Spyware Marketed by Israeli Company NSO Detected in 45 Countries

According to a new report, activity related to the mobile spyware was found in countries including the U.S., U.K., Canada, the UAE, Saudi Arabia, Egypt, Jordan, Lebanon, Israel, and the Palestinian territories

Omer Kabir 13:3118.09.18

Spyware by Israeli cyber surveillance company NSO Group is used in 45 countries, including in Israel, according to a new report published Tuesday by The University of Toronto's Citizen Lab, a digital and human rights research group. 


In comments sent to Calcalist Monday, NSO said it "does not operate in many of the countries listed" by Citizen Lab.


For daily updates, subscribe to our newsletter by clicking here.


The new report is the most extensive to date, detailing the widespread global adoption of NSO’s trojan horse. Dubbed Pegasus, the spyware gives operators access to users’ calls and messages and remote control of the mobile device on which it is installed. NSO develops and sells cyber attack tools that can be used to gather intelligence from mobile phones and other devices to clients including governments and law enforcement agencies.

NSO offices in Israel. Photo: Orel Cohen NSO offices in Israel. Photo: Orel Cohen


In July, Calcalist reported the cancellation of a merger deal between NSO and another Israeli surveillance company, Nasdaq-listed Verint Systems Inc. The deal would have seen Verint pay $1 billion for NSO.


Among the countries where Citizens Lab detected activity by Pegasus operators are the U.S., U.K., Canada, India, Singapore, the Netherlands, Brazil, the UAE, Saudi Arabia, Egypt, Jordan, Lebanon, France, Uganda, Algeria, Uzbekistan, South Africa, Bangladesh, Oman, Togo, Tunisia, Zambia, Morocco, Poland, Qatar, Ruanda, Yemen, Kenya, Switzerland, Bahrain, Israel, and the Palestinian territories.


In its comments, NSO did not specify the countries on the list in which it does not operate.


In a Tuesday comment sent to Calcalist, Bill Marczak, a senior research fellow at Citizen Lab, said that countries listed in the report were the location of specific targets, not implying that "the government of that country is using the spyware."

"That person could be targeted by another government," Marczak noted.


Between August 2016 and August 2018, Citizens Lab discovered 1091 IP addresses and 1014 domain names which the research group was able to match with 36 distinct Pegasus systems, each thought to be run by a different operator. According to the report, 12 operators appear to be focused on Middle Eastern countries, five each on Africa, Asia, and Europe, and four on the Americas, three of whom appear to focus exclusively on Mexico.


In Mexico, Citizens Lab discovered that dozens of lawyers, journalists, and human rights advocates were targeted by NSO’s Pegasus in 2016. Published in 2017, the discovery sparked a political scandal and ensued a criminal investigation. Citizens Lab also tracked an expansion of spyware activity in Gulf countries, with six operators detected which are focused on Bahrain, the UAE, and Saudi Arabia.


In 2016, researchers from Citizen Lab reported that spyware developed and marketed by NSO was used in the UAE to target human rights activist Ahmed Mansoor.


Of the five operators active in Africa, the researchers identified one that appears to be focused on Togo, a West African country with a history of human rights violations.


In NSO’s home turf, Israel, the researchers uncovered four operators working domestically and an additional operator working both in Israel and in the Palestinian territories, Qatar, Turkey, U.S., and the Netherlands.


In May, Citizen Lab sent an open letter to San Francisco-based private-equity firm Francisco Partners Management LLC, which bought a majority stake in NSO in 2014, calling on the firm to address “the serious human rights impacts of the products and services" of its portfolio companies.



In the comments sent to Calcalist, NSO said the company "develops products that are licensed only to legitimate government agencies for the sole purpose of investigating and preventing crime and terror. The company works in full compliance with all applicable laws, including export control laws."


"Our products have saved the lives of thousands of people, prevented suicide terror attacks, helped convict drug cartel lords, facilitated complex crime investigations, and returned kidnapped children to their parents. NSO’s Business Ethics Committee, which includes outside experts from various disciplines, including law and foreign relations, reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use," NSO said in its comments.


The company further said it had sought to meet with CItizen Lab's team but its approaches went unanswered.  


Marczak, on behalf of Citizen Lab, said the research group does not have "any record of them offering to meet with us," prior to the request for comment made by Calcalist.


In December 2017, Citizen Lab revealed that Israeli defense contractor Elbit Systems Ltd. has provided the Ethiopian government with a spyware it used to track journalists and dissidents as part of a cyber campaign targeting advocates of the Oromo ethnic group. According to the report, the Ethiopian government infected the computers of its targets in 20 countries worldwide using a commercial spyware tool called PC Surveillance System (PSS), which is developed by a subsidiary of Elbit called Cyberbit Ltd.

Cancel Send
    To all comments