Investigating the Company Behind WhatsApp Spyware
Israeli tech firm’s malware has been found on servers in 45 countries. We followed its trail around the world to speak to those who were hacked.
When a story went viral this week that WhatsApp was used to covertly hack into phones, I wasn’t surprised that NSO Group was behind the scandal. The Israeli spyware company’s technology, Pegasus, exploits flaws in apps to remotely and secretly take over a target’s smartphone. Coincidentally, abuse of Pegasus is the subject of our latest Fault Lines episode, “Targeted by a Text”. For six months, we’ve investigated how governments have licensed Pegasus from NSO Group and used it to spy on journalists, lawyers, human rights activists and their family and friends.
NSO Group first popped on my radar in 2016, when my colleague, Andréa Schmidt, and I were reporting on a debate between Apple and the FBI on whether the tech giant should give law enforcement a back door to the iPhone’s encryption in the aftermath of the San Bernardino shooting. A number of hackers we interviewed for the Fault Lines episode “Crypto Wars” agreed on one point: to hack an iPhone you needed to have an unlocked device in your possession.
But that was before they found out about Pegasus.
After days of interviewing computer experts and hackers, I spoke to Bill Marczak, a researcher with Citizen Lab, a world-renowned digital rights group based out of the University of Toronto.
He told me that he’d recently received a message from Ahmed Mansoor, a democracy activist in the UAE who had been hacked at least twice before by what appeared to be UAE government agents. Mansoor had forwarded him a suspicious text he’d received containing a link. On a hunch Marczak set up a rigged phone from which he could safely watch the text trap unfold. He was stunned as the malware compromised almost every function of the phone: the camera, microphone, GPS and encrypted messaging apps all fell prey to a remote operator. It was clear that this technology was the harbinger of a new era in cyber surveillance. He likened it to seeing a unicorn in the wild.
I Skyped with Mansoor, who told me that he was under constant harassment and surveillance by the government of UAE for his work. In recent weeks, he had been beaten up by strangers, picked up and harassed by police and had $140,000 disappear out of his bank account. While he was at the bank trying to find out what happened, someone stole his car off the street.
We now know Pegasus wasn’t the only attempt to surveil Mansoor. He made the hit list of Project Raven, code name for a team of American cyber spies with NSA experience. Contracted to boost UAE’s digital reach into the dark side, the Americans hacked into Mansoor’s baby monitor in one of their many intrusions into his life.
Of Pegasus he said, “It could not only land people in jail, it could also cause some people to be killed or assassinated.”
His concerns were prescient: A year and a half after we spoke, Mansoor was sentenced to 10 years in prison for publicly criticizing the UAE government. And worse yet, he has been held in solitary confinement for the past two years. Amnesty International reports that Mansoor has been on a hunger strike and his health is deteriorating.
NSO Group argues that they sell Pegasus only to security agencies in countries approved by the Israeli government. They also claim that Pegasus has saved thousands of lives in preventing terrorist attacks, and has led to the arrest of high-level criminals.
The company is quick to point out that Pegasus can be shut down if a country abuses its malware. To explore the veracity of this claim for “Targeted by a Text” we traveled to Mexico, where a series of controversies involving Pegasus have drawn international attention.
We caught up with one of the country’s most famous journalists, Carmen Aristegui, on the set of her show Aristegui Noticias in Mexico City. In 2015, she broke a story about corruption involving then-president Enrique Peña Nieto with the type of hard-hitting journalism that can bring down an administration. Aristegui said she quickly felt the backlash. “Nieto’s government unleashed a persecution against me,” she told us. “They wanted to harm me in different ways.”
Aristegui was fired from her wildly popular radio program. Not long after, she and her 16-year-old son Emilio, studying at a private high school in Massachusetts, began receiving text messages designed to intrigue them. One such text to Emilio claimed to be a message from the US consulate office instructing him to click a link to take care of a visa issue. To be clear, malware impersonating the US government was deployed against a minor on American soil.
Aristegui was concerned about the sensitive information stored in her phone, including the identities and contact information of her sources, but the threat to Emilio felt deeply personal.
“Pegasus is affecting when it attacks you as a journalist, but it affects you much more when your son is attacked,” Aristegui told me.
Pegasus exploded into a full-blown national scandal when Citizen Lab revealed that the government had not only spied on Aristegui, but also on lawyers representing the families of 43 students who were disappeared en route to a demonstration. When the Mexican government failed to conduct a credible investigation into the disappearances, international investigators from the Inter-American Commission on Human Rights were invited in, only to have their phones also hacked by someone within the Mexican government. In response to public outrage, Mexico’s Attorney General’s office promised an investigation into Pegasus, but it’s the same agency that licensed the malware for at least $32 million. So far, no one has been held accountable.
