NSO Group, which builds tools for breaking into some of the world’s most popular electronic devices, is one of many cybersecurity contractors that insist that their weapons be used only to enforce laws, to stop criminals and terrorists. But on Tuesday, the human rights nonprofit Amnesty International announced that the phone of one of its staff members had nearly been hacked by the company’s spyware in Saudi Arabia, alongside that of another activist—two more in a string of NSO-enabled attacks that have targeted an estimated 174 activists, journalists, lawyers, and others in abusive ways.
NSO, founded in 2010 by former Israeli intelligence officials, still sells only one product, Pegasus, a spyware package thought to be capable of penetrating most smartphones. Infiltration typically begins with a link sent to the target’s phone. It can be sent as a tweet, a taunting text message, or an innocuous email—any electronic message likely to convince the user to open the link. Once they do, the phone’s web browser connects to one of NSO Group’s many anonymous servers across the globe. From there, Pegasus determines the type of device, then installs the exploit remotely and surreptitiously.
In June, an unnamed Amnesty International staff member received a suspicious message in Arabic on WhatsApp. “The text contained details about an alleged protest outside the Saudi embassy in Washington, D.C., followed by a link to a website,” Amnesty International reported. Instead of clicking the link, the employee sent the message to investigators. “Investigations by Amnesty International’s technology team revealed that clicking the link would have, according to prior knowledge, installed ‘Pegasus’.”
In a separate attack, an unnamed target received an SMS text message about a mysterious court order, along with a URL, which investigators later linked to NSO. The nonprofit did not say if that attack was successful.
Toronto internet watchdog Citizen Lab issued a report last year about how the clandestine company helps governments hack the phones of activists and others. As John Scott-Railton, a senior researcher at Citizen Lab, told Fast Company at the time, “Anything you can do on the phone, Pegasus can do on your phone.” The software can turn on a target’s smartphone camera and watch anybody within the frame, or use the built-in microphone to listen in on conversations. Scott-Railton also explained that Pegasus can add and delete files and manipulate other types of phone data. (Since the report, Apple and Google have issued updates to defend against the spyware, but that doesn’t guarantee that every phone is protected.)
When contacted last fall by phone, an NSO Group employee at its office in Maryland refused to comment, saying, “We don’t talk to journalists.” While the firm apparently still isn’t talking to journalists, they did send a statement to Amnesty International with a familiar refrain, stating that their product “is intended to be used exclusively for the investigation and prevention of crime and terrorism,” adding that “any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.”
Despite such assurances, NSO Group’s spyware suite, Pegasus, is regularly used by governments to surveil the mobile devices of journalists, human-rights activists, lawyers, investigators, and even scientists and public health campaigners, according to Citizen Lab. It’s been used in Mexico, Panama, and the United Arab Emirates for the purpose of spying on civilians. And the company has registered web domains in several countries with questionable civil rights records, including Uzbekistan, Bahrain, Kenya, Saudi Arabia, Nigeria, and others. Citizen Lab estimates 174 people have been “abusively targeted” with the software.
Cyber weapons like Pegasus have also raised serious fears about theft, which were borne out last month when Israel’s state attorney’s office indicted a former employee of the company for allegedly stealing the company’s source code. The ex-employee reportedly tried to sell the Pegasus code to competitors for $50 million in cryptocurrency, but a prospective buyer alerted the company, according to the indictment.
Last year, the Blackstone Group was reportedly in talks to buy NSO in a deal that would have valued the firm at as much as $1 billion. Findings by Citizen Lab were said to have helped end those talks. Two weeks ago, another attempt by NSO Group to sell the company was scuttled when the firm’s negotiations with Verint Systems, a New York-based security and surveillance company, fell apart. Reuters, citing the Israeli financial news website Calcalist, reported that NSO Group’s founders, Shalev Hulio and Omri Lavie, want to remain independent, a stipulation that Verint opposed.
Francisco Partners, the San Francisco private equity firm with a 60% stake in NSO Group, supported the deal. Last year it was revealed that Lieutenant General Michael Flynn, President Trump’s former national security adviser, was paid about $140,000 to advise Francisco Partners in 2016 during his tenure at the Trump campaign. As part of his consulting work, Flynn, who pled guilty last year to lying to the FBI about his conversations with the Russian government, was also appointed to the advisory board of OSY Technologies, which is part of the NSO Group.
This story has been corrected to indicate the location of NSO’s US office.