Google’s top security specialist says the US government should impose tighter regulation on spyware such as Pegasus, which can be used to covertly monitor mobile devices. The call came as it was revealed the Pegasus software, produced by Israeli company NSO Group, has likely been used to spy on devices belonging to European Union officials.
Shane Huntley, who heads up the company’s Threat Intelligence Group (TAG), said restrictions placed on NSO Group were a positive step, but told a hearing of the US House Intelligence Committee on Wednesday that a full ban on the procurement of commercial spyware technologies should be introduced in the US, and that the government should consider applying further sanctions to vendors who produce the technology.
NSO Group was placed on the US “entity list” last year, which means US companies are limited from doing business with it on national security grounds.
Spyware is a particularly effective and evasive type of malware that is capable of hacking into any device to access its camera, microphone and stored data. Pegasus is the most high-profile example of the technology, with a global investigation last year finding that it was being used by authoritarian regimes to covertly track political opponents, activists and journalists. It has since been revealed that devices belonging to government officials in the UK, France and Spain are among those that have been targeted by the software.
Huntley said TAG “is actively tracking more than 30 vendors, with varying levels of sophistication and exposure, selling exploits or surveillance capabilities to government-backed actors”. He added: “We have publicly taken action to discover and counter exploits and malware produced by Equus, Cytrox, Candiru and RCS Labs, amongst others.”
Committee chair Adam Schiff added that when it comes to Pegasus “we are very likely looking at the tip of the iceberg, and that other US government personnel have had their devices compromised, whether by a nation-state using NSO’s services or tools offered by one of the lesser known but equally potent competitors”.
European Union staff ‘phones compromised by Pegasus’
Meanwhile it emerged this week that phones belonging to prominent EU officials may have been compromised by Pegasus.
In a letter seen by Reuters, EU Justice Commissioner Didier Reynders says “indicators of compromise” by Pegasus were discovered on his device and phones belonging to European Commission employees. An investigation of the devices was triggered after Apple warned Reynders last year that his phone may have been hit by spyware, according to the letter dated 25 July.
Earlier this year the EU formed a committee to investigate the use of spyware in Europe, and last week it announced that an investigation found that 14 European member states had licensed NSO Group technology.
Addressing a hearing of the committee last month, NSO Group’s general counsel Chaim Gelfand said the company had “made mistakes”, but defended its efforts to ensure the company’s software is not misused, saying: “We’re trying to do the right thing and that’s more than other companies working in the industry.” He added: “Every customer we sell to, we do due diligence on in advance in order to assess the rule of law in that country. But working on publicly available information is never going to be enough.”