Storm brewing over Israeli spyware firm over sales to Saudis

A controversial American-owned Israeli vendor is again under fire after media reports that it is selling spyware to repressive regimes, including Saudi Arabia.

Israeli newspaper Haaretz reported this week that NSO Group had offered its Pegasus spyware to Saudi Arabia where it was used in a purge of regime opponents.

Former National Security Agency contractor and classified information leaker Edward Snowden said the spyware was used track associates of murdered and dismembered Saudi journalist Jamal Khashoggi.

Haaretz confirms reports by @Citizenlab showing Saudi Arabia's purge of regime opponents was fueled by the #NSO group, an out of control Israeli hacking company. Before Khashoggi's murder, three of his contacts were targeted by SA using NSO's burglary kit. https://t.co/PkUcAsuGUu

— Edward Snowden (@Snowden) November 25, 2018

Human rights lobby group Amnesty International which has been targetted with Pegasus, demanded that Israel revokes NSO Group's license to operate, following reports of the Saudi spyware sales.

The malware itself has been known for the last couple of years. Apple released an emergency update for iOS and macOS/OS X in September 2016 to patch against Pegasus.

The emergency patches followed a United Arab Emirates human rights activist being targetted with Pegasus, via a text message that contained a link which, if clicked on, would deliver the malware to his iPhone.

Analysis by security researchers found that Pegasus infections fully compromise iPhones.

Attackers are able to access voice and text messages from a range of apps, as well as log files, emails and other data on compromised devices.

NSO Group has continued to develop the malware since 2016.

University of Toronto's Citizen Lab published a report in September that showed Pegasus has spread to 45 countries, including the United States, UK, France, and Canada since it was first discovered and is in use currently.

The spyware vendor said at the time that it does not sell its products to many of the countries listed by Citizen Lab, and that Pegasus is only licensed to operate in nations approved under the firm's Business Ethics Framework.

Pegasus is specifically designed not to operate in the United States of America, NSO Group said in a statement to Citizen Lab.

In July a senior programmer who worked at NSO Group was hauled in front of court, accused of trying to sell the company's intellectual property on the Dark Net for US$50 million.