NSO claims 'more than 5' EU states use Pegasus spyware

And it's like, what ... 12, 13,000 total targets a year max, exec says


NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.

The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday. 

Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."

Generally speaking, a target selected by an NSO customer has their phone or other device infected with hidden spyware via the exploitation of one or more security vulnerabilities. Once installed, this software can secretly snoop on that person's calls, messages, and other activities. The code is installed by, say, sending a booby-trapped message to the victim that when received and automatically processed by their device, causes the spyware to silently deploy and run.

These tools are "licensed solely to law enforcement and government agencies," Gelfand said, adding these are "limited in number, and contracts are carefully contracted to only permit legitimate use."

Well, kind of

But, later, he added, sometimes private companies do get involved. A government agency "is always the end user," Gelfand said.

"There are sometimes commercial, third parties that are involved in the transaction for reasons of security aspects," he continued. "These commercial third parties will very often be the in-between as an intermediary between NSO and a government on the contractual side of things. They never receive use of the system itself, they do not have access to the system."

The US ban-hammered the notorious Israeli software provider last year. European lawmakers opened an inquiry this year into spyware in general, and Pegasus more specifically, after the code was reportedly found on cellphones associated with the UK and Spanish prime ministers, Spain's defense minister, and dozens of Catalan politicians and members of civil society groups. 

Gelfand refused to answer if his company sold spyware, or had revoked licenses, to countries including Saudi Arabia, the United Arab Emirates, Hungary, and Poland while he was questioned for two and a half hours by Euro lawmakers. However, they did manage to extract some interesting details about Pegasus during the questioning. 

Previously, the surveillance-ware maker had 60 customers in 45 countries, but "that number has gone down," Gelfand said. In addition, NSO is investigating "over 20" customers that are allegedly misusing the software.

And while the Pegasus Project reported a list of more than 50,000 phone numbers that had been targeted by the zero-touch spyware, Gelfand told the committee that a more accurate number "in a given year is approximately 12,000 to 13,000 targets."

'Saving lives worldwide' since 2010

As a reminder: NSO Group claimed it developed the data-stealing software to help law enforcement agencies prevent terrorist attacks and break up pedophile crime rings. In Gelfand's words: "This technology has been conceived and designed to save lives worldwide … [and] make the world a safer place."

However, its more highly publicized uses, by governments worldwide, include spying on journalists, activists, everyday citizens, elected officials, and their political opponents.

During the RSA Conference this month Heather Mahalik, a senior director of digital intelligence at SANS Institute, named Pegasus as one of the most dangerous cyber threats today.

"This attack literally flies through the air, lands on your iOS or Android device," Mahalik said. "You don't click it, and it immediately self-installs, which is where my job becomes very difficult. It also self-destructs."

The flying-horse malware can be installed on a victim's phone without any user interaction. And once it's deployed, the NSO customer controlling that instance of Pegasus has access to everything on the victim's device, including emails, passwords, and photos.  

How NSO scores countries

The Israel-based company says it scores countries before it will sell Pegasus to them, and claims [PDF] these scores take into account things like a country's record on human rights and free speech, as well as political stability and perceived corruption.

If a country scores a 20 or lower, NSO says it won't sell them spyware; Gelfand added, "we have since raised that bar."

When asked by EU lawmakers about various countries' scores, Gelfand said Saudi Arabia received "around 30." For comparison: Belgium's score is around 80, while Spain comes in around 75, and Poland and Hungary are 65 or 64, according to Gelfand.

If a customer violates the terms of its agreement with NSO – we wonder if snooping on Amazon founder Jeff Bezos is a deal breaker – the vendor says it can remotely shut down the customer's Pegasus deployment.

"I can confirm that when we define a customer that has violated the terms of use, they're terminated," Gelfand said, again declining to discuss if, for example, Saudi Arabia was one such terminated customer.

He did note that NSO has fired "over eight" customers during the "past several years," and that some of these misbehaving agencies came to light because of whistleblowers and the Pegasus Papers. 

"We have terminated contracts with EU member states," Gelfand said.

Terminating contracts with or outright refusing to sell Pegasus to customers has cost the beleaguered company more than $300 million, Gelfand noted. "We're always putting ethics over revenue, and the amount of money that this has cost us in contracts that we have not entered is huge," he said.

Cue the violins.

How about those acquisition rumors?

Speaking of lost revenue, President Joe Biden's crackdown on NSO has been another financial blow to the poor spyware developer. And when asked about rumors that US defense contractor L3Harris and data-mining firm Palantir had both expressed interest in buying NSO, Gelfand again declined to answer.

"The company is always in various negotiations with different companies around the world," he said. "Regarding acquisitions: more than that is something that I can't get into because of confidential information." ®

Biting the hand that feeds IT © 1998–2022