NSO Group Issues Response As Leak Gets Them Kicked Off Amazon

As the leak continues to push the shadowy company more into the public spotlight, NSO Group has issued a response.

It’s been quite the week for military-grade malware vendor NSO Group. Obviously, not a good one. Last weekend, a leak suggested that as many as 50,000 journalists and activists were potentially targeted by the spyware. They are generally those working in third world countries under repressive governments. As a general rule, if you are found to have been assisting these repressive third world governments in cracking down on human rights, you probably aren’t going to be looked at in a positive light. In response, Amazon began shutting down NSO Group linked accounts on its services.

Shortly after, the fallout of the leak grew as high-ranking politicians were apparently flagged as possible targets for the Pegasus Project malware. This includes the French president and the inner circle of the Mexican president. Combine this with the WhatsApp lawsuit and the situation really doesn’t look good at all.

So, unsurprisingly, NSO Group has issued a response to all this. The response from the organization was posted on The Guardian. To our surprise, it’s actually a rather lengthy one. It starts off somewhat reasonably with the following:

NSO Group firmly denies false claims made in your report, many of which are uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story.

NSO Group has good reason to believe that claims that you have been provided with, are based on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products.

The alleged amount of “leaked data of more than 50,000 phone numbers” cannot be a list of numbers targeted by governments using Pegasus, based on this exaggerated number. The fact that a number appears on that list is in no way indicative of whether that number was selected for surveillance using Pegasus. NSO is not related to the list [of numbers], it is not an NSO list, and it never was. It is not a list of targets or potential targets of NSO’s customers. Forbidden Stories never shared the leaked list with NSO Group to allow it to verify or comment on the list.

So, basically, they question the credibility of the list in question. Had this been the entire statement, a reasonable conclusion would be to say that showing the credibility of that data would be in Forbidden Stories’ court. However, whoever wrote that statement chose to keep typing (which is almost never a good sign):

NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets yet [its customers] are obligated to provide us with such information under investigations. NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as identity of customers of which we have shut down systems.

As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi. We can confirm that our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in your inquiry. We previously investigated this claim, which again, is being made without validation.

Those two paragraphs seemingly contradict each other. In the first paragraph, NSO Group says that they don’t have access to their customers’ targets. The second paragraph says that they know full well that their technology was not used in the murder of Jamal Khashoggi. Either the organization knows who the targets of their software are, or they do not. In effect, they admit that the only way they know their malware isn’t being misused is by their customers being totally honest and telling them who their targets are. Admittedly, that sounds like a pretty tenuous method of ensuring that their software isn’t being misused.

We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no foreign customer has ever been granted technology that would enable them to access phones with US numbers. It is technologically impossible, and reaffirms the fact that your sources’ claims have no merit.

This is a pretty curious claim that it would be “technologically impossible” to surveil a US phone number. An interesting question would be, “in what way?”. Does the software simply block all US numbers? Is this based on the above statement that the client simply pinky swears they won’t target US phone numbers? Sadly, we don’t have an answer to this here.

The statement then wraps up with this:

The fact is NSO Group’s technologies have helped prevent terror attacks, gun violence, car explosions and suicide bombings. The technologies are also being used every day to break up paedophilia, sex- and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.

Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.

If your company is under fire for something, the absolute last thing you want to do is provide a statement in response that contradicts itself. In this case, on the one hand, the organization says that they have no access to a list of targets for their malware. On the other hand, they somehow are magically able to determine if their software was being misused. That, at the core, is the problem of this statement. It’s a bit difficult to see how this statement really helps the organization all that much.

There are really two options for this organization at this stage. The first option is to offer clarity on some of what is being said to try and put to rest some of the questions out there. The other option is to lay low and hope this all blows over. Given how tough this spot is, both options have pitfalls here.

Drew Wilson on Twitter: @icecube85 and Facebook.
