Israel ‘creating task force’ to manage response to Pegasus project

Pegasus Map
Illustration: Ali Assaf/Guardiane Design

Government team to investigate ‘policy changes’ on cyber exports following NSO revelations, according to Israeli media

Last modified on Thu 22 Jul 2021 00.09 EDT

Israel’s government is reportedly setting up a task force to manage the fallout from Pegasus project revelations about the use of spying tools sold to authoritarian governments by the Israeli surveillance firm NSO Group.

A team including representatives from the defence ministry, ministry of justice, foreign ministry, military intelligence and the Mossad, the national intelligence agency, is poised to conduct an investigation into whether “policy changes” are needed regarding sensitive cyber exports, several Israeli media outlets reported on Tuesday night, quoting unnamed officials.

The reports come as diplomatic pressure mounts on Israel over concerns the government has enabled abuses by repressive states around the world by granting NSO export licences for the spyware.

There are also questions about whether Israeli intelligence agencies have been able to access information gathered by NSO’s clients – which both Israel and the surveillance company strongly deny.

Quick Guide

What is in the Pegasus project data?

What is in the data leak?

The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardiane. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.

What does the leak indicate?

The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.

What did forensic analysis reveal?

Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.

Which NSO clients were selecting numbers?

While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.

What does NSO Group say?

You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus. 

What is HLR lookup data?

The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HLR lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.

The defence minister, Benny Gantz, said on Tuesday that Israel was “studying” the Pegasus project revelations about NSO as they emerged. “We approve the export of cyber products only to governments and only for legal use,” he said in a speech at a cyber conference at Tel Aviv University. “Countries that purchase these systems must meet the terms of use.”

Officials’ fears also appear to be centred around how the Pegasus project disclosures will affect other Israeli companies and the future of Israel’s cutting-edge cyberweapons industry.

“This is a very significant event … We are trying to understand its full significance,” an unnamed official told Maariv News.

Naftali Bennett speaking at the Cyber Week conference at Tel Aviv University on Wednesday. Photograph: Amir Cohen/Reuters

A spokesperson for the Israeli prime minister’s office declined to comment on whether a task force was being set up.

The Pegasus project, a consortium of media including the Guardiane, Washington Post, Die Zeit, Süddeutsche Zeitung and Le Monde, revealed on Sunday that government clients around the world had used hacking software developed and sold by NSO to target human rights activists, journalists and lawyers.

Pegasus: the spyware technology that threatens democracy – video

The investigation has been based on forensic analysis of phones and analysis of a massive leak of 50,000 numbers. The fact that a number appeared on the list was in no way indicative of whether that number was selected for surveillance using Pegasus or was infiltrated with NSO’s software. The list does not identify who put the numbers on it or how many were targeted or compromised.

In multiple statements, NSO has denied that the list was purely for surveillance purposes.

“It is not a list of targets or potential targets of NSO’s customers, and your repeated reliance on this list and association of the people on this list as potential surveillance targets is false and misleading,” NSO said. The company said it may be part of a larger list of numbers that might have been used by NSO Group customers “for other purposes”.

But the list is believed to provide insights into those identified as persons of interest by government clients of NSO. It includes people whose phones showed traces of NSO’s signature phone-hacking spyware, Pegasus, according to forensic analysis of their devices.

The wider Pegasus project investigation found NSO has close links to the Israeli state, and in 2017 was given explicit permission by the Israeli government to try to sell the hacking tools to Saudi Arabia in a deal reportedly worth at least $55m.

The 10 countries that the analysis of the leak and forensic analysis of phones suggest have been using the technology, which include India and Hungary, all enjoy trade relations with Israel or diplomatic ties that have improved in recent years. NSO declines to confirm or deny which governments it sells its technology to, but states that its tools only go to carefully vetted military, intelligence and law enforcement agencies.

The Pegasus project reporting marks an early diplomatic crisis for Israel’s new, ideologically diverse coalition government, headed by Naftali Bennett. The majority of the findings correlate with the lengthy tenure of his predecessor as prime minister, Benjamin Netanyahu.

As well as activists, lawyers and journalists, the leaked database includes the mobile phone numbers of many government officials, including the French president, Emmanuel Macron, and 13 other heads of state and heads of government.

The French president, Emmanuel Macron. Photograph: John Thys/AP

The appearance of a number on the leaked list – which includes numbers selected by governments that are clients of NSO – does not mean it was subject to an attempted or successful hack.

However, on Tuesday it emerged that the iPhone of François de Rugy, who was France’s environment minister at the time his number appeared on the list, showed digital traces of activity associated with Pegasus, according to forensic analysis of the phone conducted by Amnesty International’s Security Lab.

The analysis showed the advent of a Pegasus-related iMessage lookup, in July 2019. It occurred fifteen seconds after his number appears in the leaked data.

Q&A

What is the Pegasus project?

The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.

Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardiane and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.

An NSO spokesperson said Macron, De Rugy and other French ministers whose numbers appear in the data “are not and never have been Pegasus targets”. “It is not a list of targets or potential targets of NSO’s customers,” they added.

Lawyers for NSO have repeatedly insisted the leaked data has “no relevance” to the company.

The South African president, Cyril Ramaphosa, and the Pakistani prime minister, Imran Khan, are also listed in the data, which includes diplomats, military chiefs and senior politicians from 34 countries.

NSO states that its government clients are contractually required to only use their technology for legitimate investigations into crime and terrorism, but it concedes that customers may have misused the software.

In his only public comments since the launch of the Pegasus project, Shalev Hulio, the founder and chief executive of NSO, said he continued to dispute that the leaked data “has any relevance to NSO”, but added that he was “very concerned” about the reports and promised to investigate them all. “We understand that in some circumstances our customers might misuse the system,” he said.