from the truly-an-unsurprising-development dept
Malware merchant NSO Group’s year of embarrassment continues. Leaked data published in July appeared to show NSO malware (namely its phone-hijacking malware Pegasus) had been used to target dissidents, journalists, religious leaders, and prominent politicians.
NSO reacted by first claiming the data showed nothing of the sort or at least was unrelated to its malware and its customers. Then it made contradictory claims, saying it terminated contracts when it discovered abuse of its products and that it had no visibility into its customers’ actions. Puzzling.
Then things somehow got worse. Countries accused of using NSO Group malware to target critics and journalists decided to sue critics and journalists. Israel’s government opened an investigation into the Israeli company. Another investigation found the government of Bahrain was engaging in exactly the kind of abuse NSO claimed it didn’t allow. And, thanks to some pretty ugly divorce proceedings, it came to light that Dubai’s king had used the malware to spy on his ex-wife and her lawyer.
The debacle continues. An investigation by Citizen Lab — which has uncovered previous misuse of NSO’s software — reveals an American journalist was targeted multiple times by NSO’s hacking tools.
New York Times journalist Ben Hubbard was repeatedly targeted with NSO Group’s Pegasus spyware over a three-year period from June 2018 to June 2021. The targeting took place while he was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.
The investigators aren’t sure who targeted Hubbard, but they do note that complaining to NSO about being targeted in violation of the company’s guidelines has zero deterrent effect on future targeting.
The targeting resulted in Pegasus infections in July 2020 and June 2021. Notably, these infections occurred after Hubbard complained to NSO Group that he was targeted by the Saudi-linked KINGDOM Pegasus operator in June 2018.
While it would seem the most likely suspect is the Saudi government (or perhaps the prince himself, given what we now know about individual misuse of NSO spyware), Citizen Lab doesn’t have enough information to definitively say who’s behind the second round of targeting. And, given government/government officials’ willingness to sue journalists over accusations of spying, Citizen Lab is wise to play it safe when it comes to attribution.
The in-depth report is worth reading, detailing how Citizen Lab arrived at these conclusions, as well as noting the similarities between these attacks (which utilized both malicious links and zero-click exploits) and ones observed targeting a Saudi activist earlier this year. And it shows NSO is still months away from being able to put this in the rearview mirror. A change of culture is needed at NSO and it needs to cancel all contracts with countries whose governments’ abuses of human rights and hacking tools have already been the subject of years of reporting.