A pair of reports by the world’s biggest internet firms shed more light on the murky cyberweapons market and put more pressure on government to take action.

The shady cyberattack firms helping governments hack citizens’ phones

Spyware, said secretary of state Antony Blinken, “has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings.” [Photos: Carolin Thiergart/Unsplash; Robin Worrall/Unsplash]

BY Alex Pasternack

Named for the winged horse of Greek mythology and often sent by text message, Pegasus can burrow into your phone without your knowledge or even your click, hiding for days or weeks inside, surreptitiously recording everything—messages, photos, encrypted chats, and video and audio—in real time. Exactly where your data is going often remains a mystery, lost in a tangle of servers. But the deadly impacts of Pegasus and other cyberweapons—wielded by governments from Spain to Saudi Arabia against human rights defenders, journalists, lawyers and others—are by now well documented. A wave of scrutiny and sanctions has helped expose the secretive, quasi-legal industry behind these tools, and put financial strain on firms like Israel’s NSO Group, which builds Pegasus.

And yet business is booming. New research published this month by Google and Meta suggests that despite new restrictions, the cyberattack market is growing, and growing more dangerous, aiding government violence and repression and eroding democracy around the globe.

“The industry is thriving,” says Maddie Stone, a researcher at Google’s Threat Analysis Group (TAG) who hunts zero-day exploits, the software bugs that have yet to be fixed and are worth potentially hundreds of millions to spyware sellers. “More companies keep popping up, and their government customers are determined to buy from them, and want these capabilities, and are using them.”

For the first time, half of known zero-days against Google and Android products now come from private companies, according to a report published this month by Stone’s team at Google. Beyond prominent firms like NSO and Candiru, Google’s researchers say they are tracking about 40 companies involved in the creation of hacking tools that have been deployed against “high risk individuals.” 

Of the 72 zero-day exploits Google discovered in the wild between 2014 and last year, 35 were attributed to these and other industry players, as opposed to state-backed actors. 

“If governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over,” reads the report.

The Google findings and a spyware-focused threat report published by Meta a week later reflect an increasingly tough response by Big Tech to an industry that profits from breaking into its systems. The reports also put new pressure on the US and others to take action against the mostly unregulated industry. 

In a blog post, Shane Huntley, senior director of Google’s TAG, noted a series of government agreements to limit spyware’s harms, but added that “we hope to see these initial steps followed by more concrete actions from a broader community of nations to reform the industry and shine more light on abuses.” 

Alongside its own threat report last week, Meta suggested that European regulators more stringently enforce their privacy laws, and called on governments globally to help uncover who is actually paying for these services by requiring spyware vendors to retain information on their customers and audit how the technology is being used by those customers.

“EU data protection authorities have a unique opportunity here to regulate spyware companies operating in Europe by requiring that the spyware companies comply with existing data protection regulations,” David Agranovich, Meta’s director of global threat disruption, told reporters.

Cyber mercenaries and intelligence officials point to the use of the weaponry in law enforcement and counterterrorism, and dozens of countries have secretly used hacking tools to track and capture criminals and terror suspects, including the drug lord known as El Chapo. But a staggering body of research and reporting has shown the tools are often used against journalists, human rights defenders, and opposition figures, sometimes as part of brutal crackdowns.

Researchers estimate that government agencies in as many as 46 countries—including Spain, India, and Saudi Arabia—have used Pegasus in some form. A list of fifty thousand phone numbers that had been “selected for targeting” by NSO clients, obtained by reporters in 2020, included at least three presidents, ten prime ministers, and one king, as well as “several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials—including cabinet ministers, diplomats, and military and security officers.” (The Pegasus Project, a journalist consortium led by the French media non-profit Forbidden Stories, confirmed infections on dozens of phones on the list.) Pegasus has also been found on the phones of journalists in India, Jordan, Armenia, Togo and the Dominican Republic; at least six Palestinian human rights defenders, one of whom is also a U.S. citizen; and the two women closest to the murdered Saudi dissident Jamal Khashoggi.

