John Scott-Railton rushed into the Peninsula Hotel on Fifth Avenue in New York City, behind schedule, half-soaked from a rainstorm and out of breath. He hurried through the lobby to the hotel’s five-star restaurant, the Clement, praying that the microphone hidden under his tie was still working, and that his lunch date hadn’t bailed.
He felt like a mess as he moved through the swanky hotel. He worried his whole plan was about to fall apart because of a bit of traffic on the way over.
Scott-Railton was set to meet with Michel Lambert, a wealthy entrepreneur who promised him a lucrative business opportunity — one that paid far better than his spyware-hunting job at Citizen Lab in Toronto.
But he says he knew the man he ultimately sat down with for lunch that afternoon was not a businessman named Michel Lambert. According to Scott-Railton, he was an ex-spy from Israel operating under a false name.
A man who identified himself as Michel Lambert reacts during an interview at a restaurant in New York on Thursday, Jan. 24, 2019.
AP Photo/Joseph Frederick
Scott-Railton says he agreed to meet the man he says was a covert operative because he wanted to “turn the tables” on a shadowy operation that had targeted his Citizen Lab colleague, Bahar Abdul Razzak, a few months earlier. A supposed entrepreneur had lured Razzak to a meeting in Toronto, then grilled him about his research into NSO Group, an Israeli tech firm with software that can hack any smartphone via text message, according to Scott-Railton.
Citizen Lab has been tracking NSO Group’s phone-cracking software for years, and its research forms the basis of three major lawsuits. The plaintiffs allege that NSO’s software was used to hack their phones and spy on them because they were critical of governments in Mexico, Saudi Arabia and the United Arab Emirates.
“Lambert” asked Scott-Railton several questions about NSO over lunch. He also posed leading questions about potential anti-Israel bias or outside funding at Citizen Lab, an independent research facility at the University of Toronto’s Munk School of Global Affairs.
John Scott-Railton, a senior researcher at Citizen Lab, poses for a photo in New York City on Jan. 17, 2019.
AP Photo/Kathy Willens
However, the man had little to say once Scott-Railton invited a hidden Associated Press reporter over to the table.
“I don’t have to speak with you,” said the man, whom the New York Times and Israel’s Channel 12 later identified as former Israeli security official Aharon Almog-Assouline. Almog-Assouline stormed out of the restaurant and refused to answer questions from the AP reporter.
The sting has shed light on an alleged wider plot targeting at least six critics of NSO, an Israeli cybersecurity firm that helps law enforcement access suspects’ smartphones. Three lawsuits accuse NSO of selling its phone-cracking program, Pegasus, to governments that allegedly used it to monitor journalists and activists. The lawsuits call for NSO to stop selling Pegasus to some of its most lucrative government clients, many of whom pay tens of millions of dollars for its services.
Global News has reached out to NSO Group for comment on Citizen Lab’s reports, the lawsuits against it and the alleged attempts by anonymous individuals to contact people linked to those lawsuits. NSO has not responded. However, it has previously disputed the Citizen Lab reports, rejected the claims in the lawsuits and denied any connection to those asking about the lawsuits.
Citizen Lab, which operates out of the University of Toronto, does independent research into human rights abuses online, such as government surveillance and censorship.
“Our work exposing these abuses is clearly making some people uncomfortable, and we are being targeted with underhanded, unethical tactics,” Scott-Railton told Global News.
“To us, this is a signal that we are doing something right, and why academic work is so important.”
Scott-Railton and his colleagues at U of T’s Citizen Lab have been monitoring NSO since 2016.
Citizen Lab has published over a dozen reports documenting alleged abuse of NSO’s software, Pegasus, based on digital forensics. They say NSO has been reckless with its choice of clients, by selling to governments with a history of human rights abuses.
Citizen Lab alleges that NSO’s Pegasus software has been used for political purposes in several countries, including Mexico, the United Arab Emirates and Saudi Arabia. Overall, Citizen Lab estimates that 36 operators have used Pegasus on targets in 45 different nations, including the United States and Canada. It says six operators were linked to countries with a “history of abusing spyware to target civil society.”
NSO Group has repeatedly denied all allegations stemming from Citizen Lab’s research, and insists that its technology is only used for law enforcement purposes. The company has disputed Citizen Lab’s list of countries where it operates, and claims that the product “will not operate outside of approved countries.”
A recent AP investigation found that at least six individuals linked to NSO lawsuits, including Citizen Lab’s Razzak and Scott-Railton, have been targeted by undercover operatives seeking information about the cases. These shady figures invited their targets to swanky dinners to discuss lucrative job offers, then questioned them about NSO, according to the AP.
Two people targeted by undercover operatives were secretly recorded and the footage later broadcast on Israeli television, the AP reports.
“There’s somebody who’s really interested in sabotaging the case,” Mazen Masri, who is one of the alleged targets, told the Associated Press. Masri teaches at City University in London, and is advising the plaintiff’s attorney in one of the NSO lawsuits. He suggested the man was “looking for dirt and relevant information about people involved.”
Citizen Lab condemned the alleged operations against Razzak and Scott-Railton in a statement last month, after Scott-Railton met with the suspected spy.
“This failed operation against two Citizen Lab researchers is a new low,” Citizen Lab director Ron Deibert wrote on Jan. 25. “We have always welcomed debate and dialogue about our work, but we condemn these sinister, underhanded activities in the strongest possible terms.”
Deibert added that he has “no evidence” that NSO Group itself is responsible for the incidents.
How NSO’s phone-hacking Pegasus spyware works
Pegasus is an extremely powerful spyware program that installs itself on a phone after the target is tricked into clicking a text-message link. It’s designed to let police covertly examine everything on a target’s phone, according to an in-depth technical analysis of the program by Lookout, a California-based cybersecurity company. The analysis was conducted in partnership with Citizen Lab.
