NSO Group, an Israeli technology company that created spyware that was found being used to compromise a prominent United Arab Emirates activist’s iPhone, had sold the software to an Arab company with the express permission of the Israeli Defense Ministry.
The discovery of the sophisticated spyware, called Pegasus, capable of infiltrating and remotely taking control of iPhones without leaving a trace, forced Apple to push out a security update last week.
The software came to light after researchers said the Emirati rights activist, Ahmed Mansoor, was targeted by a simple text message that asked him to tap on a link for information on detainees tortured in the UAE. Suspicious, he forwarded it to internet watchdog group Citizen Lab.
The software can track calls and contacts, collect passwords, read text messages and emails, record calls and trace the whereabouts of the user. Mike Murray, a researcher with Lookout, a San Francisco-based smartphone security company, called it “one of the most sophisticated pieces of cyberespionage software we’ve ever seen.”
The exploit took advantage of previously undisclosed weaknesses in Apple’s mobile operating system, iOS 9.3.5, according to reports published late last month by Lookout and Citizen Lab.
According to a report Wednesday in the Yedioth Ahronoth daily, the Defense Ministry’s Defense Export Controls Agency (DECA), which must approve the export of sensitive security products, gave NSO Group permission to sell the software to an Arab company.
The report said the decision was met with a great deal of criticism within the agency. A senior Defense Ministry staffer called the export license “a scandal.”
A Foreign Ministry official — none of the report’s sources were named due to the sensitivity of the case — noted that the Israeli company is not accused of taking part in the attempted hacking, but said “the very fact that the company is being linked in the press to a cyberattack on a human rights activist damages the country’s good name.”
According to the report, the original license allowed NSO to sell a version of Pegasus that would take over the iPhone without requiring its user to even tap the link that would download the spyware. Merely receiving the text message would allow the takeover. DECA then changed the license to only permit the sale of the version that requires a tap on the link.
The sale itself was facilitated by former senior officials in Israel’s defense establishment.
The Arab company, its home country and the officials involved on either side were not named in the Yedioth report.
In a statement last month that stopped short of acknowledging the spyware was its own, the NSO Group said its mission was to provide “authorized governments with technology that helps them combat terror and crime.”
“The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner,” the statement read. “Specifically, the products may only be used for the prevention and investigation of crimes.”
The company said that it “does not operate the software for its clients, it just develops it,” according to Channel 2.
Israeli companies have been criticized in the past for selling software to monitor internet and phone communication to regimes with poor human rights records, including in Uzbekistan and Kazakhstan, as well as Colombia, Trinidad and Tobago, Uganda, Panama and Mexico, according to the NGO Privacy International.
In a statement to Yedioth, the Defense Ministry said it “operates an orderly oversight mechanism, under law,” of sensitive defense exports, “that works in close cooperation with the Foreign Ministry.”