ANALYSIS - Notorious Pegasus spyware continues to be debated

NSO, producer of Pegasus, continues to deny allegations of misuse as global cyberweapons industry expands to frightening proportions

Ersin Cahmutoglu | 28.07.2021

The author is a researcher at the Security Studies department of the Center for Iranian Studies in Ankara (IRAM) with a focus on intelligence in cybersecurity and state-sponsored cyber activities.


The cyberespionage software Pegasus, which dominates the international cyberweapons market, has once again topped the international agenda with shocking claims. The allegations brought to the agenda by 16 different media outlets, including The Guardian, the Washington Post, AFP, CNN, and Reuters, sparked debate about why and by whom the Israeli-made Pegasus is being used on a global scale.

Most of the allegations about the spyware have been floating around for years. Pegasus, which was first detected in technical research reports in 2016, was found in over 50 countries, including Saudi Arabia, the United Arab Emirates (UAE), Morocco, Pakistan, India, Sudan, Mexico, Spain, France, and Hungary, and it was claimed that high-level politicians, journalists, activists, lawyers, and non-governmental organization (NGO) representatives were being followed in these countries. At the time, NSO Group, the Herzliya-based manufacturer of Pegasus, denied all allegations.

It was also claimed that Pegasus had been discovered in Turkey and that certain figures had been targeted. However, the issue gained prominence when it was revealed that Jamal Khashoggi had been tracked with Pegasus prior to his brutal murder in October 2018. Omar Abdulaziz, Khashoggi's close friend, stated several times in 2019 that the Saudi Crown Prince Mohammed bin Salman's administration had targeted both him and Khashoggi. NSO, on the other hand, stated that the allegations were false and that their products had played no role in Khashoggi's death.

The company, which has denied numerous international press reports on the misuse of Pegasus software, continues to deny all allegations. The claims that “50,000 phones worldwide were infected with Pegasus,” compiled by the International Consortium of Investigative Journalists, Forbidden Stories, and Amnesty International and shared with 80 journalists from 16 media outlets, have been refuted by the company in multiple statements. It is also being debated in the international arena whether or not the responses to these allegations are convincing. So, do these claims hold any water? Before we answer that question, we need to discuss the NSO Group and the Pegasus spyware.

Bad reputation

NSO Group, Israel’s best-known cyber espionage and technology company, was founded in 2010 by three Israelis in the city of Herzliya. The eleven-year-old company has made a name for itself around the globe thanks to its flagship product, the Pegasus spyware. Pegasus, on the other hand, has brought notoriety to NSO by causing it to be associated with lawsuits involving various scandals and human rights violations.

NSO was founded by three (former) members of Unit 8200, a unit that plays a key role in the technical intelligence activities of Israel’s Military Intelligence Directorate (AMAN). The company was founded by Niv Carmi, Shalev Hulio, and Omri Lavie, and its name is an acronym for the founders' initials. Niv Carmi later left the team, and NSO was acquired in 2019 by the UK-based investment firm Novalpina Capital, which effectively replaced Niv Carmi. Hulio and Lavie are still serving as senior executives for the company.

NSO, which has received increasing attention since 2016, could be described as Israel's largest cyber technology company in terms of current value. Although it is best known for its cyberespionage products, such as Pegasus, NSO is also working on a “counter-drone” system called Eclipse. In early 2020, the company paid $60 million for Convexum, another Israeli company that develops anti-drone technologies. After this acquisition, NSO created its own product, Eclipse, in just six months.

In addition to Pegasus and Eclipse, the company offers two other products: Pixcell, a wiretapping and technical tracking device, and Landmark, a strategic tool that also serves as a model for military technologies used in Geospatial Intelligence (GEOINT). It is not possible to access any information on these two products (Pixcell and Landmark) except during “private” meetings.

According to the exposed official document, Pegasus, NSO's most famous and (probably) most expensive product, is known to be the company's most strategic product. Pegasus, which is available in 45 countries, was mostly purchased by countries' intelligence services, according to 2021 data. Although the exact value of Pegasus is unknown, figures ranging from $30 to $50 million have been reported in various sources.

