WEBVTT

00:00:00.000 --> 00:00:06.200
JACK: Hey, I can’t believe we made it to Episode 100. Seriously, I couldn’t have done it without

00:00:06.200 --> 00:00:12.280
all the support from my listeners so truly, thank you so much for tuning in. This has been amazing

00:00:12.280 --> 00:00:17.720
and I can’t wait to see what the next 100 episodes brings. Okay, so real quick before we get started,

00:00:17.720 --> 00:00:22.640
this is the second part of a two-part episode. If you haven’t already, go back and listen to

00:00:22.640 --> 00:00:29.320
the episode just before this, number 99, called The Spy. [MUSIC] There’s this malware called

00:00:29.320 --> 00:00:34.400
Magic Lantern and I find it fascinating. It usually infects a computer through an e-mail

00:00:34.400 --> 00:00:39.240
attachment. You get the e-mail which says to open the attachment and when you do, zang;

00:00:39.240 --> 00:00:44.720
your computer is infected. What Magic Lantern does is it records your keystrokes and sends

00:00:44.720 --> 00:00:51.000
everything you type back to a central system so the hackers can see everything you type. Now, of

00:00:51.000 --> 00:00:56.120
course with a keystroke logger like this, it can pick up any message you send to people; private

00:00:56.120 --> 00:01:03.080
chats and of course, your passwords. So, who’s this shady hacking group that uses Magic Lantern?

00:01:03.080 --> 00:01:09.480
The FBI. Yeah, in 2001, someone issued a Freedom of Information request and got back information

00:01:09.480 --> 00:01:14.920
the FBI uses this Magic Lantern malware to capture keystrokes on target computers. Now,

00:01:14.920 --> 00:01:19.160
I’m under the impression that the FBI would need to get permission to use this software,

00:01:19.160 --> 00:01:23.080
like a search warrant or something, so this would classify Magic Lantern to be

00:01:23.080 --> 00:01:28.720
a lawful intercept mechanism, meaning they had permission to basically wiretap someone. But

00:01:28.720 --> 00:01:34.960
this sparked a debate in the security community. The question was, if the FBI has legal permission

00:01:34.960 --> 00:01:40.280
to eavesdrop on someone by using Magic Lantern, should antivirus and security

00:01:40.280 --> 00:01:46.360
companies detect and report on this activity? Of course, the FBI would like to go unnoticed

00:01:46.360 --> 00:01:51.800
in any kind of stealth mission and would rather antivirus companies not alert when they see this.

00:01:51.800 --> 00:01:56.160
But on the other hand, that’s the whole point of antivirus software, to alert when

00:01:56.160 --> 00:02:01.400
something is going on and shouldn’t be happening. F-Secure, an antivirus company based in Finland,

00:02:01.400 --> 00:02:06.360
said right away that they would absolutely report on this, but they’re in Finland. The

00:02:06.360 --> 00:02:13.240
FBI is in the US. McAfee, an American antivirus tool, said they would not alert the user if

00:02:13.240 --> 00:02:19.240
the tool saw Magic Lantern trigger and that it would ignore it. Later, they denied saying this,

00:02:19.240 --> 00:02:24.920
saying they do in fact alert when Magic Lantern is detected on a computer, but this opens a door

00:02:24.920 --> 00:02:32.280
to a strange world of allies and enemies, and it’s hard to know who to trust when the software

00:02:32.280 --> 00:02:45.017
you buy might be lying to you, or when the FBI is busy infecting people with malware to spy on them.

00:02:45.017 --> 00:02:47.360
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:02:47.360 --> 00:03:05.240
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:03:05.240 --> 00:03:15.100
JACK: For this episode, we’re picking right back up where we left off with John Scott-Railton.

00:03:15.100 --> 00:03:15.860
JOHN: Yeah.

00:03:15.860 --> 00:03:20.040
JACK: This time I want to hear more about the research he’s done specifically on the NSO

00:03:20.040 --> 00:03:24.480
Group. Oh, and there were some recording issues I had during this interview; I lost the primary

00:03:24.480 --> 00:03:28.420
recording and had to use a backup and it’s a bit voipy at times, so I’m sorry about that.

00:03:28.420 --> 00:03:30.920
JOHN: I’m a senior researcher at the Citizen Lab

00:03:30.920 --> 00:03:35.600
at the University of Toronto’s Munk School. For a little bit less than the past decade,

00:03:35.600 --> 00:03:40.586
me and my colleagues have tracked different digital threats against civil society groups.

00:03:40.586 --> 00:03:45.320
JACK: [MUSIC] Tracking digital threats against civil society groups. That sounds fascinating,

00:03:45.320 --> 00:03:49.040
so let’s unpack that for a second. What’s a civil society group? Well,

00:03:49.040 --> 00:03:53.520
it’s essentially non-government organizations or individuals, but some define civil society

00:03:53.520 --> 00:03:59.400
as people who exercise their freedom of speech and the things that make up a democratic society. So,

00:03:59.400 --> 00:04:04.360
having freedom of the press is very important to a civil society, one where journalists are free

00:04:04.360 --> 00:04:09.160
to investigate and write stories criticizing their own government or society, and it’s important that

00:04:09.160 --> 00:04:14.240
their own government or other governments don’t stop them from writing certain stories. But the

00:04:14.240 --> 00:04:19.160
thing is, we live in a world where journalists and human rights activists are being targeted by

00:04:19.160 --> 00:04:25.080
nation state actors. Since it’s important for a civil society to have journalists and activists

00:04:25.080 --> 00:04:29.600
spreading the truth, Citizen Lab helps people out when they’re targeted by digital threats.

00:04:29.600 --> 00:04:32.400
JOHN: Sometimes people get in touch with us and they say hey,

00:04:32.400 --> 00:04:35.160
we’ve heard about you and something strange is happening on my phone,

00:04:35.160 --> 00:04:38.920
on my device. I’m concerned about it. Sometimes our research comes because

00:04:38.920 --> 00:04:44.000
we sort of set ourselves a broad research mandate, are busy looking at infrastructure.

00:04:44.000 --> 00:04:48.800
JACK: Their goal is to investigate those in civil society who are targeted and report

00:04:48.800 --> 00:04:52.920
publicly about it. This has caused certain groups to go into hiding,

00:04:52.920 --> 00:04:57.320
and other groups have been arrested because of their work. But overall, the public is just made

00:04:57.320 --> 00:05:01.320
more aware that there are certain groups out there who are targeting activists

00:05:01.320 --> 00:05:06.720
and journalists. At some point, the folks at Citizen Lab were connected with Ahmed Mansoor.

00:05:06.720 --> 00:05:11.460
AHMED: Hello, ladies and gentlemen. My name is Ahmed Mansoor from United Arab Emirates.

00:05:11.460 --> 00:05:14.080
JACK: This is tape of him from 2012. He’s from the

00:05:14.080 --> 00:05:17.000
United Arab Emirates and is a human rights activist there.

00:05:17.000 --> 00:05:20.880
AHMED: I always wanted to see change. I believed a lot in equality.

00:05:20.880 --> 00:05:25.040
JOHN: In the case of Ahmed Mansoor, we’ve been in touch with this guy for

00:05:25.040 --> 00:05:33.440
years [MUSIC] because in 2011 Mansoor was targeted by an e-mail with a Trojan that was FinFisher,

00:05:33.440 --> 00:05:37.900
one of the sort of OG government hacking tools that was being sold.

00:05:37.900 --> 00:05:44.080
JACK: If you listen to Episode 47 called Project Raven, you might remember him. He’s been targeted

00:05:44.080 --> 00:05:49.360
many times by different hacking groups, all because he’s a human rights activist and speaks

00:05:49.360 --> 00:05:55.400
out against the UAE government. After being targeted multiple times, Mansoor eventually

00:05:55.400 --> 00:06:00.780
reached out to Bill Marczak, one of John’s colleagues at the Citizen Lab to get help.

00:06:00.780 --> 00:06:08.240
JOHN: Then in 2012 Mansoor was targeted again via e-mail with a doc and some kind of old

00:06:08.240 --> 00:06:15.000
exploit. This was Hacking Team this time. So, when in 2016 Mansoor reached out to us

00:06:15.000 --> 00:06:19.120
and said hey guys, I think I’m being targeted again, we paid attention because if there’s

00:06:19.120 --> 00:06:23.340
one person who’s likely to be targeted with this stuff, it was Ahmed Mansoor.

00:06:23.340 --> 00:06:27.880
JACK: While Bill Marczak at the Citizen Lab was looking into some phishing reports,

00:06:27.880 --> 00:06:33.040
he found some other suspect domains that seemed to belong to something new. He looked

00:06:33.040 --> 00:06:38.200
into those domains and found some were registered to the NSO Group. At the time,

00:06:38.200 --> 00:06:43.000
Citizen Lab concluded that there was maybe some new kind of malware that the NSO Group had made,

00:06:43.000 --> 00:06:48.000
but they didn’t know who the victims were or what the malware was. The Citizen Lab looked into those

00:06:48.000 --> 00:06:53.240
domains and developed a list and some techniques to find more. When Mansoor got in touch with Bill,

00:06:53.240 --> 00:06:57.840
all he had was a list of domains, but after he saw Mansoor’s text messages,

00:06:57.840 --> 00:07:02.120
remarkably, that led to some infrastructure that Bill found.

00:07:02.120 --> 00:07:09.540
JOHN: We had found links to NSO’s infrastructure and had come up with a list of domains.

00:07:09.540 --> 00:07:13.680
JACK: These domains were thought to be used by the NSO Group to carry out

00:07:13.680 --> 00:07:17.600
certain targeted digital attacks on people. But the team at Citizen Lab

00:07:17.600 --> 00:07:22.240
didn’t have a good understanding of how any of this worked or how it was used.

00:07:22.240 --> 00:07:27.280
JOHN: So, it was a godsend when Mansoor got in touch with us because suddenly we had a person

00:07:27.280 --> 00:07:35.586
who had been receiving links to this, what we thought of as likely infection domain for Pegasus.

00:07:35.586 --> 00:07:39.760
JACK: [MUSIC] Mansoor showed Citizen Lab some text messages. They were in Arabic. They both

00:07:39.760 --> 00:07:46.440
said the same thing, new secrets about torture of Emirates in state prisons. Then it had a link. The

00:07:46.440 --> 00:07:51.860
link was to the same domain that they had just begun analyzing but weren’t sure how it worked.

00:07:51.860 --> 00:07:54.760
JOHN: The first thing we did was rouse a colleague,

00:07:54.760 --> 00:08:02.080
get him to convince his girlfriend to give up her iPhone which we wiped, and then MitM’d the

00:08:02.080 --> 00:08:07.940
traffic and clicked on that link and were able to get a copy of Pegasus spyware.

00:08:07.940 --> 00:08:13.280
JACK: The colleagues had access to an iPhone they could use to test with. Now,

00:08:13.280 --> 00:08:16.880
for them to test something like this, they have to be pretty careful. If

00:08:16.880 --> 00:08:20.520
they just visit the link, it’s hard to tell exactly what’s happening,

00:08:20.520 --> 00:08:24.280
so they set up all kinds of monitors and sensors. This is what a lab is for,

00:08:24.280 --> 00:08:29.600
right? First they set up a method to capture all network traffic coming in and out of that phone,

00:08:29.600 --> 00:08:33.320
and they did this in such a way that they could even capture encrypted traffic and look at that,

00:08:33.320 --> 00:08:37.720
too. Then they took snapshots of the phone to compare before and after to see what’s changed

00:08:37.720 --> 00:08:42.160
on the phone. They probably even film the whole thing just in case the phone did something like

00:08:42.160 --> 00:08:46.740
flash a message across the screen real quick. This way they can go back and look at what happened.

