NSO Group’s Spyware Operations: A Continuous Cycle of Exposure and Controversy
On Thursday, Amnesty International released a comprehensive report highlighting attempted cyberattacks against two journalists from the Balkan Investigative Reporting Network (BIRN) in Serbia. These attacks were allegedly executed using NSO Group’s Pegasus spyware, raising significant concerns around digital security and privacy for journalists and activists worldwide.
Details of the Cyberattacks
The two journalists received suspicious text messages containing links, which were identified as phishing attempts. According to Amnesty International, its researchers safely clicked on one of these links and found that it led to a domain previously linked to NSO Group’s infrastructure.
Insights from Amnesty International
Donncha Ó Cearbhaill, the head of Amnesty’s Security Lab, emphasized the organization’s extensive monitoring of NSO Group’s spyware usage against activists and journalists. He stated, “This technical research has allowed Amnesty to identify malicious websites used to deliver the Pegasus spyware, including the specific Pegasus domain used in this campaign.”
Expert Opinions on NSO Group’s Invisibility
Security researchers, including Ó Cearbhaill, have become adept at recognizing NSO’s spyware indicators. John Scott-Railton, a senior researcher at The Citizen Lab, noted that NSO Group struggles to maintain operational security, stating, “NSO has a basic problem: they are not as good at hiding as their customers think.”
The Impact of Pegasus Spyware
Evidence supports the claims made by Ó Cearbhaill and Scott-Railton. In 2016, Citizen Lab published the first technical report on a Pegasus attack against a dissident in the United Arab Emirates. Since then, researchers have documented at least 130 individuals globally who have been targeted or hacked using NSO Group’s spyware, according to ongoing research by security expert Runa Sandvik.
The Pegasus Project
The large number of victims can partly be attributed to the Pegasus Project, a collaborative journalistic effort investigating NSO Group’s spyware abuses based on a leaked list of over 50,000 phone numbers allegedly targeted by the company. Numerous victims have also been identified by organizations such as Amnesty, Citizen Lab, and Access Now, which independently verified cases beyond the leaked data.
Response from NSO Group
Despite multiple inquiries, an NSO Group spokesperson did not respond to requests for comment regarding the visibility of Pegasus spyware or potential concerns from their clients. Additionally, Apple has been actively notifying victims of spyware attacks, prompting them to seek assistance from organizations like Access Now, Amnesty, and Citizen Lab.
The Operational Security Dilemma
Ó Cearbhaill pointed out a critical operational security mistake made by NSO Group: “The OPSEC mistake that NSO Group is making here is continuing to sell to countries that are going to keep targeting journalists and end up exposing themselves.” This trend raises serious ethical considerations regarding the sale of surveillance technology to countries known for human rights abuses.
For those seeking more information about NSO Group or other spyware companies, please reach out to Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb.