Last summer, we wrote about a major international investigation of the NSO Group and its Pegasus spyware. We described how it works and what you can do to protect your phone. NSO has gone through some difficult times as a result of that analysis. NSO was almost purchased by an American company that is closely linked to intelligence operations until the US Government put them, along with another Israeli spyware vendor Candiru, on a special block list that prevents both from obtaining government contracts. Candiru, you might recall, was discovered to be doing its own zero-day spying by Avast researchers.

In late July 2022, the House Intelligence Committee held a hearing to discuss Pegasus and its implications for national policy. The House is set to vote on sweeping legislation to regulate the spyware industry that has been written into the latest version of the Intelligence Authorization Act. The House and Senate bills differ on the spyware provisions, however. This is in addition to the National Defense Authorization Act that was passed last December that directs the State Department to prepare an annual list of spyware vendors. This research has found that numerous American citizens and public officials have been targeted by Pegasus over the years, despite denials by NSO that they have never done this. 

 “Powerful spying tools are being sold on the open market, essentially offering sophisticated signals intelligence capabilities as an end-to-end service,” said Intelligence Committee Chair Adam Schiff. Three witnesses testified at the hearing:

• Shane Huntley, the senior director of the Threat Analysis Group at Alphabet
  
  
• Carine Kanimba, the daughter of Paul Rusesabagina, who was the model for the main character of the film, Hotel Rwanda
  
  
• John Scott-Railton, a senior researcher at the CitizenLab at the University of Toronto who has extensively analyzed Pegasus incursions of dozens of phones across the world

If you don’t want to watch the entire hearing, you can skim through the opening remarks of the three witnesses.

Carine Kanimba testifying before the House committee in July. (Image credit: House Intelligence)

Shane Huntley mentioned his group’s activities in rooting out state-sponsored spyware and mentioned how Android was the first platform in 2017 (and then again in 2019) to warn users about Pegasus. His testimony is filled with numerous research links to other spyware they have detected over the years. “We believe commercial spyware use is growing, fueled by demand from governments,” he said. “It is targeting dissidents, journalists, human rights workers and opposition party politicians. Taking these threats on has to be a team sport, and there is very good cooperation between private industry and the intelligence community.”

Rusesabagina was lured from his Texas home by an operative of the Rwanda intelligence agencies and kidnapped and taken to Rwanda, where he was imprisoned by their government. Kanimba is a US citizen and both her and her father were targeted by agents of the Rwanda government using Pegasus spyware. Kanimba’s phone was subsequently tracked during various meetings and phone calls she had with foreign officials as she tried to secure her father’s release. “I am frightened by what the Rwandan government will do to me and my family next. It is horrifying to me that they knew everything I was doing, precisely where I was, who I was speaking with, my private thoughts and actions, at any moment they desired,” she said. She is concerned about her father’s care since he suffered a stroke while in prison, as well as afraid for her own welfare given what can be gleaned from her phone thanks to Pegasus. “Americans need to feel safe in our country and when we travel,” she said.  

Growth of the global mercenary spyware ecosystem

Scott-Railton agreed with Huntley that the growth of what he called the global mercenary spyware ecosystem has grown. Pegasus, and other zero-click spyware, is insidious. “One moment the device is clean. The next? Your data is silently streaming to an adversary,” he testified, describing Pegasus’ actions and the depth of information it can access on a targeted phone. “It is highly sophisticated, invasive, and difficult to detect at scale, even by well-resourced governments. This industry has become a threat to U.S. national security and counterintelligence.”

He cites the research that at least 10 prime ministers, three presidents, and a king may have been selected for Pegasus targeting. Since that report, the CitizenLab has found evidence of Pegasus on politicians’ phones in Thailand, Catalan, Poland and El Salvador. “Tools like Pegasus make political spying easier, much more invasive, and very difficult to uncover.” Scott-Railton anticipates ransomware actors will incorporate this technology as part of their exploit tool kits.

How to combat the threat of spyware

Google is constantly scouring the internet, looking for evidence that state-sponsored hacking (including spyware) is happening. Huntley mentioned they notify users when they detect this situation, which is a good start. But as Scott-Railton mentioned, the industry needs to provide more specifics, such as who is doing the snooping and how and when it happened, “so that victims know who to look for and who is responsible.”

Placing NSO and Candiru on the block list sends a signal to investors. “NSO’s valuation is in a tailspin,” said Scott-Railton at the hearing. He had other suggestions on government actions that could prevent these spyware companies from operating, such as preventing public retirement funds and venture capitalists who hold major corporate investment positions in NSO, for example. Kanimba’s story especially pointed out the threat of spyware to various democracies around the world.