URL | https://Persagen.com/docs/nso_group.html | |
Sources | Persagen.com | Wikipedia | other sources (cited in situ) | |
Source URL | https://en.wikipedia.org/wiki/NSO_Group | |
Date published | 2021-11-08 | |
Curation date | 2021-11-08 | |
Curator | Dr. Victoria A. Stuart, Ph.D. | |
Editorial practice | Refer here | Date format: yyyy-mm-dd | |
Summary | NSO Group Technologies (NSO standing for Niv, Shalev and Omri, the names of the company's founders) is an Israeli technology firm primarily known for its proprietary | |
NSO Group Technologies Ltd.
Name | NSO Group Technologies Ltd. |
Abbreviation | NSO |
Founded | 2010 |
Founders |
|
Type | Privately held company |
Industry | Technology |
Location | Israel |
Headquarters | Tel Aviv, Israel |
Areas served | Global |
CEO | Shalev Hulio (see also) |
Board of Directors | website | Archive.org | local copy |
Known for |
|
Products | Pegasus spyware |
Owners |
|
Website | NSOGroup.com |
NSO Group Technologies (NSO standing for Niv, Shalev and Omri, the names of the company's founders) is an Israeli technology firm known for its proprietary spyware Pegasus, which is capable of remote zero-click surveillance of smartphones. It was founded in 2010 by Niv Karmi [also known as: Niv Carmi], Omri Lavie [see also], and Shalev Hulio [see also]. It reportedly employed almost 500 people as of 2017, and is based in Herzliya, near Tel Aviv, Israel.
NSO Group is a subsidiary of the Q Cyber Technologies group of companies. Q Cyber Technologies is the name the NSO Group uses in Israel, OSY Technologies in Luxembourg, and in North America it has a subsidiary formerly known as Westbridge - a former technology company now part of Progress Software. NSO Group has operated through other companies around the world.
According to several reports, software created by NSO Group was used in targeted attacks against human rights activists and journalists in various countries, was used in state espionage against Pakistan, and played a role in the murder of Saudi dissident Jamal Khashoggi by agents of the Saudi government. In October 2019, instant messaging company WhatsApp and its parent company Facebook sued NSO and Q Cyber Technologies under the U.S. Computer Fraud and Abuse Act (CFAA). NSO claims that it provides authorized governments with technology that helps them combat terror and crime.
The Pegasus spyware is classified as a weapon by Israel and any export of the technology must be approved by the government.
Annual revenues were around US$40 million in 2013 and $150 million in 2015. In June 2017, the company was put up for sale for $1 billion by Francisco Partners. NSO Group founders Omri Lavie and Shalev Hulio - partnering with European private equity fund Novalpina Capital [defunct, 2021-08] - purchased a majority stake in NSO in February 2019.
On 3 November 2021 the United States added the NSO Group to its Entity List for acting "contrary to the foreign policy and national security interests of the U.S.", a listing that effectively bans the sale of hardware and software to the company.
NSO's founders are ex-members of Unit 8200, the Israeli Intelligence Corps unit responsible for collecting signals intelligence. NSO Group's start-up funding came from a group of investors headed by Eddy Shalev [Chairman of F2 Venture Capital | local copy], a partner in venture capital fund Genesis Partners. The group invested a total of $1.8 million for a 30% stake.
In 2012, the government of Mexico announced the signing of a $20 million contract with NSO. It was later revealed by a New York Times investigation that NSO's product was used to target journalists and human rights activists in the country. In 2015, the company sold surveillance technology to the government of Panama. The contract became the subject of a Panamanian anti-corruption investigation following its disclosure in a leak of confidential information from Italian firm Hacking Team.
In 2014, the American private equity firm Francisco Partners bought the company for $130 million. In 2015 Francisco was seeking to sell the company for up to $1 billion. The company was officially put up for sale for more than $1 billion in June 2017, roughly ten times what Francisco originally paid in 2014. At that time, NSO had almost 500 employees, up from around 50 in 2014.
On August 1, 2018, the human rights group Amnesty International accused NSO Group of helping Saudi Arabia spy on a member of the organization's staff.
Citizen Lab researchers reported in October 2018 that they were being targeted by undercover operatives connected to NSO. In response to an Associated Press report, NSO denied any involvement.
In early February 2019, one of the operatives targeting Citizen Lab researchers was identified as Aharon Almog-Assouline, a "former Israeli security official living in the Tel Aviv suburb of Ramat HaSharon."
On February 14, 2019, Francisco Partners sold a 60% majority stake of NSO back to co-founders Shalev Hulio and Omri Lavie, who were supported in the purchase by Novalpina Capital [defunct, 2021-08]. Hulio and Lavie invested $100 million, with Novalpina Capital acquiring the remaining portion of the majority stake, thus valuing the company at approximately $1 billion. The day after the acquisition, Novalpina Capital attempted to address the concerns raised by Citizen Lab with a letter, stating their belief that NSO operates with sufficient integrity and caution.
