The Full Story behind the NSO Hack: The Israeli-Military-Allied Surveillance Industry and Transnational Repression

The recent investigation into the NSO Group exposed widespread global targeting of journalists and human rights activists and revealed evidence that their smartphones were hacked using the Pegasus spyware sold by the Israeli firm. The collaborative investigation was conducted by the Pegasus Project—named after NSO’s hacking software—which is a consortium of 17 media organizations in ten countries. The project is coordinated by Paris-based journalism nonprofit Forbidden Stories, with technical support and forensic analysis by Amnesty International’s Security Lab and independent corroboration by University of Toronto’s research project Citizen Lab.

Amnesty International obtained a leaked list of 50,000 phone numbers that may have been targeted by Pegasus spyware since 2014. Through research and interviews, reporters identified more than 1,000 people in more than 50 countries, including 85 human rights activists, 189 journalists, 65 business executives, and more than 600 politicians and government officials from Arab royal family members to cabinet ministers, diplomats, military and security officers, and heads of state and prime ministers. The list of phone numbers is concentrated in at least ten countries that are known for surveilling their citizens and are identified by Citizen Lab as clients of NSO Group, including Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates.

From this list, an analysis of 67 smartphones provided evidence that 37 belonging to journalists, human rights activists, business executives, and two women close to Saudi activists and Washington Post columnist Jamal Khashoggi were targeted or successfully infected by the Pegasus spyware. The tests for the remaining 30 were inconclusive either because phones were replaced or because Android devices do not log the needed information for the investigation. What is remarkable about Pegasus malware is that it is engineered to evade the usual defenses and privacy measures of iPhone and Android devices. Through what are known as zero-click attacks, the spyware can attack a smartphone without any warning, knowledge, or action by the user, gain access to everything on the phone including location, social media posts, messages, emails, photos, recordings, call logs, passwords, and contacts, and even control the camera and microphone.

The Pegasus hacking revelations unveil a growing, transnational, and largely unregulated Israeli surveillance industry that exports offensive cyber products to repressive regimes worldwide.

The NSO hacking revelation, while only one piece of the puzzle, has perhaps been the most prominent due to the scale and scope of the violation as well as the level of individuals targeted by the Pegasus software. These included French President Emmanuel Macron, the presidents of Iraq and South Africa, Qatar’s royal family members, Morocco’s King Mohammed VI, the current prime ministers of Pakistan, Egypt, and Morocco, and seven former prime ministers. Khashoggi’s killing has gained international prominence for its brutal and lawless nature, but it also has shed light on the role of tech firms in transnational repression, as many of his family members and friends were targeted by Pegasus or hacked before and after his assassination. While these revelations by The Pegasus Project are not new and the problem is not unique to the NSO Group, the use of these Israeli offensive cyber programs persists around the world, targeting activists, human rights defenders, opposition figures, and LGBTQ+ individuals.

The Pegasus hacking revelations unveil a growing, transnational, and largely unregulated Israeli surveillance industry that continues to operate secretly and export its products and services to repressive regimes worldwide with no accountability. This problematic industry exposes not only the role of Israeli tech firms in transnational repression and grave human rights violations, but also its ties to the Israeli military state apparatus. It also highlights the absence of effective international and multilateral measures to curb this industry’s growing reach and its authoritarian and illegal cyber operations around the globe. This paper outlines the landscape of this industry, discusses its problematic relations to the Israeli military, explores its role in transnational repression and threats to democracy, and proposes policy recommendations to address its disturbing prevalence.

Transnational Repression Threatens Global Human Rights and Democracy

Transnational repression has become more prevalent in the last few years, with technology playing a major role in facilitating the geographical reach of authoritarian governments across national borders to silence dissent and crack down on human rights activists and critics around the world. Abetted by technological development and offensive cyber capabilities, the scale and scope of transnational repression have been on the rise as it has become a mainstream phenomenon. While transnational repression can take the form of physical attacks like assassinations, which are not new, developments in surveillance technology have exponentially increased governments’ capacities to reach and control people far beyond their borders. Digital transnational repression has become widespread and includes tactics like online harassment and intimidation, social media monitoring, disinformation, surveillance, and espionage.

