The government of the United Arab Emirates used Israeli phone-hacking technology to spy on political and regional rivals as well as members of the media, with the Israeli company itself participating in the cyber attacks, The New York Times reported Friday.
The Herzliya-based NSO Group uses its controversial Pegasus spyware program to turn smartphones into listening devices.
To sell Pegasus to the UAE, the NY Times noted, the company would have had to receive the express permission of Israel’s Defense Ministry, as such software is considered a weapon.
The NSO Group has insisted in the past that it sells its software to clients on the condition that it be used only against crime and terrorism, and has shirked responsibility in cases where it was allegedly used for civil rights abuses.
But two new lawsuits being brought against the company have uncovered documents that assert the company and its affiliates have actively engaged in illegal activities for clients.
According to the report, leaked emails have shown that when UAE leaders demanded proof of value, an affiliate of NSO hacked the phone of Abdulaziz Alkhamis, the editor of the London-based newspaper Al Arab, and sent them recordings.
It also allegedly advised the UAE on how to best hack the phones of various officials, with the Arab nation’s leaders particularly interested in spying on a Saudi prince, the leader of rival Qatar and Lebanese Prime Minister Saad Hariri — though it was not clear whether those officials were actually hacked.
Documents show the UAE has been using Pegasus since 2013.
The two lawsuits, filed in Israel and Cyprus, call for company accountability for what they claim is an active role in illegal intelligence gathering.
According to Israeli lawyer Alaa Mahajna, “We are pushing to make the law catch up with technology” and prove that tech companies “are complicit in these privacy violations.”
The lawsuits have been filed by a Qatari individual, who claims to have been targeted by the UAE, as well as by Mexican human rights activists who say the government spied on them using Pegasus.
Pegasus infects individuals by sending them text messages tempting them to click an attached link. In the case of the UAE, the NSO affiliate allegedly suggested texts with messages such as: “Ramadan is near — incredible discounts,” as well as “Keep your car tires from exploding in the heat.”
When an unwitting target clicks the link, Pegasus is downloaded onto the device and infects it. The software can track calls and contacts, collect passwords, read text messages and emails, record calls, and trace the whereabouts of the user.
In 2016, Israel’s Yedioth Ahronoth daily first reported that the Defense Ministry had given the NSO Group permission to sell the software to an Arab company, which went on to target a prominent UAE rights activist. But the scope of the government’s involvement had not been known.
Mike Murray, a researcher with Lookout, a San Francisco-based smartphone security company, called Pegasus at the time “one of the most sophisticated pieces of cyberespionage software we’ve ever seen.”
Mexico was scandalized last year by claims that opposition politicians, journalists and human rights defenders in the country had been targeted by the government using the software.
Then-president Enrique Pena Nieto called for a rapid probe and dismissed allegations that his government was responsible. However, the NY Times reported that there had not been much progress in the investigation in the year that has passed, leading the Mexican victims to turn to a lawsuit.
The NSO Group told the NY Times it would study the lawsuits before responding.
It has said in the past that its mission is to provide “authorized governments with technology that helps them combat terror and crime.”
“The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner,” the statement read. “Specifically, the products may only be used for the prevention and investigation of crimes.”
The company said that it “does not operate the software for its clients, it just develops it.”
Israeli companies have been criticized in the past for selling software to monitor internet and phone communication to regimes with poor human rights records, including in Uzbekistan and Kazakhstan, as well as Colombia, Trinidad and Tobago, Uganda, Panama and Mexico, according to the NGO Privacy International.