NSO spyware accused of exploiting WhatsApp vulnerability

CEO of Israeli spyware-maker NSO on fighting terror, Khashoggi murder and Saudi Arabia

NSO Group – the controversial Israeli cyber-firm making some of the world's most sophisticated spyware – has been accused of a new hack using WhatsApp. The popular messaging app, a Facebook subsidiary with some 1.5 billion users, discovered in early May that "an advanced cyber actor" had infected an unknown number of smart phones by exploiting a vulnerability in its voice calling feature, according to the Financial Times. Even if the target didn't pick up the call, the malware was able to infect the phone and expose the user's personal information.  WhatsApphas urged all users to update their operating systems and has involved human rights organizations and law enforcement in the investigation.

NSO Group has denied any involvement in the WhatsApp hack. The cyber-surveillance company leases its highly sophisticated malware to intelligence agencies and law enforcement to penetrate the smartphones of criminals and terrorists. But the company has been accused of also providing its technology to autocratic and corrupt regimes trying to crack down on dissidents. In March, 60 Minutes sat down with the cofounder and CEO of NSO Group to discuss the ethics of their work and some of the allegations against them.


Tonight we'll take you inside the growing, shadowy global market of cyber espionage. We looked specifically at a controversial Israeli company called the NSO Group, valued at nearly a billion dollars, that says it developed a hacking tool that can break into just about any smartphone on Earth.

NSO licenses this software, called Pegasus, to intelligence and law enforcement agencies worldwide, so they can infiltrate the encrypted phones and apps of criminals and terrorists. Problem is this same tool can also be deployed by a government to crush dissent. And so it is that Pegasus has been linked to human rights abuses, unethical surveillance, and even to the notoriously brutal murder of the Saudi Arabian critic Jamal Khashoggi.

Headquartered in the Israeli city of Herzliya, NSO Group operates in strict secrecy. But co-founder and CEO, Shalev Hulio, has been forced out of the shadows and not into a good light, accused of selling Pegasus to Saudi Arabia despite its abysmal record on human rights.  

Lesley Stahl: And the word is that you sold Pegasus to them, and then they turned it around to get Khashoggi.

Shalev Hulio: Khashoggi murder is horrible. Really horrible. And therefore, when I first heard there are accusations that our technology been used on Jamal Khashoggi or on his relatives, I started an immediate check about it. And I can tell you very clear, we had nothing to do with this horrible murder.

Shalev Hulio, co-founder and CEO of NSO Group, speaks with correspondent Lesley Stahl

Lesley Stahl: It's been reported that you yourself went to Riyadh in Saudi Arabia, you yourself sold Pegasus to the Saudis for $55 million.

Shalev Hulio: Don't believe newspapers.

Lesley Stahl: Is that a denial? No?

Pegasus is so expensive because it lets authorities do what they long couldn't: break into smart-phones remotely, making everything in them completely visible. All emails, contacts, and texts – new, old, encrypted or not. Pegasus allows detectives and agents to track locations, listen in to and record conversations, basically turning the phone against its user.

In the company's eight-year history, they've never let cameras in, but they wanted to show us they're like any high-tech company, with PlayStations and Pilates. But there was a lot we couldn't show. Notice: no faces. The work is top secret, and some employees are ex-military intelligence and Mossad. Pegasus is such a sensitive spy tool NSO has to get approval before it can be licensed to any client, let alone Saudi Arabia, from the Israeli Defense Ministry, as though it's an arms deal.

Lesley Stahl: Why would the government of Israel want, you know, what seems to be an enemy to have this technology? 

Shalev Hulio: I'm not gonna talk about specific customer.

Lesley Stahl: But can you say that you won't and haven't sold Pegasus to a country that is known to violate human rights and imprison journalists and go after activists?

Shalev Hulio: I only say that we are selling Pegasus in order to prevent crime and terror.

Penetrating an iPhone was an issue in the terrorist attack in San Bernardino, California, in 2015. The FBI said it couldn't get into the shooter's phone and Apple refused to help over privacy concerns, an issue that had come up before.

Shalev Hulio: Intelligence agencies came to us and say, "We do have a problem. With the new smartphones-- we cannot longer get valuable intelligence."

Lesley Stahl: They were encrypted?

Shalev Hulio: Yeah, exactly.

Lesley Stahl: How many lives do you think Pegasus has saved?

Shalev Hulio: Ten of thousands of people.

Lesley Stahl: Really?

Shalev Hulio: Yes.

Hulio referred us to the head of a Western European intelligence agency who, off camera, confirmed that Pegasus is a game-changer in foiling attacks by European Jihadists, as well as shutting down drug and human trafficking rings. But here's the question: how often has Pegasus also been used to go after a government's critics?

Lesley Stahl: If you were in Saudi Arabia, you'd be in jail--

Ghanem Almasarir: Well, I don't think I would be in jail. I don't think anyone would find my body like what Jamal Khashoggi has faced.

Ghanem Almasarir, a Saudi comic, who criticizes Crown Prince Mohammed bin Salman

Ghanem Almasarir is a Saudi comic living in London, who has a popular YouTube satire show that takes aim at Crown Prince Mohammed bin Salman. Last year, as the regime was kidnapping, locking up, and torturing Saudi dissidents, Ghanem says he and other critics abroad got text messages like this fake DHL notice that, if clicked, would download Pegasus onto their phones, so they could be spied on.

Lesley Stahl: And you clicked on it? 

Ghanem Almasarir: Of course. Yeah, "Who's sending me a package?" Now, Pegasus is designed to catch terrorists. So who define the terrorist? Do you think I am a terrorist? Do I look like a terrorist? I don't know what it--

Lesley Stahl: I don't know what a terrorist looks like.