Khashoggi’s case is a prominent example of how these intelligence surveillance tactics are connected to transnational repression and actual physical harm. 

These forms of digital transnational repression can also be linked to physical attacks and assassinations, as in the case of coercion by proxy where governments monitor activities of exiled critics and physically threaten, attack, or imprison their family members in their home country, which has been shown to silence critics and activists abroad. Khashoggi’s case is a prominent example of these tactics being connected to physical harm. United Nations Special Rapporteur on extrajudicial, summary or arbitrary execution Agnès Callamard discusses evidence in her report connecting Khashoggi’s killing to surveillance of his friend and Saudi activist Omar Abdulaziz, who is a Canadian permanent resident. Abdulaziz’s cellphone was infected with NSO’s Pegasus spyware by Saudi Arabia before Khashoggi was killed and dismembered at the Saudi Embassy in Istanbul. The spyware allowed Saudi Arabia to intercept WhatsApp communications between Abdulaziz and Khashoggi as they were discussing human rights in Saudi Arabia and criticizing the policies of Crown Prince Mohammed bin Salman. The phone of Khashoggi’s wife Hanan al-Atar was also pasted into the Pegasus software months before his murder, while his fiancée Hatice Cengiz and his friends’ phones were targeted days after his death and his son Abdullah’s device weeks after the murder.

But Jamal Khashoggi is not the first journalist killed by his government following digital surveillance. For example, NSO also sold its Pegasus software to Mexico, where journalist Cecilio Pineda was assassinated weeks after his phone was entered as a target. The United Arab Emirates (UAE), also a client of NSO, has used the Pegasus spyware to target activists including internationally-recognized human rights defender Ahmed Mansoor, whose phone was hacked in 2016. He was arrested in the UAE in 2018 and is currently serving a 10-year sentence for his criticism of government policies, reportedly in an isolation cell deprived of basic necessities and rights. Emirati human rights activist Alaa Siddiqi’s phone was also found on the list. She escaped the UAE and was granted asylum in the United Kingdom in 2018, before becoming the executive director of the London-based human rights group ALQST. Siddiqi died in a car crash in June 2021, but activists are calling on UK authorities to conduct an investigation to rule out targeted killing as her life was under threat.

The large-scale Israeli state-sanctioned sales of offensive surveillance programs to totalitarian governments have institutionalized the practice of digital transnational repression.

Another problematic aspect of this surveillance industry is in helping patriarchal regimes further infringe on women’s rights and freedoms. For example, these technologies were used to target Emirati Princess Latifa, daughter of Dubai Ruler and Emirati Prime Minister Mohammed bin Rashid al Maktoum, as well as one of his wives, Princess Haya, half-sister of Jordanian King Abdullah II. The phone numbers of Princess Latifa, Princess Haya, and those belonging to their friends and associates were found in the database of potential targets by Pegasus spyware. Princess Latifa attempted to escape her father’s abuse in 2018 on a yacht but was captured by UAE commandos off the coast of India. The spyware is believed to have led them to her location. Princess Haya escaped to Britain in 2019; her phone and the phones of her half-sister, assistant, horse trainer, and legal and security teams were targeted by Pegasus after she left the UAE. Women are also being targeted by spyware and threatened with sexual exploitation, extortion, and blackmail. The phones of prominent Arab female journalists critical of Saudi Arabia and the UAE, such as Ola Fares and Ghada Oweis, were also hacked by the two countries using NSO’s spyware services. Moreover, the Saudi government used hacked private photographs of the women and orchestrated an organized Twitter campaign of sexual harassment, misogyny, and smear attacks against them.

This alarming asymmetrical warfare granting wealthy governments and elites more power against innocent citizens presents a threat to human rights and the pillars of democracy worldwide.

