Since news broke that WhatsApp is suing an Israeli spyware company for exploiting a vulnerability in WhatsApp to plant spyware in users’ phones just by ringing the target’s device, people are wondering who and what NSO is.

What is the NSO Group?

According to its website, NSO Group, which also goes by Q Cyber Technologies, develops technology to “help government agencies detect and prevent terrorism and crime”. As per the website, the products are used exclusively by government intelligence and law enforcement agencies to fight crime and terror. News that at least 20 Indians were targeted by the Pegasus software (more on it below) is especially damning because it suggests the government of India bought the product to surveil its own citizens who disagreed with the government.

In a 2016 email to Forbes, the NSO group had said that it did not operate any of its systems and was strictly a technology companies. “The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner. Specifically, the products may only be used for the prevention and investigation of crimes,” the email said.

As per WhatsApp’s lawsuit, NSO Group was incorporated in Israel in 2010 and had a marketing and sales arm in the US, WestBridge Technologies, Inc. Between 2014 and 2019, a San Francisco-based private equity firm, Francisco Partners Management LLC, acquired a controlling stake in the NSO Group for $120 million. Now, however, it has been reacquired by its founders and management, a European private equity firm called Novalpina Capital, and Q Cyber is listed as the only active director of the Group and its majority shareholder.

Who is part of the NSO Group?

It was founded by two Israelis — Shalev Hulio and Omri Lavie. Both of them are on the company’s board. Lavie also co-founded Kaymera, a company that creates super-secure phones for government officials. So NSO Group and Kaymera offer complementary products. According to Forbes, Kaymera and NSO’s offices are located next to each other.

Its other directors include citizens of the USA, UK, Germany and Israel. Its senior advisors include Tom Ridge, the first American Secretary of Homeland Security, Gerard Araud, a French diplomat, Juliette Kayyem, faculty chair of Harvard’s Homeland Security Programme, and Daniel Reisner, the former head of Israel Defence Forces’ International Law Department.

What is Pegasus?

Pegasus is a malware that NSO Group developed, which, when installed on a phone, hoovers all communications (iMessage, WhatsApp, Gmail, Viber, Facebook, Skype) and locations. It can be installed on a target’s phone through a few different means: exploiting vulnerabilities such as the WhatsApp one, sending infected links to targets (spear phishing), social engineering. (Read more about other methods here.) This isn’t a new malware, and has been around since at least 2016.

What Pegasus can do:

  • Intercept communications sent to and from a device, including communications over iMessage, WhatsApp, Skype, Telegram, etc.
  • Remotely turn on phone’s camera and microphone to capture activity in phone’s vicinity
  • Use GPS functions to track a target’s location and movements.

All that Pegasus can do. Source: Pegasus Product Description

“This malware is designed to evade forensic analysis, avoid detection by anti-virus software, and can be deactivated and removed by operators,” according to Citizen Lab.

In 2016, the NSO Group used Pegasus to exploit three unpatched iOS vulnerabilities. As a result, they broke into iPhones with just one click of a link in a text. These vulnerabilities were patches with iOS 9.3.5.

In a July 2019 sales pitch for Pegasus, the NSO Group said that it could “surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft”, the Financial Times had reported.

Whom has Pegasus targeted?

Analyses from University of Toronto-based Citizen Lab and cybersecurity firm Lookout revealed that NSO had supplied spyware products to UAE, Saudi Arabia and Mexico. Over 100 cases of abusive targeting of human rights defenders and journalists have been identified in at least 20 countries across the globe.

In India, the more than two dozen targeted users include Nagpur-based Human Rights lawyer Nihalsingh Rathod, Adivasi activists Bela Bhatia and Degree Prasad Chauhan, Shalini Gera of Jagdalpur Legal Aid Group, Anand Teltumbde, a former BBC journalist Shubhranshu Choudhary, amongst others. (Read the more detailed list here.)

Perhaps the best known case would be that of a close confidant of Jamal Khashoggi — Omar Abdulaziz, a Saudi activist and Canadian permanent resident, back in 2018. On whether Khashoggi himself was targeted, NSO’s CEO Hulio had said, “Khashoggi was not targeted by any NSO product or technology, including listening, monitoring, location tracking and intelligence collection.”

Watch this video to know more about the case:

***Update (November 1, 2019 11 am): This article was updated with more details about what Pegasus can do, a video explaining the case, and with a digital copy of Pegasus’s product description from the lawsuit.