An employee of controversial surveillance vendor NSO Group abused access to the company's powerful hacking technology to target a love interest, Motherboard has learned.
The previously unreported news is a serious abuse of NSO's products, which are typically used by law enforcement and intelligence agencies. The episode also highlights that potent surveillance technology such as NSO's can ultimately be abused by the humans who have access to it.
"There's not [a] real way to protect against it. The technical people will always have access," a former NSO employee aware of the incident told Motherboard. A second former NSO employee confirmed the first source's account, another source familiar confirmed aspects of it, and a fourth source familiar with the company said an NSO employee abused the company's system. Motherboard granted multiple sources in this story anonymity to speak about sensitive NSO deliberations and to protect them from retaliation from the company.
NSO sells a hacking product called Pegasus to government clients. With Pegasus, users can remotely break into fully up-to-date iPhone or Android devices with either an attack that requires the target to click on a malicious link once, or sometimes not even click on anything at all. Pegasus takes advantage of multiple so-called zero day exploits, which use vulnerabilities that manufacturers such as Apple are unaware of.
Do you work at NSO Group, did you used to, or do you know anything else about the company? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
After infecting a device, Pegasus can track the target's location, read their texts, emails, social media messages, siphon their photos and videos, and turn on the device's camera and microphone. Researchers have previously tracked installations of Pegasus to Saudi Arabia, the United Arab Emirates, Mexico, and dozens of other countries. NSO says its tool should exclusively be used to fight terrorism or serious crime, but researchers, journalists, and tech companies have found multiple instances of NSO customers using the tool to spy on dissidents and political opponents. David Kaye, the United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression, has noted that there is a "legacy of harm" caused by Pegasus.
This latest case of abuse is different though. Rather than a law enforcement body, intelligence agency, or government using the tool, an NSO employee abused it for their own personal ends.
Several years ago, an at-the-time NSO employee travelled to the UAE for work, a former employee explained to Motherboard. NSO sent the employee "to do on site support," a second former employee said. While on location, the employee broke into the client's office; the client received an alert that someone had logged into the Pegasus system out of normal office hours and investigated, one of the sources with knowledge of the incident added. Authorities detained the NSO employee, two sources said.
"The client was pissed," the first former employee said.
"He used the system while nobody was looking," the second former employee added. The client-facing side of the Pegasus system is very easy to use; in some cases a user simply enters the phone number of the target, and the process of breaking into the device starts.
The target was a woman the employee knew personally, the sources said.
NSO fired the employee, those two sources added. The company's leadership held a meeting to tell employees about the incident to make sure it would not happen again, they said.
"They deal harshly with abuse of the system," one of the former NSO employees told Motherboard.
"He used the system while nobody was looking."
Two sources said the abuse happened in 2016, while NSO was majority-owned by U.S. investment firm Francisco Partners. In February 2019 NSO's founders bought back their company from the firm.
The sources did not specify which UAE agency's NSO installation the employee abused. UAE has three intelligence agencies: UAE State Security, the Signals Intelligence Agency, and the Military Intelligence Security Services.
The UAE Embassy in Washington did not respond to a request for comment. NSO declined to speak on the record about the incident.
Though well-known in the security world for years, NSO entered the broader public consciousness after selling its hacking technology to Saudi Arabia, which used the tool to break into the phones of political dissidents, including contacts of Washington Post columnist Jamal Khashoggi. The CIA believes Saudi agents murdered Khashoggi in Istanbul, Turkey, in 2018 at the behest of the country's Crown Prince.
Eva Galperin, director of cybersecurity at the EFF, and who has extensively researched not just government hacking campaigns but also how abusive partners use malware to spy on their spouses, told Motherboard, "It's nice to see evidence that NSO Group is committed to preventing unauthorized use of their surveillance products where 'unauthorized' means 'unpaid for.' I wish we had evidence that they cared anywhere near as much when their products are used to enable human rights violations."
"You have to ask, who else may have been targeted by NSO using customer equipment?" John Scott-Railton, a senior researcher from University of Toronto's Citizen Lab, which has extensively researched NSO's proliferation, told Motherboard. "It also suggests that NSO, like any organisation, struggles with unprofessional employees. It is terrifying that such people can wield NSA-style hacking tools," he said.
NSO has repeatedly painted itself as hands-off when it comes to actual hacking of phones in the wild, saying it only develops a capability that its clients then use. This case of abuse, however, "is devastating to NSO's claims that it cannot conduct hacking. It proves that its employees have conducted illegal hacking, unsupervised," Railton added. Motherboard has also previously reported how NSO helps clients craft effective phishing messages tailored to their targets to increase the chance of a successful infection.
Kaye, the United Nations special rapporteur, and who has called for a worldwide pause on the export of hacking technology before more regulation can be put in place, told Motherboard the incident raises a number of questions around NSO.
"How in fact can an employee do that in the first place?" he asked, and whether there are other incidents of abuse of the platform.
After this case, NSO introduced "more rigorous screening of customer facing people," one of the former employees told Motherboard. That includes biometric checks to ensure only authorized people are able to use the system, a source familiar with the incident added.
Although in this instance the employee was caught abusing the tool, on a more technical level, "there was nothing stopping me [...] to use the system against whoever I wanted," one of the former employee told Motherboard.
"The client was pissed."
NSO is currently embroiled in a lawsuit with Facebook, with the tech giant suing NSO for leveraging a vulnerability in WhatsApp so customers could remotely hack into phones just by dialing their number. The company has also developed a technology designed to track the spread of COVID-19, but privacy experts are concerned about the system's design.
Employees at government agencies with access to surveillance capabilities have also abused their positions. In 2013, the Wall Street Journal reported that NSA officers on several occasions abused the agency's spying capabilities to monitor their own love interests.
The UAE has faced its own controversies about its use of powerful hacking technology. Reuters published several investigative pieces on Project Raven, an operation in which former U.S. NSA hackers emigrated to the UAE and formed an elite hacking group for the country. Raven ended up targeting U.S. citizens, the reports said. Reuters also reported that the FBI has been probing the use of NSO's malware to target American residents and companies since at least 2017.
All sorts of tech companies have issues with their own employees abusing access to data or insider tools. Motherboard has previously revealed how Facebook fired workers for stalking people through privileged access to user data; how MySpace employees leveraged a tool called Overlord for their own benefit; and how Snapchat had its own instances of insider abuse as well.
Subscribe to our cybersecurity podcast, CYBER.