00:08:46.740 --> 00:08:52.760
JOHN: Exactly, so we clicked on the link and waited. Browser crashed,

00:08:52.760 --> 00:08:59.160
and then something began happening. We saw the phone beaconing out and establishing

00:08:59.160 --> 00:09:06.040
communication with NSO’s servers. We realized that we had just observed a remote jailbreak

00:09:06.040 --> 00:09:12.480
on this iPhone. It was a big deal because it was the first of its kind that we had certainly seen,

00:09:12.480 --> 00:09:17.360
and we realized okay, we’ve got our hooks into this infection infrastructure

00:09:17.360 --> 00:09:21.500
and we were actually able to grab the payload, the actual Pegasus deployment.

00:09:21.500 --> 00:09:27.360
JACK: It took them a while to figure out what happened. In fact, they teamed up with Lookout

00:09:27.360 --> 00:09:32.320
Security to help investigate this. Lookout makes the security software for mobile phones,

00:09:32.320 --> 00:09:36.960
and together they were able to dissect this malware and see what was going on. They realized

00:09:36.960 --> 00:09:42.320
right away that this was something that nobody had seen before which made it an amazing discovery.

00:09:42.320 --> 00:09:46.600
JOHN: It was a very exciting time because we really felt like okay,

00:09:46.600 --> 00:09:53.360
here’s a new major piece of spyware. It’s super sophisticated, it’s got all these capabilities,

00:09:53.360 --> 00:09:58.000
it’s pretty stealthy, and it’s using this chain of zero-days.

00:09:58.000 --> 00:10:02.360
JACK: Yes, a whole chain of zero-day exploits. I want to break this

00:10:02.360 --> 00:10:06.840
down for you because it’s fascinating to look at a little bit more in-depth. [MUSIC] So,

00:10:06.840 --> 00:10:11.400
specifically this worked with iPhones which were fully patched and the latest and greatest

00:10:11.400 --> 00:10:17.200
models. This exploit had three stages to the attack. First, it required the user to click

00:10:17.200 --> 00:10:22.480
a malicious link using their phone. Clicking the link opens the Safari browser and the user visits

00:10:22.480 --> 00:10:28.680
the website. Safari uses a thing called WebKit which is like the browser’s engine. When a user

00:10:28.680 --> 00:10:34.320
clicks the link, a JavaScript program runs. That JavaScript program tries to exploit a

00:10:34.320 --> 00:10:40.640
bug in WebKit which would allow it to write data to the phone. Through this bug and WebKit, the

00:10:40.640 --> 00:10:47.280
JavaScript program downloads a malicious program. This brings us to stage two of the exploit chain.

00:10:47.280 --> 00:10:51.960
Apple has locked down their iPhone pretty well to prevent stuff like this from happening. The

00:10:51.960 --> 00:10:56.520
only apps that are allowed to run on an iPhone are those that are downloaded from the official

00:10:56.520 --> 00:11:02.080
Apple App Store. There’s simply no way to put a new app on it through any other way and run it.

00:11:02.080 --> 00:11:08.760
This means the malicious program that was just downloaded cannot execute unless the iPhone is

00:11:08.760 --> 00:11:14.880
jailbroken. That’s exactly what this stage of the implant does. The malware uses an exploit

00:11:14.880 --> 00:11:19.840
to jailbreak the iPhone which allows it to run any app that’s on the phone, not just

00:11:19.840 --> 00:11:24.680
the ones downloaded through the App Store. In order for this program to jailbreak the phone,

00:11:24.680 --> 00:11:29.920
it used two totally different exploits in the iPhone’s kernel which were completely unknown to

00:11:29.920 --> 00:11:34.680
Apple at the time. Once it’s jailbroken, then the last step is just for it to run the malicious app

00:11:34.680 --> 00:11:39.600
and at this point, the app is just a normal iPhone app and it can be started like any other app. The

00:11:39.600 --> 00:11:44.320
app itself doesn’t use any exploits or bugs; it just takes advantage of the features on the phone.

00:11:44.320 --> 00:11:48.880
The app does things like turn on the microphone, the camera, and read WhatsApp messages or listen

00:11:48.880 --> 00:11:53.640
to calls or track location, and then it sends all that data back to the attackers without the

00:11:53.640 --> 00:11:59.760
victim knowing that any of this happened. This is crazy and I’d say a pretty amazing exploit

00:11:59.760 --> 00:12:04.440
chain. I mean, it was using three zero-day exploits to get this going, bugs that the

00:12:04.440 --> 00:12:08.960
trillion-dollar tech giant Apple could not even catch through their bug bounty program,

00:12:08.960 --> 00:12:14.400
which is very impressive work. To create this exploit took a lot of work. Probably a lot of

00:12:14.400 --> 00:12:19.520
money and a lot of time went into making this. Exploits like this can be sold for hundreds of

00:12:19.520 --> 00:12:24.000
thousands of dollars, probably over a million dollars, but what makes it so good is how easy

00:12:24.000 --> 00:12:30.080
it is for the attackers to use. All they need to do is get someone to click that link and boom,

00:12:30.080 --> 00:12:35.400
that victim is now being spied on through their phone. Someone spent a great deal of

00:12:35.400 --> 00:12:41.480
time and money to make this. Not only make it, but turn it into an easy to use point-and-shoot

00:12:41.480 --> 00:12:46.460
type of an attack. It’s elegant, it’s slick, but it’s extremely dangerous.

00:12:46.460 --> 00:12:52.120
JOHN: The feeling that we had, if I remember right – other than being a little bit underslept during

00:12:52.120 --> 00:12:58.200
that week – that this was high stakes because this was an order of magnitude more sophisticated than

00:12:58.200 --> 00:13:03.120
the Hacking Team and FinFisher stuff that we had looked at in the past. It was also mobile which

00:13:03.120 --> 00:13:10.520
was really interesting to us. We really felt the time like oh man, we’ve cracked another dimension

00:13:10.520 --> 00:13:17.040
of the way that surveillance is happening online. I think we’re both excited but there’s also this

00:13:17.040 --> 00:13:20.840
sense that comes with this of like, okay, we need to make sure that we have our own house in order,

00:13:20.840 --> 00:13:24.640
that we’re reasonably secure, because we’re playing with some very sophisticated,

00:13:24.640 --> 00:13:30.000
very dangerous stuff. We also experienced a lot of gratitude towards Mansoor.

00:13:30.000 --> 00:13:36.640
Here was a guy who, just by virtue of his wits, had managed to catch something that

00:13:36.640 --> 00:13:41.920
had eluded us for almost a year and that eluded other researchers and investigators and he had

00:13:41.920 --> 00:13:47.080
just done it because a text message didn’t feel right, which highlights the kind of symbiosis

00:13:47.080 --> 00:13:52.600
and synergy that usually exists between Citizen Lab and the groups that we work with and support,

00:13:52.600 --> 00:13:58.120
which is we count on them and their intuition to help us get started. We don’t have a global

00:13:58.120 --> 00:14:02.960
network of sensors, we’re not running antivirus on a bunch of phones, but with people – may

00:14:02.960 --> 00:14:06.900
become the firewall and the human antivirus that gets us what we need to get ourselves started.

00:14:06.900 --> 00:14:09.840
JACK: But now what do you do with this information? I mean yeah,

00:14:09.840 --> 00:14:13.920
sure, this confirms Mansoor’s hunch that something wasn’t right with those texts,

00:14:13.920 --> 00:14:17.480
and it’s nice to know he was right, but what do you do when you find an exploit

00:14:17.480 --> 00:14:21.200
like this? Well, you want to work as fast as you can to get it fixed.

00:14:21.200 --> 00:14:25.720
JOHN: We then worked really quickly. We got in touch with Apple, we let them

00:14:25.720 --> 00:14:30.120
know what was going on. Apple immediately began spinning up to do investigation and

00:14:30.120 --> 00:14:35.320
then patching. We worked as fast as we could to try to characterize the malware and get

00:14:35.320 --> 00:14:41.200
ready to do a public report. Then co-timed with Apple releasing its CVE and patching,

00:14:41.200 --> 00:14:47.320
we published. What we didn’t realize at the time is just how big of a deal NSO was

00:14:47.320 --> 00:14:56.586
gonna be for our next year or two as cases just started pouring out of the woodwork.

00:14:56.586 --> 00:15:00.120
JACK: [MUSIC] I found an interesting side story here. Citizen Lab discovered this exploit and

00:15:00.120 --> 00:15:05.000
malware in August of 2016. The exploit used a methodology outlined in the

00:15:05.000 --> 00:15:10.200
latest Phrack magazine which came out three months earlier, and apparently the same WebKit

00:15:10.200 --> 00:15:15.720
browser engine is used on the Nintendo Switch and is also vulnerable to this exploit. So,

00:15:15.720 --> 00:15:21.080
people who are trying to hack into and jailbreak the Nintendo Switch started using this exploit

00:15:21.080 --> 00:15:25.800
to get their Nintendo to do things it wasn’t supposed to do. It’s crazy that once an exploit

00:15:25.800 --> 00:15:31.840
becomes known where things end up. But anyway, how did this link back to the NSO Group? Well,

00:15:31.840 --> 00:15:36.360
Citizen Lab kept investigating this and discovered a network of IPs and domains

00:15:36.360 --> 00:15:41.560
that were involved with this malware. From there they did WHOIS lookups, reverse DNS lookups,

00:15:41.560 --> 00:15:46.880
and other searches which eventually led them to two domains which they knew were owned by the

00:15:46.880 --> 00:15:53.400
NSO Group. They felt pretty confident that the NSO Group was behind this and published all this in a

00:15:53.400 --> 00:16:00.840
report. So, who exactly is the NSO Group? Well, it’s an Israeli company started by three guys;

00:16:00.840 --> 00:16:06.640
Niv, Shalev, and Omri. The initials of those names are what give NSO its name.

00:16:06.640 --> 00:16:13.280
JOHN: So, NSO is a company that sometimes flies under the flag of other names like Q Cyber

00:16:13.280 --> 00:16:21.480
Technologies, and they sell really sophisticated mobile spyware. Their customers are governments.

00:16:21.480 --> 00:16:25.360
JACK: They meet with these governments and basically say look, you have legal ways of

00:16:25.360 --> 00:16:30.400
intercepting communications for criminals in your countries, like you can do wiretaps or whatever,

00:16:30.400 --> 00:16:34.320
but we know you have trouble collecting data on encrypted mobile devices.

