Darknet Diaries - 100: NSO
Episode Date: August 31, 2021

The NSO Group creates a spyware called Pegasus which gives someone access to the data on a mobile phone. They sell this spyware to government agencies around the world. How is it used and what kind of company is the NSO Group?

Thanks to John Scott-Railton and Citizen Lab for investigating this and sharing their research.

Sponsors

Support for this show comes from Detectify. Try their web vulnerability scanner free. Go to https://detectify.com/?utm_source=podcast&utm_medium=referral&utm_campaign=DARKNET

Support for this show comes from Ping Identity, champions of identity for the global enterprise. Give your users a loveable login solution. Visit www.pingidentity.com/.

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

For a full list of sources used in this episode and complete transcripts visit https://darknetdiaries.com.
Transcript
Hey, I can't believe we made it to episode 100. And seriously, I couldn't have done it without
all the support from my listeners. So truly, thank you so much for tuning in. This has been
amazing. And I can't wait to see what the next 100 episodes bring. Okay, so real quick before
we get started, this is the second part of a two-part episode. If you haven't already,
go back and listen to the episode just before this, number 99, called The Spy.
There's this malware called Magic Lantern, and I find it fascinating.
It usually infects a computer through an email attachment.
You get the email, which says to open the attachment, and when you do, zang, your computer is infected.
And what Magic Lantern does is it records your keystrokes and sends everything you
type back to a central system. So the hackers can see everything you type. Now, of course,
with a keystroke logger like this, it can pick up any message you send to people, private chats,
and of course, your passwords. So who's the shady hacking group that uses Magic Lantern?
The FBI. Yeah, in 2001, someone issued a freedom of
information request and got back information that the FBI uses this Magic Lantern malware to capture
keystrokes on target computers. Now, I'm under the impression that the FBI would need to get
permission to use this software, like a search warrant or something. So this would classify
Magic Lantern to be a lawful intercept mechanism,
meaning they had permission to basically wiretap someone. But this sparked a debate in the security community. The question was, if the FBI has legal permission to eavesdrop on someone by using Magic
Lantern, should antivirus and security companies detect and report on this activity? Of course,
the FBI would like to go unnoticed
in any kind of stealth mission and would rather antivirus companies not alert when they see this.
But on the other hand, that's the whole point of antivirus software, to alert when something is
going on and shouldn't be happening. F-Secure, an antivirus company based in Finland, said right
away that they would absolutely report on this. But they're in Finland. The FBI is in the US. McAfee, an American antivirus tool, said they
would not alert the user if the tool saw Magic Lantern trigger and that it would ignore it.
Later, they denied saying this, saying they do in fact alert when Magic Lantern is detected on a computer. But this opens a door to a strange world
of allies and enemies. And it's hard to know who to trust when the software you buy
might be lying to you. Or when the FBI is busy infecting people with malware to spy on them.
These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work,
what kind of car you drive, it's endless.
And it's not a fair fight.
But I realized I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information
from hundreds of data brokers' websites
and continuously works to keep it off.
Data brokers hate them because
Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they
immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things. It was great to have someone on my team when it comes
to my privacy. Take control of your data and keep your private life private by signing up for
Delete.me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me
plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at
checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter
code darknet at checkout. That's joindeleteme.com slash darknetdiaries. Use code darknet.
Support for this show comes from Black Hills Information
Security. This is a company that does penetration testing, incident response, and active monitoring
to help keep businesses secure. I know a few people who work over there and I can vouch they do very good work. If you want to improve the security of your
organization, give them a call. I'm sure they can help. But the founder of the company, John Strand,
is a teacher and he's made it a mission to make Black Hills Information Security world-class
in security training. You can learn things like penetration testing, securing the cloud,
breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing
your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com
to learn more about what services they offer and find links to their webcasts to get some
world-class training. That's BlackHillsInfosec.com.
For this episode, we're picking right back up where we left off with John Scott-Railton.
Yeah.
This time, I want to hear more about the research he's done specifically on the NSO group.
Oh, and there were some recording issues I had during this interview.
I lost the primary recording and had to use a backup, and it's a bit VoIP-y at times, so I'm sorry about that.
I'm a senior researcher at the Citizen Lab at the University of Toronto's
Munk School, and for a little bit less than the past decade,
me and my colleagues have tracked different digital threats against civil society groups.
Tracking digital threats against civil society groups. That sounds fascinating,
so let's unpack that for a second.
What's a civil society group?
Well, it's essentially non-government organizations or individuals,
but some define civil society as people who exercise their freedom of speech and the things that make up a democratic society.
So like having freedom of the press is very important to a civil society.
One where journalists are free to investigate and write stories
criticizing their own government or society. And it's important that their own government or other governments
don't stop them from writing certain stories. But the thing is, we live in a world where
journalists and human rights activists are being targeted by nation state actors. And since it's
important for a civil society to have journalists and activists spreading the truth, Citizen Lab
helps people out when they're targeted by digital threats.
Sometimes people get in touch with us and they say,
hey, we've heard about you and something strange is happening on my phone, on my device.
I'm concerned about it.
Sometimes our research comes because we've sort of set ourselves a broad
research mandate and are busy looking at infrastructure.
And their goal is to investigate those in civil society who are targeted
and report publicly about it. This has caused certain groups to go into hiding and other groups
have been arrested because of their work. But overall, the public is just made more aware that
there are certain groups out there who are targeting activists and journalists. At some point,
the folks at Citizen Lab were connected with Ahmed Mansoor.
Hello, ladies and gentlemen. My name is Ahmed Mansoor from United Arab Emirates.
This is tape of him from 2012. He's from the United Arab Emirates and is a human rights activist there.
I always wanted to see change. I believed a lot in equality.
Ahmed Mansoor, we've been in touch with this guy for years because in 2009, Mansoor was targeted via email with a Trojan that was FinFisher, one of these sort of OG government hacking tools
that was being sold. If you listen to episode 47 called Project Raven, you might remember him.
He's been targeted many times by different hacking groups, all because he's a human rights activist and speaks out against the UAE government.
After being targeted multiple times, Mansoor eventually reached out to Bill Marczak, one of John's colleagues at the Citizen Lab, to get help.
Then in 2012, Mansoor was targeted again via email with like a doc and some kind of old exploit.
This was Hacking Team this time.
And so when in 2016, Mansoor reached out to us and said, hey, guys, I think I'm being targeted again.
We paid attention because if there's one person who's likely to be targeted with this stuff, it was Ahmed Mansoor.
While Bill Marczak at the Citizen Lab was looking into some phishing reports,
he found some other suspect domains that seemed to belong to something new.
He looked into those domains and found some were registered to the NSO Group.
At the time, Citizen Lab concluded that there was maybe some new kind of malware
that the NSO Group had made, but they didn't know who the victims were or what the malware was.