In April 2019, NSO froze its deals with Saudi Arabia over a scandal alleging NSO software's role in tracking murdered journalist Jamal Khashoggi in the months before his death.
In May 2019, messaging service WhatsApp alleged that a spyware injection exploit targeting its calling feature was developed by NSO. Victims were exposed to the spyware payload even if they did not answer the call. WhatsApp told the Financial Times that "the attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems." NSO denied involvement in selecting or targeting victims, but did not explicitly deny creating the exploit. In response to the alleged cyberattack, WhatsApp sued NSO under the Computer Fraud and Abuse Act (CFAA) and other U.S. laws in a San Francisco court on 2019-10-29. WhatsApp stated that the exploit targeted 1,400 users in 20 countries, including "at least 100 human-rights defenders, journalists and other members of civil society."
NSO employees had complained to WhatsApp about improved security, according to the court filings by WhatsApp and its parent company Facebook.
On or about May 13, 2019, Facebook publicly announced that it had investigated and identified a vulnerability involving the WhatsApp Service (CVE-2019-3568). WhatsApp and Facebook closed the vulnerability, contacted law enforcement, and advised users to update the WhatsApp app. Defendants subsequently complained that WhatsApp had closed the vulnerability. Specifically, NSO Employee 1 stated, "You just closed our biggest remote for cellular ... It's on the news all over the world."
WhatsApp also alerted the 1,400 targeted users. In at least one case, the surveillance was authorized by a judge.
In April 2020, NSO Group blamed the hacking of 1,400 WhatsApp users, including journalists and human rights activists, on its government clients. However, the firm did not disclose the names of its clients which, as Citizen Lab stated, include authorities in Saudi Arabia, UAE, Bahrain, Kazakhstan, Morocco, and Mexico. In court filings WhatsApp alleged that its investigation into how NSO's Pegasus was used against 1,400 users in 2019 showed that the hacks originated from NSO Group servers rather than its clients' servers. WhatsApp said "NSO used a network of computers to monitor and update Pegasus after it was implanted on users' devices. These NSO-controlled computers served as the nerve centre through which NSO controlled its customers' operation and use of Pegasus." WhatsApp said that NSO gained "unauthorised access" to WhatsApp servers by reverse-engineering the WhatsApp app to be able to evade security features. NSO responded "NSO Group does not operate the Pegasus software for its clients."
In 2014, the surveillance firm Circles merged with the NSO Group. Circles is capable of identifying the location of a phone in seconds, anywhere in the world. It was identified that 25 countries across the world were customers of Circles. The firm has two systems. One operates by connecting to the purchasing country's local telecommunications companies' infrastructure. The other, separate system, known as the "Circles Cloud", is capable of interconnecting with telecommunications companies across the globe. In December 2020, the Citizen Lab reported that the Supreme Council on National Security (SCNS) of the United Arab Emirates was set to receive both these systems. In a lawsuit filed against the NSO Group in Israel, email exchanges revealed links between Circles and several customers in the United Arab Emirates. Documents also revealed that Circles sent targets' locations and phone records to the United Arab Emirates' SCNS. Aside from Israel and the United Arab Emirates, the report named the governments of Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Vietnam, Zambia, and Zimbabwe as likely customers of Circles surveillance technology.
In September 2021, Forensic News published shipping records showing that in 2020 Circles supplied equipment to Uzbekistan's State Security Service (SGB).
In late 2020, Vice Media published an article in which it reported that NSO Group had closed the Cyprus-based offices of Circles, the company it had acquired in 2014. The article, based on interviews with two former employees, described the integration between the two companies as "awful" and stated that NSO would rely on Circles' Bulgarian office instead. According to Vice, this came just over a year after an activist group known as Access Now wrote to authorities in both Cyprus and Bulgaria, asking them to further scrutinise NSO exports. Access Now had stated that they had received denials from both the Bulgarian and Cypriot authorities, with both countries stating that they had not provided export licenses to the NSO Group. Despite this, an article written by The Guardian during the 2021 Pegasus scandal quoted NSO Group as saying that it had been "regulated by the export control regimes of Israel, Cyprus and Bulgaria." NSO's own "Transparency and Responsibility Report 2021," published about a month before the scandal, makes the same statement, adding that those were the three countries through which NSO exported its products. Circles' Bulgarian office, in particular, was stated to have been founded as a "bogus phone company" in 2015 by Citizen Lab citing IntelligenceOnline, a part of Indigo Publications. This report was reprinted by the Bulgarian investigation publication Bivol in December 2020, which appended it with public registry documents which indicated that the company's Bulgarian office had grown to employ up to 150 people and had received two loans worth about 275 million American dollars in 2017 from two offshore companies and a Swiss bank registered in the Cayman Islands.
The Israeli Ministry of Defense licenses the export of Pegasus spyware to foreign governments, but not to private entities.
