Officials’ fears centre around how the Pegasus project disclosures will affect other Israeli companies and the future of Israel’s cutting-edge cyberweapons industry. “This is a very significant event … We are trying to understand its full significance”
Israel’s government is reportedly setting up a task force to manage the fallout from Pegasus project revelations about the use of spying tools sold to authoritarian governments by the Israeli surveillance firm NSO Group.
A team including representatives from the defence ministry, ministry of justice, foreign ministry, military intelligence and the Mossad, the national intelligence agency, is poised to conduct an investigation into whether “policy changes” are needed regarding sensitive cyber exports, several Israeli media outlets reported on Tuesday night, quoting unnamed officials.
The reports come as diplomatic pressure mounts on Israel over concerns the government has enabled abuses by repressive states around the world by granting NSO export licences for the spyware.
There are also questions about whether Israeli intelligence agencies have been able to access information gathered by NSO’s clients – which both Israel and the surveillance company strongly deny.
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.