The Citizen Lab looked into those domains and developed a list and some techniques to find more.
When Mansoor got in touch with Bill, all he had was a list of domains. But after he saw Mansoor's
text messages, remarkably, that led to some infrastructure that Bill found.
We had found links to NSO's infrastructure and had come up with a list of domains.
These domains were thought to be used by the NSO Group to carry out certain targeted digital attacks on people.
But the team at Citizen Lab didn't have a good understanding of how any of this worked or how it was used.
It was a godsend when Mansoor got in touch with us, because suddenly we had a person who had been receiving links to this, what we thought of as, you know, likely infection domain for Pegasus.
Mansoor showed Citizen Lab some text messages. They were in Arabic. They both said the same thing: new secrets about torture of Emiratis in state prisons. Then it had a link. The link was to the same domain that they
had just begun analyzing, but weren't sure how it worked.
The first thing we did was rouse a colleague,
get him to convince his girlfriend to give up her iPhone, which we wiped, and then MITM'd the
traffic and clicked on that link, and were able to get a copy of Pegasus spyware.
The colleagues had access to an iPhone they could use to test with. Now for them to test something
like this, they have to be pretty careful. If they just visit the link, it's hard to tell exactly
what's happening. So they set up all kinds of monitors and sensors. This is what a lab is for,
right? First, they set up a method to capture all
network traffic coming in and out of that phone. And they did this in such a way that they can even
capture encrypted traffic and look at that too. Then they took snapshots of the phone to compare
before and after to see what's changed on the phone. They probably even filmed the whole thing
just in case the phone did something like flash a message across the screen real quick. This way,
they can go back and look at what happened.
Exactly.
So we clicked on the link and waited.
And browser crashed.
And then something began happening.
We saw the phone beaconing out and establishing communication with NSO's servers.
And we realized that we had just observed a remote jailbreak on this iPhone.
So it was a big deal because it was the first of its kind that we had certainly seen.
And we realized, OK, we've got our hooks into this infection infrastructure.
And we were actually able to grab the payload, the actual Pegasus deployment.
It took them a while to figure out what happened. In fact, they teamed up with Lookout Security to help investigate this.
Lookout makes the security software for mobile phones, and together they were able to dissect this malware and see what was going on.
They realized right away that this was something that nobody had seen before, which made it an amazing discovery.
It was a very exciting time because we really felt like, okay, here's a new major piece
of spyware. It's super sophisticated. It's got all these capabilities. It's pretty stealthy,
and it's using this chain of zero days. Yes, a whole chain of zero day exploits. And I want to
break this down for you because it's fascinating to look at a little bit more in depth. So
specifically, this worked with iPhones, which were fully patched and the latest and greatest
models. And this exploit had three stages to the attack. First, it required the user to click a
malicious link using their phone. Clicking the link opens the Safari browser and the user visits
the website. Safari uses a thing called WebKit, which is like the browser's engine.
When a user clicks the link, a JavaScript program runs. That JavaScript program tries to exploit a
bug in WebKit, which would allow it to write data to the phone. Through this bug in WebKit,
the JavaScript program downloads a malicious program. This brings us to stage two of the
exploit chain.
Apple has locked down their iPhone pretty well to prevent stuff like this from happening.
The only apps that are allowed to run on an iPhone
are those that are downloaded from the official Apple App Store.
There's simply no way to put a new app on it
through any other way and run it.
This means the malicious program that was just downloaded
cannot execute unless the iPhone is jailbroken.
And that's exactly what this stage of the implant does.
The malware uses an exploit to jailbreak the iPhone, which allows it to run any app that's on the phone, not just the ones downloaded through the App Store.
And in order for this program to jailbreak the phone, it used two totally different exploits in the iPhone's kernel,
which were completely unknown to Apple at the time.
Once it's jailbroken, then the last step is just for it to run the malicious app.
And at this point, the app is just a normal iPhone app,
and it can be started like any other app.
The app itself doesn't use any exploits or bugs.
It just takes advantage of the features on the phone.
The app does things like turn on the microphone, the camera, and read WhatsApp messages,
or listen to calls, or track location.
And then it sends all that data back to the attackers
without the victim knowing that any of this happened.
This is crazy.
And I'd say a pretty amazing exploit chain.
I mean, it was using three zero-day exploits
to get this going.
Bugs that the trillion-dollar tech giant Apple
could not even
catch through their bug bounty program, which is very impressive work. To create this exploit took
a lot of work, probably a lot of money and a lot of time went into making this. Exploits like this
can be sold for hundreds of thousands of dollars, probably over a million dollars. But what makes
it so good is how easy it is for the attackers to use. All they need to do is get someone to click that link and boom, that victim is now being
spied on through their phone.
So someone spent a great deal of time and money to make this and not only make it, but
turn it into an easy to use point and shoot type of an attack.
It's elegant, it's slick, but it's extremely dangerous.
The feeling that we had,
if I remember right, other than being a little bit underslept during that week, that this was
high stakes because this was an order of magnitude more sophisticated than the Hacking Team and
FinFisher stuff that we had looked at in the past. It was also mobile, which was really interesting
to us. And we really felt at the time like, oh man,
we've cracked another dimension of the way that surveillance is happening online. And I think
we're both excited, but there's also this sense that comes with this of like, okay, we need to
make sure that we have our own house in order, that we're reasonably secure because we're playing
with some very sophisticated, very dangerous stuff. We also experienced a lot of gratitude towards Mansoor.
He was a guy who, just by virtue of his wits,
had managed to catch something that had eluded us for almost a year
and that eluded other researchers and investigators.
And he had just done it because a text message didn't feel right,
which highlights the kind of symbiosis and
synergy that usually exists between Citizen Lab and the groups that we work with and support,
which is we count on them and their intuition to help us get started. We don't have a global
network of sensors. We're not running antiviruses on a bunch of phones, but with people. They become
the firewall and the human antivirus that gets us what we need to get ourselves started.
But now what do you do with this information? I mean, yeah, sure, this confirms
Mansoor's hunch that something wasn't right with those texts. And it's nice to know he was right.
But what do you do when you find an exploit like this? Well, you want to work as fast as you can
to get it fixed. We then worked really quickly. We got in touch with Apple. We let them know what
was going on. Apple immediately began spinning up to do investigation and then patching. And we worked
as fast as we could to try to characterize the malware and get ready to do a public report.
And then co-timed with Apple releasing its CVE and patching, we published. What we didn't realize at
the time is just how big of a deal NSO was going to be for our next year or two as cases just started pouring out of the woodwork.
I found an interesting side story here.
Citizen Lab discovered this exploit and malware in August of 2016.
The exploit used a methodology outlined in the latest Phrack magazine, which came out three months earlier.
And apparently the same WebKit browser engine is used on the Nintendo Switch
and is also vulnerable to this exploit.
