(JNS) Allegations that spyware developed by Israeli cyber firm NSO Group was widely misused by its government clients has created a migraine not only for the company but for Israel’s cyber industry and Ministry of Defense. However, the “scandal” leaves some dubious.
Forbidden Stories, a Paris-based journalism nonprofit, broke the story in mid-July, charging that NSO’s spyware was not being used for its intended purpose—to track criminals and terrorists—but instead was being turned against politicians, journalists and critics of repressive regimes.
The spyware, named Pegasus, hacks undetected into smartphones and transforms them into surveillance devices. The spyware can remotely access emails, passwords, contact lists, even the phone’s camera, microphone and tracking system, according to NSO marketing materials.
“My view is that what’s going on with the NSO issue is an orchestrated effort to harm Israel by smearing one of its cyber companies. This has nothing to do with NSO,” Israel Defense Forces’ Col. (res.) Gabi Siboni, a researcher at the Jerusalem Institute for Strategy and Security with expertise in cyber security, military strategy and technology, told JNS.
“There are numerous non-Israeli companies that provide similar services in France, the U.S., the U.K. They have not been targeted like this,” he noted.
In Italy, there is Memento Labs and in Spain, Mollitiam. The United Arab Emirates’ DarkMatter Group claims to be purely defensive, though whistleblowers said it was also engaged in offensive capabilities.
Siboni sees the NSO story as a broadside against Israel’s cyber industry as a whole, a pillar of the country’s economy.
If someone is trying to take Israeli cyber down a notch, they’ve chosen to strike Israel at its strongest point. Israel’s cyber industry is on a tear. It raised $3.36 billion in the first half of 2021—an amount that “broke the fundraising record of all 2020 together,” according to numbers provided to JNS by Israel’s National Cyber Directorate. More than a third of the world’s cyber unicorns are Israeli (unicorns are private companies worth more than $1 billion).
Siboni says the motives behind the story are political. “We are facing BDS attempts, and we have to confront them. This is all part of the same campaign, and we have to develop a strategy.”
‘Defense Ministry promised to get to the bottom of it’
What will likely raise suspicion for some is the identity of one of the key players—Amnesty International, whose Security Lab provided cellphone “forensics” for Forbidden Stories. The lab said it confirmed traces of the NSO Group’s Pegasus spyware on 37 phones belonging to journalists, human-rights activists and others. The findings were peer-reviewed and confirmed by a Canadian organization called Citizen Lab, reported Forbidden Stories. Those 37 phones are only a drop in the bucket on a list of 50,000 numbers that Forbidden Stories claimed had been hacked or targeted for hacking by NSO software.
Neither Forbidden Stories nor Amnesty will reveal how the list was obtained; JNS contacted both, but they did not reply.
Although Forbidden Stories is a relative unknown, Amnesty International’s motives are certainly open to question. Aside from its one-sided view of the Arab-Israeli conflict, as detailed by such groups as NGO Monitor, in 2019 it attempted to sue Israel’s Ministry of Defense in Tel Aviv District Court to force it to strip NSO Group of its export licenses. Amnesty claimed NSO’s Pegasus software had been used against human-rights activists including an Amnesty employee. The suit was thrown out in 2020 due to a lack of evidence.
Siboni said that doesn’t prove conclusively that Amnesty is the one behind the story. “I’m sure some journalist got this information and thought they got it from a reliable source,” he said.
Eyal Zisser, vice rector of Tel Aviv University and a professor of Middle Eastern studies, stressed that Israelis do not support the idea of spying on journalists or human-rights activists.
“Israel needs to investigate the matter and get to the bottom of it. If it turns out NSO clients did spy on reporters and activists, then they should be punished. If they did so with NSO’s knowledge, then the company must be punished as well. The Israeli Defense Ministry has promised to get to the bottom of it,” he told JNS.
However, he, too, tends to agree that something’s “missing” from the story and also believes that the criticism of NSO is driven by politics. “Al Jazeera, I noticed gave much attention to it,” he said of the Qatar-based news outlet whose hostility to Israel is well-documented. Zisser would not venture to guess about the story’s origins. “I’m sure [the Ministry of Defense] knows exactly who’s behind it.”
“There are countries which would be very happy to see Israel attacked rather than themselves,” he said, adding that NSO Group has become a convenient scapegoat, diverting attention not just from badly behaving state actors, but also social-media companies like WhatsApp and Facebook, which have come under scrutiny for collecting personal data.
