NSO Group told European lawmakers this week that “under 50” customers use its notorious Pegasus spyware, though these customers include “more than five” European Union member states.
The surveillance-ware maker’s General Counsel Chaim Gelfand refused to answer specific questions about the company’s customers during a European Parliament committee meeting on Thursday.
Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only “for the purpose of preventing and investigating terrorism and other serious crimes.”
Generally speaking, a target selected by an NSO customer has their phone or other device infected with hidden spyware via the exploitation of one or more security vulnerabilities. Once installed, this software can secretly snoop on that person’s calls, messages, and other activities. The code is installed by, say, sending a booby-trapped message to the victim that when received and automatically processed by their device, causes the spyware to silently deploy and run.
These tools are “licensed solely to law enforcement and government agencies,” Gelfand said, adding these are “limited in number, and contracts are carefully contracted to only permit legitimate use.”
Well, kind of
But, later, he added, sometimes private companies do get involved. A government agency “is always the end user,” Gelfand said.
“There are sometimes commercial, third parties that are involved in the transaction for reasons of security aspects,” he continued. “These commercial third parties will very often be the in-between as an intermediary between NSO and a government on the contractual side of things. They never receive use of the system itself, they do not have access to the system.”
The US ban-hammered the notorious Israeli software provider last year. European lawmakers opened an inquiry this year into spyware in general, and Pegasus more specifically, after the code was reportedly found on cellphones associated with the UK and Spanish prime ministers, Spain’s defense minister, and dozens of Catalan politicians and members of civil society groups.
Gelfand refused to answer if his company sold spyware, or had revoked licenses, to countries including Saudi Arabia, the United Arab Emirates, Hungary, and Poland while he was questioned for two and a half hours by Euro lawmakers. However, they did manage to extract some interesting details about Pegasus during the questioning.
Previously, the surveillance-ware maker had 60 customers in 45 countries, but “that number has gone down,” Gelfand said. In additional, NSO is investigating “over 20” customers that are allegedly misusing the software.
And while the Pegasus Project reported a list of more than 50,000 phone numbers that had been targeted by the zero-touch spyware, Gelfand told the committee that a more accurate number “in a given year is approximately 12,000 to 13,000 targets.”
‘Saving lives wordwide’ since 2010
As a reminder: NSO Group claimed it developed the data-stealing software to help law enforcement agencies prevent terrorist attacks and break up pedophile crime rings. In Gelfand’s words: “This technology has been conceived and designed to save lives worldwide … [and] make the world a safer place.”
However it’s more highly publicized uses, by governments worldwide, include spying on journalists, activists, everyday citizens, elected officials, and their political opponents.
During the RSA Conference this month Heather Mahalik, a senior director of digital intelligence at SANS Institute, named Pegasus as one of the most dangerous cyber threats today.
“This attack literally flies through the air, lands on your iOS or Android device,” Mahalik said. “You don’t click it, and it immediately self-installs, which is where my job becomes very difficult. It also self-destructs.”
The flying-horse malware can be installed on a victim’s phone without any user interaction. And once it’s deployed, the NSO customer controlling that instance of Pegasus has access to everything on the victim’s device, including emails, passwords, and photos.
How NSO scores countries
The Israel-based company says it scores countries before it will sell Pegasus to them, and claims [PDF] these scores take into account things like a country’s record on human rights and free speech, as well as political stability and perceived corruption.
If a country scores a 20 or lower, NSO says it won’t sell them spyware; Gelfand added, “we have since raised that bar.”
When asked by EU lawmakers about various’ countries’ scores, Gelfand said Saudi Arabia received “around 30.” For comparison: Belgium score is around 80, while Spain comes in around 75, and Poland and Hungary are 65 or 64, according to Gelfand.
If a customer violates the terms of its agreement with NSO – we wonder if snooping on Amazon founder Jeff Bezos is a deal breaker – the vendor says it can remotely shutdown the customer’s Pegasus deployment.
He did note that NSO has fired “over eight” customers during the “past several years,” and that some of these misbehaving agencies came to light because of whistleblowers and the Pegasus Papers.
“We have terminated contracts with EU member states,” Gelfand said.
Terminating contracts with or outright refusing to sell Pegasus to customers has cost the beleaguered company more than $300 million, Gelfand noted. “We’re always putting ethics over revenue, and the amount of money that this has cost us in contracts that we have not entered is huge,” he said.
Cue the violins.
How about those acquisition rumors?
Speaking of lost revenue, President Joe Biden’s crackdown on NSO has been another financial blow to the poor spyware developer. And when asked about rumors that US defense contractor L3Harris and data-mining firm Palantir had both expressed interest in buying NSO, Gelfand again declined to answer.
“The company is always in various negotiations with different companies around the world,” he said. “Regarding acquisitions: more than that is something that I can’t get into because of confidential information.” ®