Since 2016, when NSO first gained public attention, a number of criminal complaints have been filed against the company on a global scale. The most well-known of these was WhatsApp's lawsuit in 2019. To this day, the company is dealing with dozens of lawsuits filed by various states and companies.

What sets Pegasus apart from the others?

The Pegasus spyware, which could be categorized as a strategic cyber weapon, is only sold to national intelligence services and law enforcement agencies of states, not to individuals or businesses. All sales and other negotiations are conducted directly with NSO experts. These sales must also be approved by the Israeli Ministry of Defense. In other words, Pegasus can only be sold to states that Tel Aviv approves of.

Pegasus, which is said to be in use in 45 countries today, is not being sold to five countries at the request of the Tel Aviv administration: Russia, China, Israel, Iran, and the United States. In fact, Pegasus is said to self-destruct as soon as it enters the borders of these five countries, which is one of its most notable characteristics. This is a strategic feature for a technological product used for intelligence purposes. In addition, NSO has so far rejected requests from a total of 90 countries to buy Pegasus. The interests of the Tel Aviv administration appear to be taken into consideration at this point.

Pegasus infects the target in two ways. The first requires user interaction (clicking, etc.), while the second, known as a “zero-click” exploit, is organized around applications such as WhatsApp. In these two ways, the Pegasus spyware can infiltrate and completely control all known mobile devices in the world (including the most secure). It can not only read messages and access the camera, microphone, and applications, but it can also take complete control of the target device.

According to information from the NSO document exposed years ago, the information obtained by Pegasus from a targeted device could be listed as follows:

  • Phone calls (listens to and records phone calls in real-time)
  • Camera and microphone (collects visual and auditory data from the surroundings in real-time)
  • Text messages (can access and read all messages)
  • Chatting apps (reads conversations in applications like WhatsApp)
  • Emails (reads incoming and outgoing emails and attachments)
  • Location information (tracks location in real-time and records location data)
  • Device properties, settings, and network information
  • Contacts
  • Web browser records (views all web browsers in real-time)
  • Calendar activities
  • File transfers (reads the files that are sent and received).

This indicates that Pegasus is more than just spyware; it is a strategically produced cyberweapon. We should also emphasize that Pegasus has been described by Israeli experts as “military-grade spyware”. In conclusion, the following quote about Pegasus sums it all up: “If your device becomes infected with Pegasus, it no longer belongs to you.”

Pegasus to track 50,000 people?

After discussing NSO and Pegasus, we have arrived at the crux of this analysis. The claim that Pegasus infected 50,000 devices worldwide and was potentially monitoring all of them in real-time was the most shocking issue in the news in recent days, which was simultaneously pushed to the agenda by several media outlets under the title “The Pegasus Project”. These allegations are known to have come from Forbidden Stories and Amnesty International. When the allegations made by Forbidden Stories and Amnesty International based on their technical analyses were later reported by other international media outlets, the international public's attention was suddenly drawn to this issue.

The aforementioned organizations did not reveal how or where the 50,000-phone-number list was obtained. They also did not provide specifics on the type of evidence they had on which they based these claims.

The 50,000-person list, which is said to include dozens of high-ranking state officials such as French President Emmanuel Macron and Pakistani Prime Minister Imran Khan, as well as business people, journalists, activists, and academics, is actually considered as a list of potential targets. Although there was some limited information on the contents of this list, the technical report and documents presented are far from convincing in their current forms.

Shalev Hulio, the CEO and co-founder of NSO, also made a statement denying the allegations. Hulio stated that they received word from a reliable source that a list of 50,000 people had been circulated. He emphasized that they found out that the NSO servers in Cyprus had been hacked and that the list in question was subsequently obtained, but that the investigations produced no findings or evidence that such a list existed in the first place.

We need to expand on something here: NSO is said to have offices in Cyprus and Bulgaria, in addition to Israel. Another Israeli firm, Circles, was a cyber-intelligence company operating in Cyprus. Tal Dilian, the company’s founder, left Unit 8200 after serving as a senior executive and founded Circles.

