A Ukrainian effort to acquire the powerful Pegasus spyware system was blocked by Israeli defense officials out of fear that such a move would upset Russia, which in 2014 had seized Crimea and fomented separatist fighting in Ukraine’s eastern region, according to people familiar with the decision.
Ukraine’s efforts to bolster its surveillance capabilities, like its efforts to strengthen its military, had support from the United States, Israel’s closest ally.
But Israeli officials balked at any move that might provoke a confrontation with Russia, whose military at the time was aggressively helping Syria combat a rebellion beyond Israel’s northeastern border. The country’s Defense Exports Controls Agency rejected a possible license that would have allowed the NSO Group to offer Pegasus to Ukraine, said the people familiar with the decision, who included Western intelligence officials. These people believed this action happened as far back as 2019, but the exact timing was unclear.
Concerns about Russian reaction also affected NSO’s dealings with Estonia, a member of NATO, say people familiar with those actions. According to these people, NSO had licensed Pegasus to Estonia, which achieved independence from five decades of Soviet rule in 1991 and is known for its aggressive counterintelligence measures against Russia, but the company later imposed restrictions on the spyware’s use. The exact nature of those restrictions is not clear, though Estonia does not have the ability to target Russian phones, according to people familiar with its Pegasus license.
Though NSO is a private company, Israeli officials have for years sought to align its distribution of Pegasus with national diplomatic priorities. The website for the Defense Exports Controls Agency, which is part of the nation’s defense ministry, says it “has worked to protect Israel’s national security and defense interests through its licensing responsibilities in relation to defense equipment, know-how, counter-proliferation, and in terms of preventing damage to Israel’s international relations and national strategic interests.”
NSO officials have long said that Pegasus, which can turn almost any smartphone into a spying device, cannot be used by foreign governments against U.S. +1 numbers or to spy on phones with foreign-based numbers if they are inside the United States. More recently, the company began blocking the ability of foreign governments to use Pegasus against phones linked to British cellular networks in August 2020, according to people familiar with company operations.
But the extent of Israel’s efforts to avoid upsetting Russia by limiting the use of Pegasus has not previously been reported. This article was jointly reported by The Washington Post and Britain’s Guardian newspaper.
The Pegasus Project, a global investigation consortium including The Washington Post, The Guardian and 15 other partners, last year found widespread abuses, with politicians, journalists, human rights workers, diplomats and government officials targeted in numerous countries.
The investigation, led by Paris-based journalism nonprofit Forbidden Stories, also found that government operators of Pegasus often use it as an intelligence gathering tool to surveil targets outside their own borders, in neighboring countries and beyond. NSO’s customers include dozens of countries, including some in Western Europe, say people familiar with the use of Pegasus.
In the nearly four weeks since Russia invaded Ukraine, Israel’s efforts to limit the distribution of a powerful spying tool seem newly relevant. Israel’s current prime minister, Naftali Bennett, has taken a softer stance toward Russia than other American allies and has sought to mediate between Russia and Ukraine. Israel also reportedly refused to sell its Iron Dome missile defense system, developed with U.S. financial support, to Ukraine last year, according to Israel’s Ynet News.
The Israeli Defense Ministry, which Bennett once headed, on Tuesday acknowledged in a statement that it considers a wide range of factors when granting a license for Pegasus. “Policy decisions regarding export controls take into account security and strategic considerations, which include adherence to international arrangements,” the statement said.
It did not directly address most of the questions posed by The Post and The Guardian. U.S. officials did not reply to questions about this story posed on Tuesday.
Ukraine’s desire to acquire Pegasus and Israel’s reluctance to allow the move were previously reported by Israel’s Channel 12.
The NSO Group, presented with a detailed list of questions, said in a brief statement, “NSO continues to be subjected to inaccurate media reports regarding alleged clients, which are based on hearsay, political innuendo and untruths.”
Mykhailo Fedorov, Ukraine’s deputy prime minister who oversees digital technology for Ukraine, declined to confirm that his nation had sought to acquire Pegasus, but he acknowledged the country has been seeking Israeli technology.
“The government of Israel is at this time not participating in any discussion or facilitation regarding offensive tech, but we have ongoing conversations with a lot of the Israeli companies in the market and they’re at various stages,” he said. “But again, let me say this: We have enough capability to continue winning and we’re adding new tools, including emerging tools, every day.”
Russia, whose embassy in Washington did not respond to a request for comment, has treated Ukraine with increasing hostility since the Maidan Revolution of 2014 pushed the country toward Europe and the West. Russia seized the strategically important Crimean region that year and fomented a separatist movement in the eastern Donbas region that continued up until Russia’s full-scale invasion of Ukraine last month.
Estonian Ministry of Defense spokeswoman Susan Lillevali declined to comment about the use of Pegasus in her country, which has not been previously reported.
Pegasus can infect almost any smartphone, whether made by Apple, Google, Samsung or other companies, through a malicious link embedded in a text message or through what’s called a “zero-click attack.” Such attacks require no action by the phone’s user and begin without any kind of alert.
Once Pegasus infection starts, operators of the system can do anything its owner can do — access files, contacts, passwords, photos and videos, or track the current and historic locations of targets. Operators of Pegasus also can remotely activate cameras or microphones to listen directly to conversations, make video or eavesdrop on calls.
The NSO Group has repeatedly said that Pegasus is intended for use against terrorism and major crimes such as drug trafficking, and that the company investigates reports of abuses and cuts off nations that misuse the system. The company has said that there are dozens of countries to which it will not license Pegasus because of human rights or other concerns.
After the Pegasus Project was published last summer, it was also discovered that Pegasus had been used to target the telephones of American diplomats in Uganda. The Biden administration in November blacklisted NSO Group, depriving it of access to American technology.
Craig Timberg is a Washington Post technology reporter. Stephanie Kirchgaessner is a Washington-based investigative reporter for The Guardian. Souad Mekhennet, Ellen Nakashima and Shane Harris are Washington Post national security reporters. Post technology reporter Cat Zakrzewski contributed to this report.