Dublin-based rights group Front Line Defenders (FLD) said it began investigating the devices — all iPhones — last month after it was contacted by Ramallah-based civil society group Al Haq about a possible infection of a phone belonging to one of its staff.
FLD went on to share its investigations with Amnesty International and Citizen Lab, both of which have conducted investigations into NSO Group spyware penetration. They confirmed the FLD’s findings.
The Palestinian NGOs include those designated as terrorist entities by Israel last month, a move that was sharply criticized by international donors who said the evidence used to back up the designations was unconvincing.
Last week, the US Commerce Department blacklisted NSO Group, accusing it of enabling governments to “silence dissent.”
The rights groups who uncovered the hacking of staff at Palestinian NGOs have not accused any particular government of ordering the Pegasus hack, but in a joint statement referenced NSO Group’s headquarters location in the Israeli city of Herzliya.
“NSO Group’s headquarters in Herzliya, Israel, are less than a hundred kilometers from where the hacked Palestinian organizations work,” the statement said. “Not only has this technology been exported to countries where it has facilitated human rights abuse like Saudi Arabia and Mexico, but it is also being deployed locally and in some cases against Israeli [phone] numbers — something which the NSO Group previously claimed was not possible.”
In response, NSO Group said: “Due to contractual and national security considerations, we cannot confirm or deny the identity of our government customers. As we stated in the past, NSO Group does not operate the products itself; the company license approved government agencies to do so, and we are not privy to the details of individuals monitored.”
NSO Group says its spyware helps “law enforcement and intelligence agencies around the world to defend the public from serious crime and terror.”
Cybersecurity analysts and human rights activists have long accused NSO Group, in particular, of selling invasive and easy-to-use mobile hacking software to repressive governments.
NSO Group’s Pegasus spyware is said to have been used to spy on a journalist and activist in Morocco, the widow of a slain Mexican journalist and two women connected to murdered Saudi journalist Jamal Khashoggi, among other targets, according to security researchers.
US government officials have been concerned by the expansion of the market for hacking tools and the ability of foreign governments to quickly develop their own cyber capabilities using American expertise. In September, for example, the Justice Department announced charges against three former US intelligence and military operatives for allegedly helping build a hacking program for the United Arab Emirates government.