One of the co-founders of the Israeli cyber-intelligence firm behind the powerful phone-surveillance software Pegasus, NSO Group, has denied that their products were involved in the Saudi Arabian government’s torture and murder of journalist in self-imposed exile Jamal Khashoggi at the Saudi consulate in Istanbul last year, the Times of Israel reported on Saturday. However, they would not clarify whether the Saudi government was in possession of the Pegasus system.
Shalev Hulio said in a “rare interview” that his company’s products were only used to track terrorists and criminals and that any misuse would be detected and punished, the Times wrote:
“There was no use on Khashoggi, including listening, monitoring, tracking, collecting info with any product or technology of NSO,” Shalev Hulio told the Yedioth Ahronoth daily in a rare interview... “In the last half year the company’s products have been part of thwarting several large terror attacks in Europe, both with car bombs and suicide bombers,” Hulio said.
... Hulio added that any use of NSO products for activities other than crime and terrorism prevention results in “immediate sanctions by the company, decisively and without compromise.”
Pegasus, a spyware program, uses flaws called “zero day” vulnerabilities—ones that software vendors lack prior awareness of—to gain access to the inner workings of mobile devices. Programs like it can be used to access everything from cellular microphones and cameras to keyboards and stored data, according to CNN. The network reported that researchers at Toronto’s Citizen Lab have tracked the use of Pegasus to at least 45 countries where operators “may be conducting surveillance operations,” including 10 that “appear to be actively engaged in cross-border surveillance.” Citizen Lab researchers found that Saudi officials targeted dissident Omar Abdulaziz, who lives in Canada under an asylum program and communicated with Khashoggi via the encrypted WhatsApp messaging service, and those messages were compromised. CNN wrote:
In the case of Khashoggi, Citizen Lab researchers say the text message went to Abdulaziz, disguised as a shipping update about a package he had just ordered. The link, which Citizen Lab says it traced to a domain connected to Pegasus, led to Abdulaziz’s phone becoming infected with the malware, giving hackers access to virtually his entire phone, including his daily conversations with Khashoggi.
In one text, before his death on October 2 at the Saudi consulate in Istanbul, Khashoggi learned that his conversations with Abdulaziz may have been intercepted. “God help us,” he wrote.
As CNN previously reported, Khashoggi was much more critical of infamously repressive Saudi crown prince Mohammed bin Salman in his messages to Abdulaziz than he was in his columns for the Washington Post, referring to him as a “beast” and stating that “the more victims he eats, the more he wants.” These messages may have served as a pretext for Saudi officials to carry out his torture and execution.
According to CNN, when asked whether NSO Group sold Pegasus to Saud al-Qahtani, a high-ranking and allegedly brutal political adviser to the prince, Hulio denied any such sale had occurred. However, he refused to say whether or not NSO Group had sold the software to the Saudi government in general:
“All sales are authorized by Israel’s Defense Ministry and are only made to states and their police and law enforcement organizations,” he said, and “only for use fighting terrorism and crime.”
Asked point blank if NSO Group sold the system to Saudi Arabia, Hulio said, “We do not comment on any questions about specific clients. We can neither deny or confirm.”
A Washington Post report in December 2018, citing “three former U.S. officials,” stated that Saudi officials had shown significant interest in Pegasus and worked with a Luxembourg-based NSO Group affiliate named Q Cyber to acquire it:
Two sources told me that Q Cyber dealt directly with the Saudis, helping solve problems that arose with cyber-monitoring systems. Q promised that it could access targets in a half-dozen Middle Eastern countries, as well as many of the biggest nations in Europe. Some Israelis were concerned about sharing these super-secret capabilities with a leading Arab nation, but two knowledgeable former U.S. officials told me the Saudi purchase was approved by the Israeli government.
As Gizmodo previously reported in November 2018, human rights nonprofit Amnesty International has asked the Israeli government to revoke NSO Group’s export licenses after reports the firm had met with Saudi officials and that Pegasus was used to target its workers. Abdulaziz is also suing NSO Group, saying that it violated international law by selling its cyber-intelligence tools to repressive governments. Per the Times, his suit was filed in Tel Aviv and asks for $160,000 in damages as well as “an order preventing NSO from selling its technology to Saudi Arabia.”
In a statement to the Post last month, an NSO Group spokesperson said: “While as a matter of security, we will not discuss whether a particular government has licensed our technology, this lawsuit is completely unfounded. It shows no evidence that the company’s technology was used and appears to be founded on a collection of so-called reports and articles that have been generated for the sole purpose of creating news headlines that do not reflect the reality of NSO’s work.”
“We follow an extremely rigorous protocol for licensing our products—which are only provided after a full vetting as well as licensing by the Israeli government,” the spokesperson added.