How PM Janša met a notorious spyware developer

Maja Čakarić, Matej Zwitter

–

During an official visit to Israel, Slovenia’s Prime Minister met with a representative NSO Group, the surveillance software developer that created Pegasus which was reportedly discovered on the devices of co-workers of murdered journalist Jamal Khashoggi. This was not the first time a top NSO official met with a top Slovenian government representative.

"Prime Minister, Janez, this is an opportunity to usher in a new era in the relations between Slovenia and Israel,” said the Israeli prime minister Benjamin Netanjahu during a live stream of Janez Janša’s official visit on 8 December. He added the iconic quote from the film Casablanca: “I think this is the beginning of a beautiful friendship.”

They agreed that the states are political allies who strive to promote economic exchange. “Israel is one of the most innovative countries on a global scale and as such an excellent role model for Slovenia,”remarked Janša. “Next year, Slovenia will hold the second presidency of the Council of the EU, and cybersecurity will be among its priorities. It’ll be our major focus.” 

A day earlier, soon after landing in Tel Aviv, Janša spent several hours in meetings with Israeli businessmen. They met at The King David, a luxurious hotel overlooking Jerusalem’s Old City that has hosted 53 kings and 248 prime ministers in its long history.

At this exclusive address, Slovenia’s head of state met with the representatives of five Israeli companies, three of which – Arieli Capital, OurCrowd and Startup Nation Central – focus on fostering startups in the field of AI, cybersecurity and tourism, while SparkBeyond develops AI systems for financial, pharmaceutical and other industries.

The fifth company was NSO Group which has developed scores of highly advanced technological tools in the span of eleven years since its establishment. Following the outbreak of the covid-19 pandemic, it developed Fleming, a contact-tracing software for monitoring its spread. 

But then NSO had already been catapulted onto the world stage as the maker of Pegasus spyware which was designed to remotely access mobile devices and monitor communications.

NSO sells its spyware to government intelligence and law enforcement agencies to fight crime and terrorism. But the company was also cooperating with governments that used its spyware for tracking human rights activists, journalists, scientists and politicians.

Cybersecurity experts from The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto, discovered traces of Pegasus on mobile phones of several journalists, managers and producers of the Qatari television network Al Jazeera and on the phone of slain Mexican journalist Javier Valdez[UP3] ’s widow.

Moreover, United Nations investigators also found the spyware on the devices of several co-workers of murdered Saudi’s journalist Jamal Khashoggi. 

Introductory meeting and national security

Conclusions of the talks between Slovenia’s premier and representatives of Israeli companies, among them NSO Group, are not known or supposedly there are none. The Ministry of Economic Development explained that the nature of the meeting with the Slovenian delegation was introductory and involved all five companies, not only NSO Group, introducing themselves. “No binding form of collaboration was neither planned nor agreed.”

Nevertheless, the State Secretary Ajda Cuderman signed a joint declaration between Slovenia’s economy ministry and Israel’s innovation authority that, according to official clarifications, laid foundations for future bilateral cooperation in the field of advanced technologies and innovation.

We referred our questions about details of the talks also to the co-organiser of the visit, Dror Dotan, who is the founder and chairman of the Israel-Slovenia Chamber of Commerce (ISLCC) that helps companies of both countries to seek out new business partners. 

He told us that representatives of only four firms were present at the meeting. The very firm that his list did not include was NSO. It is not clear if this was by mistake or not because Dotan did not respond to further emails or phone calls.

The premier’s office, Government Communication Office and Ministry of Foreign Affairs did not wish to give their opinion on the potential collaboration with NSO Group. The potential users of their tools, Slovene Intelligence and Security Agency and Ministry of the Interior, also maintain silence on the subject.

The premier’s office directed us to a summary of the meeting with Israeli entrepreneurs at the central website of the state administration GOV.si, explaining that they will not comment on any additional questions. The Slovene Intelligence and Security Agency (SOVA) had no further comments.

SOVA referenced secrecy of data involved in ordering sensitive equipment, while the ministry mentioned national security. Following further enquires, the ministry added that it does not plan to purchase equipment produced by NSO and that it has not yet been in touch with the firm: “But we can’t tell what the future will bring.”

