Citizen Lab Q and A: The abuses of NSO Group’s hacking software and the threats to journalists




Just days ago, the founder and co-president of NSO Group — which sells spyware to governments that have used it to hack journalists — gave a startling interview with CBS 60 Minutes. NSO Group’s founder appeared to defend intercepting journalists’ communications and compromising their mobile devices in pursuing of alleged “terrorists.” The company has also been accused of selling Pegasus to Saudi Arabia, which allegedly used it to spy on journalist Jamal Khashoggi’s associate shortly before Khashoggi’s murder.

The Citizen Lab at the Munk School of Global Affairs and Public Policy at the University of Toronto has been researching NSO’s spyware Pegasus for years — including identifying numerous governments that operate the spyware, and journalists and activists who have been targeted.

Freedom of the Press Foundation spoke to the Citizen Lab Senior Researcher John Scott-Railton about Pegasus, the significance of the CBS interview, and what the public can do to curtail spyware abuse.

This interview has been lightly edited for clarity.

Citizen Lab has obviously researched Pegasus extensively. How did this start?  

The research began with an investigation that my Citizen Lab colleague Bill Marczak was doing on a threat actor in the United Arab Emirates. Bill called the group Stealth Falcon at the time, but more recently it has been connected to a notorious hacking company named Dark Matter. That research identified some domains that looked different, and could be connected to a company named NSO Group. Later, UAE-based (and now jailed) human rights defender Ahmed Mansoor reached out to bill with some suspicious text messages. When Mansoor got in touch, we paid attention, because Bill had previously found that Mansoor was targeted with other commercial spyware, including Hacking Team and FinFisher.

When Bill looked he realized that the messages could be linked to that domain list. Then he borrowed a colleague's iPhone, clicked on a suspect link, and watched as the phone was infected with NSO Group's Pegasus Spyware. That infection confirmed that we were looking at NSO Group's spyware, and that the domains he had collected were part of NSO's infection infrastructure.

With this knowledge, it was possible to begin looking for more cases.  And sure enough, we began finding other cases of abusive targeting, in other countries. One of the most dramatic cases is Mexico where, in collaboration with a number of Mexican civil society organizations, including R3D, SocialTIC, and Article 19, we began digging for more cases. As of now we have publicly identified 25 cases of abusive targeting in Mexico, alone.

At least nine journalists have been targeted with Pegasus in Mexico alone. And it really seems to be not just any journalists that are targeted, but investigative journalists and those that report on, say national security or corruption…

Of all of the different categories of targeting that we see with Pegasus, as well as other forms of government exclusive spyware, we consistently find journalists among the most targeted.

There is an additional troubling nexus in Mexico: Journalists investigating cartels, a team of international investigators investigating the mass disappearance of 43 students in Mexico, and lawyers representing cartel victims have all been targeted with Pegasus. This seems backwards, and is it stands in stark contrast to NSO Group's CEO's recent claims that their spyware is used to investigate cartels.

In the CBS interview with NSO Group CEO Shalev Hulio and Co-President Tami Shachar, they seemed to defend journalists as legitimate hacking targets. On intercepting them if they happen to be in touch with a drug cartel, for example, they said that is a decision the “intelligence agency should get."

One of the claims in the 60 Minutes story was that NSO Group had investigated the use of its product and only found three cases of abuse. And that they took some unspecified action. And of course, my question is, which of the 25 cases in Mexico alone, for example, did they have in mind?

The idea that NSO Group would be capable of fully investigating itself is also odd. There’s this tension running through their public statements: on the one hand denials of the growing pile of evidence of abuses, and on the other hand, claims that they are doing effective due diligence and have found very few problems.

We know the story that NSO is telling the public, but I wonder what story they tell the talented developers who work there. Obviously, there are some extremely smart people working for NSO Group. I wonder how they feel about some of these reports [of abuse], and NSO’s public statements. Do they feel empowered to ask their bosses and managers serious questions about abuses? Are they getting clear answers? I'm genuinely curious.

Pegasus works by running in the background, and is designed to be stealthy. How do people know they have been infected, and how do they know to reach out to Citizen Lab?

