NSO Group, the infamous Israeli surveillance company, has been under a lot of fire recently. If you remember, in August we published a report1 in which we detailed how one of our staff members at Amnesty International (who was working on the issue of the Saudi women activists arrested2) was targeted using the mobile surveillance suite Pegasus, sold by NSO. In that report we also mentioned a Saudi human rights defender who we discovered also being targeted, whom identity we didn’t reveal at his request. Since then, he spontaneously decided to identify himself in the press as Yahya Assiri.
While at the time we discovered these attacks in early June they seemed like isolated events, over the months it became obvious that a larger campaign of surveillance was being conducted (most likely by the Saudi government) in a coordinated attempt to suppress dissent that culminated with the murder of Jamal Khashoggi.
On October 1st, right before the news of the murder, Citizen Lab discovered another Saudi dissident based in Canada, Omar Abdulaziz, was also targeted with NSO Group’s spyware3. In November, Forbes reported that yet another Saudi dissident, the YouTube comic and satirist Ghanem Almasarir, was also targeted with Pegasus4.
In October, we released a list5 of more than 600 domains used to deliver NSO Group’s exploits through SMS or WhatsApp messages. Recently we have also announced that we’re demanding for NSO Group’s export license to be revoked and we are considering legal action against the company6. Few days ago, Omar Abdulaziz also announced that he’s suing NSO Group in connection with the infection of his device, which he claims was purposefully targeted by the Saudi authorities to snoop on his communications with Khashoggi7.
If all this wasn’t enough, Citizen Lab published yet another report detailing how Pegasus was used in Mexico to target journalists colleagues of a reporter who was gunned down in 2017, likely in connection with this investigations into the cartels8
I have worked on plenty of investigations into surveillance companies, and uncovered numerous abuses of their products. However, the amount of cases where NSO Group’s Pegasus was found used to repress dissent and monitor reporters and human rights defenders is unprecedented. Why is that?
This piling number of abuses could very likely be a direct result of the company’s lack of proper human rights due diligence. According to an investigation by Haaretz, NSO Group indeed sold their products to Saudi Arabia for a wowing $55 million, apparently in defiance of the Israeli Ministry of Defence.
Additionally, it could be that the efficacy and the sophistication of the attack suite that NSO Group provides, and the immense power that is derived, might in fact be an irresistible incentive for ruthless governments to use it even more so against dissidents, journalists and human rights defenders.
While so far we have only observed attacks being delivered through SMS or WhatsApp messages requiring the victim to click on a link in order to activate the exploitation and infection, the investigation by Haaretz suggests that NSO Group might have sold Saudi Arabia their “0-click” solution as well. This would mean that Saudi Arabia, as well as any other government NSO Group might have sold this to, could have the ability to remotely compromise any iPhone without sending anything visible to the victims and without requiring them to click on any link. This could be theoretically possible if NSO Group would have knowledge of vulnerabilities in the radio components of the phone.
Currently there is no evidence NSO Group or Saudi Arabia have access to such exploits. To the contrary, the fact that messages with “1-click” exploit links are being found around and used so widely rather suggests the opposite. However, if those claims are proved to be true, the effects of such a capability in the wrong hands could be catastrophic.
With all attention and the mounting legal trouble, it is unclear what will happen with NSO Group. In the meantime, our investigations continue.
We are trying to identify other journalists and human rights defenders who might have also been similarly targeted with Pegasus. If you have any information to share, please do get in contact.
I can be found as @nex on Wire and @nex on Keybase, as well as via email:
1: Amnesty International Among Targets of NSO-powered Campaign ↩
2: Saudi Arabia: women’s rights activists arrested before lifting of driving ban ↩
3: A Quebecer spoke out against the Saudis - then learned he had spyware on his iPhone ↩
4: Exclusive: Saudi Dissidents Hit With Stealth iPhone Spyware Before Khashoggi’s Murder ↩
5: investigations/indicators.csv ↩
6: Israel: Rogue NSO Group must have licence revoked over controversial surveillance software ↩
7: Israeli Software Helped Saudis Spy on Khashoggi, Lawsuit Says ↩
8: Reckless VI: Mexican Journalists Investigating Cartels Targeted with NSO Spyware Following Assassination of Colleague ↩