So people who are trying to hack into and jailbreak the Nintendo Switch
started using this exploit to get their Nintendo to do things it wasn't supposed to do.
It's crazy that once an exploit becomes known, where things end up.
But anyway, how did this link back to the NSO group?
Well, Citizen Lab kept investigating this
and discovered a network of IPs and domains that were involved with this malware.
And from there, they did WhoIs lookups, reverse DNS lookups, and other searches,
which eventually led them to two domains which they knew were owned by the NSO
Group. So they felt pretty confident that the NSO Group was behind this and published all this in a
report. So who exactly is the NSO Group? Well, it's an Israeli company started by three guys,
Niv, Shalev, and Omri. And the initials of those names are what give NSO its name. So NSO is a company that
sometimes flies under the flag of other names like Q Cyber Technologies, and they sell really
sophisticated mobile spyware. Their customers are governments. And they meet with these governments
and basically say, look, you have legal ways of intercepting communications for criminals in your countries, like you can do wiretaps or whatever, but we know you have
trouble collecting data on encrypted mobile devices. We're going to help you regain visibility,
and we're going to do it by selling you a powerful mobile phone hacking solution. And part of their
pitch is like, you don't need much sophistication, just sit at this console, enter a phone number, and presto, you can start pulling data from that phone.
Their business model is kind of somewhere between hacking as a service and the provision of software.
We've learned about them more recently as they often play a fairly active role in setting up and operating some of the exploit servers that are used.
And basically what they're offering to
their customers is the ability to target an arbitrary cell phone and gain access and persistence.
And that's what the Pegasus spyware is. It's the malware that Citizen Lab discovered
from Ahmed Mansoor's text messages. It's the flagship software that NSO sells.
It's not the only product they sell,
but it's their main one. Now, one thing I hate doing is talking about someone for like an hour
without them being part of the conversation. It just feels wrong. So I reached out to NSO,
first with Omri, who's the O part of NSO. I invited him on the show back in 2018.
And he told me, actually, he listened to my episode on Unit 8200 and liked it.
And I was like, great, come on, let's do an interview then.
He said, and I quote, every major media outlet in the world wants to interview me.
Why should I do your podcast?
Smiley face, end quote.
I'm like, because you actually listen to my show and like it?
Duh.
But really, you should come on
because I'm going to talk about NSO for an hour and you can either be part of this conversation
or not. That was 2018. For three years, I've been trying to convince him to be interviewed.
I later moved on to going through their official PR channel. I contacted them asking for an
interview. I went back and forth with them for a long time. They wanted to know exactly what questions I was going to ask. And more importantly, they wanted to know what
sources I was talking with for this story. We went back and forth for months. I kept saying,
look, do you want to give your side and be part of this conversation or not? And they ultimately
left me hanging. I also contacted another PR person involved with them, and they denied me too. In the end, NSO had every single opportunity to have their voice in this episode, but they refused.
Which means all I can go on is what's been reported by victims, researchers, and news agencies.
I really wanted to have them on this show for episode 100, but it just didn't work out.
But NSO has given multiple interviews
with other news agencies in the past. They've been interviewed by Forbes, New York Times,
and some Israeli news outlets. But the interview I find the most interesting is the one that
happened in 2019, where Leslie Stahl from 60 Minutes went to Israel and interviewed them in their own office. Headquartered in the
Israeli city of Herzliya, NSO Group operates in strict secrecy. In the company's eight-year
history, they have never let cameras in, but they wanted to show us they're like any high-tech
company, with PlayStations and Pilates. But there was a lot we couldn't show. Notice, no faces.
The work is top secret, and some employees are ex-military intelligence and Mossad. Pegasus is
such a sensitive spy tool, NSO has to get approval before it can be licensed to any client from the Israeli Defense Ministry,
as though it's an arms deal.
Why would the government of Israel want, you know, what seems to be an enemy to have this technology?
I'm not going to talk about specific customer. Can you say that you won't and haven't sold Pegasus to a country that is known to violate human rights and imprison journalists and go after activists?
I only say that we are selling Pegasus in order to prevent crime and terror.
That's Shalev Hulio, the S in NSO.
And that's the typical response from the NSO group.
What they do is they sell their software to governments and intelligence agencies to help prevent crime and terrorism.
How many lives do you think Pegasus has saved?
Tens of thousands of people.
Really?
Yes.
Ah, it's interesting.
NSO has made so many claims about their product that turned out not to be accurate.
I want to believe that it's true, that they've saved lives. And I have to imagine that this is
how the smart people who work at that company continue to come to their desks every day,
which is their management shows them cases and says, look, here's a case where we did some good. What concerns me is that that narrative is used to paper over
these really problematic cases of abuse.
And at the end of the day, the measure of any technology
is how it winds up getting used against vulnerable people,
not just how it helps.
What really concerns me is the idea that you can just sort of say,
you know, here's a
technology that saves lives. Well, no. What saves lives is police and security forces doing their
jobs. They may be enabled by technology, but doing their jobs. What takes lives is when those same
security services abuse their power and abuse the technology that they have to harm people. And we don't
have many public cases of NSO successes. We've got a lot of cases of harm.
We know about cases where NSO has done harm because when things go wrong for NSO,
it becomes known. It's big news. And when things go right, it's kept quiet and the
secrets are retained. But there is one story that we do know of where Pegasus actually helped.
Let's talk about Mexico.
So from that initial discovery of Ahmed Mansoor,
a lot of things followed.
We found evidence that the spyware
was potentially active in Mexico.
So before John at Citizen Lab
even had a copy of the Pegasus spyware,
the Mexican government likely purchased Pegasus to aid them in catching cartel leaders and drug lords. Because it's hard
to know where their hideouts are or how they're organizing since they use phones and encrypted
messaging apps to communicate. Again, here's Leslie Stahl with 60 Minutes talking with one
of the founders of NSO.
It's been reported that Mexican authorities used Pegasus to capture drug lord Joaquin Guzman, better known as El Chapo, by tapping the phones
of a few people he talked to while he was on the lam.
I read it in the newspaper, the same as you.
In order to catch El Chapo, for example, they had to intercept a journalist, an actress, and a lawyer.
Now, by themselves, they, you know, they're not criminals, right?
Right.
But if they are in touch with a drug lord, and in order to catch them, you need to intercept them,
that's a decision that intelligence agencies should get.
What if you can prevent the 9-11 terror attack? And for that, you had to
intercept the son, the 16-year-old son of bin Laden. Would that be legit or not? And that is an
interesting ethical issue. If you're trying to capture a really dangerous person, you might have
to go through someone they trust to get to him. And so
now you have people who are totally innocent getting spied on and infected with the Pegasus
malware. Well, it's a really interesting case. And one funny feature about it is that NSO has
made a bunch of claims about the use of Pegasus targeting El Chapo, which have been contradicted
by many statements by the Mexican government. So the truth, who knows exactly where it lies in that case.