Mexico’s abuses of Pegasus led to international headlines, offering the perfect opportunity for NSO Group to demonstrate to the world it would cut off bad actors. But bloody events would prove this promise hollow: on May 15, 2017, Javier Valdez, a journalist famous for his unflinching coverage of cartels, was gunned down by cartel hitmen near the offices of Riodoce, a newspaper he founded in Culiacán, the capital of Sinaloa. Within days, two of his colleagues at the paper were texted links that Citizen Lab traced to NSO Group servers.
Riodoce is tucked into a nondescript office building not far from an elaborate shrine to Jesus Malverde, a legendary 20th-century drug runner. Inside, stacks of paper, years’ worth of reporting from the frontlines of the drug war, bend the shelves. After Valdez’s murder, Andres Villarreal, his friend and colleague, received several Pegasus-infected texts.
I asked him what worried him more: the narcos responsible for Valdez’s murder or the government behind the hacking. He said, “Sometimes they’re one and the same. The frontier between authority and crime is weak. Who’s scarier? I believe either one of them. In Mexico you have to watch out for both.” Villarreal keeps Valdez’s memory alive at Riodoce by re-running his old columns in every edition.
Griselda Triana, Valdez’s widow, was also targeted with Pegasus in the wake of his assassination. She agreed to give us her first interview about Pegasus since the murder from a small library known as a safe place for journalists to meet and work. It also serves as a memorial to Valdez, housing his many books. She showed me the iPhone and text messages written specifically to ensnare her. While she now has a new phone that she doesn’t believe is infected, she said, “the feeling of being watched remains.”
And maybe for good reason: despite NSO’s claim of shutting down malware abusers, Mexico remains one of 45 countries found by Citizen Lab to have Pegasus infections on their networks. Mexico’s new administration claims to have deleted Pegasus from its servers.
Pegasus’s Mexican scandals were recently overshadowed after it emerged that the malware was sent to associates of slain Saudi journalist Jamal Khashoggi. One of them was Yahya Assiri, a Saudi human rights activist living in exile in London, where he runs an NGO that relays information about the abuses happening within Saudi Arabia to the rest of the world. We walked into his office to find the former Royal Saudi Air Force officer filming an Internet show about freedom and democracy. Since the rise to power of Crown Prince Mohammed bin Salman, also known as MBS, conditions within Saudi Arabia have become dire for Assiri’s sources.
In the absence of a free press, Assiri relies on people armed with smartphones to report information about what’s actually happening on the ground in Saudi Arabia, but they do so with great risk. “They have been tortured and ill-treated and faced sexual harassment just because they contacted myself or another NGO and because they told the world about violations inside the country,” he said. “All of that came from surveillance on their mobiles.”
Assiri choked back tears as he showed us Khashoggi’s final WhatsApp message to him, in which Khashoggi suggested they try to convince bin Salman that releasing political prisoners could gain him international goodwill. Within days, Khashoggi’s body would be dismembered by a Saudi hit team inside their consulate in Turkey.
We don’t know if Khashoggi was hacked by Pegasus, but we do know that it was used to target Assiri and at least two of the slain journalist’s friends.
NSO Group claims that their malware is used only against high-level targets such as human traffickers, drug lords and terrorists. However, Assiri explained that the bar for consideration as a terrorist has been lowered so far in Saudi Arabia that anyone criticizing the crown meets the criteria. He and his NGO could certainly be considered terrorists in the eyes of MBS.
Pegasus’ bad press has done nothing but add to NSO Group’s bottom line. Francisco Partners, an investment firm out of San Francisco, purchased a 70 percent stake in NSO Group for a reported $120 million in 2014 and then sold it back to its founders and a London-based investment group for roughly $800 million.
After refusing multiple requests for a sit-down interview, I rang the doorbell of one of NSO’s three founders, Omri Lavie, at his $4 million house just outside Manhattan. Lavie’s response struck me as ironic: “This is private property. If you don’t leave, I’ll call the police.” It’s understandable that Lavie felt intruded upon; privacy offers a veil of protection. But Pegasus vaporizes that cloak, presenting authoritarian governments with a dream scenario: they no longer have to expend resources devising elaborate surveillance schemes when everyone not only carries a recording device with GPS locator, but pays handsomely for the privilege to do so.
Recognizing the profound stakes imperiled by the loss of privacy echoes another “Crypto Wars” interview. It was with Moxie Marlinspike. He had been the head of security for Twitter before resigning and designing his own end-to-end encryption protocols. I was surprised to learn that Marlinspike considers himself a digital pessimist. He sees encryption as a last-gasp effort to hold off a dystopian future without privacy or protection from those with power.
Today more than a billion people use Marlinspike’s encryption whether they realize it or not, as his protocols were adopted by WhatsApp. I can only imagine his reaction to news this week that his work served as Pegasus’ Trojan horse through the app.
Welcome to the dystopian now.
Josh Rushing is a correspondent for Fault Lines, an Emmy Award-winning current affairs and documentary program on Al Jazeera English.
This was reported with Andréa Schmidt in 2016 and Mark Scialla in 2018, with editing and contributions by Laila Al-Arian and Paige Rushing.