Written by Austin Myhre
Throughout the summer, story after story broke about a little-known company called NSO Group and a piece of their spyware called Pegasus. These reports alleged that the Pegasus spyware had infected and targeted people across the world, including journalists, human rights activists, and even heads of state. In a coordinated information campaign known as “The Pegasus Project,” a coalition of news outlets, non-profits, and non-governmental organizations sought to illuminate the shadowy underbelly of Pegasus.
What is Pegasus?
Pegasus is a spyware program developed by NSO Group, an Israel-based private contractor, for government agencies. The spyware infects a target’s phone and steals personal data, including passwords, photos, messages, contacts, and audio/video recordings. Recent versions of Pegasus can reportedly infect a target’s phone without the user even clicking a link. One of its major selling points was that the software and its activities could not be traced back to the government using it. Put simply, Pegasus and programs like it allow governments to covertly spy on private citizens—journalists, activists, dissidents, etc.
On its website, NSO Group described its technology as a tool for “government intelligence and law enforcement agencies to fight crime and terror.” In response to allegations of wrongdoing, the firm told The Washington Post that Israel’s Ministry of Defense approves the export of NSO products. It also said that NSO Group only works with government agencies and revokes access to Pegasus if it finds evidence of abuse.
What is The Pegasus Project?
Investigating and reporting on the Pegasus spyware and its use, The Pegasus Project is a coalition of news outlets, non-profits, and non-governmental organizations. Forbidden Stories, a France-based non-profit journalism organization, and Amnesty International, an international non-governmental human rights organization, initially had access to a list of 50,000 phone numbers allegedly targeted by the Pegasus spyware and shared it with 16 media organizations. Some key news organizations include U.S.-based The Washington Post, France-based Le Monde, and U.K.-based The Guardian. In addition, Amnesty’s Security Lab administered forensic analyses on the data.
In 2021, a data leak provided a list that contains 50,000 phone numbers. Although NSO Group claims it has nothing to do with the list, obfuscating the list’s purpose, recent reporting by The Pegasus Project alleges that these numbers belong to individuals targeted by the Pegasus spyware. However, The Washington Post says the list does not contain information about who added numbers to it or whether people linked to the numbers were under surveillance. When The Pegasus Project analyzed the list, it linked over 1,000 numbers to their owners, finding scores of people technically off-limits for government spying under NSO standards. This list contains 85 human rights activists, 189 journalists, three presidents (including French President Emmanuel Macron), ten former and current prime ministers, and the king of Morocco. In further contradiction to NSO Group’s statements, Amnesty International analyzed 67 phones connected to the numbers, finding that the spyware targeted at least 37 phones and successfully hacked 23 phones. The French National Agency for the Security of Information Systems (ANSSI), France’s intelligence agency, confirmed that Pegasus spyware infected the phones of three French journalists, which was the first time an official authority corroborated the findings of The Pegasus Project.
Concerns over Governments’ Use of Pegasus
Although it is widely understood that governments spy on their citizens, there is some expectation that governments limit the spying to suspected terrorists and criminals—for national security purposes. Given that hundreds of human rights activists and journalists were on the list, The Pegasus Project’s reporting raises concerns about the ulterior motives behind governments using Pegasus.
In 2016, Arab human rights activist Ahmed Mansoor received a text message promising "secrets" about torture occurring in prisons in the United Arab Emirates if he followed a link. Mansoor sent the link to Citizen Lab and Lookout Security, digital forensics researchers, which found that it would implant the spyware into his phone if Mansoor clicked the link. Lookout Security explained in a blog post that this spyware “has been in the wild for a significant amount of time,” dating back to iOS 7. These revelations are alarming, especially considering that U.S. phone maker Apple touts its iPhone as impervious to hacking. Confirming the lab’s analysis, The New York Times and The Times of Israel both reported that the United Arab Emirates used the spyware as early as 2013.
Although a 2018 Citizen Lab report claims that 45 countries use Pegasus, The Pegasus Project identified at least ten governments believed to be NSO customers: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates (UAE). Although some of these governments deny using Pegasus, many of these countries are authoritarian regimes, further raising questions about the spyware’s use beyond combatting terrorism and criminal activities. Of the named countries, Hungary, India, Morocco, and Rwanda denied using Pegasus to hack the phones on the list. Furthermore, the Moroccan government’s lawyers filed defamation claims against Amnesty International and Forbidden Stories. However, these allegations align with the repressive track records of these regimes. In Hungary, for example, it is now alleged that Hungarian Prime Minister Viktor Orban’s government used Pegasus in its extensive, brutal crackdown on press and activists.
