French Launch NSO Probe After Macron Believed Spyware Target

Fourteen world leaders were among those found on a list of believed targets of NSO’s Pegasus spyware.

French lawmakers have launched an investigation into Israeli offensive cybersecurity company NSO Group after they learned French President Emmanuel Macron topped a list of 14 heads of state potentially targeted by the company’s spyware.

Amnesty International said Tuesday the French leader was a potential spyware target, along with presidents Imran Khan of Pakistan, Cyril Ramaphosa of South Africa and Barham Salih of Iraq. Heads of state, including the prime ministers and the king of Morocco, Mohammed VI, were also high-profile potential targets of NSO’s software known as Pegasus.

“The unprecedented revelation … should send a chill down the spine of world leaders,” wrote Agnes Callamard, Amnesty International’s secretary general, in a statement.

The world leaders were potential targets, according to a list of 50,000 phone numbers believed linked to the NSO Group and leaked to Amnesty International and the Paris-based journalism nonprofit Forbidden Stories. The extensive list is believed to date back to 2016 and includes people of interest to clients of NSO.

On Sunday, a consortium of 17 media partners published a bombshell report shedding light on what they believe is a systemic and widespread use of the Pegasus spyware by sometimes repressive regimes against human rights activists, political dissidents, journalists and religious and world leaders.

French Outraged

French daily Le Monde said that, after launching its own investigation into the leaked NSO data, it determined that 15 members of the French government may have been among potential targets, along with Macron.

On Wednesday, the Paris prosecutor’s office confirmed to the Associated Press it was investigating the suspected widespread use of NSO’s Pegasus spyware on French politicians. The Washington Post also reported that France’s prime minister, Jean Castex, told French lawmakers at the country’s National Assembly that the government had ordered investigations.

The Post published a statement by the official residence of the President of the French Republic, Élysée Palace, stating:

“If the facts are confirmed, they are clearly very serious. All light will be shed on these press revelations. Certain French victims have already announced that they would take legal action, and therefore judicial inquiries will be launched.”

NSO Founder Denies Allegations

In an exclusive interview with the publication Calcalist, NSO founder and CEO Shalev Hulio doubled down on the company’s assertion that the list of 50,000 phone numbers, potentially targeted by Pegasus spyware, is bogus.

“This is an engineered list unrelated to us,” Hulio said.

A statement by Hulio to Calcalist reads:

“Around one month ago we received the first approach from an information broker. He said that there is a list circulating in the market and that whoever holds it is saying that the NSO servers in Cyprus were hacked and that there is a list of targets there and that we should be careful. We looked into it. We don’t have servers in Cyprus and don’t have these types of lists, and the number doesn’t make sense in any way so it has nothing to do with us. He insisted that it does. We were later approached by two different clients who said that brokers have come to them claiming that they have a list related to NSO. We eventually received some screenshots of the list the brokers managed to get a hold of and based on that we understood that this doesn’t look like the Pegasus system, certainly on the server, and that this is an engineered list unrelated to us. We looked over it with the clients and it slowly became clear to us that it is an HLR Lookup server and has nothing to do with NSO. We understood that this was a joke.”

Hulio said NSO works with 45 customers a year who target an average of 100 phones a year. He maintains the list of 50,000 alleged targets has nothing to do with NSO.

Still, a forensic analysis of 67 of the phones on the list of 50,000 revealed that 37 had traces of Pegasus software. Amnesty International and Forbidden Stories editors emphasized the list of phone numbers does not indicate that all of those phones were targeted with an attack.

Tech World Recoils in Disgust

News of possible widespread use of the notorious Pegasus mobile spyware from NSO Group has drawn a sharp rebuke from those in the security community. Reactions have been varied, with many voicing concern over the level of security in Apple’s closed ecosystem. According to reports, the NSO Group made use of a zero-click zero-day in Apple’s iMessage feature in its Pegasus mobile spyware.

Noted Johns Hopkins cryptographer Matthew Green suggests Apple could do more to beef up security around its iMessage technology.

“There is good evidence that Apple realizes the bind they’re in, since they tried to fix iMessage by barricading it behind a specialized ‘firewall’ called BlastDoor. But firewalls haven’t been particularly successful at preventing targeted network attacks, and there’s no reason to think that BlastDoor will do much better. (Indeed, we know it’s probably not doing its job now.),” he wrote in a recent blog post titled “A case against security nihilism.”

In a statement to Threatpost, Amazon said it shut down NSO accounts that were “confirmed to be supporting the reported hacking activity.” Amazon, which was identified in the Pegasus report, said the accounts had violated its terms of use.

DigitalOcean, another tech firm that hosted NSO servers, told the Associated Press, “All of the infrastructure outlined in the Amnesty report is no longer on DigitalOcean.”
