Israeli Government Agencies Visit NSO Group Offices

Authorities opened an investigation into the secretive Israeli security firm.


Authorities from multiple agencies of the Israeli government paid a visit to the offices of the NSO Group as part of a new investigation into claims that the secretive firm is selling its spyware to threat actors for targeted attacks, according to the Israeli Ministry of Defense.

A single tweet from the ministry announced the raid on Wednesday, but did not disclose exactly which government agencies participated. Specifically, Israeli agents visited NSO Group’s offices in Herzliya, near the city of Tel Aviv, according to a post by analyst firm Recorded Future’s The Record.

“Representatives from the number of bodies came today to NSO to examine the publications and claims raised in the matter,” the ministry tweeted (Google translated from Hebrew).

NSO Group is working “in full transparency” with authorities, the firm told The Record.

“We are confident that this inspection will prove the facts are as declared repeatedly by the company against the false allegations made against us in the recent media attacks,” the company said, according to the post.

However, security experts and industry watchers aren’t so sure of the company’s claim of innocence in the matter.

“NSO insists that the report is wrong, but also that it’s fine to spy on people, and also that terrorists will murder us all if they aren’t allowed to reap vast fortunes by helping the world’s most brutal dictators figure out whom to kidnap, imprison and murder,” tweeted Cory Doctorow, an author, journalist and activist.

“As I say, all of this is rather ordinary. The NSO Group’s bloody hands, immoral practices and vicious retaliation against critics are well established,” he added in a separate tweet.

Open Investigation

According to Israeli news outlet Calcalist, the Israeli government’s actions are the start of an effort to get to the bottom of a report called the Pegasus Project that examined leaked data from the NSO Group and spurred an international incident that’s rapidly escalating.

The report in the Guardian newspaper revealed a cache of more than 50,000 mobile phone numbers worldwide that the firm was storing and alleged that Pegasus malware is being used to target activists, journalists, business executives and politicians on a widespread level, using a variety of exploits — including a zero-click zero-day in Apple’s iOS.

Seventeen media organizations participated in the investigative effort, which also accused NSO Group of selling Pegasus to unidentified third parties, including governments. These entities then use it to infect the phones of dissidents and other people who may be critical of a given regime.

The malware can secretly take remote control of the phone to monitor activity, enabling “customers” to even read encrypted messages of their targets sent via Signal and Telegram.

The report triggered a global response against NSO’s alleged activities, with human rights organization Amnesty International calling “the vast scale of violations perpetrated through secretive cyber surveillance” “a global human rights crisis.”

Security experts also weighed in, with one (Paul Bischoff, a privacy advocate at Comparitech) calling NSO a “weapons dealer.” Others, noting how Pegasus has been exploiting an iOS zero-day flaw, took aim at Apple for its proprietary security ecosystem.

Still, while many criticized NSO Group for its activities, some see the report and subsequent investigation as an effort to damage the reputation of the Israeli cyber industry at a time when Israel has come under fire internationally for its continued military actions against the Palestinian state.

“They are trying to hurt the Israeli cyber industry reputation, and NSO won’t be their first neither their last,” tweeted @IntelMA, a user who claims to be part of the North and West Africa military intelligence. “They have an agenda, and it’s clear.”

Despite its claims of innocence, NSO Group seems to be taking the government’s intervention seriously. Late Thursday, the company told news outlet NPR that it has temporarily revoked access to Pegasus from several international government clients so it could investigate whether they are misusing the tool.

(This article was updated 7/30 at 8:30 a.m. ET with additional information regarding NSO revoking access to its spy tool.)