Early versions of Pegasus were used to surveil the phone of Joaquín Guzmán, known as El Chapo. In 2011, Mexican president Felipe Calderón reportedly called NSO to thank the company for its role in Guzmán's capture.
On August 25, 2016, Citizen Lab and Lookout revealed that Pegasus was being used to target human rights activist Ahmed Mansoor in the United Arab Emirates. Mansoor informed Citizen Lab researchers Bill Marczak and John Scott-Railton that his iPhone 6 had been targeted on 2016-08-10, by means of a clickable link in an SMS text message.
Analysis by Citizen Lab and Lookout discovered that the link downloaded software to exploit three previously unknown and unpatched zero-day vulnerabilities in iOS. According to their analysis, the software can jailbreak an iPhone when a malicious URL is opened, a form of attack known as spear phishing. The software installs itself and collects all communications and locations of targeted iPhones, including communications sent through iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype. The software can also collect Wi-Fi passwords. The researchers noticed that the software's code referenced an NSO Group product called "Pegasus" in leaked marketing materials. Pegasus had previously come to light in a leak of records from Hacking Team, which indicated the software had been supplied to the government of Panama in 2015. The researchers discovered that Mexican journalist Rafael Cabrera had also been targeted, and that the software could have been used in Israel, Turkey, Qatar, Kenya, Uzbekistan, Mozambique, Morocco, Yemen, Hungary, Saudi Arabia, Nigeria, and Bahrain.
Citizen Lab and Lookout notified Apple Inc.'s security team, which patched the flaws within ten days and released an update for iOS. A patch for macOS was released six days later.
In 2017, Citizen Lab researchers revealed that NSO exploit links may have been sent to Mexican scientists and public health campaigners. The targets supported measures to reduce childhood obesity, including Mexico's "Soda Tax."
In April 2017, after a Lookout report, Google researchers discovered Android malware "believed to be created by NSO Group Technologies" and named it Chrysaor (Pegasus' brother in Greek mythology). According to Google, "Chrysaor is believed to be related to the Pegasus spyware."
In July 2017, the international team assembled to investigate the 2014 Iguala mass kidnapping publicly complained they thought they were being surveilled by the Mexican government. They stated that the Mexican government used Pegasus to send them messages about funeral homes containing links which, when clicked, allowed the government to surreptitiously listen to the investigators. The Mexican government has repeatedly denied any unauthorized hacking.
In June 2018, an Israeli court indicted a former employee of NSO Group for allegedly stealing a copy of Pegasus and attempting to sell it online for $50 million worth of cryptocurrency.
In October 2018 Citizen Lab reported on the use of NSO software to spy on the inner circle of Jamal Khashoggi just before his murder. Citizen Lab's 2018-10 report stated, with high confidence, that NSO's Pegasus had been placed on the iPhone of Saudi dissident Omar Abdulaziz, one of Khashoggi's confidantes, months before. Abdulaziz stated that the software revealed Khashoggi's "private criticisms of the Saudi royal family," which according to Abdulaziz "played a major role" in Khashoggi's death. In December 2018, a New York Times investigation concluded that Pegasus software played a role in Khashoggi's murder, with a friend of Khashoggi stating in a filing that Saudi authorities had used the Israeli-made software to spy on the dissident. NSO CEO Shalev Hulio stated that the company had not been involved in the "terrible murder," but declined to comment on reports that he had personally traveled to the Saudi capital Riyadh for a $55 million Pegasus sale.
In July 2019, it was reported that NSO Group had sold Pegasus software to Ghana in around 2016.
In June 2020, an investigation by Amnesty International alleged that Moroccan journalist Omar Radi was targeted by the Moroccan government using the Israeli spyware Pegasus. The rights group claimed that the journalist was targeted three times and spied on after his device was infected with an NSO tool. Meanwhile, Amnesty International also claimed that the attack came after the NSO Group updated their policy in September 2019.
According to an investigation by The Guardian and El País, Pegasus software was used by the government of Spain to compromise the phones of several politicians active in the Catalan independence movement, including President of the Parliament of Catalonia Roger Torrent, and former member of the Parliament of Catalonia Anna Gabriel i Sabaté. The results of a joint investigation by The Guardian and Le Monde alleged that people targeted by Pegasus software included six critics of the government in Togo, journalists in India and Morocco, and political activists in Rwanda.
Pegasus has been used to target and intimidate Mexican journalists by drug cartels and cartel-entwined government actors.
A report by The Citizen Lab revealed in December 2020 that the NSO Group shifted towards zero-click exploits and network-based attacks. This allowed its government customers to break into target phones without interaction and without leaving any visible traces. According to the report, Saudi Arabia and the United Arab Emirates used the zero-click tool of the Pegasus spyware and deployed it through an opening in iMessage, to target two London-based reporters and 36 journalists at the Al Jazeera television network in Qatar.
