Claims that NSO’s Pegasus spyware helps Israel find hostages are ‘nonsense,’ experts say
The controversial Israeli spyware maker NSO Group hints Israel has been searching for hostages using Pegasus, its notorious spyware platform linked to rampant human rights abuses. The claim comes as the tech firm mounts a renewed push to get its name off of a U.S. government blacklist.
Even after an agreement reached between Israel and Hamas on Wednesday to release 50 hostages, there are still more than 180 hostages who remain—which, if NSO’s suggestions are true, would point to a key role for Pegasus in the Israel-Hamas war.
But rights activists and cybersecurity experts doubt NSO’s infamous phone-snooping tool could help locate the remaining Hamas kidnapping victims.
“I would be shocked if Israel was actually successful in using Pegasus to bring a single hostage back,” says Greg Hatcher, the CEO of offensive cybersecurity consultancy White Knight Labs and a former U.S. Army Special Forces network engineer. “NSO is trying to use these optics to pitch the United States, ‘look, our product can be used for good,’ but that’s actually nonsense.”
The U.S. government doesn’t seem swayed, either.
“The status of [NSO] remains unchanged,” National Security Council spokesperson Adrienne Watson told Fast Company in a statement referring to the Israeli tech firm’s blacklisting. “The U.S. Government remains focused on countering the proliferation and misuse of commercial spyware, which continues to pose a national security and counterintelligence risk to the United States and has enabled human rights abuses across the world.”
A second U.S. official told Fast Company that the U.S. government “has no plans to change the status of NSO group on the entity list.”
Security professionals consider Pegasus to be one of the world’s most potent cyberweapons. It can slip onto a device through an infected text message or even a data voice call. But NSO’s product stands out for its ability to infect a phone through a “zero-click exploit”—that is, without needing any action from the phone’s user, like clicking a link or picking up a call. Once installed, Pegasus can offer its operator live access to the device’s data, location, and even its camera and microphone.
Since its first release in 2011, Pegasus has been infamously wielded against dissidents, journalists, and human rights defenders. That led the U.S. Commerce Department to add NSO to its so-called “entities list” of companies under trade restrictions in 2021, as part of what the agency described at the time as an effort “to put human rights at the center of U.S. foreign policy.”
NSO has been pushing a new narrative since the start of the Israel-Hamas war. In October, an NSO-linked source told Bloomberg that Israel enlisted the firm in its search for hostages, and last week an NSO-linked source told Axios that Israel is likely deploying Pegasus in that search. The spyware’s use should help governments around the world to “understand much better the value of these kinds of tools and why they are needed,” the NSO-linked source told Axios. And earlier this month, The Intercept reported that Timothy Dickinson, a lawyer hired by NSO, sent an “urgent” letter to U.S. national security officials requesting a meeting to discuss Pegasus’s counterterrorism capabilities.
But experts tell Fast Company that in addition to a lack of evidence, any claims about Pegasus’s usefulness in finding hostages just don’t add up.
“I can see Hamas negating this entire attack by simply confiscating every hostage’s phone, turning it off, and physically moving the phone away from the hostages,” says Hatcher.
Adam Shapiro, an advocate who has studied Pegasus at the nonprofit Democracy for Arab World Now, says it’s “fantasy” to think that Hamas would leave hostages’ phones powered and connected—especially when Gaza’s electric and telecom grids have been intermittently disabled. Hamas is also known for using landlines and radios to evade Israeli surveillance, making it all the more unlikely that Pegasus would be useful in this situation, Shapiro says. (The Israeli Defense Forces and Israel’s Ministry of Defense did not respond to requests for comment.)
A grim reputation
While NSO has marketed Pegasus to governments as a military-grade counterterrorism and crime-fighting tool, advocates say it has also been frequently used by authoritarian leaders to target their critics—including activists, academics, lawyers, dissidents, and journalists—some of whom have ended up dead.
Tech research nonprofit The Citizen Lab has published evidence that attackers used Pegasus to target the friends and family of Jamal Khashoggi, a Saudi dissident and journalist who was assassinated by Saudi agents in 2018. A 2021 report by Amnesty International and a consortium of news organizations revealed a leak of over 50,000 phone numbers that may have been targeted by Pegasus, including heads of state, lawyers, and reporters like Cecilio Pineda Birto, who was murdered after reporting on government corruption in Mexico. Pegasus has also been used against Palestinian human rights defenders, according to digital forensic investigators from Front Line Defenders, a Dublin-based human rights group.