A 2021 analysis by Forensic Architecture, a human rights-focused research group at the University of London, estimated that spyware was involved in at least three hundred instances of physical violence. 

“The harm is not hypothetical,” says Stone.


The Biden administration has blacklisted a number of spyware companies since 2021, banning any transfer of U.S. technology to the firms, and this month began taking a tougher stance on the people behind the spyware too. A day before Google released its report, the State Dept. announced new visa restrictions for people “involved in the misuse of commercial spyware” and their families, further limiting spyware makers’ access to the critical US technology sector. Spyware, secretary of state Antony Blinken said in a statement, “threatens privacy and freedoms of expression, peaceful assembly, and association,” and “has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.”

Despite the outcry and sanctions, zero-day researchers describe the fight against spyware as a global game of whack-a-mole. And, like a determined hacker, the moles are poised to do everything they can to survive. Firms are increasingly setting up shop or relocating to countries outside Israel—where they are not bound by the same export controls. 

“If NSO Group goes bankrupt tomorrow, there are other companies, perhaps seeded with U.S. venture capital, that will attempt to step in to fill the gap,” Citizen Lab’s John Scott-Railton told a congressional hearing last year. “As long as U.S. investors see the mercenary spyware industry as a growth market, the U.S. financial sector is poised to turbocharge the problem and set fire to our collective cybersecurity and privacy.”

In its report, Google describes a “rise in turnkey espionage solutions” offered by dozens of shady companies. While Israeli cyberattack firms like NSO and Candiru have drawn the most scrutiny, Google’s analysis highlights the rise of smaller spyware firms based in Europe and Asia. That includes what the Carnegie Endowment called last year a secondary tier “of boutique spyware firms, hacker-by-night operations, exploit brokers, and similar groups.” Google chose to name 11 firms and nine affiliates in its report, each of which had appeared in previous reports; Stone and a spokesperson did not specify why the other companies were not disclosed. 

The spyware firms represent only a small fraction of a global hacking-for-hire industry. (A leak this week from I-Soon, a Shanghai-based cybersecurity vendor with government ties, suggests that it carried out global attacks on a series of high-value government targets and dissidents in 2021 and 2022, in part by breaching WiFi networks and devices.) Some of the spyware companies lack websites, and hide under complex corporate structures to conceal their owners, investors, and clients. Tel Aviv-based Candiru, Google notes, has changed names multiple times, to Grindavik, then Taveta, then Saito Tech. Another firm named by Google, the Vienna-based DSIRF, shuttered its operations in August 2023, but an affiliate, Machine Learning Solutions (MLS), is reportedly continuing some of its work. The companies did not respond to requests for comment and in some cases were not reachable.

The spyware makers named by Google include:

