacturer NSO Group has (again) exposed the company's lies about its activities (and the activities of its customers).
Here's what NSO said to Calcalist in July of last year as the steady drip of bad news became a cascade.
According to [NSO founder and CEO Shalev] Hulio, the average for our clients is 100 targets a year. If you take NSO's entire history, you won't reach 50,000 Pegasus targets since the company was founded. Pegasus has 45 clients, with around 100 targets per client a year. In addition, this list includes countries that aren't even our clients and NSO doesn't even have any list that includes all Pegasus targets - simply because the company itself doesn't know in real-time how its clients are using the system."
And here's what NSO said in a statement to Forbidden Stories in an attempt to claim the site's reporting was false.
NSO does not have insight into the specific intelligence activities of its customers...
Ronan Farrow's long report on NSO Group for the New Yorker contains many interesting details about the company, its actions, and the actions of companies like WhatsApp that are attempting to thwart successful malware deployment. But one thing that stands out immediately is that NSO - despite Shalev Hulio's ongoing efforts - cannot keep its story straight about what it does or does not know about its customers' use of its Pegasus malware.
It begins with this, the compromise of device linked to the UK government that was traced back to the United Arab Emirates by Citizen Lab:
The Citizen Lab's researchers concluded that, on July 26 and 27, 2020, Pegasus was used to infect a device connected to the network at 10 Downing Street, the office of Boris Johnson, the Prime Minister of the United Kingdom. A government official confirmed to me that the network was compromised, without specifying the spyware used. When we found the No. 10 case, my jaw dropped," John Scott-Railton, a senior researcher at the Citizen Lab, recalled. We suspect this included the exfiltration of data," Bill Marczak, another senior researcher there, added.
And that blockbuster leads to this admission by a NSO employee, which contradicts Shalev Hulio's repeated claims NSO has no idea how its customers utilize its spyware:
The U.A.E. did not respond to multiple requests for comment, and NSO employees told me that the company was unaware of the hack. One of them said, We hear about every, every phone call that is being hacked over the globe, we get a report immediately...."
So, it appears NSO Group does know what its customers are doing. And if it is unable to identify misuse of its products by its customers, it's because it's being willfully blind. It has the information. It apparently has just decided to not use it to cut off access to abusive government agencies and officials. Some of this willful blindness can be blamed on the Israeli government, which has wielded the company's powerful offerings as a tool of diplomacy, brokering deals with Israel's many enemies to secure an uneasy, tenuous peace reliant on unofficial concessions and compromises.
There's much more in the report. According to NSO's CEO, NSO has a monopoly in Europe." That admission flows from Citizen Lab's latest report, which shows NSO malware has been deployed to spy on Catalan politicians, activists, and academics, presumably by the Spanish government.
Every Catalan Member of the European Parliament (MEP) that supported independence was targeted either directly with Pegasus, or via suspected relational targeting. Three MEPs were directly infected, two more had staff, family members, or close associates targeted with Pegasus.
There is a steady flow of evidence linking NSO malware to abusive governments and their abusive use of these tools, yet the company's CEO still claims NSO has no idea what its customers are doing.
Asked about the extreme abuses ascribed to his technology, Hulio invoked an argument that is at the heart of his company's defense against WhatsApp and Apple. We have no access to the data on the system," he told me. We don't take part in the operation, we don't see what the customers are doing. We have no way of monitoring it."
According to a former NSO employee, this is a lie. The company offers tech support to its customers that includes remote access. With this, NSO has access to customers' data and remote databases. If it had any interest in curbing abuse, it had the power to do so. It simply chose not to. It could have done something long before it was hit with sanctions as its reputation went down the toilet. But it preferred to sell as much as possible to as many customers as possible while only maintaining a particularly weak form of plausible deniability. Now, its denials aren't even minimally plausible.