The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Group maps alleged victims of NSO Group surveillance tool

Placeholder while article actions load
Researchers built a platform to track the proliferation of a surveillance tool made by NSO Group. It is partially designed to be used as evidence in legal cases.

For years, activists, journalists and opposition figures around the world have decried the Israeli firm NSO Group for allegedly enabling the hacking of their phones. A new platform developed by Forensic Architecture, a research group based at Goldsmiths, University of London that specializes in open-source investigations of human rights issues, aims to up the pressure on the firm.

The platform was built in partnership with Amnesty International and the Citizen Lab at the University of Toronto. To create its data set, Forensic Architecture scoured news reports, legal documents and reports by researchers from Amnesty and the Citizen Lab. It also conducted interviews with more than a dozen lawyers, researchers and alleged targets of NSO’s Pegasus surveillance tool, which researchers say has been deployed in dozens of countries worldwide. 

The group also mapped the cyberattacks in what it is calling “the most comprehensive database to date” on reported Pegasus infections.

“The problem with digital violence is that it’s hard to see,” Forensic Architecture Director Eyal Weizman told The Cybersecurity 202. “We hope [the project] gives an image to what has happened.”

“These are cyber weapons,” Weizman said. “Things happen to you in the physical world at the time that you’re infected in a digital space.”

NSO dismissed the project in a statement.

“These are recycled claims, filled with inaccuracies and half-truths,” a company spokesperson said, touting its human rights policy. The company “investigates all credible claims of misuse, and takes appropriate action based on the results of its investigations. This includes shutting down a customer’s system — a step NSO has taken several times in the past, and will not hesitate to take again if a situation warrants,” the spokesperson said.

The spokesperson also noted that the company has notched legal victories, including one over Amnesty International in Israel, and said the firm can neither confirm nor deny its government customers identities for contractual and national security reasons.

The spokesperson also touted the companys release last week of its first “transparency and responsibility report,” which it called a “historic first-foray” into the conversation about surveillance companies and the interplay between security and human rights.

In interviews by Forensic Architecture and Oscar-winning director Laura Poitras, reported Pegasus targets describe how they discovered being under surveillance and how the infections impacted their lives. 

“Things like hacking have long-term consequences that we don’t always see in the beginning,” said lawyer Mazen Masri, who has sued NSO Group on behalf of activists who say they were infected by Pegasus, and is interviewed in one of the videos.

One of those consequences is a sense of isolation, according to Weizman.

The project brought together a “very interesting coalition of very, very different practitioners,” according to Weizman. Indeed, the videos have a high-profile narrator: Edward Snowden, the former National Security Agency contractor best known for leaking top-secret government documents in 2013. The group also collaborated with Poitras, who created a film about the platform, and musician Brian Eno, who translated the data set into sound.

The collaborations with Eno, Poitras and Snowden go deeper than that, however. They fundamentally shaped how Forensic Architecture approached the project, Weizman said.

“I think the investigation of not just the NSO Group, but this sector and this technology, is the most important unwritten story in media today,” Snowden said at a launch event for the project at the Haus der Kulturen der Welt, a Berlin cultural center.

The project aims to increase pressure on NSO Group in multiple arenas including courtrooms, where Forensic Architecture aims to use the work “as evidence in legal processes,” showing the “systemic nature of the problem.”

It’s also designed to inform NSO’s investors that they’re investing in tools Forensic Architecture says have crossed the line into cyber weapons, and that they should reconsider those investments. Forensic Architecture also wanted to open the debate over cyber human rights violations to the public and turn the art sphere into a place for accountability, Weizman said.

Meanwhile, NSO isn’t staying silent in Washington. 

The company last week hired law firm Pillsbury Winthrop Shaw Pittman to advise it on “business development opportunities and strategies to educate potential business and government partners about NSO’s state-of-the-art technologies, including legal advice on U.S. government procurement regulations and corporate compliance policies,” according to a filing submitted to the Justice Department.

The law firm, which will be paid $450,000 by the company over the next six months, will also “provide assistance with education of government officials about NSO’s technology,” according to the filing. Pillsbury did not respond to a request for comment on the contract.

