How Pegasus spyware ‘infected’ the phones of Jeff Bezos, El Chapo and No 10

The controversial tool has become a must-have for autocratic regimes as well as many democratic governments, making its Israeli developer, NSO, millions. But have its powers gone too far, asks Anshel Pfeffer

Anshel Pfeffer, The Times
April 24, 2022

It is the must-have eavesdropping system for the world’s autocrats — as well as many democratic governments. Last week it was reported that some officials at No 10 and the Foreign Office had had their smartphones “infected” with Pegasus, a powerful Israeli-developed cybertool. Not only does it give spies access to all data on the phone but also, by hacking its camera and microphone, turns it into a watching and listening device.

President Emmanuel Macron and Jeff Bezos, the billionaire founder of Amazon, have been previous targets. In the latest case, according to the Canadian research centre Citizen Lab, UK government officials had been targeted by the United Arab Emirates (UAE), possibly linked to the divorce proceedings between Sheikh Mohammed bin Rashid al-Maktoum, the ruler of Dubai, and Princess Haya Bint al-Hussein, who has found sanctuary with her children in Britain. The sheikh has been found in a High Court ruling to have used Pegasus to track his ex-wife and her British lawyers.

Pegasus was not developed by the Israeli NSO Group to help spouses in divorce cases. It is marketed as a key tool in fighting terrorists and organised crime and counts the FBI and Germany’s federal police as customers. It is credited with helping the Mexican authorities to capture the drug baron El Chapo and has allowed Isis operatives to be arrested before they carried out attacks in Europe. One Palestinian would-be terrorist said in his interrogation that “the Israelis knew what I was dreaming of before I even dreamt it”. But uses have been more sinister, such as Saudi Arabia’s tracking of the dissident journalist Jamal Khashoggi before his gruesome murder in Istanbul.

How has this controversial tool become such big business?

Pegasus is not your average hack or phishing scam. It makes “zero-click” attacks: phone users don’t need to click on a dodgy link to get infected. It targets system vulnerabilities unknown to the developers — known as “exploits” or “zero-days” — and leaves no trace. Zero-days are hard to find — and can be sold for large sums.

“There’s a black market in zero-days, which are found and then sold by criminal syndicates,” says an expert in a western government who has spent ten years monitoring the cyberindustry.

“Someone who is willing to pay a lot of money, and we’re talking in some cases about millions to hack a single smartphone, can usually find on the dark web an anonymous hacker who can do it. But a government which doesn’t want to work through criminals and wants to have a tool like this at its constant disposal doesn’t have many places to go.” Which is where NSO, a firm founded near Tel Aviv in 2010, comes in.


“There are two types of zero-click systems,” says a former Israeli intelligence official. “The most sophisticated ones are developed by the electronic intelligence services of major countries, like the NSA [National Security Agency] in America and Britain’s GCHQ. You’ll never hear about them as they’re top secret and jealously guarded and will never be sold or distributed to other countries.

“Then there’s hacks which are developed by large crime syndicates in Russia or China, with the unofficial blessing of the regimes there. Those are the two types of developers who have the massive resources you need for employing big teams of hackers who are constantly looking for vulnerabilities. And then you have NSO.”

NSO is ostensibly a non-governmental, private software company operating under Israeli law. It is majority-owned by Novalpina Capital, a London-based private equity fund that has Cherie Blair, the former prime minister’s wife, on its advisory ethics committee. But it is no ordinary private company. NSO develops surveillance software used by Israeli intelligence and its ties to Israel’s government and security establishment are the secret of its success. The hundreds of researchers working at NSO learnt their trade as soldiers and officers in Israel’s military intelligence apparatus.

NSO’s main profits come from exports — which are controlled by the Israeli state. It cannot sell its flagship Pegasus system to private customers, only governments approved by Israel. The list of Pegasus clients ends up looking like a map of Israel’s foreign policy interests. It includes countries in Latin America such as Mexico and Panama, which in recent years relinquished their pro-Palestinian voting patterns at the UN. Then there are the populist governments of Poland and Hungary, which have become Israel’s most strident defenders in the European Union.

Over the past decade Pegasus has also helped Israel build an anti-Iran coalition in the Middle East. The UAE, which used Pegasus against dissidents at home and, reportedly, the British government, has become Israel’s closest ally in the region along with Bahrain and Morocco. The latter is reported to have used Pegasus to target Macron.

Saudi Arabia does not have diplomatic relations with Israel but is a key member of the anti-Iran alliance. Binyamin Netanyahu, the former Israeli prime minister, personally authorised the sale of Pegasus to the Saudis.

“When Netanyahu wanted to seal an agreement with another world leader, he would often offer them access to Pegasus to seal the deal,” says one senior Israeli diplomat.

But there is a fightback. Citizen Lab, based at the University of Toronto, has developed software that can detect Pegasus on infected smartphones, and together with a consortium of newspapers has published reports of the system’s misuse, including the No 10 attack and the targeting of Catalan activists, probably by the Spanish government.

NSO is being sued by Apple and Meta, the owner of Facebook, for breaching their security and in November the US commerce department put the company on its trade blacklist. Meanwhile, Novalpina is embroiled in a legal battle between shareholders for control of NSO.

Industry insiders are divided over the company’s troubles. Some Israeli tech executives accused NSO of going too far in its pursuit of profits and turning a blind eye to what its customers were doing with Pegasus. Others accuse the American administration and tech giants of hypocrisy in taking on a relatively small Israeli company that challenged their dominance.

The Israeli government’s promised investigation is yet to get off the ground.

“NSO knows too many secrets of too many governments,” said one Israeli government official last week. “Even if they force the company to break up, it will be resurrected in one way or another. There’s simply too much demand from governments for these capabilities and if they don’t buy them from NSO, there will be others offering similar services.”