After every report we publish, more journalists and others get in touch, and say, “Hey, I’ve got some potentially suspicious messages if you’d like to take a look.” Usually we are. We then examine them and compare them to domains that we’ve identified as NGO Group’s exploit infrastructure. This points to the extreme importance of continued reporting on this issue, because with every report, we get contacted by new individuals who believe they may have been targeted.

Are there any particular devices more at risk? For example, are iPhones and Androids equally vulnerable?

We know that NSO Group sells the ability to compromise major phone operating systems. You’re not going to find a popular device that would suddenly protect you from Pegasus. This points to a serious problem: must people just have to hope that oversight and legal restrictions on how this spyware is used will be enough to protect them.  But it's pretty clear that oversight has broken down in a lot of situations, or was not there in the first place.

What can technology companies — like Apple, for example — do about this to protect their users?

Apple has been doing a lot. When we found the first case of Pegasus targeting in 2016, we worked with Apple, and they patched every single Apple device. Something like a billion devices received a patch — both phones and computers — that blocked the particular exploit chain that was being used. Google, too has been vigilant and collaborative with the security sector in investigating and publishing on NSO's ability to target androids. I think we definitely look to tech companies to be extremely vigilant and proactive in spotting cases, and patching vulnerabilities.

Pegasus is a pretty sophisticated piece of software; we’re pretty impressed by the sophistication of its design. I think NSO Group will continue to work on its software, so that it will continue to function in new operating system environments so that it will be harder to detect and investigate.

We also have to look to governments that are potentially buying this, and keep asking the question about whether if stockpiling these exploits is really in the interest of global net security.

What do you think NSO should do when it is seeing governments who buy Pegasus abusing it and targeting journalists and human rights advocates instead of alleged terrorists?

NSO Group has a credibility problem, partially of their own making. If they really want to address it, then working with competent authorities [investigating misuse of their spyware] and being honest about abuse is critical. Instead, they seem to have taken a strategy of casting general — never specific — doubt on researchers, while at the same time stating that their own investigations found little evidence of "real" misuse. I think most people look at this and say: this doesn't sound like a commitment to addressing abuses.

What kind of advice can you offer journalists — such as those reporting in Mexico or Saudi Arabia — to minimize risk of potential infection by spyware like Pegasus?

One of the most important things that journalists can do is maintain extreme vigilance and to collaborate with organizations that can help them be systematic about their security. When they do get suspicious messages, they should make sure to alert people who are in the position to act on them. In Mexico, for example, there are a number of organizations that have now participated in the investigation of Pegasus — R3D, SocialTIC, and Article 19 — and those organizations would be probably happy to speak with journalists who have concerns.

More broadly, I think that this points to the importance of independent civil society organizations that are in a position to work on these investigations and collaborate with researchers like ourselves to investigate these really troubling cases.

What can people to do curtail the abusive use of spyware?

From governments, I think anyone who learns about these cases wants to see careful and well-structured mechanisms to regulate the sale and export of these technologies, and investigate abuses.  From big tech companies, I think users would like to know that the developers of operating systems are constantly working to keep them as secure as possible.

At the end of the day conversations about this kind of targeted surveillance have to be public conversations about what kind of powers and oversight we want public authorities to have when it comes to spyware. The problem is that the spyware industry has moved faster than those conversations, and is really trying to block additional scrutiny. 

The proliferation of this spyware should concern governments for another reason, too: In Mexico, for example, we have identified numerous cases of public officials, including the then-president of Mexico's Senate, who were targeted with Pegasus. Can NSO Group or others assure various governments that their officials won’t be targeted with this kind of thing?   Furthermore, we, as well as Amnesty International, have shown evidence of targeting across borders. Omar Abdulaziz was targeted by a foreign government NSO operator while in Canada. That is a national security concern for the countries where the targeting has taken place.

So far, concerns about spyware come straight from data and evidence.  More cases will undoubtedly emerge. Companies like NSO have the opportunity to be a part of inevitable public conversations about regulation and oversight.  However, I suspect many folks will be reluctant to give them a seat at the table until they start answering the evidence with good faith answers, not spin.

Donate to support press freedom

Your support is more important than ever.