In 2016, Mexican journalists began reporting that the Mexican government used Pegasus to surveil its citizens, particularly government critics. First purchasing the spyware in 2011, Mexico became a testbed for Pegasus, NSO Group’s first state client outside Israel. From then until 2018, according to Mexico’s Public Security Ministry, the Mexican government spent $160 million on Pegasus. In 2017, after journalists revealed more harrowing truths, Mexico’s then-President Enrique Pena Nieto said alleged victims ‘could not prove they had been harmed by the practice.’ Now, with four years to investigate the explosive allegations, Mexican prosecutors still cannot say who ordered the mass surveillance, and there are no arrests or firings to date. Even though government documents indicate that the central government was the sole purchaser, Mexican authorities wasted crucial time determining if any of Mexico’s 2,000 municipalities, most of which could not afford the spyware’s multimillion-dollar price tag, purchased Pegasus. The special prosecutor in the government investigation, Ricardo Sanchez Perez del Pozo, defended his office’s efforts. However, the same attorney general’s office is one of the first entities to purchase and then abuse the software. In 2019, National Institute for Transparency, Access to Information and Personal Data Protection (INAI), an independent Mexican watchdog, said the attorney general’s office broke data protection law. One Mexican official allegedly responsible for buying the Israeli software, Tomas Zeron, is now in Israel and remains the subject of an extradition request by Mexican authorities. Mexican authorities struggled to get information from both NSO Group and the Israeli Foreign Ministry.
In 2020, according to the Israeli newspaper Haaretz, NSO Group sold Pegasus spyware for hundreds of millions to the United Arab Emirates and the other Gulf States for surveillance of anti-regime activists, journalists, and political leaders from rival nations. A few months later, Al Jazeera exclusively covered Pegasus and its penetration into the phones of its journalists.
Examples of Pegasus’ Potential Abuse
In their exclusive reporting, The Washington Post highlighted multiple potential cases of targeting. In 2018, Princess Latifa, daughter of UAE Prime Minister Sheikh Mohammad bin Rashid Al Maktoum, attempted to gain political asylum and escape the United Arab Emirates on a yacht. She was promptly stopped and allegedly kidnapped when armed commandos hijacked the yacht. Her phone number, along with some of her friends, was on that leaked list. In another case, assassins located and killed a freelance Mexican reporter, Cecilio Pineda Birto, at a carwash. Authorities never found his phone, making it impossible to test whether it was infected. However, his phone number was on that list. In a case affecting a citizen outside the public light, a female employee of the Supreme Court of India accused the former Chief Justice of India, Ranjan Gogoi, of sexual harassment. Later, 11 phone numbers associated with her and her immediate family joined that list.
In the most salient case, some numbers on the list belonged to people close to Jamal Khashoggi, a Washington Post journalist murdered in 2018. Assassins employed by NSO Group client Saudi Arabia killed and dismembered Khashoggi in Turkey. While it does not appear that Khashoggi was on the list, The Washington Post reported that people close to him were, one such being Khashoggi’s fiancé, who was targeted before his death. After Khashoggi’s death, Saudi Arabia and the United Arab Emirates used Pegasus to monitor his associates and the Turkish murder investigation, even targeting Turkey’s chief prosecutor.
Although The Pegasus Project’s recent reporting places the spotlight on NSO Group, the spyware was in the news for years beyond the aforementioned instances. In 2019, messaging app WhatsApp filed a lawsuit against NSO Group for an alleged role in hacking around 1,400 devices. Cisco, Google, Microsoft, and other tech companies emphasized their support for WhatsApp’s lawsuit. As of April 2021, the case was ongoing. In 2020, the FBI reportedly investigated NSO Group in connection with the 2018 hack of Jeff Bezos’ cellphone.
NSO Group’s Ties to Washington
After investigations alleged that governments used Pegasus to target dissidents, NSO Group sought the assistance of many high-level U.S. officials. Initially, NSO Group reached out to WestExec Advisors, a consulting firm founded by current Secretary of State Tony Blinken and staffed by national-security experts from the Obama administration. With Biden appointing 15 members of the firm to his administration, the group has close ties to the Biden administration, as well. Although WestExec turned them down, Dan Shapiro, a WestExec consultant based in Israel and Obama’s former ambassador to the country, already worked for NSO Group. Months before they founded WestExec in 2017, Shapiro independently consulted for NSO Group. According to The New York Times, Shapiro advised them to stop selling to Saudi Arabia. At first, NSO Group ceased sales to Saudi Arabia. However, months later, under new ownership (Novalpina), and with the encouragement of the Israeli government and the Trump administration, NSO Group once again sold to Saudi Arabia. Shapiro assisted NSO Group through the end of 2018 and participated in Biden campaign strategy calls in 2020. He is now under consideration to be President Biden’s special envoy to the Middle East. Considering that a consulting firm like WestExec rejected NSO Group, despite working for other defense and technology firms, it demonstrates the severity of NSO’s products.