  • Candiru, founded in 2014, is thought to be Israel’s second-largest spyware maker after NSO. With funding from NSO investors as well as the government of Qatar, its systems have been found operating in multiple countries, including Saudi Arabia, Israel, U.A.E., Hungary, Indonesia, and Uzbekistan. In November 2021, the US Commerce Department added Candiru and NSO to its trade blacklist.
  • Cy4Gate, founded in 2014, specializes in “lawful interception” technology, including the Epeius spyware targeting Android and iOS systems. In 2022, Cy4Gate acquired fellow Italian firm RCS Lab, known for its “Hermit” spyware tools. Google and Meta have observed RCS Lab campaigns in Italy, Kazakhstan, Azerbaijan and Mongolia. 
  • The Intellexa Alliance acts as a hub for various surveillance companies, including Cytrox—the creator of a Pegasus-like tool called Predator—as well as WiFi and mobile interception firm WiSpear and Senpai, which specializes in open-source intelligence gathering. In June 2021, four executives of an Intellexa member, Nexa Technologies, were indicted by the Paris Judicial Court for “complicity in acts of torture,” a decade after the Wall Street Journal revealed the firm was selling surveillance software to the government of Libya. In 2021 Meta banned Cytrox for abusing its platforms, and the US Commerce Dept. blacklisted the company in 2023. 
  • NSO Group, based in Herzliya, Israel, was first exposed in 2016, when Citizen Lab found Pegasus on the phone of Ahmed Mansoor, a human-rights defender based in the United Arab Emirates. Around the globe, the Pegasus Project estimates that hundreds of members of civil society have been targeted by its spyware. Numerous NSO alumni have founded or moved to other cyberweapon makers. The initial technical director of Pegasus holds the same role at Patternz, a startup founded in 2019 that boasts of its ability to track individuals using data from the digital advertising market. Other surveillance companies, including Rayzone, Bsightful and Venntel, use a similar technique, exploiting a system that privacy researchers have called a threat to national security.
  • Negg Group, an Italian cybersecurity firm, was first revealed in 2017 by Kaspersky as the developer of the “VBiss” and “Skygofree” Android malware, which can infect mobile devices through one-click exploit chains or by drive-by downloads. Google discovered targets in Italy, Malaysia, and Kazakhstan. 
  • PARS Defense is a cybersecurity company headquartered in Istanbul that, says its website, “helps customers to solve forensic challenges in mobile world [sic].” It has been linked to the exploitation of two recent vulnerabilities targeting iOS. 
  • QuaDream, founded in 2014 by a group that included two former NSO employees, developed REIGN, a spyware that includes capabilities such as “real-time call recordings, camera activation — front and back,” and “microphone activation,” according to a brochure. In April 2023, QuaDream abruptly shut down, according to Haaretz, after the Israeli government prevented it from exporting its tools to foreign countries including Morocco, and after researchers at Microsoft and Citizen Lab reported that REIGN had been used against journalists, opposition figures and advocacy organizations across the globe.
  • Variston Information Technology was founded in Barcelona in 2018 and soon after acquired TrueL IT, an Italian firm specializing in zero-day vulnerabilities. The company works with the ironically named, Abu Dhabi-based Protect Electronic Systems to package and sell its spyware and infrastructure. In April 2023, the trade publication Intelligence Online reported that Variston had established closer ties to the cyber subsidiary of the UAE-owned defense company Edge Group.
  • Wintego Systems, founded by alumni of Verint, another Israeli firm, develops advanced communication, intelligence, and data-decoding solutions for the government and homeland security sectors. According to a company brochure, its spyware “uses Wi-Fi to obtain secured data from web accounts (cloud services) and apps, including the entire contents of email, photos, files, chats, social network activity, contact lists, and calendars.” 

Meta’s threat team also recently took action against dozens of accounts run by eight spyware firms from Spain, Italy and the United Arab Emirates. In a quarterly threat report issued on February 14, the company named Italian firms Cy4Gate and RCS Lab, Negg Group, and IPS Intelligence; Spanish companies Variston and its subsidiary TrueL IT, and Mollitiam Industries; and the UAE-based Protect Electronic Systems. Meta said the firms used fake accounts to scrape data, perform social engineering or test their spyware capabilities.


Among the most arresting aspects of Google’s report are the profiles of six spyware victims, compiled by researchers at its think tank Jigsaw. They include Galina Timchenko, editor of the exiled independent Russian news outlet Meduza, who was at home in Riga, Latvia in June 2022, when she received a strange message from Apple. It said she was being targeted by “state-sponsored attackers [who] are likely targeting you individually because of who you are or what you do.” Used to years of phishing attempts and denial-of-service attacks, she let her technical team know and put it out of mind. 

But as an investigation by the nonprofit Access Now and the cyber sleuths of Citizen Lab would soon find, her phone had been infected by Pegasus. The infection had occurred months earlier, a day before Timchenko attended a secret meeting in Berlin of exiled Russian media outlets to discuss the Kremlin’s expansion of its “foreign agents” laws. Using an exploit targeting Apple’s HomeKit and iMessage, the attackers presumably had access to her device during the meeting and for possibly weeks afterwards. Sensitive communications, data, and sources had potentially been compromised. Timchenko had no idea anything was amiss.