The killings, arrests, and threats underscore the reach and deadly impact of transnational surveillance and digital intimidation techniques. The large-scale Israeli state-sanctioned sales of offensive surveillance programs to totalitarian governments have institutionalized the practice of digital transnational repression by numerous governments targeting millions of people around the world. The revelations of The Pegasus Project confirm the scale of this international industry, allowing regimes to employ aggressive tactics in targeting their rivals, both citizens and foreigners inside and outside their national borders, violating their basic human rights and in many cases leading to physical harm, murder, abduction, arrests, and harassment. This trend presents an alarming asymmetrical warfare granting wealthy governments and elites even more power against innocent citizens, opposition figures, activists, and human rights defenders. Not only is this unlawful targeting violating the rights and threatening the security and lives of these individuals and Human Rights Defenders (HRDs), but it is also contributing to a growing global crisis of democracy and human rights. Cyber tools are deployed against the pillars of democracy such as the right to privacy, freedom of expression and the press, and the presumption of innocence and due process. Ending digital transnational repression and confronting the secretive and unregulated cyber-surveillance industry requires a collective global effort of instituting accountability, transparency, and multilateral oversight.

More than NSO: The Israeli Cyber-Surveillance Industry

The media outrage involving the NSO Group and its Pegasus spyware misses the broader picture of an Israeli offensive surveillance industry encompassing hundreds, possibly thousands, of cyber companies. Several Israeli surveillance firms have been the subject of research by centers like Citizen Lab, Amnesty International’s Security Lab, and Privacy International and the Haaretz newspaper. While the NSO Group has been engulfed in scrutiny and lawsuits over the last few years, many others continue to operate in secret while some received their fair share of scandal.

The Israeli firm Black Cube drew international attention for allegedly working for the Trump Administration to discredit Obama Administration officials who helped negotiate the Iran nuclear deal, and for gathering information on behalf of client Harvey Weinstein about the women who had been sexually assaulted by him. Another company, Psy-Group, conducted social media influence and manipulation campaigns, elaborate false identities to manipulate targets, smear operations, honey traps, and secretive HUMINT (human intelligence) activities in the United States, including Project Butterfly to spy on and embarrass and intimidate Palestinian rights activists. The company shut down in 2018 following its implication in the Mueller investigation into Russian election interference for pitching psychological operations (hence the name Psy-Group) and social media manipulation campaigns to the Trump team in 2016 in order to influence election results.

A secretive Israeli company, Quadream, operates a spyware technology called Reign, which like Pegasus has zero-click capabilities to infect smartphones and gain access to all data and documents stored on the phone as well as control over the camera and microphone. However, unlike Pegasus, which maintains the ability to destroy the spyware if it is being abused, Reign cannot be remotely turned off. This additional feature may be the reason why the Saudi regime has been working with Quadream since 2019, in addition to its deals with the NSO Group. Archimedes Group operates political campaigns on social media and was caught using fake accounts and spreading disinformation in order to influence and disrupt elections in various countries in sub-Saharan Africa, Southeast Asia, and Latin America. An investigation by Facebook revealed that Archimedes spent some $800,000 on fake ads between 2012 and 2019.