NSO has long denied that its technology has been involved in human rights abuses, and says it only sells the software to “vetted” government agencies, charging them millions of dollars a year for access. “We are very selective with respect to the identity of the countries and customers with which we are willing to do business in order to mitigate the risk of such misuse,” it wrote in its November letter to the U.S. officials. Last year, the company told E.U. legislators that it had active customers in 12 E.U. countries, though it didn’t disclose which, according to Israeli newspaper Haaretz.
But activists say the rights abuses linked to Pegasus haven’t subsided—and have only continued to proliferate in recent months.
In October, Pegasus was discovered on the phone of Anand Mangnale, an Indian investigative journalist who in August reported on stock manipulation by the massive Adani Group conglomerate, which has close ties to Prime Minister Narendra Modi’s government. iVerify, a mobile security company that examined Mangnale’s phone, tells Fast Company the device was infected through a zero-click attack over iMessage. The attacker “simply sends a message to the device and the infection implants. Users see nothing and there are few outward signs that a person’s phone is infected, so it’s very hard to detect,” says Rocky Cole, the company’s COO.
Mangnale was one of at least 20 high-profile Indian opposition politicians and journalists who received notifications from Apple in late October that they may have been targeted by state-sponsored cyberattacks. While the Indian government has never confirmed its use of Pegasus, hundreds of Indian phone numbers were found on the 2021 list of leaked phone numbers, and digital rights researchers have found Pegasus infections on multiple Indians’ devices.
In October, a number of people in Armenia also received warnings from Apple that their phones had been targeted by state-sponsored hackers; a digital rights advocate involved in the investigation tells Fast Company “we strongly suspect” the attack was a variant of Pegasus. Researchers have previously confirmed Pegasus attacks against journalists and human rights activists in the country.
In September, researchers reported a Pegasus infection on the device of a person working at a Washington, D.C.-based organization. That month, researchers revealed a Pegasus infection on the device of exiled Russian journalist Galina Timchenko, the CEO of Meduza, a prominent opposition media outlet that has criticized Vladimir Putin. Researchers have not been able to conclusively determine the identity of the attackers.
Israel claims that it exercises oversight over NSO’s exports of Pegasus, and in 2021 announced that foreign governments purchasing the spyware would have to sign a pledge not to use it to attack dissidents or political opponents. But “NSO group, as far as the public record can tell, has never suspended a sale of its spyware or services to a client based on documented human rights abuses,” says Shapiro.
Lobbying heats up
Despite Pegasus’s harrowing track record, NSO has doubled down on attempts to remove itself from the Commerce Department blacklist. Hatcher, the cybersecurity expert, says U.S. lobbying has long been a priority of Omri Lavie, the NSO cofounder who became the group’s majority owner earlier this year. “[Lavie] has always argued that the company should have a marketing campaign for the West, because operating in the United States and Europe would be extremely lucrative and bring legitimacy to the company’s terrible reputation,” Hatcher says.
Justice Department filings show that NSO spent over $1 million in 2022 on a team of high-powered lobbyists to try and sway U.S. officials. But government email records reviewed by Fast Company show that the spyware lobbyists encountered a chilly reception. One of the lobbyists, Steve Rabinowitz, a former Clinton White House staffer, sent so many emails in 2022 unsuccessfully pleading U.S. officials for a meeting that Elena Love, a Department of Commerce official, remarked to her colleagues, “Sheesh. . . .” and “He’s persistent.” In subsequent emails, the officials shared articles with each other about how NSO’s spyware had been used to hack U.S. diplomats’ phones.
NSO hasn’t given up. Filings show that it added more elite lobbyists this year, including Stewart Baker, a former general counsel at the National Security Agency, Jeffrey Weiss, a former commerce department official, and Timothy Dickinson—the lawyer who relayed NSO’s “urgent” letter touting Pegasus’s features to U.S. officials earlier this month. (Neither the NSO lobbyists nor Love responded to requests for comment.)
Rand Hammoud, an anti-surveillance campaigner with the digital rights group Access Now, doesn’t think NSO will win over Washington any time soon. The Biden administration has been “quite active” in soliciting evidence and recommendations from rights advocates and tech experts about Pegasus’s dangers, she says. And those groups’ conclusions are straightforward: “Pegasus is still being sold to governments. It’s still being used against human rights activists and journalists,” Hammoud says. “The U.S. government’s human rights and national security concerns, which are the reasons NSO got on the entities list in the first place, are still there.”
This story has been updated to include comment from the National Security Council and a U.S. official.
(12)
