‘Terror Contagion’ Director Laura Poitras On Dangers Of Israeli Company’s Pegasus Malware: “It’s Classified As A Cyber Weapon”
UPDATED from original 12/10 story with more background on Forensic Architecture and corrected spelling of the name of FA lead researcher Shourideh Molavi:
With voting now underway for the Oscar documentary shortlists, Academy Doc Branch members are choosing from a variety of contenders, including one from Laura Poitras, director of the Oscar-winning Citizenfour.
Poitras’s earlier film focused on Edward Snowden, the whistleblower who revealed the existence of the National Security Agency’s secret and widespread surveillance programs. Her latest, the short documentary Terror Contagion, exposes the activities of a private Israeli company called NSO, maker of a spyware program that has been deployed by numerous governments to crack down on journalists, human rights advocates and others.
“It’s classified as a cyber weapon. This is how extremely violent and invasive this technology is,” Poitras tells Deadline. “NSO Group, this Israeli company, sells to other countries, often countries that have a very bad history or track record of human rights.”
Like Saudi Arabia. The regime allegedly used the Pegasus software to infect the phone of a Saudi dissident, Omar Abdulaziz, and through that hack was able to monitor one of his friends, the journalist Jamal Khashoggi, a columnist for the Washington Post. Khashoggi was subsequently assassinated in 2018; according to an assessment by the U.S. Director of National Intelligence, Saudi Arabia’s Crown Prince Muhammad bin Salman approved the murderous operation.
Shourideh Molavi, a scholar of political science and researcher with Forensic Architecture (FA), says in the film. Molavi served as lead researcher on FA’s investigation of NSO Group and Pegasus, the centerpiece of Terror Contagion(FA describes itself as a “research agency, based at Goldsmiths, University of London, investigating human rights violations including violence committed by states, police forces, militaries, and corporations.”).
“We use spatial and media techniques to investigate state and corporate violence,” Molavi tells Deadline (in an interview conducted via an encrypted app). “We visualize the evidence. We use open source tools to gather [publicly available] information… to show patterns and relations among various events, and then to tell a story of state violence.”
Abdulaziz was living in exile in Canada when he was hacked through Pegasus malware, evidence that governments can now track perceived opponents no matter their location.
“Pegasus is being used by governments… to track people even once they have left their jurisdiction,” Molavi says. “It’s a way that the state reaches out and touches you while you have left its borders formally. And this is a whole new terrain of battle for human rights activists. We’re used to living under a state, then fleeing the repressive state, seeking shelter elsewhere. That’s something you cannot do anymore.”
Part of the sophistication of Pegasus is how it infects mobile devices. Gone is the need, for instance, to get a user to open a Trojan Horse by clicking on a disguised link.
“The current technology is what’s called Zero Click technology, which basically means all they have to do is call you,” Poitras explains. “In other words, you don’t have to do anything. You don’t have to click on anything malicious. All they have to do is call you and you’re infected. And the infection allows them to obtain everything that’s on your phone, to activate your camera and your microphone. So, there’s no way to fend against it.”
The director adds, “The other thing that this software could do, which is really terrifying—it comes up in the film—is that it can pretend to be you. It can send messages as if it’s coming from you… or an email ‘from you’ that actually is coming through whoever the attacker is.”
China, Russia, Iran, North Korea, the United States, and other countries have invested heavily in their own cyber programs for offensive and/or defensive purposes. But NSO represents a different kind of player—it’s a private enterprise.
“The private sector, cyber weapon industry, is a really alarming escalation, in terms of cyber war,” Poitras observes. “You have these companies that are really not accountable. There’s no sense of accountability… Now we have these cyber weapon mercenaries, NSO Group and others, that are selling these incredibly invasive, dangerous tools to regimes all over the world.”
Last month, a U.S. appeals court rejected efforts by NSO to derail a lawsuit filed by WhatsApp, a sister company of Facebook. The suit alleges NSO Group sold software that leveraged WhatsApp to infect the phones of well over a thousand people across 20 countries.
In November, Apple filed its own lawsuit against NSO Group, “to hold it accountable for the surveillance and targeting of Apple users.” The company wrote, “The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.”
Earlier this week, reports claimed Pegasus software was used to infect the iPhones of nine U.S. State Department employees, all of whom were involved in policy impacting Uganda. On November 4, the Biden administration added NSO and three other companies to a list of entities it says are acting in a manner contrary to U.S. national security.
The Commerce Department ruling noted “investigative information has shown that the Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”
“I think it’s about time that the U.S. starts to take this seriously,” Molavi says. “If I was American… and you see the same company is hacking into U.S. cyber infrastructure—it hacked WhatsApp, it hacked Apple, we see the same companies hacking U.S. State Department or government officials—I would be concerned.”
As noted in the film, NSO Group denies any wrongdoing. On its website, the company insists it applies “rigorous, ethical standards to everything we do… We are committed to the proper use of our technology—to help government security and intelligence agencies protect their citizens against terror, crime, and other major security threats. We take this commitment seriously and investigate any credible allegation of product misuse.”
Poitras is disturbed by the way Pegasus software has succeeded in producing a chilling effect on journalists and others promoting respect for human rights.
“Having myself been a target of surveillance, it’s a form of violence. It really is. You don’t trust—” Poitras pauses, before adding, “Anything you write, anything you do on your phone, anything you do over your computers, you just have to assume that it’s not private and it really impacts your life.”
She continues, “If you’re doing work in which people entrust information to you—if you’re a journalist and you have sources who trust you or if you’re a lawyer and you have clients and you have privileged communication—to be hacking them and taking that information, it has enormous negative consequences.”