00:16:34.320 --> 00:16:39.480
JOHN: We’re gonna help you regain visibility and we’re gonna do it by selling you a powerful

00:16:39.480 --> 00:16:45.320
mobile phone hacking solution. Part of their pitch is you don’t need much sophistication;

00:16:45.320 --> 00:16:50.800
just sit at this console, enter a phone number, and presto, you can start pulling data from that

00:16:50.800 --> 00:16:57.480
phone. Their business model is kind of somewhere between hacking as a service and the provision of

00:16:57.480 --> 00:17:01.960
software. We’ve learned about them more recently as they often play a fairly active role in setting

00:17:01.960 --> 00:17:07.240
up and operating some of the exploit servers that are used. Basically what they’re offering to their

00:17:07.240 --> 00:17:14.240
customers is the ability to target an arbitrary cell phone and gain access and persistence.

00:17:14.240 --> 00:17:20.520
JACK: That’s what the Pegasus spyware is. It’s the malware that Citizen Lab discovered from

00:17:20.520 --> 00:17:26.080
Ahmed Mansoor’s text messages. It’s the flagship software that NSO sells. It’s not the

00:17:26.080 --> 00:17:31.360
only product they sell, but it’s their main one. Now, one thing I hate doing is talking

00:17:31.360 --> 00:17:37.160
about someone for like an hour without them being part of the conversation. It just feels wrong,

00:17:37.160 --> 00:17:44.040
so I reached out to NSO first with Omri who’s the O part of NSO. I invited him on the show back in

00:17:44.040 --> 00:17:50.880
2018 and he told me actually he listened to my episode on Unit 8200 and liked it. I was like

00:17:50.880 --> 00:17:55.840
great; come on, let’s do an interview then. He said and I quote, “Every major media outlet in

00:17:55.840 --> 00:18:02.360
the world wants to interview me. Why should I do your podcast? :)” end quote. I’m like,

00:18:02.360 --> 00:18:08.000
because you actually listen to my show and like it; duh. But really, you should come on because

00:18:08.000 --> 00:18:12.280
I’m going to talk about NSO for an hour and you could either be part of this conversation or

00:18:12.280 --> 00:18:18.080
not. That was 2018. For three years I’ve been trying to convince him to be interviewed. I

00:18:18.080 --> 00:18:23.760
later moved on to going through their official PR channel. I contacted them asking for an interview.

00:18:23.760 --> 00:18:28.480
I went back and forth with them for a long time. They wanted to know exactly what questions I was

00:18:28.480 --> 00:18:32.560
going to ask and more importantly, they wanted to know what sources I was talking with for

00:18:32.560 --> 00:18:37.840
this story. We went back and forth for months. I kept saying look, do you want to give your side

00:18:37.840 --> 00:18:43.160
and be part of this conversation or not? They ultimately left me hanging. I also contacted

00:18:43.160 --> 00:18:49.040
another PR person involved with them and they denied me, too. In the end, NSO had every single

00:18:49.040 --> 00:18:55.440
opportunity to have their voice in this episode, but they refused which means all I can go on is

00:18:55.440 --> 00:19:01.800
what’s been reported by victims, researchers, and news agencies. I really wanted to have them

00:19:01.800 --> 00:19:09.000
on this show for Episode 100 but it just didn’t work out. But NSO has given multiple interviews

00:19:09.000 --> 00:19:13.760
with other news agencies in the past. They’ve been interviewed by Forbes, New York Times,

00:19:13.760 --> 00:19:19.240
and some Israeli news outlets. But the interview I find the most interesting is the one that happened

00:19:19.240 --> 00:19:27.920
in 2019 where Lesley Stahl from 60 Minutes went to Israel and interviewed them in their own office.

00:19:27.920 --> 00:19:31.000
LESLEY: [BACKGROUND STREET NOISE/TALK] Headquartered in the Israeli city of Herzliya,

00:19:31.000 --> 00:19:36.960
NSO Group operates in strict secrecy. In the company’s eight-year history,

00:19:36.960 --> 00:19:43.720
they have never let cameras in, but they wanted to show us they’re like any high-tech company,

00:19:43.720 --> 00:19:53.160
with PlayStations and Pilates. But there was a lot we couldn’t show. Notice no faces. The

00:19:53.160 --> 00:20:00.120
work is top-secret and some employees are ex-military intelligence and Mossad. Pegasus

00:20:00.120 --> 00:20:04.760
is such a sensitive spy tool, NSO has to get approval before it can be

00:20:04.760 --> 00:20:11.520
licensed to any client from the Israeli Defence Ministry as though it’s an arms deal. Why would

00:20:11.520 --> 00:20:18.720
the government of Israel want what seems to be an enemy to have this technology?

00:20:18.720 --> 00:20:21.360
SHALEV: I’m not gonna talk about specific customers.

00:20:21.360 --> 00:20:29.360
LESLEY: But can you say that you won’t and haven’t sold Pegasus to a country

00:20:29.360 --> 00:20:35.640
that is known to violate human rights and imprison journalists and go after activists?

00:20:35.640 --> 00:20:41.620
SHALEV: I only say that we are selling Pegasus in order to prevent crime and terror.

00:20:41.620 --> 00:20:46.720
JACK: That’s Shalev Hulio, the S in NSO, and that’s the typical response

00:20:46.720 --> 00:20:50.040
from the NSO Group. What they do is they sell their software to

00:20:50.040 --> 00:20:54.020
governments and intelligence agencies to help prevent crime and terrorism.

00:20:54.020 --> 00:20:57.200
LESLEY: How many lives do you think Pegasus has saved?

00:20:57.200 --> 00:20:59.120
SHALEV: Tens of thousands of people.

00:20:59.120 --> 00:21:00.160
LESLEY: Really?

00:21:00.160 --> 00:21:01.320
SHALEV: Yes.

00:21:01.320 --> 00:21:06.280
JOHN: It’s interesting; NSO has made so many claims about their product that turn

00:21:06.280 --> 00:21:13.440
out not to be accurate. I want to believe that it’s true that they’ve saved lives,

00:21:13.440 --> 00:21:18.640
and I have to imagine that this is how the smart people who work at that company continue to come

00:21:18.640 --> 00:21:23.560
to their desks every day, which is their management shows them cases and says look,

00:21:23.560 --> 00:21:30.120
here’s a case where we did some good. What concerns me is that that narrative is used

00:21:30.120 --> 00:21:36.240
to paper over these really problematic cases of abuse. At the end of the day,

00:21:36.240 --> 00:21:41.160
the measure of any technology is how it winds up getting used against vulnerable people,

00:21:41.160 --> 00:21:47.000
not just how it helps. What really concerns me is the idea that you can just sort of say you know,

00:21:47.000 --> 00:21:52.920
here’s a technology that saves lives. Well, no; what saves lives is police and security

00:21:52.920 --> 00:21:59.680
forces doing their jobs. They may be enabled by technology, but doing their jobs. What takes lives

00:21:59.680 --> 00:22:06.440
is when those same security services abuse their power and abuse the technology that they have to

00:22:06.440 --> 00:22:12.580
harm people. We don’t have many public cases of NSO successes. We’ve got a lot of cases of harm.

00:22:12.580 --> 00:22:17.440
JACK: We know about cases where NSO has done harm because when things go wrong for NSO,

00:22:17.440 --> 00:22:22.920
it becomes known. It’s big news and when things go right, it’s kept quiet and the secrets are

00:22:22.920 --> 00:22:27.960
retained. But there is one story that we do know of where Pegasus actually helped.

00:22:27.960 --> 00:22:35.760
JOHN: [MUSIC] Let’s talk about Mexico. So, from that initial discovery of Ahmed Mansoor,

00:22:35.760 --> 00:22:42.340
a lot of things followed. We found evidence that the spyware was potentially active in Mexico.

00:22:42.340 --> 00:22:46.760
JACK: So, before John at Citizen Lab even had a copy of the Pegasus spyware,

00:22:46.760 --> 00:22:50.920
the Mexican government likely purchased Pegasus to aid them in catching cartel

00:22:50.920 --> 00:22:55.600
leaders and drug lords, because it’s hard to know where their hideouts are or how

00:22:55.600 --> 00:23:00.640
they’re organizing since they use phones and encrypted messaging apps to communicate. Again,

00:23:00.640 --> 00:23:04.120
here’s Lesley Stahl with 60 Minutes talking with one of the founders of NSO.

00:23:04.120 --> 00:23:08.880
LESLEY: It’s been reported that Mexican authorities used Pegasus to capture drug

00:23:08.880 --> 00:23:12.920
lord Joaquin Guzman, better known as El Chapo,

00:23:12.920 --> 00:23:17.780
by tapping the phones of a few people he talked to while he was on the lam.

00:23:17.780 --> 00:23:20.580
SHALEV: I read it in the newspaper, the same as you.

00:23:20.580 --> 00:23:21.040
LESLEY: Okay.

00:23:21.040 --> 00:23:27.200
SHALEV: In order to catch El Chapo, for example, they had to intercept a journalist, an actress,

00:23:27.200 --> 00:23:33.240
and a lawyer. Now, by themselves, they’re not criminals, right?

00:23:33.240 --> 00:23:33.700
LESLEY: Right.

00:23:33.700 --> 00:23:39.160
SHALEV: But if they are in touch with a drug lord and in order to catch them you need to

00:23:39.160 --> 00:23:44.560
intercept them, that’s a decision that intelligence agencies should get. What

00:23:44.560 --> 00:23:51.800
if you can prevent the 9/11 terror attack? For that, you had to intercept the son,

00:23:51.800 --> 00:23:57.240
the sixteen-year-old son of Bin Laden. [MUSIC] Would that be legit or not?

00:23:57.240 --> 00:24:02.800
JACK: That is an interesting ethical issue. If you’re trying to capture a really dangerous

00:24:02.800 --> 00:24:08.360
person, you might have to go through someone they trust to get to him. So, now you’ll have

00:24:08.360 --> 00:24:15.028
people who are totally innocent getting spied on and infected with the Pegasus malware.

00:24:15.028 --> 00:24:19.000
JOHN: Well, that’s a really interesting case and one funny feature about it is that NSO has

00:24:19.000 --> 00:24:23.280
made a bunch of claims about the use of Pegasus targeting El Chapo which have been contradicted

00:24:23.280 --> 00:24:28.800
by many statements by the Mexican government, so the truth – who knows exactly where it lies

00:24:28.800 --> 00:24:34.360
in that case? But to the greater point which is the question about off-center targeting; now,

00:24:34.360 --> 00:24:41.720
it’s obviously the case that investigations sometimes proceed that way, right? You climb

00:24:41.720 --> 00:24:50.200
your way towards a potential target. The issue, really, is cases of success don’t falsify the

00:24:50.200 --> 00:24:58.720
problem of abuse. At the end of the day, even if a technology like this can be used for good,

00:24:58.720 --> 00:25:03.120
there’s really good evidence [00:25:00] that it’s susceptible to abuse, and the conclusion

00:25:03.120 --> 00:25:08.320
that I think people should draw is not hacking is – you know, they should never be technologically

00:25:08.320 --> 00:25:14.920
empowered to conduct investigations, but rather their behavior needs to be carefully overseen,

00:25:14.920 --> 00:25:20.960
otherwise there will be abuses and those abuses will have deleterious effects on our democracy.

00:25:20.960 --> 00:25:25.360
It’s the same as police in the United States and anywhere else. It’s not that we don’t need them;

00:25:25.360 --> 00:25:31.000
it’s that they need to be carefully overseen and legally accountable. What we saw in Mexico was

00:25:31.000 --> 00:25:35.600
that when you shook that tree, you just found more cases of abuses than you could count.