Dilian, who was the subject of news reports titled “Spy Van” in 2019, was arrested along with three other people after it was discovered that he had been conducting technical intelligence activities in Cyprus through his company. When the company joined NSO, all of its activities were taken over by NSO experts. However, due to the problems the company was facing, NSO laid off all Circles employees last year and shut down the Cyprus office.

NSO’s CEO, Hulio, has repeatedly denied all allegations about the 50,000-person list. “Even if you took NSO’s entire history, you couldn’t reach a target list of 50,000 people at Pegasus since the company was founded,” said Hulio. He went on to say that Pegasus has 45 customers and about 100 targets per customer per year. According to Hulio, NSO does not have a list of all Pegasus targets, because the company cannot know in real-time how its customers are using the system.

In addition to these statements, Hulio also stated: “The people that are not criminals, not the Bin Ladens of the world—there’s nothing to be afraid of.” However, there is also a contradictory sentence in Hulio’s statements: “We have no way to monitor what those governments do... But if those governments misuse the system, we have a way to investigate. We will shut them down...” From these statements, we can understand that NSO ultimately knows who the Pegasus operators (states) are targeting, and could intervene and shut the system down whenever it wants to.

Moreover, Amnesty International (one of the sources that put forward the list of 50,000 people allegedly targeted by Pegasus) also made contradictory statements. Amnesty International’s representative in Israel announced in an official document that they did not associate the list in question with the NSO in any way. According to the representative, they simply retweeted the claim, which was first published on an Israeli news site, and it sparked an extraordinary reaction around the world as a result. The international office of Amnesty International, on the other hand, continues to blame the NSO, while the Israeli office disagrees. Therefore, the question of whether or not NSO really targeted a total of 50,000 people remains a controversial issue due to these confusing statements.

The Turkish figures on the list

Since 2016, technical reports have revealed information about the names that Pegasus is said to have targeted around the world. It is known that dozens of journalists, activists, lawyers, politicians, criminal leaders and terrorists have been tracked so far. Despite claiming that Pegasus was created solely to combat terrorism and international crime, NSO executives have been unable to provide convincing explanations as to why opposition journalists, politicians, and other professional groups are being targeted.

When it comes to the 50,000-person list, we face the same problem. According to reports, none of the names on the list are members of a terrorist or criminal organization. It is said that some Turkish figures are also included in the list, which includes heads of state, politicians, and senior bureaucrats from around the world.

After Jamal Khashoggi was brutally murdered in 2018, it was announced that the phones of his close friend and journalist Omar Abdulaziz, his ex-wife Hanan El-Atr and his fiancée Hatice Cengiz, were targeted with Pegasus. Abdulaziz, who lives in Canada, has confirmed these claims many times. Hulio, on the other hand, denies these and other allegations.

The allegations have also piqued the interest of the Turkish public following the recent announcement of some of the names on the list. The list's well-known names included former Istanbul Chief Public Prosecutor Irfan Fidan (who investigated the Khashoggi murder), Adviser to the AK Party chairman Yasin Aktay, and journalist Turan Kislakci.

The NSO Group is the only authority that knows for certain whether the allegations are true or not. However, the names mentioned may also have information on the subject. In addition, intelligence agencies are also thought to have information on the activities of Pegasus in Turkey.

Where are Pegasus and other spyware headed?

The point reached by the global cyberweapons market is quite alarming. There are significant risks not only to individuals and states but also to businesses and international organizations. States are especially vulnerable because it is unclear for what purpose and by whom these cyber-espionage tools, such as Pegasus, are used.

Such cyberweapons, which could be seen as a matter of national security, could be used by two hostile states against each other. Because of their practicality and speed, states may turn to such "digital spies" for intelligence gathering even during times of peace.

What we have discussed so far may be applicable not only to Pegasus but also to other spyware. This demonstrates the frightening trajectory of the cyberweapons industry. The only actors who could put an end to this frightening trend, on the other hand, are the states themselves.

*Opinions expressed in this article are the author’s own and do not necessarily reflect the editorial policy of Anadolu Agency.

*Translated from Turkish by Can Atalay