In July 2021, a joint investigation conducted by seventeen media organisations revealed that Pegasus spyware was used to target and spy on heads of state, activists, journalists, and dissidents, enabling "human rights violations around the world on a massive scale." The investigation, dubbed "the Pegasus Project", was launched after a leak of 50,000 phone numbers of potential surveillance targets. Amnesty International carried out forensic analysis of mobile phones of potential targets. The investigation identified 11 countries as NSO clients: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates. The investigation also revealed that journalists from multiple media organizations including Al Jazeera, CNN, the Financial Times, The Associated Press, The New York Times, The Wall Street Journal, Bloomberg News, and Le Monde were targeted, and identified at least 180 journalists from 20 countries who were selected for targeting with NSO spyware between 2016 and June 2021. The investigation further revealed that Azerbaijan, Hungary, India, and Morocco were among the states that used Pegasus to spy on journalists. The spyware was found to have been used to target three family members of the murdered Saudi journalist Jamal Khashoggi prior to his murder by agents of the Saudi state (despite repeated denials of involvement by NSO Group). The investigation discovered in mid-2021 that Koregaon Bhima activists were also successfully targeted by an as yet unidentified hacker who planted "evidence" on their computers.
On 24 August 2021, according to the Citizen Lab, the NSO Group spyware was used to successfully hack the mobile phones of nine Bahraini human rights defenders between June 2020 and February 2021. Of the nine activists, four were believed with a "high degree of confidence" by the Citizen Lab to have been targeted by Bahrain's government using a Pegasus operator, LULU. Two zero-click iMessage exploits, the 2020 KISMET exploit, and a 2021 exploit called FORCEDENTRY, were also used to hack some of the activists. On 2021-09-07, Citizen Lab reported new findings to Apple regarding the FORCEDENTRY vulnerability, leading to Apple quickly releasing patches through iOS and iPadOS 14.8 on 2021-09-13.
On 24 October 2021, reports revealed that The New York Times journalist Ben Hubbard was targeted multiple times using the Pegasus spyware over a three-year period. The targeting reportedly took place between June 2018 and June 2021, while he was reporting on Saudi Arabia, and writing a book about the Saudi Crown Prince Mohammed bin Salman. In 2018, Hubbard was targeted twice with a suspicious text message likely sent by Saudi Arabia and an Arabic text message on WhatsApp inviting him for a protest at a Saudi Embassy in Washington. This was followed by the KISMET zero-click exploit in July 2020. Lastly, on 13 June 2021, an iPhone belonging to Ben Hubbard was successfully hacked using the FORCEDENTRY exploit.
[ProPublica.org, 2022-07-12] Pegasus Spyware Maker NSO Is Conducting a Lobbying Campaign to Get Off U.S. Blacklist. The
[Calcalistech.com (Wikipedia:
[ ... snip ... ]
[APNews.com, 2021-12-21] Polish opposition duo hacked with NSO spyware. | Discussion: Hacker News: 2021-12-22
The aggressive
Citizen Lab could not say who ordered the hacks and NSO does not identify its clients, beyond saying it works only with legitimate
Lawyer Roman Giertych and prosecutor Ewa Wrzosek join a list of government critics worldwide whose phones have been hacked using the company's Pegasus product. The
[ ... snip ... ]
[Reuters.com, 2021-12-03] U.S. State Department phones hacked with Israeli company spyware - sources. | Discussion: Hacker News: 2021-12-03
Apple Inc. iPhones of at least nine United States Department of State [U.S. State Department] employees were
The iPhone hacks, which took place in the last several months [2021], hit
The intrusions, first reported here, represent the widest known
[ ... snip ... ]
[Apple.com, 2021-11-23] Apple sues NSO Group to curb the abuse of state-sponsored spyware. Apple also announced a $10 million contribution to support cybersurveillance researchers and advocates. | Discussion: Hacker News: 2021-11-23
[NPR.org, 2021-11-10] They got hacked with NSO spyware. Now Israel wants Palestinian activists' funding cut.
On Tuesday [2021-11-09], reflecting broad international concern, United Nations officials accused Israel of targeting human rights and humanitarian work with its ban. And on Wednesday [2021-11-10], an Israeli military court convicted a Spanish citizen affiliated with a separate Palestinian organization for secretly fundraising for a terrorist movement which Israel alleges the six banned Palestinian activist groups are closely linked with.
The U.S. had already voiced its surprise at Israel's move to ban the groups, which include internationally regarded civil society organizations. Israel says it has shared intelligence with U.S. and European officials, but that does not appear to have quelled their concerns that Palestinian human rights activists were deemed a threat.
Israel is trying to convince some European countries to stop funding the Palestinian groups. "We will make sure these organizations will not get money," an Israeli security official said, speaking on condition of anonymity because Israel prohibits certain security operatives from identifying themselves. The alleged involvement of NSO Group - which the U.S. sanctioned this month for equipping states with tools to spy on activists around the world - could further complicate Israel's campaign to ostracize the Palestinian groups.