00:25:35.600 --> 00:25:38.480
JACK: Let’s take a look at some of those cases. John and the team

00:25:38.480 --> 00:25:43.800
at Citizen Lab were seeing lots more cases of Pegasus being used on people in Mexico.

00:25:43.800 --> 00:25:52.840
JOHN: We found that a consumer advocate, a public health scientist, and a health advocacy

00:25:52.840 --> 00:26:01.960
organization had all been targeted with Pegasus spyware. [MUSIC] This really caught our attention

00:26:01.960 --> 00:26:06.160
because one of the people, the public health researcher, was the director of a national public

00:26:06.160 --> 00:26:11.160
health lab, a government lab in Mexico. Why were these people being targeted with Pegasus? Well,

00:26:11.160 --> 00:26:15.560
it turned out that the thread that sort of connected them together was that they had

00:26:15.560 --> 00:26:22.440
all been advocating for more taxes on soda as a means to reduce childhood obesity. Now,

00:26:22.440 --> 00:26:27.280
why on earth, you might say, are a bunch of people who are concerned about childhood obesity

00:26:27.280 --> 00:26:33.440
being targeted with this creepy nation state tool? We don’t really know, but the most likely

00:26:33.440 --> 00:26:41.320
explanation is that somebody linked to the Mexican Pegasus operator was doing a favor for business,

00:26:41.320 --> 00:26:48.710
business that saw this kind of taxation as a potentially serious threat to their bottom line.

00:26:48.710 --> 00:26:53.600
JACK: Hm, that’s some shady stuff. I mean, we know about lobbyist groups that pay or bribe

00:26:53.600 --> 00:26:58.920
government officials so they can vote a specific way on issues like increasing soda tax. This is

00:26:58.920 --> 00:27:04.520
along those lines, but it takes it a step further. It sounds like certain big businesses who would

00:27:04.520 --> 00:27:10.880
be hurt by this soda tax were somehow getting the Mexican government to use Pegasus to spy on people

00:27:10.880 --> 00:27:17.560
who wanted to raise the tax. This is obviously not used to fight terrorism or crime. In fact,

00:27:17.560 --> 00:27:22.420
it’s the opposite; it’s using the spyware to actually conduct criminal behavior.

00:27:22.420 --> 00:27:30.560
JOHN: From that initial case of three, we found a dozen cases of Mexican reporters;

00:27:30.560 --> 00:27:36.360
their minor children located in the United States, lawyers representing the families of victims of

00:27:36.360 --> 00:27:43.720
cartel kidnappings, the wife and colleagues of a journalist who had been slain by a cartel,

00:27:43.720 --> 00:27:50.480
and so many other people in Mexico all targeted with Pegasus. The way that that research worked

00:27:50.480 --> 00:27:54.640
kind of encapsulates our approach at the lab, which is we worked with a bunch of local organizations,

00:27:54.640 --> 00:27:58.520
gave them guidance on the kinds of things that we were looking for, messages that might

00:27:58.520 --> 00:28:04.880
look like this, and then worked through large sets of messages comparing them and examining

00:28:04.880 --> 00:28:09.760
them against lists that we had previously developed of NSO exploit infrastructure,

00:28:09.760 --> 00:28:14.600
and this allowed us to quickly parse through large volumes of potentially suspect messages.

00:28:14.600 --> 00:28:20.800
JACK: I just want to recap something here for a second for clarity; NSO doesn’t operate the

00:28:20.800 --> 00:28:25.720
Pegasus spyware. They just make it and then license it or sell it to governments

00:28:25.720 --> 00:28:31.160
around the world. Then from there it’s then operated by law enforcement entities, military,

00:28:31.160 --> 00:28:38.200
and intelligence agencies. In this case, NSO sold the tool to the Mexican government and from there,

00:28:38.200 --> 00:28:43.720
it’s now someone within the Mexican government or affiliated organization who has control of

00:28:43.720 --> 00:28:49.080
it. They must first send a text message to their target to get them to click the link.

00:28:49.080 --> 00:28:54.680
Once the victims click the link, the phone becomes infected with spyware, unveiling their location,

00:28:54.680 --> 00:28:59.920
turning on their mic, and everything. But then that data is not sent to NSO;

00:28:59.920 --> 00:29:05.080
it’s sent to their Mexican government or whoever’s operating the tool. So, NSO is really hands-off on

00:29:05.080 --> 00:29:09.620
the whole operation and claims they don’t know how the tool is used or who it’s being used on.

00:29:09.620 --> 00:29:13.800
JOHN: The first case that we found was a Mexican journalist named Rafael Cabrera.

00:29:13.800 --> 00:29:18.680
[MUSIC] He was tweeting that he had been getting these messages masquerading as Uno TV,

00:29:18.680 --> 00:29:24.920
so masquerading as a TV station providing updates, and they were specifically referring to updates

00:29:24.920 --> 00:29:30.480
around a presidential scandal, the so-called Casa Blanca scandal. So, it’s a big scandal in Mexico,

00:29:30.480 --> 00:29:36.400
Watergate scale, and these messages were purporting to be information about that scandal.

00:29:36.400 --> 00:29:41.160
We actually learned later that the primary journalist who discovered that whose name was

00:29:41.160 --> 00:29:46.760
Carmen Aristegui, a tenacious investigator, she had also been targeted with this kind of message,

00:29:46.760 --> 00:29:52.800
and much of the targeting that we saw in Mexico wasn’t just tailored and relevant; some of it

00:29:52.800 --> 00:30:00.280
was gross. So, one of the victims of Pegasus, of targeting, was sent messages saying [00:30:00]

00:30:00.280 --> 00:30:05.120
your daughter has just been in a car accident. Here’s the hospital she was taken to, naming his

00:30:05.120 --> 00:30:08.600
daughter by name. I mean, these messages were ridiculous. One of them was like, you don’t

00:30:08.600 --> 00:30:15.080
have the balls to watch how I make-out with your partner. Look at how good we’re – in bed.

00:30:15.080 --> 00:30:20.600
Just ridiculous jokey stuff, like things that would be preposterous. Some of this stuff is just

00:30:20.600 --> 00:30:25.080
like boring, super untargeted, like a purchase notification; your card has been charged with the

00:30:25.080 --> 00:30:32.200
amount of $3,500. Please see details here, right, or stuff about – dear client, there’s a payment

00:30:32.200 --> 00:30:38.120
problem associated with your service; please see here. But then it would get really pretty direct,

00:30:38.120 --> 00:30:43.280
so for example, one of the messages coming from usembassy.gov sent to a person who had an

00:30:43.280 --> 00:30:48.680
embassy – who had a visa application with the US embassy in Mexico City, and it was usembassy.gov;

00:30:48.680 --> 00:30:53.880
we detected a problem with your visa. Please go to the embassy quickly. See details here.

00:30:53.880 --> 00:30:57.520
Right? That’s the kind of thing that’s gonna get discovered pretty quickly. But it again suggested

00:30:57.520 --> 00:31:02.000
the operators doing this were pretty brazen. Then you get stuff that’s fairly personalized, right?

00:31:02.000 --> 00:31:07.720
So like, Carlos; hi. Again, they’re spreading rumors about you and supposedly they took pictures

00:31:07.720 --> 00:31:12.960
of you and put them on TV. Here, have a look. Or hey, Juan, my father died this morning and we’re

00:31:12.960 --> 00:31:16.040
devastated. I’m sending you information about the funeral. I hope you can come.

00:31:16.040 --> 00:31:21.000
Or Carmen, my daughter has been missing for five days and we’re desperate. I would be so grateful

00:31:21.000 --> 00:31:27.920
if you could help me by sharing a photograph of her. Or people pretending to be sources, so like,

00:31:27.920 --> 00:31:32.400
hey, I have key and trustworthy evidence against public service. Please help me do something with

00:31:32.400 --> 00:31:38.840
this information. Like, they even sent messages to the minor child of Carmen Aristegui who’s

00:31:38.840 --> 00:31:45.760
away at boarding school in the United States. He was a kid, okay? Messages that he got included;

00:31:45.760 --> 00:31:52.000
beheaded journalist found in Veracruz threatening narcos. Details in photos. Link; right? This is a

00:31:52.000 --> 00:31:58.880
kid whose mother is a journalist. Obviously, I’m – these are my janky translations from Spanish,

00:31:58.880 --> 00:32:03.800
but the point is the messages are crude, but in many ways they’re effective. It makes my

00:32:03.800 --> 00:32:09.040
blood pressure bump up just reading some of this stuff, which to me pointed to the broader issue

00:32:09.040 --> 00:32:13.960
which was this technology was in the hands of a bunch of operators who were behaving like

00:32:13.960 --> 00:32:19.380
thugs and who couldn’t resist sexual taunts even as they were trying to infect people.

00:32:19.380 --> 00:32:23.560
JACK: The point of all these messages was simply to get someone to tap on

00:32:23.560 --> 00:32:28.520
the link on their phone. It sounds like there was no ethical line that

00:32:28.520 --> 00:32:31.620
they couldn’t cross when trying to get people to click a link.

00:32:31.620 --> 00:32:33.320
JOHN: One thing worth keeping in mind, right;

00:32:33.320 --> 00:32:39.360
human behavior is the forever day and clearly the security people who were behind this were

00:32:39.360 --> 00:32:44.420
trying to sort of amp up the emotional con to their messages in order to get a click.

00:32:44.420 --> 00:32:48.980
JACK: Mexico seems to have used this tool for much more than just catching drug traffickers.

00:32:48.980 --> 00:32:55.800
JOHN: What’s interesting about the Mexican case is its scope. It’s like, every sector of

00:32:55.800 --> 00:33:00.240
what we would call civil society in Mexico, from reporters to people trying to hold the government

00:33:00.240 --> 00:33:06.160
accountable, to people defending the families of kids who had been abducted by narco gangs,

00:33:06.160 --> 00:33:10.680
to the family members of people who had been assassinated. Everybody got targeted with this

00:33:10.680 --> 00:33:19.400
stuff. The case though that really has stuck with me the most in Mexico was the case of

00:33:19.400 --> 00:33:30.720
Javier Valdez. Valdez was the publisher of a small newspaper called Riodoce based in Sinaloa. Riodoce

00:33:30.720 --> 00:33:38.680
did the very dangerous thing of exposing official corruption and contacts with narco gangs. Not a

00:33:38.680 --> 00:33:45.880
very safe thing, but this guy was tenacious and he was well-known and he was absolutely without fear.

00:33:45.880 --> 00:33:53.400
One day as he was just outside of his office, he was pulled from his vehicle, riddled with bullets,

00:33:53.400 --> 00:33:56.960
and then his laptop and phone were taken and he was left lying in the middle of the street.

00:33:56.960 --> 00:34:03.240
JACK: Since his phone and laptop were taken, we don’t know what was on it but we do know

00:34:03.240 --> 00:34:10.040
the days after his death, his grieving wife and his colleagues were all targeted by Pegasus.

00:34:10.040 --> 00:34:14.080
JOHN: They were targeted during a time period when they were arguing that the

00:34:14.080 --> 00:34:16.800
official investigation was not proceeding forward.