Meduza editor Galina Timchenko’s phone was infected by Pegasus in 2022. [Photo: Stephan Röhl / WikiCommons]

Even a single, stealthy infiltration—or just the threat of one—poses a broader threat. “It affects us when political opponents are being targeted and hacked, because that calls into question free and fair elections,” Stone says. “It affects us all when our journalists are being targeted and [are] scared to put out the truth.”

Who hacked Timchenko’s phone? Either Kazakhstan or Azerbaijan, two suspected Pegasus clients, could have carried out the attack at Moscow’s request, Access Now investigators said. But as far as researchers knew, neither country had ever used Pegasus in Europe, and Timchenko was in Berlin when her phone was attacked. Or the culprit may have been a European country: Germany, Latvia, and Estonia are known Pegasus customers.


U.S. agencies have also bought Pegasus and similar spyware. Months after the Commerce Dept. put NSO and another Israeli firm, Candiru, on its blacklist, the New York Times reported that the FBI had purchased Pegasus for “testing,” and had considered a product for US phone numbers called Phantom, which NSO had previously pitched to police departments. The CIA had purchased Pegasus for the government of Djibouti, the Times reported, despite longstanding concerns about human rights there.

The U.S. Drug Enforcement Administration has also deployed a Pegasus-like product, Graphite, to pursue drug cartels. The company that makes it, Paragon—backed by ex-Prime Minister Ehud Barak and at least one US-based venture capital firm, Battery Ventures—has sought to skirt scandal, and in 2021 hired the well-connected WestExec Advisors to ease its entry into the US. The company has even sought guidance on which other government customers would be acceptable to US officials, the Financial Times reported. 

NSO has also enlisted powerful lobbyists to burnish its image in DC, including the NSA’s former general counsel. In a letter last May to the American Bar Association, NSO warned of the risks of a federal moratorium on commercial spyware. “While we fully support the effort to develop a regulatory framework to govern the sale and use of commercial intelligence technology,” NSO’s general counsel Shmuel Sunray wrote, “we fear that a moratorium would leave the industry dominated by companies operating with less regulation, less oversight, and less motivation to respect human rights, including companies operating from Russia and China.”

Part of NSO’s messaging has also revolved around the Israel-Hamas war: After the October 7 attack, Haaretz reported that Israel’s security services began pulling in companies like NSO, Candiru and Paragon to try to track hostages in the Gaza Strip. 

“NSO’s technology is supporting the current global fight against terrorism in any and all forms,” one company lobbyist wrote in a November letter to Sec. of State Antony Blinken, requesting an urgent meeting. “These efforts squarely align with the Biden-Harris administration’s repeated messages and actions of support for the Israeli government.” Cybersecurity experts cast doubt on the hostage-tracking idea, and a U.S. official told Fast Company that the U.S. government “has no plans to change the status of NSO group on the entity list.”

Despite the government restrictions, the growth of the cybermercenary business reflects a subterranean, symbiotic relationship. As with the disinformation business, the spyware industry often relies on the talent and expertise of former government hackers, while the vendors afford governments plausible deniability. This, says Google, “shifts the burden of the cost and reputational risk of the exposure of these tools from the government customer to the [vendor],” which “may increase the likelihood the tools will be used.”

Israel’s homegrown cyberattack industry, considered the world’s best, isn’t just a point of pride for government officials but a tool of realpolitik. As with conventional weapons sales, the state controls the export of hacking tools, and Israel has regularly used sales of Pegasus to rally support among other nations at the UN, or in its campaign against Iran. After NSO turned off Saudi Arabia’s Pegasus access in the wake of Khashoggi’s murder, the crown prince placed an urgent phone call to Prime Minister Benjamin Netanyahu, and Saudi’s Pegasus access was switched back on. (Soon after, researchers at Citizen Lab found, Saudi Arabia used Pegasus to break into the phones of 36 journalists at Al Jazeera, its rival Qatar’s news network.)