But to the greater point, which is the question about off-center targeting.
Now, it's obviously the case that investigations sometimes proceed that way, right?
You climb your way or it's a potential target.
The issue really is cases of success don't falsify the problem of
abuse. And at the end of the day, even if a technology like this can be used for good,
there's really good evidence that it's susceptible to abuse. And the conclusion that I think people
should draw is not hacking is, you know, it should never be technologically empowered to conduct investigations,
but rather their behavior needs to be carefully overseen.
Otherwise, there will be abuses, and those abuses will have deleterious effects on our democracy.
It's the same as police in the United States and anywhere else.
It's not that we don't need them.
It's that they need to be carefully overseen
and legally accountable.
And what we saw in Mexico was that when you shook that tree,
you just found more cases of abuses than you could count.
Let's take a look at some of those cases.
John and the team at Citizen Lab were seeing lots more cases
of Pegasus being used on people in Mexico.
And we found that a consumer advocate,
a public health scientist,
and a health advocacy organization
had all been targeted with Pegasus spyware.
And this really caught our attention
because one of the people,
the public health researcher,
was like the director of a national public health lab,
government lab in Mexico.
Why were these people being targeted with Pegasus?
Well, it turned out that the thread
that sort of connected them together
was that they had all been advocating
for more taxes on soda
as a means to reduce childhood obesity.
Now, why on earth, you might say,
are a bunch of people who are concerned
about childhood obesity being targeted with this creepy nation state tool?
We don't really know.
But the most likely explanation is that somebody linked to the Mexican Pegasus operator was doing a favor for business.
Business that saw this kind of taxation as a potentially serious threat to their bottom line.
That's some shady stuff.
I mean, we know about lobbyist groups that pay or bribe government officials so they
can vote a specific way on issues, like increasing soda tax.
This is along those lines, but it takes it a step further.
It sounds like certain big businesses who would be hurt by this soda tax were somehow getting the Mexican government to use Pegasus
to spy on people who wanted to raise the tax?
This is obviously not used to fight terrorism or crime.
In fact, it's the opposite.
It's using the spyware to actually conduct criminal behavior.
From that initial case of three, we found dozens of cases of Mexican reporters, their
minor children located in the United States, lawyers representing the families of victims
of cartel kidnappings, the wife and colleagues of a journalist who'd been slain by a cartel,
and so many other people in Mexico, all targeted with Pegasus.
And the way that that research worked kind of encapsulated our approach to the lab,
which is we worked with a bunch of local organizations,
gave them guidance on the kinds of things that we were looking for,
messages that might look like this,
and then worked through large sets of messages,
comparing them and examining them against lists that we had previously developed
of NSO exploit infrastructure. And this allowed us to quickly parse through large volumes of
potentially suspect messages. I just want to recap something here for a second for clarity.
NSO doesn't operate the Pegasus spyware. They just make it and then license it or sell it to
governments around the world.
And from there, it's then operated by law enforcement entities, military, and intelligence agencies.
In this case, NSO sold the tool to the Mexican government.
And from there, it's now someone within the Mexican government or affiliated organization
who has control of it.
They must first send a text message to their target to get
them to click the link. And once the victims click the link, the phone becomes infected with spyware,
unveiling their location, turning on their mic, and everything. But then that data is not sent
to NSO, it's sent to their Mexican government or whoever's operating the tool. So NSO is really
hands-off on the whole operation and claims they don't know
how the tool is used or who it's being used on. The first case that we found was a Mexican
journalist named Rafael Cabrera. And he was tweeting that he had been getting these messages
masquerading as UNO TV, so masquerading as a TV station, providing updates. And they were
specifically referring to updates around a presidential scandal,
the so-called Casa Blanca scandal. This is a big scandal in Mexico, Watergate scale. And these messages were purporting to be information about that scandal. We actually learned later that the
primary journalist who discovered that, whose name was Carmen Aristegui, a tenacious investigator,
she had also been targeted with this kind of message. And much of the targeting that we saw in Mexico wasn't just like tailored and relevant.
Some of it was gross.
So one of the victims of Pegasus targeting was sent messages saying,
your daughter has just been in a car accident.
Here's a hospital she was taken to, naming his daughter by name.
And I mean, these messages were ridiculous. One of them was like, you know, you don't have the balls to watch
how I like, you know, make out with your partner. Look at how good we're in bed, right? Just like
ridiculous, jokey stuff, like things that would be preposterous. You know, some of this stuff is
just like boring, super untargeted, like purchase notification. Your card has been charged with the
amount of, you know, 3,500. Please see details here, right? Or, you know, stuff about, you know, dear client,
there's a payment problem associated with your service. Please see here. But then it would get
really pretty direct. So for example, one of the messages came from usembassy.gov,
sent to a person who had had a visa application with the U.S. Embassy in Mexico City.
And it was usembassy.gov.
We detected a problem with your visa.
Please go to the embassy quickly.
See details here, right?
That's the kind of thing that's going to get discovered pretty quickly.
But it again suggests that the operators doing this
were pretty brazen.
And then you get stuff that's fairly personalized, right?
So like, Carlos, hi.
Again, they're spreading rumors about you.
And supposedly they took pictures of you and put them on TV. Here, have a look.
Or, you know, hey, Juan, my father died this morning and we're devastated.
I'm sending you information about the funeral. I hope you can come.
Or Carmen, my daughter has been missing for five days and we're desperate.
I would be so grateful if you could help me by sharing a photograph of her.
Or people pretending to be sources.
So like, hey, I have key and
trustworthy evidence against public service. Please help me do something with this information.
Link. They even sent messages to the minor child of Carmen Aristegui, who was away at
boarding school in the United States. So he's a kid, okay? And messages that he got included,
beheaded journalist found in Veracruz,
threatening narco message, details and photos, link, right?
This is a kid whose mother is a journalist.
And obviously, you know, these are my sort of janky translations
from Spanish.
But the point is, the messages are crude,
but in many ways they're effective, right?
Like, it makes my blood pressure bump up
just reading some of this stuff,
which to me pointed to a broader issue,
which was this technology was in the hands of a bunch of operators
who were behaving like thugs and who couldn't resist sexual taunts,
even as they were trying to infect people.
The point of all these messages were simply to get someone to tap on the link on their phone.
It sounds like there was no ethical line that they couldn't cross
when trying to get people to click a link.
One thing worth keeping in mind, right, human behavior is the forever day.
And clearly the security people who were behind this
were trying to sort of amp the emotional con to their messages in order to get a click.
Mexico seems to have used this tool for much
more than just catching drug traffickers. What's interesting about the Mexican case
is its scope. It's like every sector of what we'd call civil society in Mexico,
from reporters to people trying to hold the government accountable to people defending
the families of kids who'd been abducted by narco gangs to the family members of people who'd been
assassinated. Everybody got targeted with this stuff. The case though, that really has stuck
with me the most in Mexico was the case of Javier Valdez. So Valdez was the publisher of a small newspaper called Rio Doce, based in Sinaloa.
