Saturday, May 14, 2022

FBI aimed to use Pegasus spyware for 

operations with Israel's approval, 

report reveals

May 14, 2022 

The website of Israel-made Pegasus spyware at an office on July 21, 2021 

[MARIO GOLDMAN/AFP via Getty Images]

May 14, 2022 

The United States' Federal Bureau of Investigation (FBI) had intended to use Israel's infamous Pegasus spyware for its ongoing operations, a report by The New York Times has revealed.

According to the report, the FBI reportedly wrote to the Israeli government back in 2018 of its intention to use Pegasus to collect phone data of those it had already been monitoring and investigating. The agency told the Israeli Defence Ministry that its purchase of the spyware was "for the collection of data from mobile devices for the prevention and investigation of crimes and terrorism, in compliance with privacy and national security laws."

The Pegasus spyware – developed and owned by the Israeli NSO Group – was made infamous over the past few years due to its hacking scandals, particularly in July last year when the University of Toronto's internet watchdog Citizen Lab exposed its client governments' misuse of the spyware through the hacking of around 50,000 phones and devices belonging to journalists, human rights activists, and political critics worldwide.

Phones and devices infected with Pegasus spyware become fully compromised, with the users' data, pictures, messages, and location being made accessible to the governments and agencies targeting them. Even the cameras and microphones on their devices can be activated without the users' knowledge. The infection of the devices can be achieved through the user clicking or opening a message or link, or even without any interaction at all through the latest 'zero-click' malware.

READ: From Pegasus to Blue Wolf: how Israel's 'security' experiment in Palestine went global

Since the FBI's acquisition of the Pegasus spyware was revealed and confirmed earlier this this year, the agency has insisted that it only purchased it for "product testing and evaluation", particularly in order to assess how rivals of Washington would use it if they acquired it. This latest revelation of the FBI's intention to put the spyware to use in its operations, however, contradicts that claim.

A spokesperson for the bureau, Cathy L. Milhoan, told The New York Times that "The FBI purchased a license to explore potential future legal use of the NSO product and potential security concerns the product poses…As part of this process, the FBI met the requirements of the Israeli Export Control Agency. After testing and evaluation, the FBI chose not to use the product operationally in any investigation".

Despite the bureau's purchase, testing, and intention to use the spyware, the US government sanctioned its developer the NSO Group and placed it on a trade blacklist. A month later, however, it was reported that the Pegasus spyware would be shut down and sold to the US, with the product apparently only to be used for cyber defence.

Rogues And Spyware: Pegasus Strikes In Spain – OpEd

By 

Weapons, lacking sentience and moral orientation, are there to be used by all.  Once out, these creations can never be rebottled.  Effective spyware, that most malicious of surveillance tools, is one such creation, available to entities and governments of all stripes.  The targets are standard: dissidents, journalists, legislators, activists, even the odd jurist.

Pegasus spyware, the fiendishly effective creation of Israel’s unscrupulous NSO Group, has become something of a regular in the news cycles on cyber security.  Created in 2010, it was the brainchild of three engineers who had cut their teeth working for the cyber outfit Unit 8200 of the Israeli Defence Forces: Niv Carmi, Shalev Hulio and Omri Lavie. 

NSO found itself at the vanguard of an Israeli charm offensive, regularly hosting officials from Mossad at its headquarters in Herzliya in the company of delegations from African and Arab countries.  Cyber capabilities would be one way of getting into their good books.

The record of the company was such as to pique the interest of the US Department of Commerce, which announced last November that it would be adding NSO Group and another Israeli cyber company Candiru (now renamed Saito Tech) to its entity list “based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”   

In July 2021, the Pegasus Project, an initiative of 17 media organisations and civil society groups, revealed that 50,000 phone numbers of interest to a number of governments had appeared on a list of hackable targets.  All had been targets of Pegasus.  

The government clients of the NSO Group are extensive, spanning the authoritarian and liberal democratic spectrum.  Most notoriously, Pegasus has found its way into the surveillance armoury of the Kingdom of Saudi Arabia, which allegedly monitored calls made by the murdered Saudi journalist Jamal Khashoggi and a fellow dissident, Omar Abdulaziz.  In October 2018, Khashoggi, on orders of Saudi Arabia’s Crown Prince Mohammed bin Salman, was butchered on the grounds of the Saudi consulate in Istanbul by a hit squad. NSO subsequently became the subject of a legal suit, with lawyers for Abdulaziz arguing that the hacking of his phone “contributed in a significant manner to the decision to murder Mr Khashoggi.”  

Spain’s Prime Minister Pedro Sánchez, Defence Minister Margarita Robles, Interior Minister Fernando Grande-Marlaska, and 18 Catalan separatists are the latest high-profile targets to feature in the Pegasus canon.  Sánchez’s phone was hacked twice in May 2021, with officials claiming that there was at least one data leak.  This was the result of, according to the government, an “illicit and external” operation, conducted by bodies with no state authorisation.

Ironically enough, Robles herself had defended the targeting of the 18 Catalan separatists, claiming that the surveillance was conducted with court approval.  “In this country,” she insisted at a press conference, “no-one is investigated for their political ideals.”

The backdrop of the entire scandal is even more sinister, with Citizen Lab revealing last month that over 60 Catalan legislators, jurists, Members of the European Parliament, journalists and family members were targeted by the Pegasus spyware between 2015 and 2020.  (Citizen Lab found that 63 individuals had been targeted or infected with Pegasus, with four others being the victims of the Candiru spyware.)  Confirmed targets include Elisenda Paluzie and Sònia Urpí Garcia, who both work for the Assemblea Nacional Catalana, an organisation that campaigns for the independence of Catalonia.  

The phone of Catalan journalist Meritxell Bonet was also hacked in June 2019 during the final days of a Supreme Court case against her husband Jordi Cuixart.  Cuixart, former president of the Catalan association Òmnium Cultural, was charged and sentenced on grounds of sedition.

The investigation by Citizen Lab did not conclusively attribute “the operations to a specific entity, but strong circumstantial evidence suggests a nexus with Spanish authorities.”  Amnesty International Technology and Human Rights researcher Likhita Banerji put the case simply. “The Spanish government needs to come clean over whether or not it is a customer of NSO Group.  It must also conduct a thorough, independent investigation into the use of Pegasus spyware against the Catalans identified in this investigation.” 

Heads were bound to roll, and the main casualty in this affair was the first woman to head Spain’s CNI intelligence agency, Paz Esteban.  Esteban’s defence of the Catalan hackings proved identical to that of Robles: they had been done with judicial and legal approval.  But she needed a scalp for an increasingly embarrassing situation and had no desire to have her reasons parroted back to her.  “You speak of dismissal,” she stated tersely, “I speak of substitution.”  

While the implications for the Spanish government are distinctly smelly, one should not forget who the Victor Frankenstein here is.  NSO has had a few scrapes in Israel itself.  It survived a lawsuit by Amnesty International in 2020 to review its security export license.  But there is little danger of that company losing the support of Israel’s Ministry of Defence.  In Israel, cybersecurity continues to be the poster child of technological prowess, lucrative, opaque and distinctly unaccountable to parliamentarians and the courts.


Binoy Kampmark

Binoy Kampmark was a Commonwealth Scholar at Selwyn College,

Cambridge. He lectures at RMIT University, Melbourne.

Email: bkampmark@gmail.com

No comments:

Post a Comment