Pegasus is a piece of spyware that can infiltrate your phone and steal its secrets. This week we learned how governments are using it.
Claudia Williams: Hi, I’m Claudia – and this is Sensemaker.
One story, every day to make sense of the world.
Today, the man behind the world’s most infamous – and invasive – spyware.
“It’s been reported that you yourself went to Riyadh. You yourself sold Pegasus to the Saudi’s for 55 million dollars.”
“Don’t believe newspapers.”Lesley Stahl and Shalev Hulio, CBS News
That’s Shalev Hulio co-founder and CEO of an Israeli cybersecurity company called NSO Group…being accused of going to Saudia Arabia to sell his company’s premier spyware product -Pegasus.
Pegasus is a piece of what’s known as malware. It can remotely take over your phone without you even realising.
And back when that clip was recorded – in 2019 – Saudi Arabia was being accused of using Pegasus to hack into the phones of people close to a journalist called Jamal Khashoggi. You might remember him – he was brutally murdered by Saudi state security inside their embassy in Turkey.
“Khashoggi murder is horrible. Really horrible. And therefore when I first their accusations that our technology being used on Jamal Khashoggi or on his relatives I started an immediate check about it and I can tell you very clear we had nothing to do with this horrible murder.”Shalev Hulio, CBS News
But this week – those newspapers Shalev Hulio told everyone not to believe – may be harder for him and his company to avoid.
A collaboration between 16 newsrooms around the world has revealed that Pegasus spyware has been abused by authoritarian governments on a previously unknown scale.
The ‘Pegasus Project’ discovered that over 50,000 phone numbers had been targeted.
Hundreds of journalists, pro-democracy activists, government critics and politicians… including French president Emmanuel Macron.
So who is the man behind Pegasus?
And what does it mean when the 3.8 billion people who own a smartphone have a potential spy in their pocket?
Well the story of Shalev Hulio and Pegasus really starts with a text message.
It was sent to a human rights activist in the United Arab Emirates in 2016. His name is Ahmed Mansoor.
The message promised to reveal “secrets” about people allegedly being tortured in the UAE. But…
“Because I have been hit by several spywares in the past I was very careful in dealing with the new suspicious message that I received and I forwarded them basically to the right people in Citizen Lab that examined these messages and could tell easily that those were spyware.”Ahmed Mansoor, BBC
That spyware was Pegasus.
If Ahmed Mansoor had clicked the link in the text he would have downloaded malware that would have taken over his phone.
His messages could have been read, his phone calls recorded, the microphone could have been activated to listen in to his conversations. Even the camera could have been turned on. That’s what Pegasus can do.
Citizen Lab – who Ahmed Mansoor got to investigate the mysterious message…well, they’re a research group based at the University of Toronto. At the time they said they’d never seen anything like Pegasus before.
So the story hit the headlines – and suddenly the world wanted to know more about this mysterious Israeli company behind the dangerous tech.
But that was easier said than done. In 2016 NSO Group didn’t even have a website – and almost nothing was known about the deals it had struck to distribute its products.
So what do we know now about the company and its dealings?
NSO group was set up in 2010 by Shulev Hulio and two colleagues.
They all had a background in cyberwarfare and intelligence in the Israeli military.
Officially NSO say they “create technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.”
They say they work with 40 countries – they don’t say which ones – and the company is reckoned to be worth about 2 billion dollars.
It’s grown fast – but managed to stay out of the public eye.
Until it got dragged into the spotlight after the murder of Jamal Khashoggi.
That was only a small taste of what was to come. Because this week – thanks to that big collaboration between all those newsrooms – the lid really came off…
“NSO is a company, it is an Israeli company that is selling a software called Pegasus to state actors, to governments who want to spy. Officially this software is used against criminals, against terrorists – but what we are discovering, what we are revealing with the pegasus project that this software has been massively misused against civil society.”Laurent Richards, Journalist and Founder of Forbidden Stories, FRANCE 24
As everyone says these days, our lives are on our phones. And Pegasus can infiltrate them. So is there anything to stop governments and intelligence services accessing our phones and – through them – basically, our lives?
NSO say they just sell Pegasus, they don’t use it themselves. If the people they sell it to want to do bad things with it, that’s not their responsibility.
Israel – where NSO is based, remember – says it’s not its responsibility either.
After the murder of Jamal Khashoggi, it does look as if Saudi Arabia might have been stopped from using Pegasus for a while. But only for about a year.
Then it was business as usual again. And that means not too many controls on what a company like NSO can do.
Here’s the former Israeli prime minister Benjamin Netanyahu in 2017.
“We are committed and I am committed to the continued growth of the cybersecurity industry so the first don’t is don’t overregulate.”Benjamin Netanyahu
It’s not a free-for-all, though. One thing we have learned is that no countries considered to be enemies of Israel have been allowed to buy NSO’s products.
So what next for Shalev Hulio and the NSO?
Well the secrecy of NSO in its early years is no more – and the Pegasus Project are promising more revelations.
But we still don’t know about the relationship between the company and the countries it sells to.
And all the time the firm’s technology is getting smarter and more invasive – including a new “zero click” feature where Pegasus can infiltrate your phone without you even touching it.
But thanks to the Pegasus Project we know a lot more this week than we did last.
Those 50,000 journalists, activists and politicians know they’re on a list of targets. And many thousands more will know they could be.
They’ll be much more careful if a mysterious message from an unknown sender suddenly appears on their phone.
Today’s story was written by Phoebe Davis and produced by Imy Harper.
Book, listen, read
The porn headmaster
In the internet age, anyone with a camera can make and sell porn. But what happens when a shoot goes wrong? In the second episode in our
#PornPlanet series investigating online pornography, we look into the world of porn production