Testimony from NSO Group raises questions about its culpability for spyware abuses
Recently released court documents appear to show that spyware maker NSO Group plays a much deeper role in loading its surveillance tools onto devices than it previously acknowledged, raising questions about how much distance the company has from its customers, their abuses of the spyware and the data they collect from targets.
In a series of sworn depositions, executives at NSO Group explain how clients played only a small role in deploying its powerful Pegasus spyware against 1,400 users of WhatsApp, the messaging platform owned by Meta. A Northern California federal judge overruled NSO Group and ordered the unredacted court filings be published last week in a case that WhatsApp filed against the spyware manufacturer.
The NSO Group has long claimed that the spyware it sells is operated by government clients and not by the company itself, an assertion that is significant because the company has used its alleged distance from the hacking as legal cover whenever Pegasus has been abused by autocratic regimes to spy on and sometimes jail human rights activists, journalists and opposition politicians.
The company also has maintained that it does not know whom its clients are targeting with the spyware.
However, NSO Group executives testifying in the WhatsApp case appear to suggest the company, and not its customers, was responsible for operating Pegasus in those incidents.
“NSO’s customers’ role is minimal,” one WhatsApp filing says, citing evidence gleaned from NSO executives’ depositions. “NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus.”
Customers only need to enter the target device’s number and “press Install, and Pegasus will install the agent on the device remotely without any engagement,” one of the filings says, quoting Josh Shaner, a former employee of Westbridge Technologies, Ltd., a U.S.-based affiliate of NSO Group.
“The rest is done automatically by the system,” Shaner said, according to the filing.
The spyware manufacturer’s CEO also appeared to say that the company controlled how Pegasus functioned in the WhatsApp hacks.
“NSO admits the actual process for installing Pegasus through WhatsApp was ‘a matter for NSO and the system to take care of, not a matter for customers to operate,’” the filing says, quoting Yaron Shohat, who was the company’s chief operating officer at the time of the WhatsApp hacks.
The filing also says that Ramon Eshkar — NSO’s vice president of client executives, who WhatsApp says was responsible for setting up infrastructure and accounts for clients at the time of the hack — testified that the company “secured the WhatsApp accounts used by Pegasus for customer installations … and set up and controlled all the server infrastructure used to implant Pegasus and deliver the exfiltrated data to a customer.”
Gil Lainer, a spokesperson for NSO, said in a statement that the company “stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system.”
“We are confident that these claims, like many others in the past, will be proven wrong in court, and we look forward to the opportunity to do so,” the statement added, referring to WhatsApp’s filing.
What does NSO know about Pegasus targets?
Human rights advocates say the court filings do appear to contradict what NSO Group has said in the past.
“This goes against NSO’s claims that they never operate Pegasus itself and have no knowledge of customers’ operations,” Natalia Krapiva, senior tech legal counsel at the digital rights nonprofit Access Now, said of the filing.
“While we don’t know what NSO knows about the targets of the hacking prior to targeting of their devices … the testimony suggests that because they apparently control every aspect of the data retrieval and delivery process, they may indeed have access to the intelligence gathered from the devices which would reveal the targeted individuals’ identities and the nature of their work,” she added.
NSO’s apparent acknowledgment that it operates Pegasus is significant because it establishes liability and could help more victims win lawsuits against NSO and not just its government clients, Krapiva said.
In September, the company told a court in Thailand that it “does not operate or utilize its products. Instead, our government clients do so under strict contractual agreements.”
“These agreements are designed to ensure that our technology is used solely for legitimate and lawful purposes, such as combating terrorism and serious crime,” the company said in a letter to the court, which is overseeing a lawsuit by a pro-democracy activist there who says his phone was infected with Pegasus. “The focus on NSO Group in this legal context, despite the absence of direct evidence linking our products to the alleged misuse, underscores a significant misunderstanding of our role and responsibilities.” The Thailand case did not involve Pegasus deployments through WhatsApp.
The Citizen Lab, a University of Toronto-based research institute that has documented Pegasus cases around the world, found that the plaintiff in that case, Jatupat Boonpattararaksa, was one of at least 30 Thailand-based activists whose devices were infected with Pegasus between 2020 and 2021.
A Thai court will issue a decision in that case Thursday.
Financing Pegasus
One of the unredacted court filings suggests a U.S.-based private equity firm that owned NSO Group until February 2019 was briefed on the WhatsApp hacks and pushed the company to expand into the U.S. market.
The San Francisco firm, Francisco Partners (FP), has a history of working with surveillance companies, although it announced in August that it had decided to relinquish its ownership stake in Sandvine, which the U.S. government had blacklisted earlier this year. Sandvine was removed from the blacklist last month after working with the government to address concerns.
According to NSO Group’s director of research and development Tamir Gazneli, the Pegasus manufacturer used the private equity firm’s capital to develop the malware vectors responsible for the hacks. He also testified that NSO Group executives briefed FP on its progress in the hacks.
Shohat, now NSO’s CEO, also testified that FP suggested the company create its American affiliate Westbridge for “the purpose . . . [of] penetrat[ing] North America and generat[ing] sales” for NSO’s products.
NSO charged clients up to $6.8 million for a one-year license giving them use of its WhatsApp malware vectors, receiving at least $31 million in revenue in 2019, the WhatsApp court filing says, quoting testimony from a damages expert.
A media contact for FP did not respond to a request for comment.
Daryna Antoniuk contributed to this story.
Editor's Note: Story updated 11 a.m. Eastern to state that Sandvine has been removed from the U.S. government blacklist.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.