Tracking NSO, the media shy Israeli firm behind Pegasus

October ended with the news that an Israeli spyware called Pegasus was used to snoop on around two dozen Indian users of WhatsApp, including notable journalists, lawyers and activists. The news came against the background of a lawsuit filed in a US federal court by the Facebook-owned company against NSO, an Israeli firm which also goes by the name Q Cyber Technologies. The lawsuit filed by WhatsApp claims that around 1400 users of the app were snooped on globally using the spyware built by NSO. This is not the first time Pegasus and its maker NSO have made headlines. Back in 2016, Pegasus hit the news for what the media then called ‘one of the most sophisticated attacks in the world of private espionage’. Pegasus, which was built to remain undetected, was only detected because of a vigilant target. On August 10, 2016, Ahmed Mansoor, a human rights activist based in the United Arab Emirates, received a message with the text “New secrets about torture of Emiratis in state prisons,” followed by a link.
Mansoor, who had already been the victim of attacks using spyware tools from other firms such as Hacking Team, forwarded the message to Bill Marczak of Citizen Lab, a digital rights watchdog at the University of Toronto’s Munk School of Global Affairs, rather than clicking it. Citizen Lab was already on the trail of NSO but had been unable to find a sample of the Pegasus malware itself to corroborate any of its findings. Ahmed Mansoor is currently imprisoned in the UAE, but his vigilance led to the discovery of a spyware infection which exploited three zero-days (previously unknown bugs) in the iPhone. NSO had developed the ability to remotely hack one of the most robust consumer products on the market, Apple’s iPhone, with nothing more than a single click on a link by the victim. It is believed that NSO had this ability from the iPhone 5 onwards and continued to have it until the iPhone 7, after which the zero-day vulnerabilities were discovered and patched.
As Mike Murray, VP of Research at the mobile security company Lookout, which Citizen Lab had partnered with to report on Pegasus, told Vice in 2016,

“We’re not going to put NSO out of business by patching these vulnerabilities.”

Reports that Saudi Arabia used Pegasus to aid the murder of journalist Jamal Khashoggi, and the latest WhatsApp snooping scandal, prove that his words were true: Pegasus seems to have grown in its capabilities, or was far more capable than initially thought.
When talking about Pegasus, it is also important to talk about its elusive makers. While Pegasus is infamous now, there aren’t a lot of details available about the company behind it, the NSO Group. Founded in 2010 in Herzliya, Israel, its initial funding likely came from Israel’s ‘elite 8200 Intelligence Unit’, a military-funded scheme for startups. Reports suggest that the elite 8200 Intelligence Unit was heavily involved in funding and providing the required expertise for the Stuxnet attack against Iran. The founders of NSO, Omri Lavie and Shalev Hulio, run a tight ship. The fact that there isn’t much about them in the media is deliberate.

“I do not give interviews.”

This is what Omri Lavie usually says when the media ask him anything about his firms. The reasoning behind this media shyness was made clear by Mr Lavie in a rare interview he gave to Defense News back in 2013.
“If you want to work successfully in the cloak and dagger battlefield of cyber, you don’t want just anyone Googling your information.”
In 2014, the US private equity fund Francisco Partners acquired a majority stake in the firm for around $120 million. Under the new ownership NSO truly went international, with several acquisitions and mergers, including with the Israeli firm Circles. Backed by the European private equity fund Novalpina, the founders Hulio and Lavie bought back the majority stake from Francisco Partners in 2019.
What is ironic is that Lavie and most of his NSO employees are also part of Kaymera, a company which is the complete opposite of NSO: Kaymera provides tools to protect personal devices such as phones from cyber attacks. With this, the founders of NSO are playing both sides of the cyber wars, being both the devil and the angel.
Image: Leaked NSO marketing material showing the kinds of data Pegasus can grab.
NSO’s most premium product, Pegasus, does everything expected of spyware that targets mobile phones: gaining access to the device’s microphone, camera, text messages (both traditional SMS and those sent via WhatsApp), contact lists and so on.
But the most impressive feature of Pegasus is its ability to stay hidden. NSO has gone to great lengths to keep Pegasus hidden from its victims as it snoops on their daily activities. This is underlined by some of the comments Lavie made to Defense News in 2013.

“We’re a complete ghost... We’re totally transparent to the target, and we leave no traces.”

As was revealed after the iPhone snooping incident, once Pegasus infects a phone it can withstand factory data resets and even operating system upgrades. The patch that Apple released only prevented the same zero-day bugs from being used to infect more devices. Among the marketing materials leaked when the servers of its competitor Hacking Team were themselves hacked was a document in which NSO explains the two methods it has to infect a target. The first method is called a ‘one-click vector’, which requires some kind of interaction with the victim; this was seen in the attacks against iPhones exposed in 2016. The second method, called a ‘zero-click vector’, requires no interaction from the victim; this method was employed in the recently revealed attacks.
In the latest attacks, Pegasus used a zero-day exploit in WhatsApp’s VoIP calling feature. As per a security advisory from Facebook, Pegasus exploited an extremely common type of bug known as a ‘buffer overflow’. While WhatsApp bases its end-to-end encryption on the well-known Signal Protocol, its VoIP calling functionality most probably also includes proprietary code. Signal has said that its service is not vulnerable to this calling attack.

The most dangerous part of the latest attack is that the victim is helpless. Unlike the previous attacks, the victim doesn’t have to click on a link for the malware to install itself on the device. The malware is transferred through a WhatsApp call, and it doesn’t matter whether the victim picks up the call or not.

Even though it has denied any involvement, the number of activists, lawyers and journalists critical of the government among the Indians snooped upon raises doubts about the Indian government. Among the documents Facebook attached to the lawsuit is a signed contract with Ghana’s National Communications Authority which states that Pegasus could only be deployed with written permission from Israel’s Ministry of Defense. The NSO Group has also long maintained that it sells its software only to governments. Further, Pegasus requires an estimated period of 4 weeks of testing on local networks; uninterrupted access to local networks for such a long period would be much harder without the support of state machinery.
If the Indian government is indeed being truthful and played no part in snooping on its citizens, that would mean an even more disturbing scenario: that a foreign government, with the approval of Israel’s Ministry of Defense, was snooping on Indian citizens using state-of-the-art spyware. Unfortunately for WhatsApp, its downloads in India have declined by 80%, an inevitable outcome of the scandal. As users look for alternative messengers that provide more security, downloads of Signal and Telegram have seen increases of 63% and 10% respectively.