The Israeli company Verint Systems sold software to Azerbaijan and Indonesia that was used to track and arrest LGBTQ+ individuals and activists and religious minorities. Verint products were also sold to Bahrain and used for surveillance and collecting information from social media sites, and to South Sudan, Peru, and Colombia where they “were used for eavesdropping on regime opponents.” Cellebrite offers services to retrieve data deleted from devices and was used in Belarus, Hong Kong, and Russia to target pro-democracy activists including Russian opposition leader Alexey Navalny. Even US schools are using Cellebrite software to unlock student phones. An NSO sister company, Circles Technologies, sold services to UAE’s Supreme Council for National Security which kept tabs on and intercepted conversations of members of the Qatari royal family, the editor of the Qatari Al Arab newspaper, and other Qatari citizens. Circles also sold capabilities to Nigerian governors ahead of the 2015 elections to monitor rivals and their family members and to arrest regime critics. Elbit Systems, Israel’s largest military company known for manufacturing weapons and technologies used in attacks against Palestinian civilians, supplied the Nigerian government with espionage programs while Cyberbit, formerly part of Nice Systems and acquired by Elbit Systems, sold spyware to Ethiopia and was used against dissidents in the United States and Britain. Candiru, which is another secretive Israel-based company that sells spyware exclusively to governments, sold remote spying software to Saudi Arabia, Hungary, and Indonesia, among others. It’s not only the Israeli companies that are involved in these digital transnational repression operations, but veterans of the Israeli Unit 8200 that focuses on military intelligence operations are also moving on to other surveillance companies around the world, employing and spreading their repressive military skills. For example, Abu Dhabi intelligence firm DarkMatter is known for recruiting Unit 8200 graduates and offering them high salaries and beachfront accommodations in Cyprus.

This intricate web of hundreds of Israeli military-grade surveillance companies represents a worrying trend of Israeli firms that are closely connected to Israeli military intelligence units.

The examples are numerous and too many to list. These firms are knowingly involved in selling offensive military-grade cyber surveillance systems and weapons to non-democratic and oppressive regimes around the world for use against innocent citizens, critics, and activists. This intricate web of Israeli military-grade surveillance companies represents a worrying growing trend of Israeli intelligence firms that are self-described as “private Mossads” but are essentially connected to the Israeli military intelligence units and often intersect on many levels and work closely together.

Mossad for Hire: Industry Ties to the Israeli State Military Apparatus

Israeli spyware companies like Archimedes, Black Cube, Candiru, Carbyne, Cellebrite, Cyberbit, Elbit Systems, NSO Group, Psy-Group, Quadream, Toka, Verint, White Knight, Wikistrat, among many others, have been selling surveillance technologies around the world for years. What these companies have in common is that they are trained by the Israeli military and sanctioned by the Israeli state. The majority of their founders and personnel are graduates of Unit 8200, an intelligence unit of the Military Intelligence Directorate of the Israeli Defense Forces (IDF), sometimes referred to as the Central Collection Unit of the Intelligence Corps or the Israeli SIGINT (signal intelligence) National Unit (ISNU). According to a study cited by Haaretz in 2018, 80 percent of the 2,300 people who founded the 700 Israeli cybersecurity companies at the time came from IDF intelligence units.

Unit 8200 is known for its widespread surveillance of Palestinians by using the most sophisticated technologies as methods of social control to infiltrate and control every aspect of Palestinian life.

Unit 8200 is known for its widespread surveillance of Palestinians by using the most sophisticated technologies, not for purposes related to terrorism or Israel’s security, but as methods of social control to infiltrate and control every aspect of Palestinian life. Through intercepting phone calls on landlines and smartphones, reading text messages and emails, and drone-watching their target’s everyday activities, Unit 8200 agents collect damaging information on innocent Palestinians such as sexual preference, marital discord, infidelities, financial troubles, or family illnesses to be used for extortion and blackmail and to recruit collaborators. In a public letter in 2014, 43 serving and former Unit 8200 reservists proclaimed their refusal to serve in operations involving the Occupied Palestinian Territories because of the widespread surveillance of innocent Palestinians, detailing the coercive spying tactics employed by Unit 8200 for “political persecution” and creating social divisions. The modus operandi of Unit 8200 is that of repressive regimes with no rules, limits, or ethical standards governing the targeting of Palestinians. These notorious operations bear a very familiar resemblance to the products and services that the Israeli surveillance companies sell to authoritarian regimes worldwide and the ruthless transnational repression tactics employed against human rights defenders, lawyers, political opposition figures, and activists.

What these companies have in common is that they are trained by the Israeli military and sanctioned by the Israeli state; the majority of founders and personnel are graduates of the notorious Unit 8200.

