Israel-based NSO Group is pointing the finger at customers who may misuse its Pegasus surveillance software, following reports that a list hacked in Cyprus contained thousands of mobile phone numbers believed to have been targeted by the proprietary malware to spy on journalists and activists around the globe.
The Pegasus Project investigation based on leaked targeting data was released earlier this week, alleging more than 50,000 mobile phone numbers were believed to have been targeted illegally by malware sold by NSO, an Israeli company that also had a base in the Republic of Cyprus.
Reports on Monday said the information had been leaked to the Paris-based nonprofit Forbidden Stories and human rights group Amnesty International.
Based on additional reports, including a story by the BBC, it emerged that the leaked data may have been housed on a company server in Cyprus before being obtained in the course of the investigation.
But a company spokesperson has told BBC News that no such data existed.
“Firstly, we don't have servers in Cyprus. And secondly, we don't have any data of our customers in our possession,” the company official said.
The military-grade malware is known to infect mobile phones, allowing the operator to access messages, photos, emails, and location data as well as surreptitiously control the device's microphones and cameras.
It has been alleged that NSO, which has ties to Israel’s defense forces, has been using its Pegasus software to spy on journalists, human rights activists, and political dissidents.
“Our customers have an average of 100 targets a year. Since the beginning of the company, we didn't have 50,000 targets total,” an NSO Group spokesperson was quoted as saying by the BBC.
“If I am the manufacturer of a car and now you take the car and you are driving drunken and you hit somebody, you do not go to the car manufacturer, you go to the driver,” the official said.
NSO points finger at end-users for illegal hackings
The official also said any allegations of misuse and all the finger-pointing should be directed at the customer and not the software seller.
“You know, if a customer decides to misuse the system, he will not be a customer anymore,” the spokesperson added.
But critics have accused NSO of providing powerful spy software to repressive governments to hack innocent people, including those close to murdered Washington Post columnist Jamal Khashoggi.
Earlier this month, NSO said in a transparency report that “we must hold ourselves to a higher standard and act with stewardship and transparency... to ensure public safety and concern for human rights and privacy.”
The media consortium says 67 people whose phone numbers were on the hacked list agreed to give Forbidden Stories their actual physical phones for forensic analysis, with Amnesty International Security Labs reportedly finding evidence of potential targeting by Pegasus on 37 of them.
NSO says it had no knowledge of how some phones on the list contained remnants of spyware.
It could be "a coincidence", the spokesperson said.
In November 2019, local politicians in Cyprus raised concern over media reports about a super-pimped-out ride in Larnaca, a converted ambulance truck that was also featured in a Forbes story about Tal Dilian, an Israeli former intelligence officer and well-known investor in the high-tech industry.
Police immediately launched an investigation against Dilian's company WS WiSpear, an Israeli Cypriot high-tech company that sells long-range mission intelligence vehicles, amid allegations that politicians and others arriving on the island could have been targets of illegal surveillance.
WiSpear said that the “spy van” was used in Cyprus only for demonstration purposes, adding that the business aim of the company was to sell surveillance systems to clients and it did not spy on anyone.
Dilian’s company has also vehemently denied breaching privacy laws or targeting individuals in the Republic, except individuals taking part in the company’s field tests.
In the Forbes video, two men are told to walk away some 100 metres, with Dilian forcing the mock target’s Huawei phone to connect to his Wi-Fi hub. The veteran then proceeded to hack into the device for demonstration purposes and silently install surveillance software.
The company went on to say that it was registered in 2013 in Cyprus but began operation in late 2017. One of Dilian’s companies was said to have been affiliated with NSO before the Group fired all staff and left the island in summer 2020.
Reports say clients including Saudis met in Cyprus
But this week foreign media reported on meetings in Cyprus and other locations back in 2017, alleging that a senior Saudi intelligence official was “amazed” by what he saw during a presentation on the island in June of that year.
According to The Guardian, businesspeople who represented the NSO Group made it their mission to sell Pegasus, the weapons-grade spyware system, to a Saudi senior intelligence official.
“After a lengthy and technical discussion, the Saudi spy, who had brought a new iPhone, was shown how Pegasus could infect the phone and then be used to remotely operate its camera,” The Guardian said, citing a person who attended the meeting.
“You don’t need to understand the language to see they were amazed and excited and that they saw what they needed to,” the person said.
“We are not the policemen of the world”
But the Israelis insist they have only sold Pegasus to governments or agencies fighting terrorism and serious crime.
WiSpear provides end-to-end intelligence solutions for law enforcement and intelligence agencies, according to a company statement.
“We are not the policemen of the world and we are not the judges of the world,” Dilian said during the Forbes interview.
The consortium of 16 media organizations said it was able to identify more than 1000 individuals in 50 countries who were allegedly selected for potential surveillance by NSO clients.