00:34:16.800 --> 00:34:22.720
JACK: This is definitely strange, that instead of them investigating the narco gang that did this,

00:34:22.720 --> 00:34:27.960
the Mexican government was spying on his colleagues and his widowed wife. I mean,

00:34:27.960 --> 00:34:33.640
this is no way to run an investigation, that’s for sure. If you want to get answers from his wife,

00:34:33.640 --> 00:34:40.480
sit her down and talk with her. Don’t place spyware on her phone. The question arises now,

00:34:40.480 --> 00:34:45.120
is this NSO’s fault for spying on these innocent people or is it the

00:34:45.120 --> 00:34:49.800
Mexican government’s fault? One person stands out in the Mexican government;

00:34:49.800 --> 00:34:56.880
Tomas Zeron. He was the director of Mexico’s equivalent of the FBI when all this was happening.

00:34:56.880 --> 00:35:01.700
EDWARD: [MUSIC] It was Zeron’s office that had purchased a license [00:35:00] of NSO’s Pegasus.

00:35:01.700 --> 00:35:05.920
JACK: Yeah, that’s Edward Snowden’s voice. Citizen Lab, Amnesty International,

00:35:05.920 --> 00:35:10.920
and Forensic Architecture put together an interactive site to explore this timeline and

00:35:10.920 --> 00:35:16.840
to hear stories from victims of Pegasus. This site is called digitalviolence.org and there

00:35:16.840 --> 00:35:22.800
you can watch a video about Pegasus spyware. Yeah, they have Snowden narrate it. Anyways,

00:35:22.800 --> 00:35:28.020
it was this Zeron guy who was working for the Mexican government who probably bought Pegasus.

00:35:28.020 --> 00:35:32.800
EDWARD: Zeron was subsequently charged by the incoming Mexican administration

00:35:32.800 --> 00:35:37.920
with torture and enforced disappearance. He was issued an Interpol arrest warrant

00:35:37.920 --> 00:35:43.240
and has fled Mexico. Incidentally, his last recorded movement is to have

00:35:43.240 --> 00:35:50.060
entered Israel in August of 2019 where he’s believed to be currently hiding.

00:35:50.060 --> 00:35:55.680
JACK: We’re gonna take a quick break, but when we come back we’ll learn how

00:35:55.680 --> 00:36:06.280
Saudi Arabia uses Pegasus. NSO has also sold their spyware to the government

00:36:06.280 --> 00:36:11.160
of Saudi Arabia and there’s a case that made world news which involves Pegasus.

00:36:11.160 --> 00:36:14.660
HOST1: As investigators try to find out what happened to Jamal Khashoggi…

00:36:14.660 --> 00:36:18.360
HOST2: Saudi Arabia confirms that the journalist Jamal Khashoggi is dead.

00:36:18.360 --> 00:36:22.360
HOST3: Jamal Khashoggi’s loved ones want some form of closure.

00:36:22.360 --> 00:36:25.480
HOST4: Saudi foreign minister saying this was all a terrible mistake.

00:36:25.480 --> 00:36:31.160
JACK: Jamal Khashoggi was a journalist from Saudi Arabia. He was close to the royal family until

00:36:31.160 --> 00:36:37.040
Mohammed bin Salman was appointed Crown Prince. After that, Khashoggi was banned from writing

00:36:37.040 --> 00:36:42.200
and tweeting and was facing repression from the government of Saudi Arabia. He then fled

00:36:42.200 --> 00:36:46.120
the country and started speaking out against the repression of Saudi Arabia. [MUSIC] In

00:36:46.120 --> 00:36:51.600
October 2018 he went to Turkey and was lured to the Saudi consulate building to arrange

00:36:51.600 --> 00:36:57.120
for papers for a safe return to Saudi Arabia. As soon as he entered the consulate building,

00:36:57.120 --> 00:37:03.160
he was strangled, killed, and dismembered. A month later, the CIA determined that it was an

00:37:03.160 --> 00:37:08.800
assassination ordered by the Crown Prince Mohammed bin Salman. At that same time,

00:37:08.800 --> 00:37:12.840
the team at Citizen Lab was busy trying to figure out new ways to find who was

00:37:12.840 --> 00:37:17.720
infected with Pegasus spyware, and this led them to a Saudi living in Montreal,

00:37:17.720 --> 00:37:23.520
Canada whose phone was infected with Pegasus. So, Citizen Lab reached out to this person and

00:37:23.520 --> 00:37:30.800
it turned out that he was in close contact with Jamal Khashoggi, texting with him frequently.

00:37:30.800 --> 00:37:37.400
If Khashoggi’s close friend had Pegasus on his phone and if Saudi Arabia had bought Pegasus to

00:37:37.400 --> 00:37:43.720
use as they wish, and adding it up, the theory is that the Saudi government used Pegasus to spy on

00:37:43.720 --> 00:37:49.400
Khashoggi in order to ultimately assassinate him. After his assassination, his phone was

00:37:49.400 --> 00:37:54.840
not recovered so we don’t know for sure if it was infected or targeted, but if so, this is a

00:37:54.840 --> 00:38:01.240
case when a human rights activist or journalist was killed with the help of Pegasus. It’s a bit

00:38:01.240 --> 00:38:05.920
strange to me because his killers didn’t need to know where Khashoggi was because he had an

00:38:05.920 --> 00:38:10.680
appointment to meet them at the Saudi consulate building in Turkey. Instead, it’s more likely that

00:38:10.680 --> 00:38:16.960
they used Pegasus to see what he was going to do next and who else connected with him. Having this

00:38:16.960 --> 00:38:23.320
kind of information is likely what they used to make the case to assassinate a journalist.

00:38:23.320 --> 00:38:26.880
JOHN: It highlighted something that later became increasingly apparent which is

00:38:26.880 --> 00:38:32.160
there was a troubling nexus between cases of physical violence and the use of this kind of

00:38:32.160 --> 00:38:40.106
targeted spyware, adding a new dimension to the concept of find, fix, and finish.

00:38:40.106 --> 00:38:42.440
JACK: [MUSIC] Looking at all the times Pegasus was used,

00:38:42.440 --> 00:38:47.320
there’s a common thread that some kind of physical action often takes place after a

00:38:47.320 --> 00:38:53.040
victim is targeted. In this case someone was murdered, but in other cases there’s jail time,

00:38:53.040 --> 00:38:58.200
physical threats, attacks, and intimidation that happens to Pegasus’ targets.

00:38:58.200 --> 00:39:06.542
LESLEY: The word is that you sold Pegasus to them and then they turned it around to get Khashoggi.

00:39:06.542 --> 00:39:13.880
SHALEV: Khashoggi murder is horrible, really horrible, and therefore when I first heard

00:39:13.880 --> 00:39:21.160
their accusations that our technology had been used on Jamal Khashoggi or on his relatives,

00:39:21.160 --> 00:39:27.480
I started an immediate check about it and I can tell you very clear,

00:39:27.480 --> 00:39:31.500
we had nothing to do with this horrible murder.

00:39:31.500 --> 00:39:35.920
LESLEY: It’s been reported that you yourself went to Riyadh in

00:39:35.920 --> 00:39:43.632
Saudi Arabia. You yourself sold Pegasus to the Saudis for 55 million dollars.

00:39:43.632 --> 00:39:44.860
SHALEV: Don’t believe newspapers.

00:39:44.860 --> 00:39:48.840
LESLEY: Is that a denial? No.

00:39:48.840 --> 00:39:53.720
JACK: The Washington Post published an article which said that Khashoggi’s wife’s

00:39:53.720 --> 00:39:59.200
phone was analyzed after his death and it was discovered that his wife’s phone

00:39:59.200 --> 00:40:02.560
received multiple [00:40:00] messages that if she clicked it would infect

00:40:02.560 --> 00:40:07.200
her phone with Pegasus. But she does not remember if she clicked the link or not,

00:40:07.200 --> 00:40:14.040
and there’s no forensic evidence that her phone was infected. Khashoggi also had a fiancée and her

00:40:14.040 --> 00:40:21.840
phone was in fact infected with Pegasus days after Jamal’s murder. So, we have a conflicting story

00:40:21.840 --> 00:40:27.960
here. Shalev told us that they had nothing to do with the murder, and then there are three phones

00:40:27.960 --> 00:40:34.500
of family and friends of Khashoggi that were targeted. Someone’s not telling the whole truth.

00:40:34.500 --> 00:40:38.880
LESLEY: We asked Shalev Hulio if his investigation explored the

00:40:38.880 --> 00:40:41.820
wider circumference around the slain journalist.

00:40:41.820 --> 00:40:47.840
SHALEV: I can tell you that we’ve checked and we have a lot of ways to check,

00:40:47.840 --> 00:40:54.560
and I can guarantee to you our technology was not used on Jamal Khashoggi or his relatives.

00:40:54.560 --> 00:40:55.720
LESLEY: Or the dissidents?

00:40:55.720 --> 00:40:56.866
SHALEV: Or the relatives.

00:40:56.866 --> 00:40:58.940
LESLEY: Like, Omar Abdulaziz and…

00:40:58.940 --> 00:41:02.720
SHALEV: I’m not going to get into specific. I’ll tell you that if we

00:41:02.720 --> 00:41:07.560
will figure out that somebody’s misused the system, we will shut down the system

00:41:07.560 --> 00:41:11.800
immediately. We have the right to do it and we have the technology to do it.

00:41:11.800 --> 00:41:15.660
LESLEY: It begs the question, did you shut down the Saudis?

00:41:15.660 --> 00:41:19.200
SHALEV: I’m not gonna talk about customers and I’m

00:41:19.200 --> 00:41:28.600
not gonna go into specific. We do what we need to do. We help create a safer world.

00:41:28.600 --> 00:41:33.840
JOHN: My big concern is that there is a market that is pushing companies like NSO to put their

00:41:33.840 --> 00:41:40.600
technology in the hands of as many people as they can. When that happens, abuse is just a certainty.

00:41:40.600 --> 00:41:46.720
JACK: Hm, obviously NSO is a for-profit company and wants to make money from their software.

00:41:46.720 --> 00:41:50.560
Obviously there are people around the world who want this software to make it easier to

00:41:50.560 --> 00:41:56.640
spy on people. But there’s no good regulations on who can sell software like this and who can

00:41:56.640 --> 00:42:01.520
buy it. Snowden wants there to be a ban on all mobile spyware. I personally think something

00:42:01.520 --> 00:42:06.480
is wrong when a company’s business model is not to sell the cure but instead to sell the

00:42:06.480 --> 00:42:11.480
virus. But since there’s no international law forbidding this, it means we have to

00:42:11.480 --> 00:42:17.180
rely on the ethical and moral judgments made by NSO Group’s staff and leadership.

00:42:17.180 --> 00:42:22.520
LESLEY: What do you do when your customer has a definition of terrorist that isn’t

00:42:22.520 --> 00:42:27.220
our definition? In some countries, the opposition are terrorists.

00:42:27.220 --> 00:42:35.800
SHALEV: No such thing. Every customer that we sold had a very clear definition of what terrorism is,

00:42:35.800 --> 00:42:44.040
and it’s basically bad guys doing bad things in order to kill innocent people in order to change

00:42:44.040 --> 00:42:50.660
the political agenda. I never met with a customer that told me that oppositions are terrorists.