These private companies are marketed as prestigious intelligence firms due to their close ties to the Israeli military and their training by Unit 8200. The influence of the unit is very pervasive in the Israeli tech industry as well as in the multinational companies that are tied to them and have hired the unit’s alumni. Some reports indicate that a Netanyahu policy after he returned to office in 2009 led to the merging of military intelligence operations into the private Israeli tech industry as well as large multinational corporations in the United States and elsewhere, in addition to exporting Unit 8200 alumni who maintain consistent ties with the military and continue Israeli military objectives after leaving the service into the global high tech industry. For example, they hold executive positions at companies like Microsoft, Google, and Facebook. This policy was designed to combat the Boycott, Divestment, and Sanctions (BDS) movement’s effort through ensuring Israel’s cyber dominance and influence in the global tech industry but possibly also Israel’s access to data. Camouflaged as private sector enterprises, these Israeli military-grade services, essentially developed to subjugate Palestinians, are now being weaponized by the Israeli government and exported to both authoritarian regimes and democratic nations throughout the world.

The fact that these companies are implementing Israeli government policy and their exports are governed by Israeli licensing agreements makes Israel complicit in the hacking and surveillance of civil society activists around the world.

Not only does the Israeli spyware industry have deep ties with the Israeli military intelligence structure, but the Defense Exports Control Agency (DECA), a unit in the Israeli Defense Ministry, approves these exports. The fact that these companies are implementing Israeli government policy and their exports are governed by Israeli licensing agreements makes Israel involved and even complicit in the hacking and surveillance of civil society activists around the world, especially when these companies and Israel continue to approve sales to those countries despite knowledge and years of repeated warnings of violations by human rights organizations. Furthermore, the State of Israel has every interest and motivation to protect these companies from legal action and accountability. In 2016, Israel had the highest per capita ratio of surveillance companies in the world, accounting for 10-20 percent of the global market and 20 percent of the total startup investment in the industry worldwide. By 2018, the Israeli cyber industry’s collective sales reached $1 billion annually. The Israeli Supreme Court Chief Justice Esther Hayut was quoted in 2016 in response to a court request in Israel to suspend NSO’s export permit as saying: “Our economy, as it happens, rests not a little on that export.”

Israel uses these seemingly private cyberweapon sales as political leverage and works proactively to ensure deals in exchange for political favors.

Additionally, and perhaps most importantly, Israel uses these seemingly private cyberweapon sales as political leverage. While the Israeli Ministry of Defense does not disclose information about export licenses which are considered state secrets, these sales are believed to be military agreements between governments. An analysis by Haaretz details the correlations between the countries on NSO’s client list and development of diplomatic ties between Israel and these governments. Then-Israeli Prime Minister Benjamin Netanyahu visited India, Hungary, Azerbaijan, Mexico, and Rwanda during the same periods the phone numbers in those countries started appearing on the NSO list. Defense companies accompanied Israeli officials on a diplomatic visit to Morocco, a semi-secret visit by Netanyahu to Saudi Arabia, and the signing of the Abraham Accords with Bahrain and the UAE. All these countries are clients of NSO and hold strategic geopolitical interest for Israel. Reports show that the Israeli government was directly involved in these sales and works proactively to ensure deals in exchange for political favors. For example, the Israeli government intervened in 2019 to push NSO to resume sales to Saudi Arabia after suspension in 2018 following the Khashoggi murder and despite the potential role played by NSO’s spyware. Netanyahu even said at a press conference in Hungary in 2017 “Markets dictate what works, I don’t dictate … the only place I have actually intervened … is cybersecurity.” In response to the investigation by the Pegasus Project, the Defense Ministry confirmed this view by saying that it takes “national security and strategic considerations” into account when considering military and intelligence exports, in accordance with its 2007 Defense Export Control Act.

