NSO CEO exclusively responds to allegations: "The list of 50,000 phone numbers has nothing to do with us"

“I'll give you a simple statement: Journalists, human rights activists, and civil organizations are all off-limits,” said Shalev Hulio

Omer Kabir and Hagar Ravet, 10:20, 20.07.21
The revelations published on Sunday following an investigation by 17 media organizations showed once more the problematic ways in which governments are using the Pegasus spyware developed by Israeli offensive cybersecurity company NSO. They also once more raised ethical and legal questions regarding the use of NSO's software.


At the center of the investigation, reported by 17 media partners led by the Paris-based journalism nonprofit Forbidden Stories, is a list of 50,000 phone numbers that were allegedly under the surveillance of governments and organizations across the world through Pegasus. The list includes the phone numbers of journalists, senior politicians, and businesspeople.


However, the list at the center of the investigation raises many questions for anyone who is familiar with NSO's activity. First, the source of the list wasn't clarified in any of the reports on the topic. The Guardian, for example, claimed that "the leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016."
NSO founder and CEO Shalev Hulio. Photo: Orel Cohen and Avital Peleg


Nowhere was it explained what the source of the list was and why it was attributed to NSO, a basic detail that should have been disclosed to readers (for example, was it received from a reliable source that can't be identified?). In fact, The Washington Post wrote yesterday that the purpose of the list can't be determined with certainty.


This isn't the first time the problematic use of NSO's powerful software has been exposed. The first investigation was done by the University of Toronto's Citizen Lab Research Institute, and Calcalist, which was the first to reveal the company's activity, has also dealt many times with the inappropriate use of Pegasus. However, the investigation published on Sunday, largely due to its massive magnitude and publication in the world's leading media organizations, generated especially severe responses.


Perhaps due to the magnitude of the media interest in the investigation, NSO executives chose to break the secrecy that usually surrounds their company and answer questions directly. In an interview with Calcalist, NSO chief executive Shalev Hulio denied his software was being used for malicious activity. At the heart of his claims is the list of 50,000 phone numbers on which the investigation is based, and which it is claimed are potential NSO targets. The source of the list wasn't revealed, and according to Hulio, it reached him a month prior to the publication of the investigation, and from a completely different source.


"Around one month ago we received the first approach from an information broker," Hulio told Calcalist. "He said that there is a list circulating in the market and that whoever holds it is saying that the NSO servers in Cyprus were hacked and that there is a list of targets there and that we should be careful. We looked into it. We don't have servers in Cyprus and don't have these types of lists, and the number doesn't make sense in any way so it has nothing to do with us. He insisted that it does. We were later approached by two different clients who said that brokers have come to them claiming that they have a list related to NSO. We eventually received some screenshots of the list the brokers managed to get a hold of and based on that we understood that this doesn't look like the Pegasus system, certainly on the server, and that this is an engineered list unrelated to us. We looked over it with the clients and it slowly became clear to us that it is an HLR Lookup server and has nothing to do with NSO. We understood that this was a joke."


HLR is a network of sorts that connects every cellular device in the world and allows providers to receive basic information on the devices, for example, whether they were connected to a network, who the provider was, and in what country they're located. According to a data security expert who previously worked in the engineering department of one of Israel's cellular providers, "if you look on Google you will find many sources selling access to this network for virtually nothing."


"This is an attempt to build something based on a crazy lack of information," said Hulio. "They say that the list was leaked, but where was it leaked from? Don't tell me who leaked it, but where did it leak from? Who does it belong to? Who held it? Why don't we have this information? This is the absurdity here."


According to Hulio, "the average for our clients is 100 targets a year. If you take NSO's entire history, you won't reach 50,000 Pegasus targets since the company was founded. Pegasus has 45 clients, with around 100 targets per client a year. In addition, this list includes countries that aren't even our clients and NSO doesn't even have any list that includes all Pegasus targets - simply because the company itself doesn't know in real-time how its clients are using the system."


But even if there is no evidence that the list is connected directly or exclusively to NSO and Pegasus, this is still not a completely random list of numbers. The editors of the investigation analyzed 67 of the phones on the list and according to forensic analysis by Amnesty International’s security lab, on 37 of them there were traces of Pegasus or of attempts to install the software. In addition, there were several instances in which there was a correlation between the time in which the phone number was entered into the HLR Lookup system and the start of Pegasus' activity on the device. The list shows, perhaps, how intelligence and different law enforcement organizations searched the HLR system, and possibly how they conducted these searches, before penetrating the phone of the Pegasus victim.


"We weren't sent a list of all these 37 numbers that were supposedly attacked by Pegasus. They only sent us some of them, and of that list, none are numbers connected to Pegasus," claims Hulio.