[ ... snip ... ]
[FrontLineDefenders.org, 2021-11-08] Six Palestinian human rights defenders hacked with NSO Group's Pegasus Spyware. | Investigation | local copy | Discussion: Hacker News: 2021-11-08
On 19 October 2021, Israeli Minister of Defense, Benny Gantz, announced the designation of six leading Palestinian civil society organizations in the Occupied Palestinian Territory [Palestinian territories] as "terrorist organizations" under Israel's Anti-Terrorism Law 2016. The groups named are Addameer; Al-Haq; Defense for Children - Palestine; the Union of Agricultural Work Committees; Bisan Center for Research and Development; and the Union of Palestinian Women Committees.
This move is intended to not only criminalize these organizations, but to cut off their funding and other forms of support they receive from international partners and supporters. Front Line Defenders condemns Israel's effort to criminalize support for well-respected and long-serving human rights defenders and their organizations, as it has when other such measures were introduced in countries like Russia, Egypt and Nicaragua.
While this latest move by the Israeli government is part of an alarming trend that is designed to try to stop the work of human rights organisations and human rights defenders, the timing and method of the designation suggests that it is also an effort to legitimate the surveillance and infiltration of the devices of Palestinian human rights defenders using Pegasus spyware, as discovered by a Front Line Defenders forensic investigation (see timeline below).
On 16 October 2021, Front Line Defenders was contacted by Al-Haq, a human rights organisation in Palestine, about the device of a Jerusalem-based staff member and a possible infection with spyware. Front Line Defenders immediately conducted a technical investigation, and found that the device had been infected in July 2020, with spyware sold by Israel-based NSO Group. Front Line Defenders began investigating other devices belonging to members of the 6 designated Palestinian civil society organizations, and found that five additional devices were hacked with the same spyware. Front Line Defenders shared the data it gathered from the phones with Citizen Lab and Amnesty International's Security Lab for independent peer review. Both confirmed, with high confidence, Front Line Defenders' conclusion that the phones were hacked with Pegasus.
[ ... snip ... ]
[theVerge.com, 2021-11-03] Pegasus spyware group blacklisted by the U.S. government. American companies are restricted from exporting their goods and services to NSO Group, the company that built Pegasus.
The United States Department of Commerce has ordered American companies to not sell their tech to NSO Group Technologies, citing reports that the group's Pegasus spyware is used against journalists, government officials, activists, and more. In its press release, the regulator says that the company is being added to the Entity List because its tool threatens "the rules-based international order" when it's sold to repressive foreign governments.
Pegasus is a program designed to infect targets without notice, allowing police and intelligence agencies to get access to a phone's text messages, photos, and passwords, all without leaving a trace. The Washington Post reported in July 2021 that the spyware could infect someone's phone with a single, invisible text message: a target wouldn't have to click on a link or take any action for their fully updated phone to be infected.
NSO's Pegasus spyware was recently in the spotlight because of the Pegasus Project, a collection of journalists who revealed a list of names seemingly connected to the spyware. That list included journalists, activists, heads of state, and others from across the globe, people that NSO says its software shouldn't be used to target. The Pegasus Project also analyzed a handful of journalists' phones and found evidence that the spyware had been installed on them - almost certainly by a government agency, as NSO says those are the only clients it'll sell its software and services to.
Pegasus had made headlines before this year, too. Journalists in Mexico were reportedly targeted with the tool, WhatsApp sued NSO for using an exploit in the messaging app to hack people's phones, and the FBI is said to have at least looked into the company in relation to Jeff Bezos' phone being hacked.
The U.S. Department of Commerce says that NSO is being added to the Entity List, which restricts U.S. companies from exporting products to it, because the company "poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States." This likely relates to U.S. affairs outside its actual borders - NSO has said that its tool can't be used to target American phone numbers, and the Department of Commerce and Pegasus Project haven't contested that fact.
NSO isn't the only company being added to the entity list on Thursday [2021-11-04]. Candiru, another Israeli IT firm that sells spyware (that's reportedly used for similar purposes), is also being blacklisted. The Department of Commerce cited two more companies - one from Russia and one from Singapore - that it says are involved in selling hacking tools.
[CitizenLab.ca, 2021-10-24] New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts. | Discussion, Hacker News: 2021-10-24
The New York Times journalist Ben Hubbard was repeatedly targeted with NSO Group's Pegasus spyware over a three-year period from June 2018 to June 2021. The targeting took place while Hubbard was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.
The targeting resulted in Pegasus infections in July 2020 and June 2021. Notably, these infections occurred after Ben Hubbard complained to NSO Group that Ben Hubbard was targeted by the Saudi-linked kingdom's Pegasus operator in June 2018.
While we attribute the 2020 and 2021 infections to NSO Group's Pegasus spyware with high confidence, we are not conclusively attributing this activity to a specific NSO Group customer at this time. However, we believe that the operator responsible for the 2021 hack is also responsible for the hacking of a Saudi activist in 2021.
