World Leaders Included on Alleged Spyware Targeting List
NSO Group Refutes Alleged Targeting List - But How Does It Know Customers' Targets?
Can NSO Group and other commercial spyware vendors survive the latest revelations into how their tools get used?
NSO Group, an Israel-based vendor of surveillance software - including Pegasus spyware that it says it sells only to law enforcement and intelligence agencies of "vetted governments" - has allegedly again been found to be providing its wares to oppressive regimes, including Azerbaijan, Bahrain, Kazakhstan, Saudi Arabia and the United Arab Emirates. Other countries have also allegedly been using its software to target not just suspected criminals or terrorists - which the company says is the use case for Pegasus - but also journalists, political opponents, business executives and even world leaders.
The leak of an alleged target list containing 50,000 individuals' contact details, to which 10 NSO-using governments contributed, has reignited questions about whether commercial spyware should be allowed to exist, and if so, whether access to such software should be heavily restricted.
French investigative nonprofit Forbidden Stories, working with a consortium of media organizations as well as Amnesty International, said they obtained the list, leading to the launch of their collective Pegasus Project. Members of the consortium began to publish results from months of research on Sunday, and continue to do so. They say the target list included contributions from the aforementioned five countries, plus Hungary, India, Mexico, Morocco and Rwanda.
NSO Refutes Target List
The NSO Group strongly denies that the list of 50,000 individuals' phone numbers and email addresses was a targeting list.
"The list is not a list of targets or potential targets of Pegasus," NSO Group tells me in a statement. "The numbers in the list are not related to NSO group. Any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false."
NSO Group says it investigates any evidence that its software is being used in an unapproved manner.
"NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations," the company says. "NSO will thoroughly investigate any credible proof of misuse of its technologies, as we always had, and will shut down the system where necessary."
World Leaders Targeted
The Pegasus Project has reported that at least some individuals on the alleged target list were targeted with Pegasus spyware, sometimes just seconds after being added. Amnesty International's technical team said it was able to verify through tests of dozens of smartphones of individuals on the list that 37 had been infected with or previously targeted by Pegasus.
On Tuesday, the Washington Post reported that presidents, prime ministers and even a king appeared on the leaked list. But it said that none of their phones have been tested, so there's no evidence to confirm or deny whether they might have been targeted with Pegasus.
The Washington Post reports that the list includes contact information for:
- Three sitting presidents: France's Emmanuel Macron, Iraq's Barham Salih and South Africa's Cyril Ramaphosa;
- Three current prime ministers: Pakistan's Imran Khan, Egypt's Mostafa Madbouly and Morocco's Saad-Eddine El Othmani;
- Seven former prime ministers who were in office when their names were added to the list, based on time stamps: Yemen's Ahmed Obeid bin Daghr, Lebanon's Saad Hariri, Uganda's Ruhakana Rugunda, France's Édouard Philippe, Kazakhstan's Bakitzhan Sagintayev, Algeria's Noureddine Bedoui and Belgium's Charles Michel;
- One king: Morocco's Mohammed VI.
In response to inquiries about those and other names, NSO Group told the Washington Post that "we can confirm that at least three names in your inquiry, Emmanuel Macron, King Mohammed VI, and [World Health Organization Director General] Tedros Ghebreyesus - are not, and never have been, targets or selected as targets of NSO Group customers."
How Do Customers Get Investigated?
Shalev Hulio, the co-founder and CEO of NSO Group, tells the Financial Times - whose editor, Roula Khalaf, was one of 180 journalists on the leaked target list - that the company's tools are not regularly used to target journalists, human rights advocates and other members of civil society who have no nexus to crime or terrorism. The CEO said the company continues to shut down access for specific government agencies when evidence surfaces that they have improperly used Pegasus.
"We are claiming very vocally that these are not Pegasus targets, or selected as Pegasus targets, or potential Pegasus targets. This has no relation to any customer of ours or NSO technology," Hulio tells the Financial Times.
NSO Group told me that while it doesn't know who its customers target, "they are obligated to provide us with such information" if the company states that it's investigating alleged violations of its terms of service.
But if the company has no visibility into customers' targets, how can it verify whether journalists, dissidents and political opponents are being targeted? Asked that question, Hulio told the Financial Times that his company asks customers individually if they are abiding by its terms and conditions.
But clearly, oppressive regimes, politicians who have targeted their political rivals and governments who have brutally murdered dissidents on foreign soil cannot be trusted to answer truthfully.