No lobbying, just briefing

Janša’s meeting in Israel was not the first contact between the highest-ranking officials of the Slovenian government and NSO Group. Data on reported lobbying shows that Stefan Kowski, member of NSO’s management board, met with the minister Zdravko Počivalšek in Slovenia on 29 May of last year.

Kowski did not attend the meeting as a representative of NSO Group but  of one of its shareholders, Novalpina Capital. In addition to Kowski, four other members of NSO’s board work for Novalpina Capital.

Kowski arrived at the meeting accompanied by Primož Pusar from Pristop marketing agency. The meeting’s topic is not known. According to the data available from the Integrity Watch platform on reported lobbying contacts managed by Slovenia Transparency International, the conversation revolved around investment possibilities in the Republic of Slovenia.

The office of the Minister of Economic Development and Technology Zdravko Počivalšek explained that it supports strategic investments and wishes to ensure fertile ground for new projects by foreign investors in Slovenia. The office did not provide any further information about the Minister’s meeting with Kowski. It claims that minutes of the meeting do not exist. 

Primož Pusar did not respond to Oštro’s messages or phone calls. 

The Commission for the Prevention of Corruption (CPC), the country’s authority on lobbying, explained that the meeting between Kowski in Počivalšek did not constitute lobbying.

The Commission relied on the Minister’s report on a contact with a lobbyist according to which the meeting was simply a briefing about possible investments. According to CPC, the meeting was not geared at influencing decision-making, which is one of the legal conditions for identifying a contact with a public official as lobbying

Stefan Kowski did not respond to Oštro’s requests for comment.

The representatives of Novalpina Capital who took our calls said that they will relate our messages to Kowski. One representative instructed us to use the media department’s email, while the other later said there was no such department and promised to relate our questions to the relevant persons herself. We did not receive a reply. 

Our inquiries into potential collaboration of Slovenian government with NSO Group also proved fruitless. After numerous phone calls and emails, the London office of a high-stakes public strategy firm Mercury Public Affair that deals with public relations informed us there will be no comment.

Keeping up appearances

At the end of 2019, NSO Group entrusted the management of legal and regulatory procedures – including those connected with the tool’s alleged use for surveillance of specific WhatsApp users – to Mercury Public Affairs. The public strategy firm will safeguard NSO’s interests for $1.44 million (EUR 1.28 million) a year, as can be gleaned from a document by the U.S. Department of Justice where the firm was registered under the Foreign Agents Registration Act. 

In October 2019, Facebook filed a lawsuit against NSO for hacking the accounts of 1400 WhatsApp users in Bahrain, UAE and Mexico. According to the findings of the UN High Commissioner for Human Rights, Pegasus’ code was most likely concealed in a message that the crown prince of Saudi Arabia Mohammed bin Salman sent to Jeff Bezos, founder and CEO of Amazon, in May 2018. Nine months later, the American tabloid National Enquirer published Bezos’ personal messages. 

This happened in the wake of the murder of Jamal Khashoggi, a journalist and columnist of The Washington Post, owned by Bezos, that regularly reported on the murder. The UN investigators discovered that the devices of several Saudi dissidents, who were in contact with Khashoggi, were also infected with the malicious software. 

In Spring of 2019, NSO Group denied the allegations that its spyware was used for hacking Bezos’ phone, as well as the involvement of its Pegasus tool in the journalist’s murder. In the few public statements it made following Khashoggi’s murder, the company denied the allegations and underlined that the software was not licensed for intercepting messages of activists and journalists. Its sole purpose was to provide technology, such as Pegasus, to licensed government intelligence and law enforcement agencies to help detect threats to public security. 

It was with the help of Pegasus spyware that the Mexican drug baron Joaquín “El Chapo” Guzmán, who spent years on the run, was at last tracked down and captured.

In 2019 alone, NSO software purportedly helped to prevent several terrorist attacks in Europe, NSO co-founder and CEO Shalev Hulio told the Israeli Ynetnews portal. “I can say in all modesty that thousands of people in Europe owe their lives to hundreds of our employees.”

Khashoggi’s murder, however, is not the only case of NSO software abuse uncovered by independent investigators. 

During a verification of WhatsApp vulnerabilities, researchers of the Citizen Lab at the University of Toronto later discovered more than a hundred breaches of communication privacy of civil society representatives from at least 20 countries around the globe. 

