The company had previously stated it cannot target Israeli numbers - a new report by Calcalist demonstrates otherwise

Protest outside NSO Groups offices in Herzliya, Israel, July 2021. REUTERS/Nir Elias

Over the past few years, sporadic research regarding NSO Group’s activities has been published, managing to grab headlines here and there. Following the publication of the Pegasus Project in July 2021 the floodgates have opened.

Now, hardly a week goes by without new information regarding the Israeli cyber-espionage company’s alleged involvement in worldwide hacking attempts – from Saudi Arabia to the Palestinian territories, Mexico to France.

NSO Group has tarnished Israel’s image as the start-up nation, the Silicon Valley of the Middle East. Yet, Israelis generally assumed they were safe, immune from the company’s far-reaching Pegasus Spyware.

After all, in April 2019, then co-president of NSO Group, Tami Mazel Shachar, asserted at a Calcalist conference that “we are banned from using American and Israeli numbers. This was our decision as an Israeli company with American owners.” (until two months prior, the company was owned by Francisco Partners)

And now…

A new report by leading Israeli economic news website Calcalist reveals that the Israeli police used Pegasus to remotely hack phones of Israeli citizens and extract information from them.

Targets included leaders of political protests and movements against former Prime Minister Benjamin Netanyahu and former government employees. Police also used it for intelligence phishing and other surveillance purposes.

Calcalist learned that the hacking wasn’t done under court supervision, and police didn’t request a search or bugging warrant to conduct the surveillance,” writer correspondent Tomer Ganon, who also mentions that there was no supervision on the data collected or how it has been used by police or distributed to other investigative agencies.

While the report also mentions that the spyware was useful in solving crimes (such as locate murder suspects), it emphasizes the fact that it was employed without any legal approval. Calcalist does not provide any details regarding how it obtained the information.

Pegasus said in response that it “sells its products under license and supervision to be used by national security and law enforcement agencies to prevent crime and terror in a legal manner.” The Israeli police said that the claims are untrue, and that they act “according to the authority granted by law”, adding that they do not intend “to comment on the tools they use.”

Israel’s Minister of Public Security, Omer Ba Lev, quickly tweeted that “following an inquiry, there is no practice of wiretapping or device hacking by the Israeli police without a judge’s approval”, adding that at the same time, he intends to take a closer look into the matter.”

“If the police used NSO’s technologies to track Israeli citizens without supervision or regulation – this is an earthquake,” tweeted the Israel Internet Association.

“If any illegal wiretapping was done against the democratic protest activists – this is a practice of the worst, darkest regimes,” Crime Minister, one of the leading movements which protested to oust Netanyahu from the PM office last year, wrote on their Facebook page, calling for an immediate investigation into the claims.

New reports find Pegasus traces in El Salvador, Bahrain and Jordan

Last week, Toronto University’s Citizen Lab published another report on NSO Group, following an investigation with various partners, in which they state that at least 35 journalists and members of civil society in El Salvador had their phones successfully infected with the Pegasus spyware between July 2020 and November 2021. The report mentions all 35 names and provides insight as to how the information was obtained.

Meanwhile in Poland a senate commission opened an investigation into the alleged use of Pegasus against government critics. The Associated Press reports that John Scott-Railton and Bill Marczak, senior researchers at Citizen Lab (which investigated this story together with AP) discussed their finding with the commission, at one point comparing targeting of opposition figures under the right-wing government to methods the Kremlin has used against its critics.

And lastly (for this moment in time), a new report by Frontline Defenders titled “Unsafe anywhere” reveals that that phones of two female human rights activists from Bahrain and Jordan were also hacked using Pegasus on separate incidents in 2019 and 2021.

“The impact of surveillance on women is particularly egregious and traumatizing given how governments have weaponized personal information extracted through spyware to intimidate, harass, and publicly smear the targets’ reputations,” says the report.

“As a result, women targets of surveillance live in a perpetual state of fear, become socially isolated and restricted in their social lives, work, and activism.”

The report also calls on all states to place an immediate moratorium on the use and sale of surveillance technologies manufactured by private firms until “adequate human rights safeguards and regulation is in place”, and to hold surveillance companies accountable.

**

Update: Following yesterday's publication in Calcalist, Israel's Attorney General Avichai Mandelblit sent an official letter to the Chief of Police, Yaakov Shabtai, requesting clarifications regarding the matter at hand.