Since then, the firm has been banned and sued in some countries, while other government have garnered shame, scandal and even protest for their use of the tool.
NSO Group’s Pegasus spyware was so nefarious because it was almost undetectable. Without a beep or even a buzz, it’s masters could gain access to almost every aspect of the targets devices, from monitoring daily phone calls and text conversations to remotely activating cameras or microphones for more intimate view into the users lives.
More than 50,000 hacked phone numbers were leaked to a consortium of investigative journalists and investigated by 17 media organizations including OCCRP and several of its partner centers. The numbers included everyone from journalists in Mexico to religious leaders in India and even royal family members in Morocco and the UAE. Among the numbers tapped were those of 15 current and former heads of state.
In response to the Pegasus Project, NSO group, the shadowy firm which designed and operates Pegasus on behalf of its clients, has been blacklisted by the U.S. Department of Commerce, making it illegal for American companies to conduct business with the company.
U.S.-based companies like Amazon Web Services shut down any cloud accounts linked to NSO, while Apple has filed a lawsuit against the firm, holding it responsible for the targeting of Apple’s users and seeking an injunction against NSO continuing to use Apple based products and services.
This month, Apple announced that it is launching a “lockdown mode” that would help protect against Pegasus-like programs.
In the U.K., parliamentarians called for the sanctioning of NSO group as an organization, and for companies which helped deploy the program to be held accountable.
Even in Israel, despite the government, military and Intelligence apparatus long standing relationships with the firm – NSO group deals with government approved clients only – the Knesset established a task force to reexamine the country’s policy on exporting cyber security tools. Israeli products make up 10% of the global cyber security market.
Since the project put an international spotlight on NSO, the Israeli government has scaled back the number of countries they are able to business with, cutting it from 102 to 37.
Morocco, the UAE and Saudi Arabia were all removed from the list. Saudi Arabia used the software to spy on the family of Washington Post journalist Jamal Kashoggi, before he was murdered in the Saudi consulate in Istanbul.
Nations like India, who used the program to surveil local journalists, activists and religious leaders, remained free to do business with.
However, despite the impact of the revelation, one year later the spyware continues to proliferate world wide, largely without impunity. Just this week, it was discovered on the phones of Thai activists who participated in mass protests against the Thai monarchy in 2020 and 2021, Amnesty International reported.
“We can now officially add Thailand to the growing list of countries where people peacefully calling for change, expressing an opinion, or discussing government policies may trigger invasive surveillance with a profound toll on an individual’s freedom of expression, privacy, and sense of security,” Etienne Maynier, a technologist at Amnesty International said. “It is worth remembering that this is only what has been found so far, and the scale of surveillance attempts could be bigger and more damaging.”
On Monday, Indian media reported that Rupesh Kumar Singh, a journalist whose name and number was among those 50,000 in the Pegasus leak, was arrested by Indian authorities in response to his reporting on human rights and marginalized communities.
It has also been reported that the phone of the nephew of Paul Rusesabagina, the Rwandan dissident whose actions during the African country’s genocide in the 1990s were made famous by the film Hotel Rwanda, was also hacked.
As NSO Group defends itself before an EU commission, they have revealed that at least five EU member states have used the program.
