Haim Gelfand, general counsel of spyware maker NSO Group, declined to answer specific questions about the company’s clients during a European Parliament committee meeting on Thursday.
Instead, he repeatedly insisted that NSO sells its spyware exclusively to government agencies – not private companies or individuals – and only “for the purpose of preventing and investigating terrorism and other serious crimes.”
Typically, a target chosen by an NSO customer has their phone or other device infected with covert spyware through the exploitation of one or more vulnerabilities. Once installed, the software can secretly monitor that person’s calls, messages, and other activity. The code can be delivered, for example, by sending a booby-trapped message to the victim that, when automatically received and processed by their device, causes the spyware to install and run silently.
These tools are “licensed only to law enforcement and government agencies,” Gelfand said, adding that these are “limited in number, and carefully contracted to allow only legitimate use.”
Well, kind of
But he later conceded that private companies are sometimes involved. The government agency is “always the end user,” Gelfand said.
“There are sometimes external commercial parties involved in the deal for security reasons,” he added. “These commercial third parties will often be in the middle as an intermediary between the NSO and the government on the contractual side of things. They never receive use of the system itself, and they never have access to the system.”
A US ban last year damaged the notorious Israeli software provider. European lawmakers this year opened an investigation into spyware in general, and Pegasus more specifically, after the code was reportedly found on mobile phones linked to the prime ministers of the United Kingdom and Spain, Spain’s defense minister, and dozens of Catalan politicians and members of civil society groups.
Gelfand declined to say whether his company had sold spyware to, or revoked the licenses of, countries including Saudi Arabia, the United Arab Emirates, Hungary and Poland during two and a half hours of questioning by EU lawmakers. They were, however, able to extract some interesting details about Pegasus during the session.
The spyware maker previously had 60 customers in 45 countries, but “that number is down,” Gelfand said. In addition, NSO has investigated “more than 20” customers who were allegedly abusing the software.
And while the Pegasus Project reported a list of more than 50,000 phone numbers targeted by the mobile spyware, Gelfand told the committee that the most accurate number “in a given year is roughly 12,000 to 13,000 targets.”
Saving Lives Worldwide Since 2010
Remember: NSO Group claims it developed its spyware to help law enforcement agencies prevent terrorist attacks and dismantle child sexual exploitation crime syndicates. In Gelfand’s words: “This technology has been invented and designed to save lives around the world… [and] make the world a safer place.”
However, its most prevalent uses, by governments around the world, include spying on journalists, activists, private citizens, elected officials and their political opponents.
During this month’s RSA conference, Heather Mahalik, senior director of digital intelligence at the SANS Institute, described Pegasus as one of today’s most serious cyber threats.
“This attack is literally flying through the air, landing on your iOS or Android device,” Mahalik said. “You don’t click on it, and it instantly self-installs, as my job becomes very difficult. It also self-destructs.”
The malware can be installed on the victim’s phone without any user interaction. Once deployed, the NSO customer controlling that Pegasus instance can access everything on the victim’s device, including emails, passwords, and photos.
How NSO rates countries
The Israel-based company says it scores countries before selling Pegasus to them, and claims [PDF] that these scores take into account things like a country’s record on human rights and freedom of expression, as well as political stability and perceived corruption.
If a country scores 20 points or less, NSO says it will not sell it spyware. “We’ve since raised that limit,” Gelfand added.
Asked by EU lawmakers about the scores for “different countries”, Gelfand said Saudi Arabia received “about 30”. For comparison: Belgium has a score of around 80, Spain comes in at around 75, and Poland and Hungary come in at 65 or 64, according to Gelfand.
If a customer violates the terms of its agreement with NSO — we wonder if snooping on Amazon founder Jeff Bezos spoils deals — the vendor says it can shut down the customer’s Pegasus deployment remotely.
Gelfand said NSO has dropped “more than eight” customers over the “past several years,” and that some of these misbehaving agencies came to light thanks to whistleblowers and the Pegasus Papers.
“We have terminated contracts with EU member states,” Gelfand said.
Gelfand said that terminating contracts, or refusing outright to sell Pegasus to would-be customers, has cost the beleaguered company more than $300 million. “We always put ethics over revenue, and the amount of money we’ve costed this in contracts we didn’t do is huge,” he said.
What about those takeover rumors?
Speaking of lost revenue, President Joe Biden’s crackdown on NSO was another financial blow to the poor spyware developer. Asked about rumors that US defense contractor L3Harris and data mining company Palantir have expressed interest in buying NSO, Gelfand again declined to answer.
“The company always has different negotiations with different companies around the world,” he said. “Regarding acquisitions: more than that, something I can’t get into because of classified information.” ®