The NSO group, the company behind the Pegasus software, targeted key government officials of US allies in 2019 including some in national-security responsibilities, according to WhatsApp CEO Will Cathcart. Cathcart’s comments, which he made in an interview with The Guardian on Sunday 25th July 2021, came after reports from the Pegasus Project, a group that comprised The Guardian, The Washington Post, and Amnesty International in July 2021. According to the reports, an Israeli company sold military-grade spyware that was used to hack journalists’, activists’, and government officials’ phones. 

Who is the NSO Group?

When NSO Group was under fire in 2019, new investors in the Israeli monitoring firm went on a public relations offensive to reassure human rights groups. In a public letter to Amnesty International and other activists in 2019, they stated that they will do “everything is required“ to ensure that NSO’s weapons-grade software was only used to combat crime and terrorism.

Unbeknownst to the campaigners, NSO would eventually devise a scheme to assist a long-time government customer with a poor human rights record. 

Then came the arrival of another technological behemoth.

In October of 2019, WhatsApp reported that Pegasus had been used to target 1,400 of its users through a flaw in the service. Members of the church in Togo, as well as hundreds of journalists in India, Rwanda, and Morocco, were among those affected by the attack and warned through WhatsApp.

According to a product description filed as an exhibit in WhatsApp’s 2019 lawsuit, the Pegasus software was designed to “covertly collect information about your target’s relationships, location, phone conversations, plans and activities – whenever and wherever they are.” According to the description, the programme tracked GPS whereabouts, monitored audio and VoIP communications, and gathered other data. It also leaves no trace on the device.

In a long-running legal struggle over the issue, NSO contended in front of a US court that it deserved protection since its software had been utilised on behalf of foreign government clients without its knowledge or consent.

So what has been found now?

According to Forbidden Stories, a leaked list of possible Pegasus targets contained more than 50,000 phone numbers, however it was unclear how many were ultimately targeted. According to Amnesty International, the list includes phone numbers for French President Emmanuel Macron and Pakistani Prime Minister Imran Khan. The consortium’s reports, according to NSO Group, were inaccurate and denied the numbers of the list were targets or potential targets of Pegaus.

According to the messaging app’s CEO, governments targeted senior government officials throughout the world with NSO Group spyware in a 2019 campaign against 1,400 WhatsApp users. This included individuals in top national security positions who are “allies of the US.”

Following revelations this week by the Pegasus project, a collaboration of 17 media organisations that investigated NSO, the Israeli company that sells its powerful surveillance software to government clients around the world, Will Cathcart revealed new details about individuals who were targeted in the attack.

Tens of thousands of phone numbers were exposed in the leak, including those of heads of state like French President Emmanuel Macron, government ministers, diplomats, activists, journalists, human rights defenders, and lawyers who are believed to have been targeted for possible surveillance by NSO clients. 

What does NSO have to say?

NSO stated that the data has “no relevance“, and the Pegasus project’s presentation has been dismissed as “full of erroneous assumptions and uncorroborated ideas“. It denied that the stolen data represented persons who had been targeted by the Pegasus software for monitoring. The 50,000 figure was overstated by NSO, who claimed it was too huge to reflect those targeted by Pegasus.

NSO has refused to provide precise information on its clients or the people they target. According to one report, each customer had an average of 112 annual targets. 

How to protect your organisation against this

WhatsApp is a consumer app, which means that the user is in charge of how they use it. WhatsApp lacks a corporate admin page for configuring security settings, as well as a reporting mechanism to assure compliance. Due to the inherent instability of these systems, continuing to use consumer messaging programmes poses a significant risk to these businesses.

The truth remains that still three years later, organisations dealing with sensitive corporate, government, or client information should not use consumer apps to communicate information.  Organisations are safeguarded against the possibility of important and sensitive data being compromised by using a closed system like Salt Communications.

Salt Communications recognises that encryption alone isn’t enough to keep data safe. Salt delivers a highly secure platform that gives the same convenient user experience as consumer apps, but in a safer and more secure manner, allowing the customer to maintain complete, centralised management of the system at all times.

Sign up for a free trial of Salt Communications or to talk to a member of the team by contacting us on info@saltcommunications.com or visit our website at saltcommunications.com. 

About Salt Communications 

Salt Communications is a multi-award winning cyber security company providing a fully enterprise-managed software solution giving absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest of security standards. Salt Communications offers ‘Peace of Mind’ for Organisations who value their privacy, by giving them complete control and secure communications, to protect their trusted relationships and stay safe. Salt Communications is headquartered in Belfast, N. Ireland, for more information visit Salt Communications.