And Rio Doce did the very dangerous thing of exposing official corruption
and contacts with narco gangs, not only a very safe thing,
but this guy was tenacious and he was well-known and he was absolutely without fear.
One day, as he was just outside of his office,
he was pulled from his vehicle, riddled with bullets, and then his laptop and phone were taken.
He was left lying in the middle of the street. Since his phone and laptop were taken, we don't
know what was on it. But we do know that days after his death, his grieving wife and his colleagues were all targeted by Pegasus.
And they were targeted during a time period when they were arguing that the official investigation was not proceeding forward.
This is definitely strange that instead of them investigating the narco gang that did this,
the Mexican government was spying on his colleagues and his widowed wife? I mean,
this is no way to run an investigation, that's for sure. If you want to get answers from his wife,
sit her down and talk with her. Don't place spyware on her phone. So the question arises now,
is this NSO's fault for spying on these innocent people? Or is it the Mexican government's fault? One person stands
out in the Mexican government, Tomas Zerón. He was the director of Mexico's equivalent of the FBI
when all this was happening. It was Zerón's office that had purchased a license of NSO's Pegasus.
Yeah, that's Edward Snowden's voice. Citizen Lab, Amnesty International, and Forensic Architecture
put together an interactive site to explore this timeline
and to hear stories from victims of Pegasus.
This site is called digitalviolence.org,
and there you can watch a video about Pegasus spyware,
and yeah, they have Snowden narrate it.
So anyways, it was this Zerón guy who was working for the Mexican government
who probably bought Pegasus.
Zerón was subsequently charged by the incoming Mexican administration with torture and enforced disappearance.
He was issued an Interpol arrest warrant and has fled Mexico.
Incidentally, his last recorded movement is to have entered Israel in August of 2019, where he's believed to be currently
hiding. We're going to take a quick break, but when we come back, we'll learn how Saudi Arabia
uses Pegasus.
This episode is sponsored by Vanta. Trust isn't just earned, it's demanded.
Whether you're a startup founder navigating your first audit or a seasoned security professional scaling your GRC program, proving your commitment to security has never been more critical or more complex.
And that's where Vanta comes in, helping you establish trust by automating compliance needs across over 35 frameworks like SOC 2 and ISO 27001, centralize security workflows, complete questionnaires up to five times faster, and proactively manage vendor risk.
Vanta helps you start or scale your security program by connecting you with auditors and experts to conduct your audit and set up your security program quickly.
Plus, with automation and AI throughout the platform, Vanta gives you time back so you can focus on building your company. Join over 9,000 global
companies like Atlassian, Quora, and Factory who use Vanta to manage risk and prove security in
real time. For a limited time, listeners get $1,000 off Vanta at vanta.com/darknet. That's spelled
V-A-N-T-A, vanta.com/darknet for $1,000 off.
NSO has also sold their spyware to the government of Saudi Arabia,
and there's a case that made world news which involves Pegasus.
As investigators try to find out what happened to Jamal Khashoggi.
Saudi Arabia confirms that the journalist Jamal Khashoggi is dead.
Jamal Khashoggi's loved ones want some form of closure.
Saudi foreign minister saying this was all a terrible mistake.
Jamal Khashoggi was a journalist from Saudi Arabia.
He was close to the royal family until Mohammed bin Salman was appointed crown prince. After that, Khashoggi was banned from writing
and tweeting and was facing repression from the government of Saudi Arabia. He then fled the
country and started speaking out against the repression of Saudi Arabia. In October 2018,
he went to Turkey and was lured to the Saudi consulate building to arrange for papers for
a safe return to Saudi Arabia. As soon as he entered the consulate building,
he was strangled, killed, and dismembered.
A month later, the CIA determined that it was an assassination
ordered by the Crown Prince Mohammed bin Salman.
At that same time, the team at Citizen Lab
was busy trying to figure out new ways
to find who was infected with Pegasus spyware.
And this led them to a Saudi living in Montreal, Canada, whose phone was infected with Pegasus. So Citizen Lab reached
out to this person, and it turned out that he was in close contact with Jamal Khashoggi,
texting with him frequently. And if Khashoggi's close friend had Pegasus on his phone,
and if Saudi Arabia had bought Pegasus to use as they wish.
And adding it up, the theory is that the Saudi government used Pegasus to spy on Khashoggi in order to ultimately assassinate him.
After his assassination, his phone was not recovered, so we don't know for sure if it was infected or targeted.
But if so, this is a case when a human rights activist
or journalist was killed with the help of Pegasus. And it's a bit strange to me because his killers
didn't need to know where Khashoggi was because he had an appointment to meet them at the Saudi
consulate building in Turkey. Instead, it's more likely that they used Pegasus to see what he was
going to do next and who else connected with him. Having this kind
of information is likely what they used to make the case to assassinate a journalist. And it
highlighted something that later became increasingly apparent, which is there is a troubling nexus
between cases of physical violence and the use of this kind of targeted spyware, adding kind of a new dimension to the concept of find, fix, and finish.
Looking at all the times Pegasus was used,
there's a common thread that some kind of physical action
often takes place after a victim is targeted.
In this case, someone was murdered.
But in other cases, there's jail time, physical threats,
attacks, and intimidation that happens to Pegasus' targets.
And the word is that you sold Pegasus to them, and then they turned it around to get Khashoggi.
Khashoggi or on his relatives,
I started an immediate check about it.
And I can tell you very clear, we had nothing to do with this horrible murder.
It's been reported that you yourself went to Riyadh in Saudi Arabia. You yourself sold
Pegasus to the Saudis for $55 million. Don't believe newspapers. Is that a denial? No.
The Washington Post published an article which said that Khashoggi's wife's phone was analyzed after his death and it was
discovered that his wife's phone received multiple messages that if she clicked it would infect her
phone with Pegasus. But she does not remember if she clicked the link or not and there's no
forensic evidence that her phone was infected. Khashoggi also had a fiancée, and her phone was in fact infected with Pegasus days after Jamal's murder.
So we have a conflicting story here.
Shalev told us that they had nothing to do with the murder.
Then there are three phones of family and friends of Khashoggi that were targeted.
Someone's not telling the whole truth. We asked Shalev Hulio if his investigation
explored the wider circumference around the slain journalist. I can tell you that we've checked,
and we have a lot of ways to check, and I can guarantee to you our technology was not used
on Jamal Khashoggi or his relatives. Or the dissidents?
Or the relatives.
Like Omar Abdulaziz and...
I'm not going to get into specific.
I'll tell you that if we will figure out that somebody misused the system,
we will shut down the system immediately.
We have the right to do it and we have the technology to do it.
It begs the question, did you shut down the Saudis?