NSO’s programming code was also discovered on the phone of Ben Hubbard, a New York Times journalist, the award winning human rights defender Ahmed Mansoor from the UAE, Morrocan journalist and activist Omar Radi, and Griselde Triane, the widow of slain Mexican journalist Javier Valdez Cárden. 

Pegasus is a sophisticated spyware that targets mobile devices, both Android and iOS, and exploits their vulnerabilities. After clicking a web link that a user receives in a text message, a programme is activated that infects the mobile device and enables real-time monitoring of text messages and calls, tracking the phone’s location, siphoning passwords for using web services, social networks or communications channels, such as iMessage, Gmail, Viber, WhatsApp, Facebook, Skype etc. and also operates as a wiretap, effectively turning the phone into a bug.

Citizen Lab’s latest stunning report revealed that, from autumn 2019 to summer 2020, NSO spyware was used for intercepting communication of journalists, producers and other employees of the AlJazeera network by hacking their phones. Compared to the technology that was used to infect Bezos’ phone, however, malware installation in this case did not require any interaction. A specially designed message sent via iMessage by an iPhone user did the job.

Etienne Maynier, a technologist at Amnesty International, explained to Oštro they have “observed a shift in the tactics used by NSO’s customers since 2016, moving from links in text messages, (requiring the victim to click on it) to zero-click attacks, either by exploiting bugs in chat applications or through network injection”.

A network injection attack requires no interaction from the victim. It reroutes the target browser to a malicious website that can install spyware on the victim’s device.

But sophisticated hacks of mobile phones are hard to trace because the victim usually does not notice anything unusual on their phone. Claudio Guarnieri, head of Amnesty International’s Security Lab, warns that the hack can only be confirmed by finding victims who reasonably believe they had been hacked and conducting forensics of their mobile devices. 

Omri Lavie, co-founder of NSO Group, used uncannily similar words when describing its software for the American magazine Defence News in 2013: “We’re a complete ghost, we’re totally transparent to the target, and we leave no traces.”

Insufficient control of surveillance agencies

When it talked to the Slovenian government the NSO Group also left almost no traces. This hardly surprised national security expert Iztok Prezelj from The Faculty of Social Sciences. Dealings of democratic states “must be open to the public and display a high level of transparency while, on the other hand, the public in democracies also expects a high level of security which is obviously not possible to ensure without a certain level of secrecy.”

“Without[UP6]  tools, such as those developed by NSO Group, it’s not possible to efficiently ensure national security,” underlined Branko Lobnikar, expert for security issues at the Faculty of Criminal Justice and Security. To expect that the security institutions will renounce the use of modern surveillance tools, whilst successfully and efficiently responding to security issues, is contradictory in nature.

But Lobnikar also warned that the use of such tools should be adequately monitored: “Any use of tools that constitutes a breach of an individual's privacy or other protected good should be regulated.”

In line with national legislation Slovenian police and intelligence must obtain a court order for every case of communication surveillance of individuals, including collecting device data, wire-tapping or other interference in privacy. 

According to Lobnikar and Prezelj, the control of institutions that exercise police and security powers, among them also private security companies, should be tightened. 

Judicial and political control is insufficient, therefore professional control of intelligence and security services should be introduced, which, according to Lobnikar, “never existed in Slovenia and still doesn’t exist.” This control is necessary, but also expensive, he says. 

This cannot be solved simply by establishing a new, independent agency entrusted with control. Aside from funding great efforts would have to be invested in training staff that will be capable of effectively implementing control.

If we do not invest in security, Lobnikar thinks, criminals and terrorists will thrive. But if we only invest yet fail to train the staff, perversion of power would most likely ensue.

The production of this story was supported by Transparency International Slovenia within the framework of the Integrity Watch Europe project. The project was funded by the European Union's Internal Security Fund — Police. The content of this article represents the views of the author only and is his/her sole responsibility. The European Commission does not accept any responsibility for use that may be made of the information it contains.

Note on ethics: In accordance with the code of conduct and due to a possible perception of conflict of interests, the responsible editor excluded herself from the decision-making process regarding the selection of this topic and from preparing this article.

Do you have information or documents relevant to the understanding of the reported subject?

You can safely send them through our whistleblowing platform zvizgac.si.