The first time most Indians probably heard of Pegasus was in 2019. That was the year news broke that the military-grade spyware had been used to surveil the phones of 121 academics, lawyers, activists and journalists.
The malware, developed by the Israeli cyber intelligence company NSO Group, was sneaked in through what is called an “exploit link”. A link was sent to the snooping targets which, once clicked, installed the software and extracted their private data, including passwords and text messages.
Before long, even the need to click on the link was dispensed with. Just sending the malicious link to the target phone was sufficient, in what are called “zero-click attacks”.
This July, a consortium of news organisations around the world – working with the French journalism non-profit Forbidden Stories and Amnesty International – reported that the phones of scores of journalists, opposition leaders and activists might have been hacked using Pegasus.
The source of the reportage was a leak to Forbidden Stories and Amnesty International of a list of 50,000 phone numbers that had allegedly been “selected for surveillance” using Pegasus.
On the list were the numbers of Congress President Rahul Gandhi, political strategist Prashant Kishor, as well as journalists from news publications such as The Wire, The Hindustan Times and Indian Express. Also on the list were phone numbers linked to French President Emmanuel Macron, Pakistani Prime Minister Imran Khan and South African President Cyril Ramaphosa.
In the wake of the revelations, at least 12 petitions were filed in the Indian Supreme Court, some by the journalists who were spied on. Several hearings were held on the matter, but for months, the Indian government obfuscated on the question of whether it employed Pegasus against detractors. Finally, on October 27, the court formed a three-member committee to investigate the claims.
For its part, the NSO Group has called the revelations an “international conspiracy”. “The report by Forbidden Stories is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources,” the company said in a statement.
Omer Benjakob has followed the Pegasus scandal closely. The tech editor at Haaretz.com, Benjakob and Amitai Ziv, a tech reporter at Haaretz’s financial supplement TheMarker, were part of the Pegasus Project investigation, which won the EU’s top journalism prize.
Benjakob wrote at least four articles in the Pegasus Project series for Haaretz. He has also written about the NSO Group and other digital intelligence companies in Israel, such as Cellebrite. In one of his articles, he said:
“Long member of the historically pro-Palestinian, nonaligned bloc of the international world order, Indian Prime Minister Narendra Modi broke with tradition and fully embraced Israel. This may be linked to the fact that Modi shares the same right-wing, nationalist, ethnocentric brand of populism pushed out by [Benjamin] Netanyahu. But it is almost certainly also the result of the flourishing bilateral ties forged between the two countries, which included ‘flower tech,’ irrigation and cyber deals.”
In an interview, Benjakob speaks about the NSO Group, Israeli diplomacy’s new incarnation, and the strains on cyber surveillance companies that provide a different perspective on the Pegasus scandal. The interview has been edited for clarity and concision:
In your investigations, what did you learn about the NSO Group?
What’s tricky about NSO [is that] it is torn between the defence world and the high-tech world. In an ideal scenario, it would sell only to the Americans and maybe the police forces in the European Union. That would make things less contentious, especially when it’s time to float an IPO.
It sounds paradoxical, but I think NSO gains from the Pegasus investigation. It would never say this, [but] it wants to sell to small-fry clients; it doesn’t want to sell to evil regimes. Now, after the global revelations, it can say, ‘We don’t want to do this. Can we please sell to the Arkansas police force again?’ I mean, it has leverage to say no to deals that it may be politically pressured to make.
Journalists don’t know where the leak came from. [For all you know] it may have come from NSO. The company wants to go public and pursue an IPO. It wants to make a billion dollars in shares. It doesn’t want to be complicit in mass murders. That’s just bad business.
Investigations by media organisations revealed that more than 300 phone numbers in India might have been spied on using NSO’s Pegasus software...
If you look at the dates when the [phone] numbers were selected as potential targets, you see a certain correlation with Modi’s meetings with [former Israeli PM Benjamin] Netanyahu. We saw that happen in Hungary as well. I can only prove correlation, not causality. It correlates well.
What’s [also] interesting about the story about India is that this [capability] is something India could develop by itself over a long period. But because Netanyahu and Modi are moving closer, there was a desire to create connections. There are countries that don’t have developed tech sectors and they are [usually] the bread-and-butter [clients] of companies like NSO.
Can you describe the cyber security space in Israel and companies like NSO? You’ve written about the “offensive cyberspace”. What does that look like?
A lot of the offensive cyber security industry should be seen the way the arms industry is seen. [A surveillance software company] is like a private arms contractor who functions within the security-defence-police complex. There are certain clients it can sell to and can’t sell to.
The story is less technological than people like to believe. There isn’t a bonanza of private companies doing something new. The technology might [admittedly] be new. [But] in a sense, 15%-20% of what they do is the technology – the rest is opposition research or intelligence. [Viewed holistically] they are private intelligence firms that provide services with possible technological aspects. If we look at the reports of NSO, we see something similar.
There are different levels of services [in the industry]. NSO is expensive and a high-end service. There are cheaper services like Quadream that work more at scale. So, if NSO can track one phone number, Quadream gets a whole bunch of numbers and provides different levels of accuracy.
What is the interaction between this industry and Israeli diplomacy? What is the relationship between the NSO Group and the Israeli government?
To put it plainly, an Israeli cannot get on a plane to Morocco and sell military-grade spyware to the Moroccan intelligence service without someone higher up signing off on it or at least being in the know.
From the European perspective, [the question] initially was, why is a private firm spying on European citizens? The Israeli perspective [on the question is], yes, it is a private company and they want to function as a private company. It isn’t a shell company for the defence establishment – but it does exist by the good graces of the Israeli defence establishment.
This is just diplomatic currency that Israel uses. [Technology is] reincarnating old models of business and diplomacy. It’s not different from agriculture technology, [with] Israel and India moving closer over irrigation technology. If we’ve sold firearms to places before, we already have that connection, and at the ministerial level, it becomes easy to fold in other stuff.
You’ve written about the Israeli company Cellebrite extensively. Can you talk about what it exemplifies?
Cellebrite sells a digital investigation suite – software and hardware – that helps police forces organise digital evidence. One key aspect of it is a device that can be plugged into the phone by the police to scrape information. It’s not even that high-tech. The phone has to be in their possession.
I think this is a good example to understand how companies are torn with a desire to be run-of-the-mill tech companies. They want ridiculously-sized IPOs, they want good clients. NSO does not want the Wall Street Journal writing about how they played a role in the murder of [Saudi Arabian dissident Jamal] Khashoggi.
[But] as technology companies, they sell something that over time looks less and less like anything that anyone should ever have. It’s almost impossible not to be abused. We have seen Cellebrite technology appearing more and more in search warrants. You use it in a fishing expedition. It just raises the question, is that legitimate? Should anyone suspected of anything have their phone broken into?
Is there anything else you would like to add?
What makes this story so interesting is that you get exposed to the logic of governments and security apparatuses. There were 50,000 numbers in the [Pegasus] leak, [but] we don’t think there were 50,000 targets. NSO is really expensive and if it had 50,000 active targets, it would have much more money.
[The leak] just shows you wish lists. This is what [the buyers of the spyware] wanted to do with it and it’s off the charts, it’s insane. In India, it was the political opposition and journalists and NGO workers [that were on the list].
Karishma Mehrotra is an independent journalist. She is a Kalpalata Fellow for Technology Writings for 2021.