00:42:50.660 --> 00:42:52.160
LESLEY: Well, they’re not gonna tell you.

00:42:52.160 --> 00:42:54.099
SHALEV: But if they will act like that…

00:42:54.099 --> 00:42:54.112
LESLEY: Yeah.

00:42:54.112 --> 00:42:58.440
SHALEV: …they will – not gonna be a customer. There are more than a hundred countries,

00:42:58.440 --> 00:43:04.640
hundred countries that we will never sell our technologies to. I can tell you that in the

00:43:04.640 --> 00:43:13.920
last eight years that the company exist, we only had real three cases of misuse. Three cases out

00:43:13.920 --> 00:43:21.880
of thousands of cases of saving lives. Three were the misuse, and those people or those organization

00:43:21.880 --> 00:43:26.080
that misused the system, they are no longer a customer. They will never be a customer again.

00:43:26.080 --> 00:43:30.960
JACK: Well, in Mexico alone, Citizen Lab discovered twenty-five cases of abuse,

00:43:30.960 --> 00:43:34.880
so all they need to do is read Citizen Lab’s report to find more,

00:43:34.880 --> 00:43:39.520
and they do read Citizen Lab’s report and have said publicly that those reports are not accurate.

00:43:39.520 --> 00:43:44.960
JOHN: I think one of the interesting things about NSO is that NSO has lost a lot of credibility

00:43:44.960 --> 00:43:51.040
among reporters and others because they keep issuing denials that later prove to be falsified.

00:43:51.040 --> 00:43:57.640
Part of the problem is I would prefer a world in which the developers of spyware acknowledge

00:43:57.640 --> 00:44:03.200
that there was a problem and try and work to limit that problem. Instead of which,

00:44:03.200 --> 00:44:07.840
you have a company that basically denies the problem until they can’t deny it anymore,

00:44:07.840 --> 00:44:11.680
then they fall silent and switch to talking about something else. Right? That’s exactly

00:44:11.680 --> 00:44:16.080
what we don’t need if as a society we’re gonna figure out how to live in a world

00:44:16.080 --> 00:44:19.940
where this kind of sophisticated technology is used by police and security services.

00:44:19.940 --> 00:44:24.880
JACK: There’s one more clip from this 60 Minutes interview I want to play for you. In this part,

00:44:24.880 --> 00:44:28.620
Lesley Stahl is interviewing Tami Shachar, NSO’s co-president.

00:44:28.620 --> 00:44:36.160
LESLEY: To protect against misuse, she says, NSO has three layers of vetting potential customers.

00:44:36.160 --> 00:44:43.380
One by the Israeli Defense Ministry, a second by its own business ethics committee, and thirdly…

00:44:43.380 --> 00:44:48.360
TAMI: Our contractual agreements have our customers sign that the

00:44:48.360 --> 00:44:52.063
only intended use of the system will be against terror and crime.

00:44:52.063 --> 00:44:56.040
LESLEY: Oh, they sign. Come on. You have an autocratic government and they say oh,

00:44:56.040 --> 00:44:58.680
we’re not gonna use it except against criminals,

00:44:58.680 --> 00:45:01.074
and you just believe them? [00:45:00] No. Come on. Come on.

00:45:01.074 --> 00:45:05.360
TAMI: As I said, the contractual agreement comes after two layers, and you know,

00:45:05.360 --> 00:45:10.960
I would love for you to sit in one of our business ethics committee. We have a tough discussion,

00:45:10.960 --> 00:45:16.040
because imagine a country is facing major terrorist threats. At the same time,

00:45:16.040 --> 00:45:22.240
they have some corruption issues and you have to sit in that room and weigh what is more important;

00:45:22.240 --> 00:45:26.200
to help them fight terror or maybe there is a chance that it’s gonna

00:45:26.200 --> 00:45:31.380
be misused. It’s not a black and white answer. It’s a tough ethical question.

00:45:31.380 --> 00:45:36.920
JOHN: This language of like, saving lives and stopping terrorists, we know that language.

00:45:36.920 --> 00:45:42.080
We know it because it was the same language that was used right after September 11th to

00:45:42.080 --> 00:45:48.840
push the Patriot Act and it’s the same language that tyrants have used to promote nationalism

00:45:48.840 --> 00:45:57.320
and authoritarianism. So, what scares me is that we inadvertently – if we buy into that language

00:45:57.320 --> 00:46:02.440
without being critical about it, without thinking critically, we inadvertently play into it and we

00:46:02.440 --> 00:46:09.440
inadvertently support that world. I think there’s absolutely room for smart people to work with

00:46:09.440 --> 00:46:17.960
authorities to do lawful targeting, absolutely. In fact, it happens every day. What’s concerning to

00:46:17.960 --> 00:46:23.240
me about players like NSO is that they’re totally unaccountable. In fact, they’re in court right now

00:46:23.240 --> 00:46:27.560
denying that they should even be accountable for hacking a US company and its users.

00:46:27.560 --> 00:46:30.345
JACK: Ah, yes. So, let’s talk about that court case.

00:46:30.345 --> 00:46:31.760
PETER: [MUSIC] Hello, and welcome to the program.

00:46:31.760 --> 00:46:36.626
I am Peter Dobbie. NSO has faced a number of lawsuits, one of them from WhatsApp.

00:46:36.626 --> 00:46:45.480
JOHN: [MUSIC] This was a really interesting case. In the spring of 2019 it became apparent to us

00:46:45.480 --> 00:46:54.080
that something was going on with WhatsApp. We had been working with a lawyer who was

00:46:54.080 --> 00:47:02.120
representing some victims of Pegasus spyware, and he had been getting these bizarre missed

00:47:02.120 --> 00:47:07.240
video call notifications. As he described it, something really weird would happen.

00:47:07.240 --> 00:47:12.120
He would get woken up in the middle of the night and look at his phone and see a missed

00:47:12.120 --> 00:47:18.640
video call. He’d go back to sleep, he’d wake up in the morning, he’d look at his phone…

00:47:18.640 --> 00:47:22.920
JACK: But there were no missed video calls when he looked at his phone.

00:47:22.920 --> 00:47:26.680
This would happen over and over; attempted video call on WhatsApp,

00:47:26.680 --> 00:47:30.720
he wouldn’t answer the call, and then it wouldn’t show him that someone tried to call.

00:47:30.720 --> 00:47:38.720
JOHN: So, we began monitoring his device to try to figure out what might be going on. It turned out

00:47:38.720 --> 00:47:47.680
that he was targeted with what we now know to have been a zero-click exploit against WhatsApp users.

00:47:47.680 --> 00:47:57.080
JACK: A zero-click exploit. Oh man, this just got so much worse. Now you don’t even need to click a

00:47:57.080 --> 00:48:03.240
link. NSO found a way to exploit WhatsApp to take over someone’s phone without them needing to do

00:48:03.240 --> 00:48:08.040
anything. Of course, once the phone is taken over, they can go back and delete all traces,

00:48:08.040 --> 00:48:14.000
like that missed video call where the infection took place. A zero-click exploit like this means

00:48:14.000 --> 00:48:21.120
there is nothing you can do to protect yourself against this. There’s no link that you need to

00:48:21.120 --> 00:48:27.680
click and your phone is infected automatically even if you have the latest and greatest model and

00:48:27.680 --> 00:48:33.960
software. Citizen Lab reported this to WhatsApp but WhatsApp was already investigating similar

00:48:33.960 --> 00:48:38.920
attacks through its protocol. They patched the app so this couldn’t be exploited anymore and as it

00:48:38.920 --> 00:48:44.160
turned out, NSO was in fact selling this exploit to its customers which I guess makes sense;

00:48:44.160 --> 00:48:48.520
WhatsApp is a wildly popular chat app that exists on a good percentage of all phones

00:48:48.520 --> 00:48:54.160
worldwide. NSO sorta needs multiple exploits depending on who the target is. They already

00:48:54.160 --> 00:48:58.280
had a way to exploit iPhone users but now they have a way to exploit WhatsApp users.

00:48:58.280 --> 00:49:04.720
JOHN: Since the time of that initial discovery, WhatsApp has sued NSO…

00:49:04.720 --> 00:49:09.320
JACK: Keep in mind, WhatsApp is owned by Facebook, so they have quite the team of lawyers.

00:49:09.320 --> 00:49:14.680
JOHN: …and has, in some recent court filings, published some kinda bombshells

00:49:14.680 --> 00:49:20.680
suggesting that NSO owned and operated the servers that were used for the exploitation.

00:49:20.680 --> 00:49:24.920
JACK: Whoa, if NSO owns the hacking systems and servers

00:49:24.920 --> 00:49:29.520
that these exploits are carried out from, then this changes a lot.

00:49:29.520 --> 00:49:34.480
JOHN: Because for years, NSO – these other spyware companies have kind of said whenever

00:49:34.480 --> 00:49:39.440
they’re questioned about abuses, look, we don’t run this stuff. We sell it to customers and they

00:49:39.440 --> 00:49:45.840
do their thing. What WhatsApp’s latest filings in this case have shown is that NSO does appear

00:49:45.840 --> 00:49:49.920
to run some of this infrastructure which makes it look like they’re doing something more like

00:49:49.920 --> 00:49:54.000
hacking as a service. This is interesting for a number of reasons. It’s interesting

00:49:54.000 --> 00:49:57.960
because it challenges the idea that NSO wouldn’t know what its customers are doing

00:49:57.960 --> 00:50:02.200
and wouldn’t be able to exercise some oversight. [00:50:00] From a national security standpoint,

00:50:02.200 --> 00:50:04.800
it’s also really interesting because it suggests that NSO might be able to look

00:50:04.800 --> 00:50:08.520
over its customers’ shoulders and see who they were infecting with this technology.

00:50:08.520 --> 00:50:13.800
JACK: It also means that NSO isn’t being honest when they explain how this software works,

00:50:13.800 --> 00:50:19.760
that they just sell it and have nothing to do with it after. This lawsuit was issued in October 2019

00:50:19.760 --> 00:50:26.340
in San Francisco, but as of this recording in 2021, the case has not yet gone to trial.

00:50:26.340 --> 00:50:32.440
JOHN: So, what’s happened with that case is that NSO has tried to appeal the case perhaps

00:50:32.440 --> 00:50:40.720
in a strategy to stop discovery. So, right now the effort by NSO to basically have the case dismissed

00:50:40.720 --> 00:50:48.760
is currently underway. Both sides have presented their arguments. In addition, a who’s-who of tech

00:50:48.760 --> 00:50:56.240
companies and civil society organizations have all thrown weight behind the WhatsApp/Facebook case.

00:50:56.240 --> 00:50:59.280
JACK: Companies joining in on this case are Microsoft,

00:50:59.280 --> 00:51:02.220
Cisco, GitHub, Google, LinkedIn, and VMware.

00:51:02.220 --> 00:51:06.800
JOHN: Major players have all come in and said look, this case is really important

00:51:06.800 --> 00:51:13.160
and we think that this is a really critical case. You have a whole bunch of tech companies

00:51:13.160 --> 00:51:18.600
plus a bunch of civil society organizations all coming in and saying to the judge look,

00:51:18.600 --> 00:51:22.800
don’t let this case be dismissed. This is super important. Besides, NSO’s legal claims don’t

00:51:22.800 --> 00:51:28.986
hold water. Citizen Lab isn’t a part of that case but we’re of course watching it really closely.