Pegasus effectively turns the target’s phone into an open book. The spyware operator can access anything connected to the phone, and can even switch on its microphones and cameras to turn it into a remote surveillance device. The only way to avoid infection is to avoid clicking on text-message links.
This diagram shows all the systems an operator can access by infecting someone’s phone with Pegasus spyware.
“The Pegasus software is highly configurable,” the Lookout report says. “Depending on the country of use and feature sets purchased by the user of the spyware, the surveillance capabilities include remotely accessing text messages, iMessages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, Facetime, Calendar, Line, Mail.Ru, WeChat, Surespot, Tango, Telegram, and others.”
Citizen Lab and Lookout worked with Apple in 2016 to help it fix an iOS vulnerability that Pegasus appeared to exploit. Citizen Lab says it discovered Pegasus exploiting the vulnerability on a phone belonging to Ahmed Mansoor, a prominent human rights activist in the United Arab Emirates. NSO continued to sell the product to the UAE government long after Apple said it had patched the vulnerability, the New York Times reports.
NSO Group says the tool has helped foil terror plots in Europe, allegedly contributed to the capture of Mexican drug lord Joaquin “El Chapo” Guzman and led to the arrest of many dangerous criminals and child sex traffickers.
NSO Group has not publicly revealed the names of its current clients. However, its software is not unique. Several companies, including Italy’s Hacking Team and Germany’s FinFisher, have developed technology to help law enforcement crack suspects’ phones.
Many countries, including Canada, have legal provisions that allow for “lawful interception” of certain communications in serious criminal cases. Canadian police need a warrant or a judge’s authorization to use such extreme measures, according to the Department of Justice.
However, Citizen Lab says the Pegasus software has been deployed against unwarranted political targets, such as journalists and activists.
Amnesty International has also accused NSO Group of releasing its technology to an entity that targeted one of Amnesty’s staffers. The human rights group has called for Israel to revoke NSO Group’s export licence, which would effectively kill all of its contracts with foreign governments.
What is NSO Group?
NSO Group is an Israeli cybersecurity firm that specializes in hacking smartphones. Its headquarters are in Luxembourg and its offices are in Herzliya, near Tel Aviv in Israel. The company has between 500 and 1,000 employees, according to its LinkedIn page.
The group claims on its website that its technology is used “exclusively by government intelligence and law enforcement agencies to fight crime and terror.”
NSO Group’s co-founders, Shalev Hulio and Omri Lavie, re-acquired a majority ownership stake in the company on Thursday, in a deal that reportedly valued the company at US$1 billion. Francisco Partners, a U.S.-based private equity firm that previously owned 70 per cent of the company, announced the sale in a news release.
NSO Group sells licences to its software through an export licence approved by the Israeli government. It has dozens of licensed customers and earned $250 million in revenue last year, Francisco Partners said.
Hulio and Lavie founded NSO Group in 2010 and have been with the company ever since, serving as its CEO and director, respectively.
NSO Group has denied all allegations that suggest its software has been used improperly. It insists its product is meant to be used exclusively to prevent crime and terrorism.
“Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company,” NSO Group said in a written statement to Amnesty International last August. The statement was issued after Amnesty claimed one of its members was spied on using NSO software.
NSO Group has signed several lucrative contracts with foreign governments, including multi-million-dollar deals with Saudi Arabia and the United Arab Emirates, according to reports in the New York Times and Haaretz, an Israeli daily newspaper.
Khashoggi friend allegedly hacked
One of the three lawsuits against NSO was filed in Israel on behalf of Saudi dissident Omar Abdulaziz, a permanent resident of Canada living near Montreal. Abdulaziz alleges that Pegasus software was used to monitor his conversations with Saudi journalist Jamal Khashoggi last year, shortly before Khashoggi was murdered in the Saudi embassy in Istanbul.
Edward Snowden, the former NSA contractor turned whistleblower, has also suggested that Abdulaziz’s hacked phone may have contributed to the death of Khashoggi, citing an analysis by Citizen Lab.
“The reality is that they bugged one of his few friends and contacts using software created by an Israeli company,” Snowden told an audience in Tel Aviv via video link last November.
Citizen Lab published a report about Abdulaziz’s hacked phone on Oct. 1, one day before Khashoggi was killed. The Citizen Lab researchers concluded with “high confidence” that the breach was caused by NSO’s Pegasus spyware.
NSO Group disputed some details in Abdulaziz’s lawsuit in a written statement to the Times of Israel in December. The company said the lawsuit “appears to be based on a collection of press clippings that have been generated for the sole purpose of creating news headlines and do not reflect the reality of NSO’s work.”
NSO Group CEO Shalev Hulio says the company looked into the allegations and concluded that its software was not involved in Khashoggi’s murder.
“Khashoggi was not targeted by any NSO product or technology, including listening, monitoring, location tracking and intelligence collection,” he told Yedioth Ahronoth, a Hebrew-language daily, in an interview last month. The interview was translated by Yedioth Ahronoth’s English-language sister site, Ynetnews.
He added that the company immediately sanctions any customer that is found to be using its software for anything other than saving lives and thwarting crime or terrorism.
NSO has also denied any connection to the individuals who contacted Abdulaziz’s lawyers or Scott-Railton and Razzak at Citizen Lab.
Scott-Railton says the whole situation is shining some much-needed light on the highly secretive and extremely lucrative business of military-grade spyware.
“The problem is, this industry operates in the shadows, and not everything that happens there is just about catching bad guys,” he said.
“Sending private spies to go after academics is a tactic you might use if you have something to hide.”
—With files from The Associated Press and Reuters