Ghanem Almasarir: But I mean, the problem is the Saudis consider people asking for freedom for speech as terrorist. They consider anybody who is a threat to their regime is a terrorist.

Lesley Stahl: What do you do when your customer has a definition of "terrorist" that isn't our definition? In some countries, the opposition are-- are terrorists?

Shalev Hulio: No such thing. Every customer that we sold has a very clear definition of what terrorism is. And it's basically bad guys doing bad things in order to kill innocent people, in order to change the political agenda. I never met with a customer that told me that oppositions are terrorists.

Lesley Stahl: Well, they're not gonna tell you.

Shalev Hulio: But if they will act like that-- they will not gonna be a customer. There are more than hundred countries-- hundred countries that we will never sell our technologies to.

Ron Deibert: The problem is, there's there are not proper controls around how this technology is being used.

Correspondent Lesley Stahl speaks with Ron Deibert, head of Citzen Lab

Ron Deibert heads Citizen Lab, a human rights watchdog at the University of Toronto where researchers, like computer scientist Bill Marczak, say they figured out a way to detect if a phone has been targeted by Pegasus – which they did in the case of Ghanem Almasarir and other Saudi dissidents.

Ron Deibert: This technology is being used by autocratic dictators who can mount global cyber espionage operations simply by purchasing the technology.

Lesley Stahl: So you are saying that once they sell this technology, once the Israelis sell it, they know how it's being used?

Bill Marczak: Well, the question is, "Do they care to look?"  I think if they cared to look, they would have the opportunity to see how it was being used.

But Shalev Hulio says NSO is unable to see who their clients are targeting. Only after there's an allegation of misuse can NSO demand target-data in order to investigate.

Shalev Hulio: And I can tell you that in the last eight years that the company exist, we only had real three cases of misuse, three cases. Out of thousands of cases of saving lives, three was a misuse, and those people or those organization that misuse the system, they are no longer a customer and they will never be a customer again.

But Citizen Lab says it was able to find many more cases: 25 in Mexico alone, where Pegasus was used to target political rivals, reporters, and civil rights lawyers. They also say they found the Pegasus link on the phone of this human rights activist, Ahmed Mansoor, from the United Arab Emirates.

Tami Shachar: I think that people that are not part of criminal or terrorist activities have nothing to worry about.

Tami Shachar, co-president of NSO Group

Tami Shachar, NSO's co-president, says Pegasus is used with surgical precision.

Tami Shachar: It's not mass surveillance technology. This is really for the Bin Ladens of the world.

Lesley Stahl: But the reason that your company has been criticized and the reason that we're here doing this interview is because countries have used your technology on human rights activists, on journalists. 

Tami Shachar: There are allegations that have been brought. There are reports that were said. And we take every such allegation very seriously. And we look into it. Nothing has been proven.
 
To protect against misuse, she says, NSO has three layers of vetting potential customers: one by the Israeli Defense Ministry; a second by its own business ethics committee; and thirdly -

Tami Shachar: Our contractual agreements have our customers sign, that the only intended use of the system will be against terror and crime.

Lesley Stahl: Oh, they sign? Come on. You have an autocratic government and they say, "Oh, we're not gonna use it except against criminals," and you just believe them? No, come on.

Tami Shachar:  As I said, the contractual agreement comes after two layers and, you know, I would love for you to sit in one of our business ethics committee. We have a tough discussion because imagine a country is facing major terrorist threats. At the same time, they have some corruption issues and you have to sit in that room and weigh what is more important: to help them fight terror? Or maybe there is a chance that it's going to be misused. It's not a black and white answer. It's a tough ethical question.

There are other ethical questions in deploying Pegasus. To hone in on a target, for instance, authorities often infect the phones of innocent people around them, like family members. It's been reported that Mexican authorities used Pegasus to capture drug-lord Joaquin Guzman, better known as El Chapo, by tapping the phones of a few people he talked to while he was on the lam.

Shalev Hulio: I read it in the newspaper, the same as you--

Lesley Stahl: Okay--

Shalev Hulio: --in order to catch El Chapo, for example, they had to intercept a journalist, an actress, and a lawyer. Now by themself, they-- you know, they are not criminals, right?

Lesley Stahl: Right.

Shalev Hulio: But if they are in touch with a drug lord… and in order to catch them, you need to intercept them, that's a decision that intelligence agencies should get. What if you can prevent the 9/11 terror attack? And for that, you had to intercept the son, the 16-years-old son of bin Laden? Would that be legit or not?

Targeting someone's inner circle has become an issue in the Khashoggi case. Omar Abdulaziz, an influential Saudi online critic based in Canada, was texting with Khashoggi up to his death. Now, Abdulaziz is suing NSO, alleging that the Saudis used Pegasus to hack his phone, and thereby spy on Khashoggi. We asked Shalev Hulio if his investigation explored the wider circumference around the slain journalist.  

Shalev Hulio: I can tell you that we've checked, and we have a lot of ways to check. And I can guarantee to you our technology was not used on Jamal Khashoggi or his relatives.

Lesley Stahl: Or the dissidents? Like--

Shalev Hulio: Or the relatives--

Lesley Stahl: --Omar Abdulaziz and--

Shalev Hulio: I'm not going to get into specific I tell you that if we will figure out that somebody is misused the system, we will shut down the system immediately. We have the right to do it, and we have the technology to do it.

Lesley Stahl: It begs the question, did you shut down the Saudis?

Shalev Hulio: I'm not gonna talk about-- customers and I'm not gonna go into specific. We do what we need to do. We help create a safer world.

Produced by Shachar Bar-On. Associate producer, Natalie Jimenez Peel.

f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.