00:51:28.986 --> 00:51:34.240
JACK: [MUSIC] Just a few weeks ago, NSO hit the news again, something called the Pegasus Project,

00:51:34.240 --> 00:51:38.480
which is a group made up of eighty journalists and seventeen media companies in ten different

00:51:38.480 --> 00:51:43.440
countries. They all came together to compile and investigate all reported cases of Pegasus

00:51:43.440 --> 00:51:49.840
infections. During their research, they somehow got ahold of a leaked list of 50,000 phone

00:51:49.840 --> 00:51:55.800
numbers that they claim are possible targets for Pegasus spyware. These potential targets

00:51:55.800 --> 00:52:00.600
include activists, human rights defenders, journalists, and even government officials

00:52:00.600 --> 00:52:06.160
like the president of France and the daughter and ex-wife of the ruler of Dubai. But I feel

00:52:06.160 --> 00:52:11.480
like this news story was slightly misreported; the 50,000 phone numbers on this list were potential

00:52:11.480 --> 00:52:16.160
targets. It doesn’t mean that they actually were targeted by Pegasus. It just means that

00:52:16.160 --> 00:52:23.040
people who had access to the Pegasus spyware were interested in these 50,000 people. Shalev Hulio,

00:52:23.040 --> 00:52:29.280
who is the S in NSO, was questioned about this in an Israeli news outlet called Calcalist.

00:52:29.280 --> 00:52:33.960
He said that this list of 50,000 phone numbers has nothing to do with the NSO Group and they

00:52:33.960 --> 00:52:37.800
wouldn’t even have such a list like this to begin with. He thinks the list was probably

00:52:37.800 --> 00:52:44.080
derived from some kind of HLR lookup system. HLR stands for Home Location Register and it’s

00:52:44.080 --> 00:52:47.760
like a database that phone companies have that you can use to look up phone numbers

00:52:47.760 --> 00:52:53.080
to see if those are registered phone numbers. Someone familiar with how Pegasus works said

00:52:53.080 --> 00:52:59.720
that Pegasus has HLR lookup capabilities within the tool. But Shalev Hulio said something else

00:52:59.720 --> 00:53:04.680
that’s really interesting to me. He said he was first notified of this weeks before the list was

00:53:04.680 --> 00:53:11.200
announced and that someone notified him that one of his servers in Cyprus was hacked and the entire

00:53:11.200 --> 00:53:17.400
NSO target list was stolen. I confirmed they do have servers in Cyprus, but Shalev said it’s

00:53:17.400 --> 00:53:22.200
impossible to have the NSO target list stolen since NSO doesn’t have such a database or list

00:53:22.200 --> 00:53:27.400
of targets because each customer runs their own instance and infrastructure for Pegasus to run,

00:53:27.400 --> 00:53:33.520
and there’s no central repository of data. But something isn’t adding up here. Why is there a

00:53:33.520 --> 00:53:38.560
list of 50,000 phone numbers and why would Shalev admit that the NSO was breached and

00:53:38.560 --> 00:53:44.720
tell us the entire NSO target list was stolen but then deny that such a list even exists?

00:53:44.720 --> 00:53:50.480
A few months ago, the NSO Group put out their very first transparency and responsibility report. In

00:53:50.480 --> 00:53:56.160
it, they say that customers are contractually obligated to provide logs to NSO which include

00:53:56.160 --> 00:54:01.640
which NSO product they use, how the process was done, why they used it, the duration of use,

00:54:01.640 --> 00:54:09.600
and who was targeted. So, if that’s the case, then the NSO does have a way to collect logs from its

00:54:09.600 --> 00:54:15.280
customers and maybe they do have a central place to store those logs. Amnesty International is who

00:54:15.280 --> 00:54:19.520
initially released this report about the 50,000 phone numbers, but they won’t say how they got it

00:54:19.520 --> 00:54:24.440
since that could put certain people in danger or burn their source. The Pegasus Project does list

00:54:24.440 --> 00:54:30.160
eleven countries which show signs that they probably have Pegasus. Those countries are

00:54:30.160 --> 00:54:39.000
Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo,

00:54:39.000 --> 00:54:44.120
and the United Arab Emirates. Oh, and I learned more about Rwanda’s use of Pegasus. If you know

00:54:44.120 --> 00:54:49.200
the story of Hotel Rwanda, then you might have heard that the manager of the hotel was arrested

00:54:49.200 --> 00:54:54.040
last year on terrorism charges. He is not a terrorist; he’s a human rights activist. Now,

00:54:54.040 --> 00:54:58.880
I don’t know what’s going on with his phone, but a report from The Guardian recently came out and

00:54:58.880 --> 00:55:04.840
said that the American [00:55:00] daughter of the manager of the hotel was targeted with Pegasus.

00:55:04.840 --> 00:55:10.000
This leads me to believe that the Rwanda government is using it to spy on activists.

00:55:10.000 --> 00:55:14.880
Officially, the Rwanda government says they deny that they have Pegasus or use it at all,

00:55:14.880 --> 00:55:19.360
but one of the former heads of Rwanda’s national intelligence was actively spied

00:55:19.360 --> 00:55:25.320
on with Pegasus when he became an opponent of the current administration. On top of that,

00:55:25.320 --> 00:55:30.360
there’s a Financial Times article that came out which also outlined how over six Rwanda

00:55:30.360 --> 00:55:34.800
activists were targeted by Pegasus, and the article goes on to say that people who are

00:55:34.800 --> 00:55:40.800
opposed or outspoken of the current government party of Rwanda sometimes become missing or go

00:55:40.800 --> 00:55:47.560
to prison or have to flee the country because of threats or end up killed. This just adds to

00:55:47.560 --> 00:55:56.000
the pattern of abuse that follows this spyware around. The transparency report that the NSO

00:55:56.000 --> 00:56:02.160
Group put out said they have sixty customers in forty countries. Forty countries are their

00:56:02.160 --> 00:56:09.240
customers. That’s 20% of the countries in the world that have access to this Pegasus spyware. The

00:56:09.240 --> 00:56:13.960
NSO transparency report says the NSO Group has a list of fifty-five countries that they refuse

00:56:13.960 --> 00:56:19.280
to do business with because of human rights abuse, corruption, or regulatory restrictions.

00:56:19.280 --> 00:56:25.120
They do say in the report over and over how much they support human rights, and they say they

00:56:25.120 --> 00:56:29.200
continually investigate their customers, looking for signs where their customers have abused the

00:56:29.200 --> 00:56:34.320
tool, and they say that they’ve found that the tool has been abused only half a percent of the

00:56:34.320 --> 00:56:40.520
time, which would mean that one out of every two hundred targets is a misuse of the tool, which I

00:56:40.520 --> 00:56:47.320
find to be an unbelievable statistic because in one interview with Forbes, Shalev Hulio from NSO

00:56:47.320 --> 00:56:52.760
said the average customer has only one hundred targets and we know of over twenty instances

00:56:52.760 --> 00:56:59.000
where in Mexico alone this tool was misused. But this Pegasus Project highlights hundreds

00:56:59.000 --> 00:57:06.800
of cases of misuse. Overall, this NSO transparency report seems like PR fluff to me. There’s nothing

00:57:06.800 --> 00:57:12.680
transparent about it. Like, Lesley Stahl from 60 Minutes asked Shalev point-blank if he cut ties

00:57:12.680 --> 00:57:19.000
with Saudi Arabia after it came out that Khashoggi was spied on with Pegasus and murdered. But Shalev

00:57:19.000 --> 00:57:24.480
refused to talk about any customers. Well, this transparency report refuses to talk about

00:57:24.480 --> 00:57:29.600
customers, too. It would have been nice if they highlighted the same instances of abuse that the

00:57:29.600 --> 00:57:35.000
Pegasus Project highlighted and pointed out that these are the specific reasons why we cut ties

00:57:35.000 --> 00:57:40.680
with these specific countries and listed those countries by name. That would be transparent.

00:57:40.680 --> 00:57:45.000
But that’s not what was in this report, so I’m hesitant to believe any of the stuff written in

00:57:45.000 --> 00:57:49.920
this transparency report is even true. But when this bombshell allegation came out that there’s

00:57:49.920 --> 00:57:57.560
a list of 50,000 potential targets of Pegasus, NSO got mad and posted a new article on their website

00:57:57.560 --> 00:58:03.640
titled Enough is Enough, and it said the Pegasus Project report had complete disregard of the facts

00:58:03.640 --> 00:58:09.280
and that NSO will no longer be responding to media inquiries. I’ve gotta laugh at that part;

00:58:09.280 --> 00:58:14.360
no longer responding to media inquiries? Are you kidding me? I’ve been inquiring for three years

00:58:14.360 --> 00:58:18.760
now and you’ve refused to talk before this was happening. Now you’re telling me your official

00:58:18.760 --> 00:58:23.080
stance is to refuse to talk about it because another report came out. I don’t know how you

00:58:23.080 --> 00:58:28.360
think this makes you look, but it doesn’t make you look good. Anyway, the article goes on to say

00:58:28.360 --> 00:58:33.040
that there are no connections between the 50,000 phone numbers and NSO and any claim that there

00:58:33.040 --> 00:58:38.920
is a connection is erroneous and false. They give a flip-flop statement saying that they don’t have

00:58:38.920 --> 00:58:44.240
any of their customers’ data, but their customers are obligated to provide data if the NSO Group

00:58:44.240 --> 00:58:50.120
asks for it. NSO, this means you do have customer data. You need to pick a side here; you either

00:58:50.120 --> 00:58:56.320
don’t have any customer data or you have total access to customer data. You can’t say it’s both.

00:58:56.320 --> 00:59:00.200
Then they end by saying NSO’s mission is to save lives by helping governments

00:59:00.200 --> 00:59:04.640
around the world prevent terror attacks, break up pedophilia, sex and drug trafficking rings,

00:59:04.640 --> 00:59:08.480
and locate missing children and people, and protect airspace from unauthorized

00:59:08.480 --> 00:59:15.000
drones flying over. Yeah, that’s great, but again, if countries use the tool for good,

00:59:15.000 --> 00:59:21.600
it doesn’t negate the fact that the tool is frequently used to spy on the wrong people

00:59:21.600 --> 00:59:27.800
and do harm to civil society. Someone needs to hold NSO accountable for getting this tool

00:59:27.800 --> 00:59:32.360
into the wrong customers’ hands. Think about it like this; a while back I did an episode

00:59:32.360 --> 00:59:37.880
on the Butterfly Botnet. The people who used this botnet to attack with and cause destruction with,

00:59:37.880 --> 00:59:43.880
they got arrested. Okay, that makes sense; they did a criminal act. But the person who made the

00:59:43.880 --> 00:59:49.720
Butterfly Botnet got even more prison time than the criminals, and that’s because he created

00:59:49.720 --> 00:59:58.040
malware with the intent to do harm with it. Here we have NSO creating malware to hack into people’s

00:59:58.040 --> 01:00:04.720
phones. But the only difference [01:00:00] is NSO says they make the tool to help save lives.