Beacon Global Strategies, a consulting firm founded by former CIA and Pentagon official Jeremy Bash, Hillary Clinton adviser Andrew Shapiro, and former House aide Michael Allen, advised NSO Group until 2019. Daniel Jacobson, who just joined the Biden administration as general counsel for the Office of Administration, provided legal services to a subsidiary of NSO’s parent company. Rod Rosenstein, who served as deputy attorney general, counseled NSO Group in the WhatsApp lawsuit. Jeh Johnson and Juliette Kayyem, both Obama homeland security officials, advised NSO Group. Mercury Public Affairs, where former Senator Barbara Boxer is a co-chair and former Los Angeles Mayor Antonio Villaraigosa is a partner, currently handles public relations for NSO Group, receiving $120,000 monthly.
Despite the extensive list of former Washington officials involved with NSO Group, significant focus remains on one current White House official, Anita Dunn. Taking a leave of absence from her consulting firm SKDKnickerbocker, Dunn joined the Biden administration as a senior adviser after advising Biden’s presidential campaign. In 2019, SKDKnickerbocker advised NSO Group. However, it remains unclear whether she personally worked for the company. Dunn circumvented federal ethics rules that require financial disclosures by serving as a temporary employee and taking a salary below a threshold that would require public filings. Even if Dunn did not directly work for NSO Group, her firm, which bears her name (the D in SKDK), worked to repair and rebuild the company’s shaky reputation.
The list of former and current U.S. officials who had/have business dealings with NSO Group is long, and it has not necessarily hurt their careers. Nevertheless, these revelations are troubling, especially as the Pegasus spyware jeopardizes U.S. national security.
With The Pegasus Project placing the spotlight on NSO Group, greatly damaging its public reputation, the future of NSO Group is up in the air. In the private sphere, NSO Group faces financial uncertainty. According to Sky News, private equity firm Novalpina Capital, which has majority ownership of NSO Group, is in utter disarray due to significant disagreements among its founders. In response, Novalpina’s largest investors, including the Oregon state employee pension fund, the Alaska Permanent Fund Corporation, and England’s South Yorkshire Pensions Authority, considered picking consulting firm Berkeley Research Group to replace Novalpina. Now, the Oregon Investment Council, which oversees the state’s $90 billion state employee pension fund, intends to intervene. If Novalpina’s investors appoint Berkeley Research Group, it will face a mandate to return investors’ money by selling the three companies Novalpina owns, including NSO Group.
NSO Group also faces potential scrutiny from governments. Despite NSO Group’s connections to former and current U.S. officials, the Biden administration raised concerns with top Israeli officials about NSO Group. Brett McGurk, a top Biden administration adviser on the Middle East, privately questioned Zohar Palti, a senior Israeli defense ministry official, about NSO Group. Palti reportedly told McGurk that Israel would examine whether it needed to change rules around how cyber weapons were sold to other countries. Other governments, including France, already plan to pursue criminal investigations into the matter. Israel reportedly launched its own investigation, with officials inspecting NSO’s offices. This visit came while the defense minister, Benny Gantz, arrived in France to discuss the Pegasus news, among other topics. Early media reports described the ‘visit’ as a “raid,” but NSO Group countered that it was not a raid and that they work “in full transparency with the Israeli authorities.”
Although NSO Group and the aforementioned governments denied the allegations of wrongdoing, they released no contradictory evidence to date. Either way, The Pegasus Project’s reporting emphasizes a crucial truth: if a bad actor can abuse advancements in technology, they will. In the 21st century, immense technological strides fuel social movements and democratize access to information across the world. If used properly, technology can protect and even promote human rights. Unfortunately, in the same stroke, the most powerful and corrupt can exploit that same technology for their gain, abusing human rights in the process. From the Snowden leaks to the recent revelations of The Pegasus Project, these abuses never cease; the corrupt abused technology in the past, abuse it in the present, and will undoubtedly abuse it in the future. Pegasus is only one spyware among many, and NSO Group is only one company among many; however, with the world’s attention focused on NSO Group and Pegasus, there is yet another opportunity to hold the powerful accountable. Whether or not these discoveries will lead to greater accountability is unknown, but it is a testament to the importance of investigative journalism in challenging the status quo, uncovering dark truths, and ultimately protecting the bedrock of free societies: human rights.