New Delhi: Recent revelations made by the Pegasus Project, a global media consortium, on the alleged use of spyware on prominent individuals across the world, has put the NSO Group, an Israeli-based cyber-surveillance company, front and centre.
Reports released by 17 media organisations since late Sunday revealed that the NSO-made Pegasus spyware was allegedly used to attempt to hack into the phones of political leaders, including heads of states, journalists, activists and lawyers in countries like the UAE, Saudi Arabia, Mexico, Morocco and Hungary, among others.
In India, besides journalists and activists, opposition leaders, including Congress’ Rahul Gandhi, and Union ministers such as IT Minister Ashwini Vaishnaw were also purportedly targeted.
The consortium investigated a leaked list of 50,000 numbers, which were allegedly selected for surveillance by clients of the NSO. While the surveillance company did not reveal who its clients are, it has noted that only “vetted governments” can purchase Pegasus.
Consequently, several activist groups and media organisations have also held the NSO Group responsible for the hacking attempts carried out using its spyware. However, the security company on its part has said that it does not operate the spyware it sells and therefore, it cannot supervise its use.
ThePrint traces the origins of this controversial cybersecurity firm and takes a look at some of its activities prior to the Pegasus scandal.
Founding of the NSO Group
Based in Herzliya that is situated in the north of Tel Aviv, NSO Group Technologies was established in 2010 by Niv Carmi, Shalev Hulio and Omri Lavie. The name of the company is an acronym of the first names of its three founders.
Hulio and Lavie are childhood friends, believed to be former members of Unit 8200, an intelligence-gathering unit of the Israel Defense Forces. They had previously collaborated on the launch of two startups in the early 2000s — MediaAnd and CommuniTake.
While MediaAnd, a product placement startup, fell victim to the 2008 economic recession, the technology developed by CommuniTake, which could access a mobile phone remotely, was the precursor to the NSO Group.
Within a couple of years of establishing CommuniTake, Hulio and Lavie collaborated with Niv Carmi, a former Mossad intelligence operative, to establish NSO. Carmi was responsible for the technology aspect while Hulio and Lavie took care of the business side.
In 2014, US private equity firm Francisco Partners spent $120 million to buy a majority stake in NSO Group. Five years later, in 2019, the firm sold its stake to NSO Group’s founders and management, and European private equity firm Novalpina Capital, but the financial details of the acquisition were not disclosed.
At the time, the company was valued at $1 billion, according to a Reuters report.
First contract with Mexico
According to the NSO Group website, it helps “licensed government intelligence and law-enforcement agencies lawfully address the most dangerous issues in today’s world” with its products.
To this end, the company inked its first deal with Mexico in 2011, when former president Felipe Calderon was in power, and sold its flagship product Pegasus to the country to track drug cartels.
The Pegasus spyware operates through a phishing link that the hacker sends to the intended target on text message or email. If the target clicks on the link, the spyware is automatically downloaded on the target’s device and can begin relaying information to the hacker’s device remotely.
In 2016, Mexico arrested a notorious drug lord of the Sinaloa Cartel, Joaquín Guzmán alias ‘El Chapo’, with the help of Pegasus by gaining access to his phone and tracking his location.
However, the spyware was not used to target just drug lords and their cartels.
In 2017, a widespread inquiry was conducted by NGOs in Mexico into “systematic surveillance” conducted by government agencies on slain journalists and their family members.
The findings of the investigation were distributed on social media using the hashtag #GobiernoEspía (#SpyingGovernment) and claimed that Mexico spent more than $80 million on Pegasus spyware from NSO.
— Citizen Lab (@citizenlab) August 2, 2017
However, no progress has been made on the case since then.
The Pegasus Project also recently revealed that the phone numbers of 15,000 Mexicans, including politicians, journalists and activists, were allegedly targeted using the spyware.
The targets included current Mexican President Andres Manuel Lopez Obrador, prior to his 2018 win, and 50 people close to him. Obrador has labelled Mexico’s use of Pegasus as “shameful”.
Criticism over Jamal Khashoggi’s killing
While Mexico’s use of Pegasus remained controversial in the 2010s, it was the killing of Jamal Khashoggi, a Washington Post columnist and critic of the Saudi Royal Family, in October 2018 that brought considerable infamy to the NSO Group.
The lawsuit claims that Saudi Arabia had used NSO’s spyware to access Abdulaziz’s communications with Khashoggi in the months leading up to the killing.
But in a 2019 interview with US channel CBS News, NSO’s CEO Shalev Hulio categorically denied any involvement in Khashoggi’s murder.
“Khashoggi murder is horrible. Really horrible. And, therefore, when I first heard there are accusations that our technology (had) been used on Jamal Khashoggi or on his relatives, I started an immediate check about it. And I can tell you very clear, we had nothing to do with this horrible murder,” Hulio said in the interview.
However, the Pegasus Project reported that in the months before Khashoggi’s death and a year after it, the numbers of people close to him were selected for surveillance by NSO’s clients. It hasn’t been discovered who the clients are.
“The phones of Hatice Cengiz and Hanan Elatr — who were engaged to and married to Khashoggi, respectively — were forensically examined, with a successful infection confirmed on one of them,” noted a report in The Wire, a part of the consortium.
In a statement to the consortium, the company reiterated that its products were not used on Khashoggi or his associates.
“As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi. This includes listening, monitoring, tracking, or collecting information. We previously investigated this claim, immediately after the heinous murder, which again, is being made without validation,” said the NSO Group.
India and NSO
The NSO Group first garnered headlines in India in 2019 when WhatsApp notified several academics, lawyers, Dalit activists and journalists that their numbers were targeted by Pegasus for a two-week period in May that year.
Those targeted included scholar Anand Teltumbde, who is under arrest for his alleged involvement in the Bhima Koregaon case, Nagpur-based human rights lawyer Nihalsing Rathod, anti-caste activist Rupali Jadhav, among others
At the time, Congress leader Kapil Sibal had criticised the Narendra Modi government over the issue and had said that the “Surveillance State is here”.
Modiji’s open transparent government !
The Surveillance State is here :
WhatsApp’s US based Director Carl Woog reveals that an Israeli NSO group used it’s spyware Pegasus to target Indian journalists and human rights activists for 2 weeks till May 2019
What about now ?
— Kapil Sibal (@KapilSibal) October 31, 2019
In response to a question in the Rajya Sabha in 2019, then IT minister Ravi Shankar Prasad had said that “no unauthorised interception” had taken place.
In light of the ongoing Pegasus scandal, current IT minister Ashwini Vaishnaw has also said that “unauthorised interception” has not taken place.
Therefore, between 2019 and 2021, India has neither confirmed nor denied whether it is one of NSO Group’s clients.
(Edited by Rachel John)