NSO is “delighted” to be working with the firm, a company spokesperson said. “We hope, through this partnership, to further enhance the company’s activities and efforts to keep the world a safer place through use of our technologies.”

The keys

Hackers say they locked more than 1 million devices in a ransomware attack on IT company Kaseya.
CEO Kaseya Fred Voccola descried the impact of a sprawling ransomware attack against the software company on July 4. (Video: AP)

Russian-language hacking group REvil, which claimed responsibility for the cyberattack on Kaseya, demanded a $70 million ransom in exchange for a key to unlock the systems, Rachel Lerman and Gerrit De Vynck report. President Biden said he directed “the full resources of the government to assist in the response. On Saturday, President Biden said that the initial thinking was that the Russian government was not involved, but that the U.S. government was still looking into it.

REvil was also responsible for a June ransomware attack on JBS, the world’s largest meat supplier. The company later confirmed that it paid the group $11 million in ransom.

Just 50 to 60 of Kaseya’s customers were compromised, chief executive Fred Voccola told the Associated Press’s Frank Bajak. But 70 percent were service providers who manage other customers, leading Voccola to estimate the number of victims in the low thousands.

Trump allies pressed Maricopa County officials to stop counting election ballots.

Arizona GOP Chair Kelli Ward told the Maricopa County Board’s chairman at the time, Clint Hickman, that “we need you to stop the counting” in the days after the 2020 election, 12 News KPNX’s Brahm Resnik reports. Ward also sent baseless claims about election machines to Maricopa Supervisor Bill Gates and scolded the board for “throwing in the towel.”

The board unanimously certified the Maricopa County vote on Nov. 20. 

The messages and recordings were first obtained by the Arizona Republic through a public records request. Ward responded on Twitter:

Trump lawyer Rudy Giuliani called the four Republican members of the five-member board as Republican lawmakers from Arizona called for election results to be thrown out. Only one member of the board followed up with Giuliani, according to the Arizona Republic. 

The state’s Republican-controlled Senate authorized a partisan audit of Maricopa County’s election results, which began in April. The review has prompted security concerns. The county says it will replace the voting equipment that was reviewed over fears the security of the machines was compromised.

China’s cyberspace regulator ordered ride-share giant Didi to be removed from Chinese app stores.

Regulators said Didi Chuxing “illegally collected and used users’ personal information” in a “grave violation of law and regulation,” Lyric Li and Pei Lin Wu report. The company, which said it would continue to operate in China but without new users, said it expects the app takedown to “have an adverse impact on its revenue in China.”

The state-owned Global Times cheered the ban. “We still do not know how Didi Chuxing illegally collected users’ personal information,” the newspaper said in an editorial. “The state will never allow tech giants to collect more detailed personal information in their mega-databases than the state has of the Chinese people.”

Global cyberspace

Evidence found on a second Indian activist’s computer was planted, report says (Niha Masih and Joanna Slater)

Cyber insecurity

A string of top accounts on the new pro-Trump app GETTR were hacked and defaced on its July 4 launch day, and the person claiming to be the hacker says the site still has several security bugs (Insider)

Industry report

In crosshairs of ransomware crooks, cyber insurers struggle (Associated Press)

Chinese-owned firm acquires UK’s largest semiconductor manufacturer (The Guardian)

Chat room

The Kaseya cyberattack’s timing, in the hours leading up to the July 4 holiday weekend, was conspicuous. Bad Packetschief research officer Troy Mursch:

The NSA’s director of cybersecurity, Rob Joyce, said it made him more motivated:

Security Management senior editor Megan Gates:

Corellium chief operating officer Matt Tait, a former analyst at U.K. signals intelligence agency GCHQ:


  • Carnegie Mellon Universitys Center for Informed Democracy and Social-cybersecurity kicks off its two-day annual conference on July 12.
  • Defending Digital Campaigns hosts a cybersecurity training event for Oregon campaign and election officials on July 13 at 2 p.m.

Secure log off