Some forensic artifacts that we connect to NSO Group are present on Hubbard's device as early as April 2018, although we are unable to confirm whether this represents a genuine infection attempt or a feasibility test.
A phone number belonging to Hubbard also reportedly appeared on the Pegasus Project list in July 2019. Unfortunately, forensic evidence is not available for this timeframe.
[Tehnologijaviews.xyz, 2021-10-09] NSO Pegasus Spy Software: Why One of the Pegasus Inventors Became A Dropout. | local copy
Three Israelis founded NSO Group. A lot is known about two, but the third got out early. For the first time he speaks about his story.
The third man, who helped develop the Pegasus spy software, is sitting in the meeting room of a law firm in Zurich and is trying to be open-minded. The late summer promenade of Lake Zurich is only one block away. Modern art hangs on the walls, there are two spy thrillers on the shelf - one of the firm's two lawyers writes them under a pseudonym. Thematically, that's entirely appropriate. Because the tall, slim person who holds out his hand in greeting was probably a secret service man himself in the past and is still a phantom today. More than ten years ago he co-founded the Israeli company NSO Group, which has been criticized worldwide for its surveillance trojan Pegasus. He got out after a short time, but the company logo still contains his name. His first name Niv contributed the N contained therein. Together with the initials of the first names of the co-founders Shalev Hulio and Omri Lavie, it became NSO. But because Niv spells his last name differently than previously known, hardly anything could be learned about him. His name is always "Carmi" in Wikipedia and articles about NSO. He himself, however, writes it with a K ["Karmi"]. Why is that wrongly reproduced everywhere? No one who has written about him has asked him, he says.
So Niv Karmi. He is in his late 30s, looks sporty, has dark hair and a dark beard that turns gray at the corners. He has rolled up his shirt sleeves and is smiling cautiously in a friendly manner. It's the first interview he's given about his past, and he's obviously feeling insecure about it, which is why it all starts in his lawyer's office.
Finding Karmi was not so easy due to the different spelling. Colleagues at the Schweizer Wochenzeitung (WOZ: WOZ Die Wochenzeitung) came across him by chance while researching the licenses of the local government for arms exports. Because Karmi has lived in Switzerland for six years and has set up his own company there. Polus Tech designs and sells portable cell towers. They can be used, for example, to quickly install a radio network in a disaster area if the public network has collapsed - just like during the floods on the Ahr. Even after an earthquake: People who have been buried can be located using the mobile phone signals if they have their mobile phone with them. Because technically, the devices work like so-called IMSI-catchers used by law enforcement agencies to find and identify suspects' cell phones. Therefore, Polus Tech needs an official export license from the Swiss government for each of its businesses. Such products are called dual-use because they can be useful tools and dangerous weapons at the same time.
[ ... snip ... ]
[CitizenLab.ca, 2020-12-20] The Great iPwn. Journalists Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit. | local copy
In July and August 2020, government operatives used NSO Group's Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby television network was also hacked.
The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple's then-latest iPhone 11.
Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.
The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.
We do not believe that KISMET works against iOS 14 and above, which includes new security protections. All iOS device owners should immediately update to the latest version of the operating system.
Given the global reach of NSO Group's customer base and the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a minuscule fraction of the total attacks leveraging this exploit.
Infrastructure used in these attacks included servers in Germany, France, U.K., and Italy using cloud providers Aruba, Choopa, CloudSigma, and DigitalOcean.
We have shared our findings with Apple and they have confirmed to us they are looking into the issue.
NSO Group's Pegasus spyware is a mobile phone surveillance solution that enables customers to remotely exploit and monitor devices. The company is a prolific seller of surveillance technology to governments around the world, and its products have been regularly linked to surveillance abuses.
Pegasus became known for the telltale malicious links sent to targets via SMS for many years. This method was used by NSO Group customers to target Ahmed Mansoor, dozens of members of civil society in Mexico, and political dissidents targeted by Saudi Arabia, among others. The use of malicious links in SMSes made it possible for investigators and targets to quickly identify evidence of past targeting. Targets could not only notice these suspicious messages, but they could also search their message history to detect evidence of hacking attempts.
More recently, NSO Group is shifting towards zero-click exploits and network-based attacks that allow its government clients to break into phones without any interaction from the target, and without leaving any visible traces. The 2019 WhatsApp breach, where at least 1,400 phones were targeted via an exploit sent through a missed voice call, is one example of such a shift. Fortunately, in this case, WhatsApp notified targets. However, it is more challenging for researchers to track these zero-click attacks because targets may not notice anything suspicious on their phone. Even if they do observe something like "weird" call behavior, the event may be transient and not leave any traces on the device.
The shift towards zero-click attacks by an industry and customers already steeped in secrecy increases the likelihood of abuse going undetected. Nevertheless, we continue to develop new technical means to track surveillance abuses, such as new techniques of network and device analysis.