I'm not going to talk about customers and I'm not going to go into specific. We do what we need to do. We help
create a safer world. And my big concern is that there is a market that is pushing companies like
NSO to put their technology in the hands of as many people as they can.
And when that happens, abuse is just a certainty.
Obviously, NSO is a for-profit company and wants to make money from their software.
And obviously, there are people around the world who want this software to make it easier to spy on people.
But there's no good regulations on who can sell software like this and who can buy it.
Snowden wants there to be a ban on all mobile spyware. I personally think something is wrong
when a company's business model is not to sell the cure, but instead to sell the virus. But since
there's no international law forbidding this, it means we have to rely on the ethical and moral
judgments made by NSO Group's staff and leadership.
What do you do when your customer has a definition of terrorist that isn't our definition? In some
countries, the opposition are terrorists. No such thing. Every customer that we sold
has a very clear definition of what terrorism is. And it's basically bad guys doing bad things
in order to kill innocent people, in order to change the political agenda. I never met
with a customer that told me that oppositions are terrorists. Well, they're not going to tell you.
But if they will act like that, they will not going to be a customer. There are more than 100 countries, 100 countries that we will never sell our technologies to.
And I can tell you that in the last eight years that the company exists, we only had real three cases of misuse.
Three cases.
Out of thousands of cases of saving lives, three were the misuse.
And those people or those organizations that misuse the system, they are no longer a customer
and they will never be a customer again. Well, in Mexico alone, Citizen Lab discovered 25 cases
of abuse. So all they need to do is read Citizen Lab's report to find more. And they do read
Citizen Lab's report and have said publicly that those reports are not accurate.
I think one of the interesting things about NSO is that NSO has lost a lot of credibility among spyware acknowledge that there was a problem and try and work to limit that problem.
Instead of which, you have a company that basically denies the problem until they can't deny it anymore.
Then they fall silent and switch to talking about something else.
That's exactly what we don't need if as a society we're going to figure out how to live in a world where this kind of sophisticated technology is used by police and security services.
There's one more clip from this 60 Minutes interview I want to play for you.
In this part, Lesley Stahl is interviewing Tami Shachar, NSO's co-president.
To protect against misuse, she says, NSO has three layers of vetting potential customers. One by the Israeli Defense
Ministry, a second by its own business ethics committee, and thirdly... Our contractual
agreements have our customers sign that the only intended use of the system will be against
terror and crime.
Oh, they sign. Come on. You have an autocratic government and they say, oh, we're not going to use it except against criminals. And you just believe them?
No. Because imagine a country is facing major terrorist threats. In the same time, they have some corruption issues.
And you have to sit in that room and weigh what is more important,
to help them fight terror, or maybe there is a chance that it's going to be misused.
It's not a black and white answer.
It's a tough ethical question.
This language of, like, saving lives and stopping terrorists, we know that language. We know it because it was the same language that was used right after September 11th to push the Patriot Act. And it's the same language that tyrantsently, if we buy into that language without being critical about it,
without thinking critically, we inadvertently play into it.
And we inadvertently support that world.
I think there's absolutely room for smart people
to work with authorities to do lawful targeting.
Absolutely.
And in fact, it happens every day. What's concerning to me about
players like NSO is that they're totally unaccountable. And in fact, they're in court
right now denying that they should even be accountable for hacking like a US company and
its users. Yes. So let's talk about that court case. Hello and welcome to the program. I'm Peter
Dobbie. NSO has faced a number of lawsuits, one of them from WhatsApp.
This was a really interesting case. In the spring of 2019, it became apparent to us that something was going on with WhatsApp.
We had been working with a lawyer who was representing the victims of Pegasus spyware.
And he had been getting these bizarre missed video call notifications.
And as he described it, something really weird would happen.
He would get woken up in the middle of the night and look at his phone and see a missed video call.
He'd go back to sleep.
He'd wake up in the morning.
He'd look at his phone.
But there were no missed video calls
when he looked at his phone.
This would happen over and over.
Attempted video call on WhatsApp.
He wouldn't answer the call.
And then it wouldn't show him that someone tried to call.
And so we began monitoring his device
to try to figure out what might be going on.
It turned out that he was targeted with what we now know to have been a zero-click exploit against WhatsApp users.
A zero-click exploit.
Oh man, this just got so much worse.
Now you don't even need to click a link. NSO
found a way to exploit WhatsApp to take over someone's phone without them needing to do
anything. And of course, once the phone is taken over, they can go back and delete all traces,
like that missed video call where the infection took place. A zero-click exploit like this means there is nothing you can do to protect yourself against this.
There's no link that you need to click, and your phone is infected automatically,
even if you have the latest and greatest model and software.
Citizen Lab reported this to WhatsApp, but WhatsApp was already investigating similar attacks through its protocol.
They patched the app so this couldn't be exploited anymore. And as it turned out,
NSO was in fact selling this exploit to its customers, which I guess makes sense. WhatsApp
is a wildly popular chat app that exists on a good percentage of all phones worldwide.
NSO sorta needs multiple exploits depending on who the target is. They already had a way to
exploit iPhone users, but now they have a way to exploit WhatsApp users.
Since the time of that initial discovery,
WhatsApp has sued NSO.
And keep in mind, WhatsApp is owned by Facebook,
so they have quite the team of lawyers.
And has, in some recent court filings,
published some kind of bombshells suggesting that NSO owned and operated the servers that were used for the exploitation.
Oh, if NSO owns the hacking systems and servers that these exploits are carried out from, then this changes a lot.
Because for years, NSO, these other spyware companies, have kind of said whenever they're questioned about abuses,
look, we don't run this stuff, we sell it to customers and they do their thing.
And what WhatsApp's latest filings in this case have shown is that NSO does appear to run some of this infrastructure,
which makes it look like they're doing something more like hacking as a service.
This is interesting for a number of reasons.
It's interesting because it challenges the idea that NSO wouldn't know what its customers are doing and wouldn't be able to exercise some
oversight. From a national security standpoint, it's also really interesting because it suggests
that NSO might be able to look over its customers' shoulders and see who they were infecting with
this technology. It also means that NSO isn't being honest when they explain how this software
works, that they just sell it and have nothing to do with it after. This lawsuit was issued in October 2019 in San Francisco. But as of this recording in 2021,
the case has not yet gone to trial. So what's happened with that case is that NSO has tried
to appeal the case, perhaps in a strategy to stop discovery. So right now, the effort by NSO to basically have
the case dismissed is currently underway. And both sides have presented their arguments. In addition,
a who's who of tech companies and civil society organizations have all thrown weight behind
the WhatsApp Facebook case.
Companies joining in on this case are Microsoft, Cisco, GitHub, Google, LinkedIn, and VMware.
Major players have all come in and said, look, this case is really important.
