NSO was caught unawares thanks to the advanced research done by the head of Amnesty International’s Berlin-based Security Lab, Claudio Guarnieri
The NSO Group headquarters in Herzliya, Israel (Photo: Getty Images)
ABOUT WRITING WHAT would become his signature 1983 song titled ‘Every Breath You Take’ for the British rock band The Police, musician Sting said later, “I didn’t realise at the time how sinister it is. I think I was thinking of Big Brother, surveillance and control.” He was referring to George Orwell and the plight of his protagonist Winston Smith in the classic Nineteen Eighty-Four. Though Orwell’s dystopian novel was published in 1949, Big Brother tactics are as old as empires. And as technology grows at a fast clip, the whole exercise gets far more disquieting, causing a chilling effect. Khadija Ismayilova, the Azerbaijan-based investigative journalist, was watched even in her toilet and bedroom. People who were after her later sent her stills from the footage they had taken from her bedroom and warned her to stop writing.
This appalling case of targeting people with intimate photographs and sexual kompromat is just the tip of the iceberg. The Pegasus Project, a recent investigation by 17 media groups across the world, including one from India, coordinated by the Paris-based journalism nonprofit Forbidden Stories with technical support by Amnesty International’s Security Lab, has proved that reality is, literally, stranger than dystopian fiction. They found that Israeli spyware company NSO Group’s military-grade spyware was used to listen to and watch round-the-clock the activities of hundreds of journalists, human rights activists, politicians, businessmen and heads of state. Their flagship product Pegasus is capable of zero-click attacks on smartphones using vulnerabilities of the operating system or those of apps, meaning a phone can be hacked even without the user clicking on a deceptive malware.
The NSO database has a list of more than 50,000 phone numbers. Which means they were potential targets of its clients. Since NSO doesn’t sell Pegasus to non-state actors and non-official agencies, the finger of suspicion has fallen on governments, including India’s, for allegedly using Pegasus to spy on people. NSO claims its advanced spyware is sold only to fight terrorism and extreme crime.
But extensive investigation has shown that many of the targets are journalists working on crucial stories, social activists, businessmen, politicians who have nothing to do with terrorism and extreme crime. The list included even pro-government journalists and ministers within governments that had purportedly become NSO clients—which smacks of paranoia at top levels of governments. The Hindu’s deputy editor Vijaita Singh whose name appears on the list tells Open about her experience. “It was disconcerting and unsettling. It will be inappropriate to hazard a guess on why my number was chosen for surveillance. The information that we gather is in the newspapers the following day. My job is that of a chronicler and will continue to objectively pursue public interest journalism.”
Most governments have denied the use of Pegasus notwithstanding the proof from forensic experts. According to the Washington Post, which is part of the investigation, the targets include three sitting presidents—France’s Emmanuel Macron, Iraq’s Barham Salih and South Africa’s Cyril Ramaphosa—and three current prime ministers—Pakistan’s Imran Khan, Egypt’s Mostafa Madbouly and Morocco’s Saad-Eddine El Othmani. Seven former prime ministers are also on the list: Yemen’s Ahmed Obeid bin Daghr, Lebanon’s Saad Hariri, Uganda’s Ruhakana Rugunda, France’s Édouard Philippe, Kazakhstan’s Bakhytzhan Sagintayev, Algeria’s Noureddine Bedoui and Belgium’s Charles Michel. Morocco’s King Mohammed VI is also a Pegasus victim. In India, Rahul Gandhi, pro-tribal activists and close to 40 journalists are allegedly Pegasus targets.
Although Israeli officials did not respond to mails, the country has announced the creation of an inter-ministerial team to look into the matter, according to a Reuters report quoting an unnamed Israeli source. The report, however, added the source as saying that a review of the export of Pegasus is unlikely amid calls by Amnesty International and others for a moratorium on such spyware that can be misused by tyrants and democrats alike.
NSO earned notoriety first in 2019 following charges that the Saudi Arabian government had used its dreaded spyware to plan the brutal murder of Saudi Arabian-origin journalist, author and Washington Post columnist Jamal Khashoggi at the Saudi consulate in Istanbul in October that year. NSA whistleblower Edward Snowden had then called NSO the “worst of the worst.” The current probe has proved traces of Pegasus snooping on the smartphone used by Khashoggi’s fiancée Hatice Cengiz.
The earlier version of Pegasus had used spear fishing—luring a person to click on a malware link to infect phones. In 2019 again, it was in the headlines after Facebook sued NSO when its clients used Pegasus to snoop on 1,400 civilians, mostly lawyers, journalists and rival politicians in over 40 countries, by exploiting a vulnerability on its WhatsApp messaging platform.
Cybersecurity veteran Rakesh Nair, CEO and co-founder of California-based Kognos Inc, a company that is into cyber threat hunting, or proactively searching through networks to detect and isolate potential threats, tells Open that most often it is difficult to find traces of hacking as the Pegasus-like malware self-destructs after the mission is over. He warns of the dangers when nation-states enter the game of snooping by spending large amounts of taxpayer money. Such spyware exploits zero-day vulnerabilities, or flaws in the operating system or apps that the makers don’t know exist, he says.
Mumbai-based cyber security veteran Ritesh Bhatia notes, “Once installed, Pegasus is able to capture all the information on the device and then relay it to the hacker’s control centre. The hacker can essentially read all your SMSes; emails; chats on WhatsApp, Telegram, Signal, Viber; record keystrokes, calls and surrounding sounds; access gallery, take photos using your device camera; access your location, bank account passwords, and much more.”
Although Israel, whose economic mainstay is defence exports, has shown no signs that it will clamp down on the activities of NSO, Amazon Web Services has shut down infrastructure and accounts linked to the NSO Group following the publication of the latest reports. Further, many big names earlier associated with NSO as senior advisors seem to have distanced themselves from the company. Open has found that the names of the following people are now missing from the company website: Tom Ridge, former Pennsylvania state governor who was also the first US Secretary of Homeland Security; Gérard Araud, a veteran former French diplomat; and Juliette Kayyem, who is currently on the faculty of Harvard University’s Kennedy School of Government.
NSO was caught unawares thanks to the advanced research done by the head of Amnesty International’s Berlin-based Security Lab, Claudio Guarnieri. Until then, NSO clients were under the impression that no forensic probe could uncover their spying activities.
An argument that has been lapped up by people favouring governments is that if you have done nothing wrong, there is nothing to worry even if you are spied on with Pegasus. Bhatia disagrees: “Being spied upon is an invasion of privacy. Would these same people share every bit of information that happens in their own homes? Having such spywares on a device is like having a CCTV capturing your every moment, and at every place all the time. Our devices are now a virtual clone of our personal lives, and no one will be comfortable sharing every detail, especially with an outsider who has illegitimately entered the device.”
He feels that the onus is now on the developers of the operating systems to build secure products and keep testing often for any vulnerabilities. “One should also use a limited number of apps and install them from respective official stores—Play Store and App Store. Switch off WiFi, location and Bluetooth functions when you don’t need to use them. It is also advisable to change the devices that no longer support the older versions of iOS and Android. It is time to be as paranoid as The Family Man Season 2’s Chellam Sir,” Bhatia says.
More importantly, if there are laws that help people in power justify every whim, they must change. As the late internet prodigy and hacktivist Aaron Swartz said, “There is no justice in following unjust laws.”
More Columns
The Ghost of Tipu Sultan Still Haunts India Shaan Kashyap
Objects of Defiance Shaikh Ayaz
It’s tragic that 35 years after the Berlin Wall fell, Europe still relies on the US for security: Harold James Ullekh NP