Since at least 2016, spyware vendors appear to have successfully deployed zero-click exploits against iPhone targets at a global scale. Several of these attempts have been reported to be through Apple's iMessage app, which is installed by default on every iPhone, Mac, and iPad. Threat actors may have been aided in their iMessage attacks by the fact that certain components of iMessage have historically not been sandboxed [sandbox] in the same way as other apps on the iPhone.
For example, Reuters reported that United Arab Emirates (UAE) cybersecurity company DarkMatter Group, operating on behalf of the UAE Government, purchased a zero-click iMessage exploit in 2016 that they referred to as "Karma," which worked during several periods in 2016 and 2017. The UAE reportedly used Karma to break into the phones of hundreds of targets, including the chairmen of Al Jazeera and Al Araby TV.
A 2018 Vice Motherboard report about a Pegasus product presentation mentioned that NSO Group demonstrated a zero-click method for breaking into an iPhone. While the specific vulnerable app in that case was not reported, a 2019 Haaretz report interviewed "Yaniv," a pseudonym used by a vulnerability researcher working in Israel's offensive cyber industry, who seemed to indicate that spyware was sometimes deployed to iPhones via Apple Push Notification Service [see also: push technology], the protocol upon which iMessage is based.
"An espionage program can impersonate an application you've downloaded to your phone that sends push notifications via Apple's servers. If the impersonating program sends a push notification and Apple doesn't know that a weakness was exploited and that it's not the app, it transmits the espionage program to the device."
The Gulf Cooperation Council countries are one of the most significant customer bases for the commercial surveillance industry, with governments reportedly paying hefty premiums to companies that provide them special services, including analysis of intelligence that they capture with the spyware. The UAE apparently became an NSO Group customer in 2013, in what was described as the "next big deal" for NSO Group after its first customer, Mexico. In 2017, Saudi Arabia (which the Citizen Lab calls KINGDOM) and Bahrain (PEARL) appear to have also become customers of NSO Group. Haaretz has also reported that Oman is an NSO Group customer, and that the Israeli Government [Cabinet of Israel] prohibits NSO Group from doing business with Qatar.
[ ... snip ... ]
[MIT TechnologyReview.com, 2020-08-19] The man who built a spyware empire says it's time to come out of the shadows. Shalev Hulio, co-founder and CEO of NSO, says his industry is full of companies trying to avoid scrutiny.
[Sky.com, 2021-07-27] Pegasus spyware owner Novalpina to be liquidated after failure to resolve internal bust-up. The London-headquartered private equity firm is to be wound up following a months-long dispute between its three principals and controversy over its ownership of the surveillance technology provider NSO Group, Sky News (U.K.) learns.
[Financial Times: FT.com, 2021-07-27] Private equity owner of spyware group NSO stripped of control of €1bn fund. Novalpina Capital investors' vote follows months of turmoil amid disagreements between co-founders. | Archive.today snapshot | local copy
[Comment: defunct: http://Novalpina.pe/, 2021-11-08 | last Internet Archive snapshot: 2021-08-14]
The private equity firm that owns the military spyware manufacturer NSO Group has been stripped of control of its own fund after a dispute between its co-founders. Investors in Novalpina Capital's €1bn fund voted this month to seize control after a tense three-hour video call, people involved in the process said. The dramatic intervention leaves the ownership of the firm behind the spying software Pegasus hanging in the balance.
The fund [Novalpina Capital] owns Israel-based NSO as well as the Estonian gambling company Olympic Entertainment Group and the French pharmaceutical business Laboratoire X.O. Its investors, which include public pension funds, have until 2021-08-06 to decide whether to liquidate the fund with a fire sale of its assets, or appoint a third party to take control of it.
[ ... snip ... ]
The vote to strip Novalpina Capital of control of the fund was the culmination of months of turmoil at the private equity firm amid disagreements between its co-founders, Stephen Peel [Novalpina Capital biography | local copy], Bastian Lueken and Stefan Kowski, people involved in the process said.
[ ... snip ... ]
Stephen Peel, a former partner at TPG Capital, resigned from the board of human rights group Global Witness in early 2019 after investing in NSO. Stephen Peel's wife Yana Peel resigned as chief executive of London's Serpentine Galleries - which she had described as her "dream job" - over Novalpina Capital's links to NSO.
[ ... snip ... ]
[The Associated Press: AP.org, 2019-02-27] Court filing links spy exposed by The Associated Press to Israel's Black Cube.
A Canadian attorney says he appears to have been targeted by the same undercover operative unmasked by The Associated Press at a New York hotel last month, drawing a line between the man and the notorious Israeli intelligence firm Black Cube. In a court filing made public last week [2019-02], Toronto attorney Darryl Levitt says that the spy, whose real name is Aharon Almog-Assouline, "bears a striking similarity" to a man he identified as an alleged Black Cube operative.