And we think that this is a really critical case. And so you have a whole bunch of tech companies,
plus a bunch of civil society organizations all coming in and saying to the judge, look, don't let this case be dismissed.
This is super important.
Besides, NSO's legal claims don't hold water.
Citizen Lab isn't a part of that case, but we're, of course, watching it really closely.
Just a few weeks ago, NSO hit the news again.
Something called the Pegasus Project, which is a group made up of 80 journalists and 17
media companies in 10 different countries. They all came together to compile and investigate
all reported cases of Pegasus infections. During their research, they somehow got a hold of a
leaked list of 50,000 phone numbers who they claim are possible targets for Pegasus spyware.
These potential targets include activists,
human rights defenders, journalists, and even government officials like the president of France
and the daughter and ex-wife of the ruler of Dubai. But I feel like this news story was slightly
misreported. The 50,000 phone numbers on this list were potential targets. It doesn't mean that they
actually were targeted by Pegasus. It just means that people who had access to the Pegasus spyware were interested in these 50,000 people.
Shalev Hulio, who is the S in NSO, was questioned about this in an Israeli news outlet called
Calcalist. He said that this list of 50,000 phone numbers has nothing to do with the NSO group,
and they wouldn't even have such a list like this to begin with. He thinks the list was probably derived from some kind of HLR lookup
system. HLR stands for Home Location Register, and it's like a database that phone companies have
that you can use to look up phone numbers to see if those are registered phone numbers.
Someone familiar with how Pegasus works said that Pegasus has HLR lookup capabilities within the tool.
But Shalev Hulio said something else that's really interesting to me. He said he was first notified
of this weeks before the list was announced, and that someone notified him that one of his servers
in Cyprus was hacked, and the entire NSO target list was stolen. And I confirmed they do have
servers in Cyprus. But Shalev said
it's impossible to have the NSO target list stolen since NSO doesn't have such a database or list of
targets because each customer runs their own instance and infrastructure for Pegasus to run
and there's no central repository of data. But something isn't adding up here. Why is there a
list of 50,000 phone numbers? And why would Shalev admit
that the NSO was breached and tell us the entire NSO target list was stolen, but then deny that
such a list even exists? A few months ago, the NSO group put out their very first transparency
and responsibility report. In it, they say that customers are contractually obligated to provide
logs to NSO, which includes which NSO
product they used, how the process was done, why they used it, the duration of use, and who was
targeted. So, if that's the case, then the NSO does have a way to collect logs from its customers,
and maybe they do have a central place to store those logs. Amnesty International is who initially released
this report about the 50,000 phone numbers, but they won't say how they got it since that could
put certain people in danger or burn their source. The Pegasus Project does list 11 countries which
show signs that they probably have Pegasus. Those countries are Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates.
Oh, and I learned more about Rwanda's use of Pegasus.
If you know the story of Hotel Rwanda, then you might have heard that the manager of the hotel was arrested last year on terrorism charges.
He is not a terrorist. He's a human rights activist.
Now, I don't know what's going on with his phone,
but a report from The Guardian recently came out and said
that the American daughter of the manager of the hotel was targeted with Pegasus.
This leads me to believe that the Rwanda government is using it to spy on activists.
Officially, the Rwandan government says they deny that they have Pegasus or use it at all,
but one of the former
heads of Rwanda's national intelligence was actively spied on with Pegasus when he became
an opposition for the current administration. On top of that, there's a Financial Times article
that came out which also outlined how over six Rwanda activists were targeted by Pegasus.
And the article goes on to say that people who are opposed or outspoken of the current government party of Rwanda
sometimes become missing or go to prison
or have to flee the country because of threats
or end up killed.
This just adds to the pattern of abuse
that follows this spyware around.
The transparency report that the NSO group put out said they have 60 customers
in 40 countries. 40 countries are their customers. That means 20% of the countries in the world have
access to this Pegasus spyware. The NSO transparency report says the NSO group has a list of 55
countries that they refuse to do business with because of human rights abuse, corruption, or regulatory restrictions. And they do say in the report
over and over how much they support human rights. And they say they continually investigate their
customers, looking for signs where their customers have abused the tool. And they say that they've
found that the tool has been abused only half a percent of the time, which would mean that one out of every
200 targets is a misuse of the tool, which I find to be an unbelievable statistic. Because in one
interview with Forbes, Shalev Hulio from NSO said the average customer has only 100 targets.
And we know of over 20 instances where in Mexico alone this tool was misused.
But this Pegasus project highlights hundreds of cases of misuse.
Overall, this NSO transparency report seems like PR fluff to me.
There's nothing transparent about it.
Like Lesley Stahl from 60 Minutes asked Shalev point blank if he cut ties with Saudi Arabia
after it came out that Khashoggi was spied on with Pegasus and murdered.
But Shalev refused to talk about any customers.
Well, this transparency report refuses to talk about customers too.
It would have been nice if they highlighted the same instances of abuse that the Pegasus Project highlighted.
And pointed out that these are the specific reasons why we cut ties with these specific countries
and listed those countries by name.
That would be transparent.
But that's not what was in this report.
So I'm hesitant to believe any of the stuff written in this transparency report is even true.
But when this bombshell allegation came out that there's a list of 50,000 potential targets of Pegasus,
NSO got mad and posted a new article on their website titled
Enough is Enough. And it said the Pegasus Project report had complete disregard of the facts
and the NSO will no longer be responding to media inquiries. And I've got to laugh at that part.
No longer responding to media inquiries? Are you kidding me? I've been inquiring for three years
now and you've refused to talk
before this was happening. Now you're telling me your official stance is to refuse to talk about
it because another report came out. I don't know how you think this makes you look, but it doesn't
make you look good. Anyway, the article goes on to say that there are no connections between the
50,000 phone numbers and NSO and any claim that there is a connection is erroneous and false.
And they give a flip-flop statement saying that they don't have any of their customers' data,
but their customers are obligated to provide data if the NSO group asks for it.
NSO, this means you do have customer data.
You need to pick a side here.
You either don't have any customer data or you have total access to customer data.
You can't say it's both. Then they end by
saying NSO's mission is to save lives by helping governments around the world prevent terror
attacks, break up pedophilia, sex and drug trafficking rings, locate missing children and people, and
protect airspace from unauthorized drones flying over. And yeah, that's great, but again, if countries
use the tool for good it doesn't negate the fact that the tool is frequently used to spy on the wrong people and do harm to civil society.
Someone needs to hold NSO accountable for getting this tool into the wrong customer's hands.
Think about it like this.
A while back, I did an episode on the butterfly botnet.
The people who used this botnet to attack
with and cause destruction with, they got arrested. And okay, that makes sense. They did a criminal act.
But the person who made the butterfly botnet got even more prison time than the criminals,
and that's because he created malware with the intent to do harm with it. Here we have NSO creating malware to hack into people's phones.