‘We don’t have a list of targets’
Assaf Harduf, senior lecturer at Israel’s Zefat Academic College in northern Israel who specializes in cyber crime, told JNS that many indeed are starting to worry about social-media companies, “but the masses still provide corporations unlimited data on the road to getting more ‘Likes’ online. People forfeit much privacy for social acceptance … .”
NSO Group, for its part, has vociferously denied charges that its clients have misused its product. Company co-founder and CEO Shalev Hulio said a list of 50,000 numbers is impossible as the company has only 45 clients, and each client is limited to tracking 100 “targets” each year.
“Since we established the company, through all the years, we didn’t have 50,000 targets,” he told Hebrew daily Israel Hayom on July 23. NSO was founded in 2010.
Hulio said he first thought the whole thing was a joke. When in late June he was warned by someone outside the company that the firm’s servers in Cyprus had been breached and its list of targets had been leaked, he had a moment’s anxiety but then realized, “we don’t have servers in Cyprus, and also, we don’t have a list of targets.”
Shalev said the client chooses whom to follow with the spyware, and NSO doesn’t operate it for the client once it’s installed. However, NSO reserves the ability to disconnect a client from the network if the product is misused, which the company has done in five cases. NSO has refused to sell its services to 90 countries and all of its business has been conducted under the Defense Ministry’s supervision. Two-thirds of NSO’s customers are in Europe, said Shalev.
On June 30, NSO released its first-ever “Transparency and Responsibility Report,” which offered a unique look into the limitations of and restrictions on its Pegasus software.
Although initially responsive to the media, NSO Group abruptly stopped cooperating on July 21, clearly reaching the conclusion that those pushing the story were not acting in good faith. The company issued a statement on its website titled “Enough is Enough.”
“In light of the recent planned and well-orchestrated media campaign led by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter, and it will not play along with the vicious and slanderous campaign,” the statement said.
‘Israel has a very strict export law’
Countries accused of misusing the software have not only denied the allegations but denied they were NSO clients. Morocco “categorically rejected” the claim its intelligence services targeted 10,000 numbers on the list and said it never acquired Pegasus software.
Morocco’s Minister of Foreign Affairs Nasser Bourita said on July 22 that the story was a “bluff. … It’s not journalism. It is sabotage on a large scale made from scratch and without any proof.” Other countries, like India, Hungary and Rwanda, also denied using the software.
The denials did little to derail the story, in part due to Forbidden Stories’ partnership with 17 media outlets, among them The Washington Post, Le Monde and The Guardian, ensuring widespread coverage in numerous countries.
A flurry of political reaction followed. Four U.S. Democratic congressmen issued a July 26 letter calling on the government to consider sanctioning NSO Group. In Europe, the head of the European Commission said if the hacking was true, it was “completely unacceptable.”
Israeli Defense Minister Benny Gantz found himself obliged to assure his French counterpart that French President Emmanuel Macron’s phone had not been hacked (his number, along with those of 13 other heads of state were on the list). “Israel is investigating the matter with the utmost seriousness,” Gantz said during his July 28 meeting in Paris with French Minister of the Armed Forces Florence Parly. The French government announced that it had launched investigations into the allegations.
Israel’s Ministry of Defense said that Israel regulates the export of cyber products and only approves their use to government entities for “preventing and investigating crime and counter-terrorism.”
“Israel has a very strict export law. There’s a very serious committee sitting in the Ministry of Defense, Foreign Ministry, Economic Ministry—they all combine to review any export requests. They either refuse or give a waiver to export. First of all, NSO would never export without this consent,” said Siboni.
Regardless of its validity, the story has forced Israel’s cyber industry to take notice. The Marker, a Hebrew-language business daily, reports that on Aug. 1, several Israeli cyber companies dealing in “offensive” cyber capabilities gathered for an emergency meeting in Tel Aviv to develop a unified approach and discuss possible regulatory fallout from the charges of mass spying.
“Cyber surveillance is a technology that can do much good when turned against criminals and terrorists, but in the wrong hands, it can invade privacy and suppress freedom,” said Zisser. “It is in that sense a problematic technology and working out the rules for its control is the challenge.”
Harduf added that “technology is known to be neither good nor bad; it is but a tool. Like guns and knives, cars and electricity, cyber technology can be used to help others or to hurt them. We must consider how to encourage positive uses and suppress negative ones.”