As such, these exports of Israeli cyber intelligence products and services are used to locate and detain human rights activists, persecute members of the LGBTQ+ community, and silence government critics with complicity of the Israeli state. What is even more alarming is the likely possibility that the Israeli government has access to all the information being collected by these surveillance products, which is extremely harrowing and calls for further investigation.

The Need for Accountability, Transparency, and Oversight  

While some of these companies, especially NSO, have been the target of several lawsuits in Israel and elsewhere (for example by Omar Abdulaziz, Facebook and other tech giants like Microsoft and Google, Amnesty International, Mexican activists and a Qatari citizen, and Israeli anti-weapons activists), they continue to operate freely and sell their products to non-democratic regimes everywhere. As these companies are licensed by Israel, its government thus bears the responsibility to protect the victims of their surveillance technologies—in fact, Israel announced it will set up an inter-ministerial team and review its export policies following The Pegasus Project revelations. However, this industry seems to be a front for the Israeli military intelligence global agenda and Israel has no motivation to regulate it whether for political, economic, or strategic reasons. The Israeli justice system has repeatedly protected these companies from accountability and even moved to block further petitions on the issue. Moreover, the corporate structures of these companies are described as “maze-like”; they have offshoots and operations offices registered in multiple countries. The mounting evidence points to an ecosystem of Israeli corporations that operate in a tangled web of private companies, government agencies, and NGOs set up in multiple countries, which allows them to evade accountability and enjoy the protections of state actors in beneficiary countries in a largely unregulated international marketplace. It is, therefore, clear that serious and international oversight is required of this dangerous global spyware industry that enables human rights violations and threatens democratic principles around the world.

This industry seems to be a front for the Israeli military intelligence global agenda and Israel has no motivation to regulate it whether for political, economic, or strategic reasons.

This is not to say that states and companies should not be required to adopt public mechanisms and safeguards to protect against unlawful surveillance of innocent citizens in accordance with international human rights law. Indeed, governments should institute and implement transparent requirements for the use of spyware that are consistent with human rights principles and international law, and sign and comply with relevant international frameworks and treaties governing this domain. Similarly, businesses must be required to adhere to international law and provide transparency and regular reporting for their surveillance products, services, and sales. The UN Guiding Principles on Business and Human Rights, for example, is an available framework but is non-binding and does not necessitate independent review or scrutiny. As the industry is not capable of policing itself and governments misuse these technologies under the pretext of security and counterterrorism, there is a pressing need for international regulations to govern this industry’s operations and practices.

As the industry is not capable of policing itself and governments have no motivation to do so, only a multilateral multi-stakeholder effort can rein in the Israeli cyber-surveillance industry.

The first step would be to heed calls by organizations like Amnesty International and Reporters without Borders for an immediate global moratorium on this industry’s sales and use of surveillance technology until international regulatory measures that are human rights-compliant are in place. At the same time, countries, spyware firms, and investors involved in human rights abuses through cyber surveillance must be held accountable, including through targeted sanctions by democratic nations and multilateral bodies to raise the cost of repression for authoritarian regimes as well as universal due processes that punish extraterritorial abuses and cybercrimes and allow victims to sue governments and companies involved in their abuse beyond the limitations of domestic law. But these measures are only temporary and on a case-by-case basis. There is a need for international regulatory frameworks that institute oversight and transparency and put an end to the surveillance of journalists, HRDs, and civil society activists. For one, the secrecy surrounding this arms industry is very problematic, and governments need to agree on an international mechanism that requires full transparency on products, licenses, export criteria, sales, and uses of cyber surveillance products and enables public review and human rights assessment. The international community should also collaborate to reach a global code of conduct to restrict the use of spyware in human rights abuses and transnational repression. As such, only a multilateral multi-stakeholder effort involving mechanisms at corporate, state, regional, and international levels can rein in the dangerous impact of Israeli intelligence firms and the cyber-surveillance industry at large.

Tamara Kharroub

is the Assistant Executive Director and Senior Fellow at Arab Center Washington DC.

* Photo credit: Pexels/NikAff