But the only difference is NSO says they make the tool to help save lives. But if they continue to
do multi-million dollar deals with oppressive regimes who use the malware to attack civil
society over and over, then the NSO group needs to be held accountable for that.
They obviously know how dangerous this malware is,
and if they had any kind of notice that a person they're selling it to
may use it to commit some non-lawful activity with it,
then that alone should be enough to get them in trouble for what they've been doing.
Anyway, in July 2021, Israeli government officials visited the offices of the NSO group.
It looks like they came to review their export licenses and audited NSO to see if they've done anything wrong.
It's fuzzy and we're not sure what actually happened here or what's going to happen,
but it's not a good sign when your government comes to your offices and starts looking through your documents. Now, you might be wondering, wait a
minute, haven't all these Pegasus vulnerabilities been fixed? Like, didn't Apple fix that one when
John reported it and WhatsApp fixed theirs? Is this even an issue still? Actually, yeah,
it is an issue still. They have a new version of Pegasus. Apparently, NSO has many different exploits that they can use to get the Pegasus spyware
onto phones.
Every time there's an exposure like this, NSO makes a bunch of brave claims in public
and off the record to people that they came right back online with some new exploits.
And their narrative is that they've always got something in the pipe.
I think one thing to consider here is that we know, of course,
you burn an exploit chain,
you make something public.
There's a big technological cost
to getting back online.
Moreover, you may have like a whole lot of customers
with devices that are already infected out there,
but that are now beaconing to infrastructure
that is known by security researchers and others.
So the huge cost to customers of getting back online.
I think we're still learning as we watch the NSO example, just what constitutes real disruption
and what constitutes a cost of doing business.
And it seems to be in the same way that, you know, certain cowboy capitalist firms view
fines.
I'm tempted to say NSO may view the exposure of
some of its exploits as part of its cost of doing business. Certainly it's not, it seems, in want
for capital. And I guess this is one reason why NSO is so focused on Citizen Lab, because Citizen
Lab has fixed these vulnerabilities that Pegasus uses a few times. And it's extremely costly for
NSO whenever Citizen Lab discovers a new one and reports it.
And so it makes sense for NSO to be very interested in what John and his colleagues
are doing at Citizen Lab because they're exposing a very powerful organization. But this isn't just
the work of Citizen Lab. Lots of other organizations have all researched and published articles about
NSO spyware.
Lookout Security has analyzed malware and published reports.
Amnesty International has also publicly exposed other things that NSO Group has done.
And so that brings us back to Black Cube spying on John Scott Railton and Citizen Lab.
Why would they do that?
Well, Black Cube is just a for-hire spy agency, so they likely didn't come up with this idea themselves.
Somebody probably hired them to send a spy to the U.S. to meet with John.
As John was thinking about who could have possibly hired Black Cube to spy on him, some news came out with more information.
After we realized that both myself and my colleague Bahar were targeted, the AP uncovered four more people who all were supporting victims,
including a journalist and lawyers.
And it appeared part of a coordinated effort
to get information about legal cases against NSO. And ultimately,
if you look at it, right, to frustrate the ability of victims to get justice.
You know, these were lawyers representing like the parents and people, you know, parents of
children who had been disappeared by the Mexican government. I mean, these were not
lawyers for wealthy people. These were lawyers for victims. And the case really, to me,
highlighted the extent to which somebody with deep pockets was trying to basically blunt
any attempt by those victims to gain justice. So John and his colleague at Citizen Lab were
targeted by Black Cube spies. And they asked a bunch of questions about Citizen Lab's interest in the NSO group.
And then there were a few lawyers of victims of NSO who were also spied on by Black Cube.
And so, if you connect these dots together, does this answer the question of who paid Black Cube
to spy on John? Well, I think, you know, I'll let your listeners make the judgment
of what this might indicate.
Okay, but let's do
a thought experiment here.
If the NSO group paid Black Cube
to spy on its critics,
then what does that mean?
Well, in my opinion,
it puts the NSO group in an ethically indefensible area.
Because NSO just sells spy tools.
They claim they don't do any of the spying themselves.
And so every time you try to put your finger on some action that the NSO group did wrong,
they just step aside and put blame on their customer.
And since they are so secret and hidden about what they do,
you really don't know how much they should be blamed for.
But in this case, where Black Cube spied on Citizen Lab
and lawyers of victims of the Pegasus software,
if the NSO group is who paid Black Cube to do that,
then this is a clear case of where the NSO group themselves did something
unethical. Not their customers, but them. And if that's the case, does that show their true colors
of what kind of company they really are? Because if they are an unethical company, you can't believe what they tell you. And you can't trust them to make
ethical choices, like who to sell their spyware to. Oh, and I also want to mention that the spyware
might be coming to a police department near you. Joseph Cox at Motherboard wrote a story last year
that the NSO group tried to sell its spyware to the San Diego Police Department. And the NSO group goes
by many names. Here in the U.S., they call themselves Westbridge Technologies. And Omri, the O in NSO,
has spearheaded NSO's presence in the U.S. In fact, his office is in New York. And it also
sounds like the FBI might be conducting an investigation on the NSO group. Joseph Menn
at Reuters wrote an article saying that the FBI was trying to determine
if the NSO group got any of its exploits from Americans. But I also imagine that the FBI would
be concerned about whether or not foreign entities use Pegasus to spy on Americans. I mean, it should
be a crime under the Computer Fraud and Abuse Act to gain unauthorized access to someone's phone or
computer. Because you can't just hack into someone's device without their express consent.
That's illegal.
So I do hope U.S. authorities are collecting information on what Americans have been targeted
and whoever is doing it gets in a lot of trouble for it.
But this is the sort of gray area of this whole thing.
NSO claims that what they're doing is selling a lawful intercept technology
and should only be used when law permits and there's permission to do so.
But there doesn't seem to be any consequences to governments who abuse this tool.
I just hope that my country has my best interest in mind and that if I get spied on illegally using this tool, the authorities care enough about it and punish those behind it. Because I'll never be
able to win a security battle, which is me versus a billion dollar company like the NSO Group.
I can do things to be safer, but I Railton from Citizen Lab for doing all this research,
being fearless in the face of the enemy and publishing countless reports on threats towards
civil society.
You can learn more about his work by visiting citizenlab.ca.
Okay, so I made it to
episode 100. And with that, I'm going to take a break, but just for two weeks. So I'm sorry,
but there will just not be an episode in two weeks. If you're wondering, I'm headed to the
beach and I'm just going to unplug and be as low tech as I can for a while. If I add up all the episodes, I've written
about 15 novels worth of stories now. My fingers are sore, but look for another episode in four
weeks. This show is made by me, the Spaghetti Coder, Jack Rhysider. Our theme music is by the
elusive Breakmaster Cylinder. And even though I'll be on break next week, I'm still going to
my hacker support group that I'm in. It's called Anonymous Anonymous.
This is Darknet Diaries.