[BreachExchange] FBI acknowledges it tested NSO Group’s spyware

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Feb 3 09:38:52 EST 2022


https://www.msn.com/en-us/news/us/fbi-acknowledges-it-tested-nso-group-s-spyware/ar-AATpw9B

The FBI tested Pegasus spyware made by the Israeli company NSO Group for
possible use in criminal investigations, even as the FBI and Justice
Department were investigating whether the NSO software had been used to
illegally hack phones in the United States, people familiar with the events
have told The Washington Post.

Justice Department lawyers at the time discussed that if the FBI were
actually to deploy the tool, it could complicate any subsequent prosecution
if the department brought charges, according to the people, who spoke on
the condition of anonymity because of the matter’s sensitivity.

In a statement to The Post, the FBI confirmed that it had tested the
spyware but stressed it had not been used “in support of any investigation.”

The FBI statement is the first official confirmation that a U.S. law
enforcement agency has tested NSO spyware. The development was first
reported by the New York Times.

“The FBI works diligently to stay abreast of emerging technologies and
tradecraft — not just to explore a potential legal use but also to combat
crime and to protect both the American people and our civil liberties,” the
statement said. “That means we routinely identify, evaluate, and test
technical solutions and problems for a variety of reasons, including
possible operational and security concerns they might pose in the wrong
hands. There was no operational use in support of any investigation, the
FBI procured a limited license for product testing and evaluation only.”

Pegasus is NSO’s most well-known spyware, breathtakingly potent in its
ability to covertly scoop up an iPhone or Android phone user’s calls and
text messages, pictures and whereabouts. NSO says it’s for use only against
bad actors such as gangsters and drug lords, but investigations by civil
society groups have uncovered its use by foreign governments to track
activists, journalists, lawyers and their families.

The Israeli firm has repeatedly said Pegasus cannot be used to target U.S.
phones or devices assigned a +1 U.S. number. But NSO appears to have
created a workaround — a separate product called Phantom — to enable
American law enforcement to monitor U.S. devices, according to documents
obtained by the tech news site Motherboard in 2020.

According to the Times, NSO Group made a presentation of Phantom’s
capability to the FBI in 2019 to show that the spyware “could hack any
number in the United States that the F.B.I. decided to target.”

The Times also reported that the bureau ran up $5 million in fees to NSO
and renewed a contract for the Pegasus software. The FBI declined to
confirm those details.

NSO Group declined to comment for this story.

According to the Times, the FBI decided not to deploy the spyware last
summer, around the time The Post and an international journalism consortium
published a multipart investigation that found Pegasus had been used to
attack the phones of journalists, human rights activists and politicians
around the world.

The company has promised to investigate abuses of its system and cut off
clients who violate NSO rules.

Authorities in Britain, France and Israel have since opened their own
probes into the use of the spyware in their countries. WhatsApp, a
subsidiary of Facebook’s parent Meta, and Apple have sued NSO over its use
of their software to plant Pegasus, and the U.S. government has blacklisted
NSO for activities contrary to U.S. interests. The company now faces
financial peril.

As part of the Pegasus Project investigation, The Post reported that NSO
began pitching U.S. intelligence and police officials on its hacking tool
as early as 2014 and in 2019 hired several well-known U.S. political
figures to help clean up its reputation. But while NSO acknowledged in a
statement to The Post last summer that it had retained “top U.S. counsels”
to help support its “lifesaving mission,” it declined to name its
government customers or answer questions about its pursuit of contracts
inside the United States.

Other agencies in the United States have acknowledged being approached by
NSO. Police departments in San Diego and Los Angeles told The Post last
year that they had been pitched but that the license was too expensive. The
Drug Enforcement Administration, according to emails revealed through a
Freedom of Information Act request and first reported by Motherboard, also
found the program too expensive.

The agencies declined to offer details on the pitches, but public records
show they were sent brochures boasting that Phantom could “remotely and
covertly [extract] all data from any smartphone” and fill “a void in law
enforcement data gathering ability.” The brochure was distributed by a
company calling itself NSO’s North American branch.

The use of NSO spyware by the FBI arguably would have been lawful since
wiretap laws generally provide such authority, experts say. Erez Lieberman,
a former federal prosecutor in New Jersey who has prosecuted criminal
hackers, said he would support the use of such a tool “as long as it’s done
with court approval and internal oversight by the FBI, which makes it very
different from its use by some of these other regimes.”

Lieberman noted that a decade ago when he was still a prosecutor, law
enforcement officials feared the rise of strong encryption on mobile
devices was undercutting their ability to intercept criminals’
communications. “There has to be a tool for law enforcement to prevent
crime,” said Lieberman, now a partner at the law firm Linklaters. “The
question for us all is what do we find acceptable?”

But others noted that had the FBI used NSO tools and that use had become
public, the move probably would have been controversial. Human rights
organizations have long highlighted the use of Pegasus by authoritarian
governments to monitor their opponents, and the software was used to target
associates of Washington Post contributing columnist Jamal Khashoggi before
he was murdered by Saudi operatives in Turkey in 2018.

“This is extremely troubling and raises basic questions about whether
Americans’ constitutional rights are being sufficiently protected as the
FBI explores or uses hacking tools,” said John Scott-Railton, senior
researcher at the Citizen Lab, an affiliate of the University of Toronto’s
Munk School of Global Affairs and Public Policy. Citizen Lab reports in
2016 were among the first to claim Pegasus had been used to hack
journalists and dissidents in countries with troubling human rights records.

In November, the U.S. Commerce Department placed NSO on its Entity List, a
designation — in some cases seen as effectively a “death penalty” for
companies — that curbs the firm’s access to American technologies. NSO has
used the servers of American companies such as Amazon Web Services to
distribute the malware, WhatsApp charges in its lawsuit against NSO.

The Commerce Department designation came after Apple began notifying users,
including 11 employees of the U.S. Embassy in Uganda, that their iPhones
had been attacked with Pegasus.

“By design, NSO’s spyware creates a breathtakingly invasive and
disproportionate access to a person’s current and past digital life,”
Scott-Railton said. “It’s time for the U.S. government to be much more
transparent about the use of such contractors and what ethical oversight is
involved. Democracies and dictatorships shouldn’t share a hacking toolbox.”

In the spring of 2019, WhatsApp discovered that its platform had been
hacked by unknown actors who deployed Pegasus to some 1,400 phones and
devices. At least one number that was targeted had a Washington, D.C., area
code, the company said in court documents.

The company brought the matter to the Justice Department, according to
people familiar with the matter. In October that year, WhatsApp sued NSO in
federal court in San Francisco, alleging the firm’s spyware was used
against victims in 20 countries during a two-week period from late April to
mid-May in 2019.

What WhatsApp “didn’t appear to know” when it filed its lawsuit, the
Times’s report said, was that the “attack on a U.S. phone number, far from
being an assault by a foreign power, was part of the NSO demonstrations to
the FBI of Phantom.”

Asked to comment on that report, WhatsApp said: “In all circumstances, our
priority is to defend our services from threats that would harm people’s
ability to safely communicate with one another. We will continue our
efforts to hold NSO accountable for their attacks against journalists,
human rights activists, and government officials in violation of U.S. law.
The spyware industry must be prevented from undermining the privacy and
security of people in the U.S. and across the world.”