01:00:04.720 --> 01:00:11.880
But if they continue to do multi-million dollar deals with oppressive regimes who use the malware

01:00:11.880 --> 01:00:19.080
to attack civil society over and over, then the NSO Group needs to be held accountable for that.

01:00:19.080 --> 01:00:24.200
They obviously know how dangerous this malware is and if they had any kind of notice that a

01:00:24.200 --> 01:00:31.480
person they’re selling it to may use it to commit some non-lawful activity with it, then that alone

01:00:31.480 --> 01:00:37.840
should be enough to get them in trouble for what they’ve been doing. Anyway, in July 2021,

01:00:37.840 --> 01:00:43.360
Israeli government officials visited the offices of the NSO Group. It looks like they came to

01:00:43.360 --> 01:00:49.520
review their export licenses and audited NSO to see if they’ve done anything wrong. It’s fuzzy

01:00:49.520 --> 01:00:53.720
and we’re not sure what actually happened here or what’s going to happen, but it’s not a good

01:00:53.720 --> 01:00:59.760
sign when your government comes to your offices and starts looking through your documents. Now,

01:00:59.760 --> 01:01:03.960
you might be wondering wait a minute, haven’t all these Pegasus vulnerabilities been fixed? Like,

01:01:03.960 --> 01:01:08.920
didn’t Apple fix that one when John reported it and WhatsApp fixed theirs? Is this even an issue

01:01:08.920 --> 01:01:15.040
still? Actually, yeah, it is an issue still. They have a new version of Pegasus. Apparently

01:01:15.040 --> 01:01:20.140
NSO has many different exploits that they can use to get the Pegasus spyware onto phones.

01:01:20.140 --> 01:01:25.920
JOHN: Every time there’s an exposure like this, NSO makes a bunch of brave claims in public and

01:01:25.920 --> 01:01:30.280
off the record to people that they came right back online with some new exploits, and their

01:01:30.280 --> 01:01:36.400
narrative is that they’ve always got something in the pipe. I think one thing to consider here is

01:01:36.400 --> 01:01:42.520
that we know, of course, you burn an exploit chain, you make something public, there’s a

01:01:42.520 --> 01:01:47.640
big technological cost to getting back online. Moreover, you may have a whole lot of customers

01:01:47.640 --> 01:01:52.800
with devices that are already infected out there but that are now beaconing to infrastructure that

01:01:52.800 --> 01:01:59.200
is known by security researchers and others. It’s a huge cost to customers of getting back online.

01:01:59.200 --> 01:02:05.320
I think we’re still learning as we watch the NSO example just what constitutes real disruption and

01:02:05.320 --> 01:02:12.240
what constitutes the cost of doing business. It seems to be in the same way that certain cowboy

01:02:12.240 --> 01:02:17.680
capitalist firms view fines; I’m tempted to say NSO may view the exposure of some of its exploits

01:02:17.680 --> 01:02:22.200
as part of its cost of doing business. Certainly it’s not – it seems – in want for capital.

01:02:22.200 --> 01:02:27.920
JACK: I guess this is one reason why NSO is so focused on Citizen Lab, because Citizen Lab has

01:02:27.920 --> 01:02:34.440
fixed these vulnerabilities that Pegasus uses a few times, and it’s extremely costly for NSO

01:02:34.440 --> 01:02:40.640
whenever Citizen Lab discovers a new one and reports it. So, it makes sense for NSO to be

01:02:40.640 --> 01:02:45.640
very interested in what John and his colleagues are doing at Citizen Lab,

01:02:45.640 --> 01:02:49.800
because they’re exposing a very powerful organization. But this isn’t just the work

01:02:49.800 --> 01:02:54.920
of Citizen Lab. Lots of other organizations have all researched and published articles about NSO’s

01:02:54.920 --> 01:03:00.440
spyware. Lookout Security has analyzed malware and published reports. Amnesty International has

01:03:00.440 --> 01:03:05.680
also publicly exposed other things that NSO Group has done. So, that brings us back to

01:03:05.680 --> 01:03:13.000
Black Cube spying on John Scott-Railton and Citizen Lab. Why would they do that? Well,

01:03:13.000 --> 01:03:18.440
Black Cube is just a for-hire spy agency, so they likely didn’t come up with this idea themselves.

01:03:18.440 --> 01:03:24.760
Somebody probably hired them to send a spy to the US to meet with John. As John was thinking about

01:03:24.760 --> 01:03:30.320
who could have possibly hired Black Cube to spy on him, some news came out with more information.

01:03:30.320 --> 01:03:35.880
JOHN: After we realized that both myself and my colleague Bahr were targeted,

01:03:35.880 --> 01:03:46.120
the AP uncovered four more people who all were supporting victims, including a journalist and

01:03:46.120 --> 01:03:56.600
lawyers. It appeared part of a coordinated effort to get information about legal cases against NSO,

01:03:56.600 --> 01:04:03.360
and ultimately if you look at it, to frustrate the ability of victims to get justice. These

01:04:03.360 --> 01:04:08.680
were lawyers representing the parents and – parents of children who had been disappeared

01:04:08.680 --> 01:04:12.680
by the Mexican government. These were not lawyers for wealthy people. These

01:04:12.680 --> 01:04:19.800
were lawyers for victims. The case really to me highlighted the extent to which somebody

01:04:19.800 --> 01:04:27.320
with deep pockets was trying to basically blunt any attempt by those victims to gain justice.

01:04:27.320 --> 01:04:32.400
JACK: John and his colleague at Citizen Lab were targeted by Black Cube spies,

01:04:32.400 --> 01:04:37.400
and they asked a bunch of questions about Citizen Lab’s interest with the NSO Group.

01:04:37.400 --> 01:04:44.600
Then there were a few lawyers of victims of NSO who were also spied on by Black Cube. So, if you

01:04:44.600 --> 01:04:52.580
connect these dots together, does this answer the question of who paid Black Cube to spy on John?

01:04:52.580 --> 01:05:03.731
JOHN: Well, I think I’ll let your listeners make the judgement of what this might indicate.

01:05:03.731 --> 01:05:08.440
JACK: [MUSIC] [01:05:00] Hm, okay, let’s do a thought experiment here. If the NSO Group

01:05:08.440 --> 01:05:14.920
paid Black Cube to spy on its critics, then what does that mean? Well, in my opinion,

01:05:14.920 --> 01:05:22.400
it puts the NSO Group in an ethically indefensible area because NSO just sells spy tools. They claim

01:05:22.400 --> 01:05:26.680
they don’t do any of the spying themselves, and so every time you try to put your finger

01:05:26.680 --> 01:05:33.000
on some action that the NSO Group did wrong, they just step aside and put blame on their customer.

01:05:33.000 --> 01:05:37.960
Since they are so secret and hidden about what they do, you really don’t know how much they

01:05:37.960 --> 01:05:46.720
should be blamed for. But in this case where Black Cube spied on Citizen Lab and lawyers of victims

01:05:46.720 --> 01:05:53.160
of the Pegasus software, if the NSO Group is who paid Black Cube to do that, then this is

01:05:53.160 --> 01:05:59.800
a clear case of where the NSO Group themselves did something unethical. Not their customers,

01:05:59.800 --> 01:06:07.120
but them. If that’s the case, does that show their true colors of what kind of company they

01:06:07.120 --> 01:06:15.280
really are? Because if they are an unethical company, you can’t believe what they tell you

01:06:15.280 --> 01:06:23.160
and you can’t trust them to make ethical choices like who to sell their spyware to.

01:06:23.160 --> 01:06:26.400
Oh, and I also want to mention that this spyware might be coming to a

01:06:26.400 --> 01:06:30.720
police department near you. Joseph Cox at Motherboard wrote a story last year that

01:06:30.720 --> 01:06:35.640
the NSO Group tried to sell its spyware to the San Diego Police Department. NSO Group goes by

01:06:35.640 --> 01:06:41.640
many names. Here in the US they call themselves Westbridge Technologies, and Omri, the O in NSO,

01:06:41.640 --> 01:06:48.080
has spearheaded NSO’s presence in the US. In fact, his office is in New York. It also sounds

01:06:48.080 --> 01:06:53.760
like the FBI might be conducting an investigation on the NSO Group. Joseph Menn at Reuters wrote an

01:06:53.760 --> 01:06:57.920
article saying that the FBI was trying to determine if the NSO Group got any of its

01:06:57.920 --> 01:07:03.600
exploits from Americans. But I also imagine that the FBI would be concerned about whether or not

01:07:03.600 --> 01:07:09.760
foreign entities use Pegasus to spy on Americans. I mean, it should be a crime under the Computer

01:07:09.760 --> 01:07:13.960
Fraud and Abuse Act to gain unauthorized access to someone’s phone or computer,

01:07:13.960 --> 01:07:18.560
because you can’t just hack into someone’s device without their express consent. That’s illegal.

01:07:18.560 --> 01:07:24.200
So, I do hope US authorities are collecting information on what Americans have been targeted

01:07:24.200 --> 01:07:29.880
and whoever’s doing it get in a lot of trouble for it. But this is the sort of grey area of

01:07:29.880 --> 01:07:34.720
this whole thing. NSO claims that what they’re doing is selling a lawful intercept technology

01:07:34.720 --> 01:07:39.600
and should only be used when law permits and there’s permission to do so. But there doesn’t

01:07:39.600 --> 01:07:46.360
seem to be any consequences to governments who abuse this tool. I just hope that my country has

01:07:46.360 --> 01:07:52.600
my best interest in mind and that if I get spied on illegally using this tool that the authorities

01:07:52.600 --> 01:07:57.800
care enough about it and punish those behind it, because I’ll never be able to win a security

01:07:57.800 --> 01:08:03.440
battle which is me versus a billion-dollar company like the NSO Group. I can do things

01:08:03.440 --> 01:08:19.937
to be safer but I will never feel safe, not until my government fully has my back on these issues.

01:08:19.937 --> 01:08:24.360
(OUTRO): [OUTRO MUSIC] A big thank you to JSR, John Scott-Railton, from Citizen Lab for doing

01:08:24.360 --> 01:08:29.640
all this research, being fearless in the face of the enemy, and publishing countless reports on

01:08:29.640 --> 01:08:36.680
threats towards civil society. You can learn more about his work by visiting citizenlab.ca. Okay,

01:08:36.680 --> 01:08:44.640
so, I made it to Episode 100. Whew. With that, I’m gonna take a break, but just for two weeks. So,

01:08:44.640 --> 01:08:49.160
I’m sorry, but there will just not be an episode in two weeks. If you’re wondering,

01:08:49.160 --> 01:08:53.240
I’m headed to the beach and I’m just gonna unplug and be as low-tech as I can for

01:08:53.240 --> 01:08:58.720
a while. If I add up all the episodes, I’ve written about fifteen novels worth of stories

01:08:58.720 --> 01:09:04.960
now. My fingers are sore. But look for another episode in four weeks. This show is made by me,

01:09:04.960 --> 01:09:08.240
the spaghetti coder, Jack Rhysider. Our theme music is by the elusive

01:09:08.240 --> 01:09:12.800
Breakmaster Cylinder. Even though I’ll be on break next week, I’m still going to my

01:09:12.800 --> 01:09:23.720
hacker support group that I’m in. It’s called Anonymous Anonymous. This is Darknet Diaries.