Levitt says he was targeted because of his involvement in a long-running legal battle between two Canadian private equity firms, Catalyst Capital and West Face Capital. Previous media reports have hinted at a link between Almog-Assouline and Black Cube, but Levitt's Feb. 21 claim before Ontario's Superior Court of Justice is the first attempt to substantiate the connection by requesting receipts and surveillance footage.
Black Cube has previously acknowledged doing work on the Catalyst case, which centers on allegations of stock market manipulation. In an email, Black Cube's Canadian lawyer, John Adair, said he had no comment on Levitt's filing. Almog-Assouline also didn't immediately return messages Wednesday [2019-02-27].
Darryl Levitt made his claim after reading The Associated Press' account of how Aharon Almog-Assouline was caught trying to extract information from an employee of Citizen Lab (a cybersecurity research group) at the Peninsula Hotel in New York on 2019-01-24. Levitt declined to comment for this article, but in his 115-page filing he said the photograph published by The Associated Press bore a powerful resemblance to a man he knew as "Victor Petrov."
[TimesOfIsrael.com, 2019-02-11] Exposed Israeli spy linked to apparent effort by NSO Group to derail lawsuits. AP investigation uncovers alleged sprawling undercover bid by Israeli firm, which is under fire for its spyware sales to foreign governments. | A man who identified himself as "Michel Lambert" but whose real name is Aharon Almog Assoulin, and who was linked in investigations with an alleged undercover operation targeting critics of the Israeli tech firm NSO Group.
When mysterious operatives lured two cybersecurity researchers to meetings at luxury hotels over the past two months, it was an apparent bid to discredit their research about an Israeli company that makes smartphone hacking technology used by some governments to spy on their citizens. The Associated Press (AP) has now learned of similar undercover efforts targeting at least four other individuals who have raised questions about the use of the Israeli firm's spyware.
The four others targeted by operatives include three lawyers involved in related lawsuits in Israel and Cyprus alleging that the company, NSO Group, sold its spyware to governments with questionable human rights records. The fourth is a London-based journalist who has covered the litigation. Two of them - the journalist and a Cyprus-based lawyer - were secretly recorded meeting the undercover operatives; footage of them was broadcast on Israeli television just as the AP was preparing to publish this story.
All six of the people who were targeted said they believe the operatives were part of a coordinated effort to discredit them. "There's somebody who's really interested in sabotaging the case," said one of the targets, Mazen Masri, who teaches at City, University of London and is advising the plaintiffs' attorney in the case in Israel. Masri said the operatives were "looking for dirt and irrelevant information about people involved."
The details of these covert efforts offer a glimpse into the sometimes shadowy world of private investigators, which includes some operatives who go beyond gathering information and instead act as provocateurs. The targets told the AP that the covert agents tried to goad them into making racist and anti-Israel remarks or revealing sensitive information about their work in connection with the lawsuits.
NSO Group has previously said it has nothing to do with the undercover efforts "either directly or indirectly." NSO Group did not return repeated messages asking about the new targets identified by the AP. American private equity firm Francisco Partners, which owns NSO, did not return a message from the AP seeking comment.
The undercover operatives' activities might never have been made public had it not been for two researchers who work at Citizen Lab, an internet watchdog group that is based out of the University of Toronto's Munk School of Global Affairs. In December 2018, one of the researchers, John Scott-Railton, realized that a colleague had been tricked into meeting an operative at a Toronto hotel, then questioned about his work on NSO. When a second operative calling himself "Michel Lambert" approached Scott-Railton to arrange a similar meeting at the Peninsula Hotel in New York, Scott-Railton devised a sting operation, inviting AP journalists to interrupt the lunch and videotape the encounter.
The story drew wide attention in Israel. Within days, Israeli investigative television show Uvda and The New York Times identified "Michel Lambert" as Aharon Almog-Assouline, a former Israeli security official living in the plush Tel Aviv suburb of Ramat HaSharon. By then, John Scott-Railton and the AP had determined the undercover efforts went well beyond Citizen Lab.
Within hours of the story's publication, Mazen Masri wrote to the AP to say that he and Alaa Mahajna, who is pursuing the lawsuit against NSO in Israel, had spent weeks parrying offers from two wealthy-sounding executives who had contacted them with lucrative offers of work and insistent requests to meet in London. "We were on our guard and did not take the bait," Masri wrote.
Masri's revelation prompted a flurry of messages to others tied to litigation involving NSO. Masri and Scott-Railton say they discovered that Christiana Markou, a lawyer representing plaintiffs in a related lawsuit against NSO-affiliated companies in Cyprus, had been flown to London for a strange meeting with someone who claimed to be a Hong Kong-based investor. Around the same time, Masri found out that a journalist who had written about NSO was also invited to a London hotel - twice - and questioned about his reporting. "Things are getting more interesting," Masri wrote as the episodes emerged.
[ ... snip ... ]