FBI considered using Pegasus spyware in criminal investigations, report says
Israel-based NSO Group has been making waves in the cybersecurity community in recent years, becoming the target of an Apple lawsuit and US government sanctions. This did not prevent the Federal Bureau of Investigation (FBI) from almost using the company’s powerful but sleazy Pegasus spyware in criminal investigations, according to a report from The New York Times. The agency ultimately decided not to deploy the spyware, but it looks like the project is on the verge of becoming a reality.
NSO Group presents itself as a cyber intelligence and security firm, but is best known for creating malware that has been used to monitor activists, journalists and government officials around the world. Pegasus has made a name for itself in the cybersecurity world due to its advanced features and ease of deployment. While most malware requires physical access or some form of user interaction to install, Pegasus leverages private “zero-day” exploits to silently install itself on targeted smartphones. NSO Group used Apple’s own iCloud service to help embed the malware on iPhones, which led to the lawsuit.
Once executed on a target device, Pegasus connects to a command and control server from which the operator can monitor communications, activate the camera or microphone, and exfiltrate stored data. It’s nasty malware, and naturally the FBI was interested in leveraging it for criminal investigations. According to the report, between late 2020 and early 2021, the FBI was testing a version of Pegasus called Phantom that was designed to target US phone numbers. The bureau was apparently so far into the project that it had developed guidelines for federal prosecutors that outlined how to speak (or not speak) about the FBI’s use of Pegasus during court proceedings.
The program was suspended in July 2021, around the same time that Pegasus was found on phones belonging to close associates of murdered journalist Jamal Khashoggi. It was also used to compromise smartphones belonging to US State Department employees working in Africa. This seems to have been a turning point for any intended use of NSO Group tools. Later in 2021, the U.S. Department of Commerce added the company to its Entity List, which prohibits U.S. companies from doing business with the company.
The Times report includes an FBI legal brief, which summarizes its position. “Just because the FBI ultimately decided not to deploy the tool in support of criminal investigations doesn’t mean it wouldn’t potentially test, evaluate, and deploy other similar tools to access encrypted communications used by criminals,” the bureau said. The FBI probably has malware in its investigative arsenal, but NSO Group’s malware is not part of it.