The controversial spyware Pegasus and its operator, the Israeli NSO Group, are once again in the news. Last week, in documents filed in a judgment between NSO and WhatsApp, NSO admitted that any of its clients can target anyone with the spyware, including government or military officials, because their jobs make them inherently legitimate intelligence targets.
NSO has in the past been very circumspect about who is infected with its spyware, which uses so-called “zero-click” methods, meaning that a potential target doesn’t have to click on anything to activate the software. It can access call and message logs, remotely enable the camera and microphone, and track the phone’s location, all without any notification to the phone’s owner.
The company has clients around the world, and Pegasus has been deployed in Hungary, the United Arab Emirates, Saudi Arabia, Thailand, Poland, El Salvador and Mexico. Last fall, the security researchers at The Citizen Lab and Access Now discovered Pegasus on seven phones belonging to Russian and Belarusian journalists and activists critical of Russia’s Ukraine invasion. These individuals have been targets of other surveillance methods and physical threats, although the precise nation-state source of these isn’t clear.
NSO has had a troubled history with selling its spyware. In the summer of 2021, an international consortium of 150 journalists and security researchers published a series of reports about its activities as part of The Forbidden Stories project. And a planned sale of the company to L3Harris was nixed two years ago, when the US government blacklisted the company. Back then, CSO predicted this could be the beginning of the end for NSO, a prediction that sadly didn’t come to pass. Late last year, Amnesty International found several Indian journalists were the most recent targets of the spyware. And last month, scammers tried to sell various fake copies of Pegasus, only to be discovered by security researchers.
The WhatsApp lawsuit began in October 2019, with the company claiming that NSO had infected 1,400 of its users’ phones back in 2019. It was based on research from Citizen Lab and others. Two of the more infamous Pegasus targets were Saudi journalist Jamal Khashoggi and Hotel Rwanda owner Paul Rusesabagina and his daughter Carine Kanimba. The latter case had agents of the Rwandan government deploying Pegasus on their phones. Kanimba testified before a US House committee in 2022 about her experiences with the spyware.
A former UN official, David Kaye, was quoted by The Record earlier this week saying the analyses by researchers suggest that “certain persons are legitimate targets of Pegasus without a link to the purpose for the spyware’s use.” In the court filings, NSO seems to assert that politicians who are members of opposition parties are legitimate targets for Pegasus. “All senior political operatives should be classified” the same, regardless of which party they belong to. The lawyers wrote in their brief, “Would anyone argue that Mitch McConnell is a member of civil society and not a political official because his party is in the minority of the Senate?”
NSO has repeatedly argued that its software is used to investigate and prevent crimes and terrorism, even though mounting evidence shows otherwise as autocratic regimes continue to be its customers.