Israel has also limited the use of Pegasus for fear of upsetting other allies, including the Kremlin. After Russia invaded Ukraine, Israel blocked sales of Pegasus to Ukraine, and turned off the ability of Estonia to use its $30 million Pegasus purchase to target Russian phones. 


At the start of the cyberweapon supply chain is often an individual researcher who’s found an undiscovered backdoor into an operating system. They could help strengthen the system, for instance through a disclosure or a bug bounty program. Or they can sell their discoveries to exploit brokers or vendors like NSO. On one exploit marketplace, Zerodium, a prized Android zero-click exploit can now fetch up to $2,500,000, about $500,000 more than the price of a similar iOS hack. The weapons built from these exploits cost customers millions more, and come bundled in slick dashboards with optional features. 

Widespread reports of abuse have pushed Google and other companies to take a more proactive approach to powerful zero-days, joining researchers and journalists in exposing vendors and explaining their weaponry. Apple began sending warnings to suspected targets like Timchenko in 2021, and last year introduced Lockdown Mode, an iOS and MacOS opt-in feature aimed at thwarting zero-click exploits. In 2019, Meta sued NSO Group after the company identified over fourteen hundred WhatsApp users who had been targeted by a zero-click NSO hack. Apple filed suit in November 2021, describing NSO in a filing as “amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.” (A California judge recently denied NSO’s motion to dismiss.)

Stone credits Big Tech for simply being more open about exposing flaws in their systems. This protects users and pushes costs up for the spyware companies, forcing them “to go back more to the drawing board to invest more time on their exploits,” says Stone.

Compared to only a few years ago, says Stone, “we as an industry and as defenders have a much cleaner picture of what is actually happening and what hackers are actually doing.”

The US has also taken a series of steps against certain companies and uses of spyware. Last year, the Commerce Department added Cytrox and Intellexa to its entity list, and President Biden issued an Executive Order banning U.S. government use of commercial spyware—specifically, the kind that poses “significant risks of improper use by a foreign government or foreign person.” (Altogether, the Biden administration says more than 50 U.S. personnel on three continents have been successfully targeted by spyware overseas.)

More salvos came this month. A day after the US announced new visa restrictions for spyware makers, a group of 35 nations, led by the UK and France, signed an agreement to “tackle proliferation and irresponsible use of commercial cyber intrusion tools and services.” Representatives from Hungary, Mexico, Spain, and Thailand—which have been linked to spyware abuses—did not sign the pledge; Israel was absent.

Chastened by sanctions, Israel’s government has been taking its own steps to tighten its spyware exports, cutting the number of permitted customer countries to 37 from 110. The restrictions have left some domestic spyware companies reeling, and led at least three to bankruptcy. NSO itself teetered on the brink of bankruptcy, and in 2022 cofounder Shalev Hulio stepped down following a wave of departures. 

Still, NSO continues to develop its spyware, with new owners and a renewed hope for profitability. The Wall Street Journal reported last May that NSO’s lenders—including Credit Suisse and Senator Investment Group—have lent millions more to the company, and have been working with NSO co-founder Omri Lavie. According to corporate filings, a Luxembourg holding company controlled by Lavie is now listed as the sole shareholder of NSO’s parent company. Lavie has also reportedly taken charge at NSO, firing a number of directors and officers. 

A spokesperson for Google lauded the US’s new visa restrictions, which specifically target individuals like Lavie. But more forceful action is needed, says Google, which also called for governments, including the US, to disclose their own historical use of these tools. 

“As long as there is a demand for surveillance capabilities,” says Google, “there will be incentives for [surveillance vendors] to continue developing and selling tools, perpetrating an industry that harms high risk users and society at large.”


If you have any information to share about these companies or other spyware and hacking vendors, you can reach me through Twitter, where you can DM me for my Signal number, and at pasternack@protonmail.com.



ABOUT THE AUTHOR

Alex Pasternack is a contributing editor at Fast Company who covers technology and science, and the founding editor of Vice's Motherboard. Reach him at apasternack@fastcompany.com and on Twitter at @pasternack.