They found evidence of traces of Pegasus.


"The claim that they found something forensic is incorrect. Furthermore, they gave specific statements regarding the editor of the FT, claiming that she was also a target. We checked and she was never a target of any client. Regarding the wife of Saudi journalist Jamal Khashoggi, they said that they found forensic evidence on her phone. We checked and she was not a target."


You say that she was not a target, but we have no way to verify that. All we have is your word.


"What do you mean you have my word? They claim that 'there is a list of targets. We checked several phones and found traces of Pegasus'. Where are they saying they found these traces of Pegasus? On the phone of the wife of Jamal Khashoggi. Excellent, I'm telling you that this is not true. There are no traces of Pegasus on her phone because she was not a target."


You have 45 Pegasus clients across the world. It's not that you can run a query on the central system and receive an answer within minutes. Did you check with each of the 45 clients if she was a target?


"We checked. This has been ongoing for a week. During this week we managed to complete many checks because we received some of the numbers. That is the absurdity of it all. And yes, we checked the numbers we were given with every client, including past clients which we requested permission to search their systems."


So the evidence from Amnesty is fabricated?


"There is something fundamentally wrong with this investigation. Perhaps she was the target of something else and appears in HLR searches. But what has that got to do with NSO?"


Amnesty explained its methodology and verified it with independent investigators from Citizen Lab. From the NSO side, all we have is your word. You don't present any document, for example, a report on the analysis you conducted.


"It will always be my word against the evidence and their words. How can you prove something that didn't happen? You want us to take you to the clients to conduct a search so that you can search the number yourself and see that this never happened?"


No, but I assume that there is an internal report which sums up your examination.


"There is a chart that shows what we checked and what we didn't check. This was a technological review. The client needs to cooperate and allow us to conduct a search. But in this search, the client can't lie because this is an analysis that we conduct in his systems. We checked all the numbers that we were sent and we will look into every number we receive. So far all the numbers that we were given had nothing to do with Pegasus in any way."


Can you promise that journalists aren't being tracked by regimes with Pegasus?


"I'll give you a simple statement: Journalists, human rights activists, and civil organizations are all off-limits. A client that will target a journalist or human rights activist is, from that moment on, no longer our client. Why? Because that is not the goal of the system. We have disconnected systems in the past and you know that. We will do anything in order to prevent the misuse of the systems. We are being blamed for so many things, and we will certainly continue to be blamed throughout the rest of the week. But the foundation on which this investigation is based is a list which no one knows is actually true. This investigation is based on a list that has nothing to do with NSO."


Let's leave the list aside. They managed to find phones with traces of Pegasus on them, so maybe you are everywhere.


"Out of 50,000 numbers they succeeded in verifying that 37 people were targets. Even if we go with that figure, which is severe in itself if it were true, we are saying that out of 50,000 numbers, which were examined by 80 journalists from 17 media organizations around the world, they found that 37 are truly Pegasus, so something is clearly wrong with this list. I'm willing to give you a random list of 50,000 numbers and it will probably also include Pegasus targets."


That isn't accurate. Out of the 50,000 numbers they physically checked only 67 phones and in 37 of them, they found traces of Pegasus. It isn't 37 out of 50,000. And there were 12 journalists among them. That is 12 too many.


"Undoubtedly. We changed our human rights policy in 2020 and entered the UN's standard. This is data from 2017 and 2018 and we have since disconnected five systems. We will check everything, and if there is an existing client that is targeting a journalist he will no longer be a client."


Last Thursday we published in Calcalist an investigation on Candiru, which seems to have practices similar to yours. Is this the legacy you have left for the Israeli cybersecurity industry?


"Our legacy is opposite to this. I believe that we are learning and improving all the time. When we founded the company in 2010 no one was thinking in this direction. I'm always learning and improving, learning how to place security mechanisms, how to prevent misuse, how to investigate, and how to select clients with which the chance of them misusing the system is limited. That is why the majority of the 45 countries with which we work are in Europe. There are 90 countries with which we chose not to work. There are companies that base their entire business model on selling to countries which NSO has disconnected or doesn't sell to because they know it will be easier for them to sell there. They don't even compete with us in the countries in which we operate because we are setting the standard."


Standard? This isn't the first time the problematic use of your systems has been exposed.


"Perhaps there were some not-so-good cases in the past and we are correcting them. We take the issue of human rights and journalists very seriously. We are selling systems to prevent crime and terror, and ultimately what alternative do law enforcement, intelligence and police have when acting against pedophiles? They say this isn't good and that these tools should not be used. But hold on, the question is what's the alternative? Is there an alternative without catching intelligence in real-time from phones in a world of end-to-end encryption?"