Step-by-step: How Israel Police used NSO’s Pegasus to spy on citizens

Dozens of investigators in Israel Police are using the different capabilities of NSO’s Pegasus system in order to intimately track intelligence targets. Some of these targets are dangerous criminals, but Calcalist’s exposé revealed that some are citizens that were labeled as dangerous after it became apparent that their political views oppose those of the Israeli government under the leadership of former Prime Minister Benjamin Netanyahu.

Calcalist reveals how the system works: For around a week Israel Police investigators used NSO’s Pegasus around the clock. Analysts scrutinized the data collected on each target and a designated investigator continuously tracked the incoming and outgoing calls and messages from the phone. After a week of surveillance, the team gathers for a meeting in which the target's profile, including his weaknesses and the leverage points identified during the tapping are discussed among the attendees. For example, if it becomes apparent that the target is a married man who holds intimate meetings with men, this information can be used as leverage against him during a future investigation. Regardless of what ultimately is decided in the suspect’s case, this information will almost always be saved in some police cabinet.

Former police cheif Roni Alsheikh (left), police chief Kobi Shabtai and NSO CEO Shalev Hulio. Photos: Elad Gershgoren and Alex Kolomoisky

1. Marking the target

The use of Pegasus by police starts, of course, well before the attempt to install the spyware on the targeted phone. The operator’s software is installed on a designated computer in a locked room at the SIGINT unit’s offices in Jerusalem. The order to collect intelligence information on a target is given to the head of the technologies unit from a high-ranking officer and from there it is passed on to a special operations officer. The officer assembles the team, provides the phone number of the target, and a general explanation for the reasons this powerful surveillance tool is being used. This is where the discussion regarding the essence of the activity ends. At this stage, a file with the target’s name is opened on the computer in which the goals of the surveillance are detailed.

2. Hacking the phone

The next stage is tapping the phone. In some cases, the phone can be penetrated in what is known as a zero-click attack in which there is no need for the user to take any action. However, these hacks are difficult to track and operate and many times there is a need to use a one-click attack in which the target needs to open a link sent to them so that Pegasus can be installed on their device. In this situation, investigators need to use some social engineering, understanding what kind of message should be sent to the target and through which medium (SMS, WhatsApp, social media DM) in order to come up with the most convincing approach that will convince the target to click on the link. A common practice is to send a text message that impersonates a news story on a topic that interests the target with a link that will send the target to a malicious website being operated by the attacker.

3. Extracting the data from the phone

If Pegasus manages to infect the phone (it isn’t rare that the attack fails), the operators will receive a notification of a successful infection. Pegasus will begin extracting information from the victim’s phone and transfer it to the police’s computer where it will be automatically filed away according to file type (photos, recorded calls, WhatsApp messages, etc). Simultaneously, investigators can track the phone in real-time (meaning track whatever the target is seeing while using the device), and also receive offline access to the phone’s usage history (meaning see what the user saw a day earlier, for example).

4. Real time tracking

There is a significant amount of information that is collected from several targets simultaneously. In order to track and analyze this data in real time, the police operate a team of analysts that work around the clock in three shifts, 24 hours a day, seven days a week. They analyze offline the data collected from the different devices that have been penetrated by Pegasus. At the same time, another investigator sits and listens to any call made from the phone and can see any alert received by the phone, incoming emails, etc.

5. Building a target profile

After a week of collecting and analyzing information, the investigative team gathers for a special meeting. The investigators prepare a presentation of the profile of the target and his weaknesses based on the information collected and its analysis. In one instance, as revealed in Calcalist today, investigators discovered through Pegasus that the target was using a gay dating app named Grindr. This information was included in the presentation, which read: "he is meeting men, apparently, while being married, it is leverage for investigation, prepare confidentiality, and a wiretap warrant."

6. Making a decision and filing the findings

The team discusses the findings and at the end of the meetings decides whether there is enough information to be transferred to the relevant investigative unit. In regards to the privacy of the victim, this decision is of little significance as even if it is decided not to transfer the information to the investigative unit, it is still saved in a “target file”, either a physical file or a computer file. Meaning: police save all of the data collected via Pegasus even if it doesn’t have enough information to continue the investigation. Only on rare occasions is the information shredded or deleted.

7. Approaching the courts ex post facto

All of the process until this stage takes place without any warrant or involvement of a court. Only if it is decided to transfer the information to the investigative unit will the SIGINT investigators decide whether a bugging warrant was required ex post facto. The unit that approaches the court is the investigative unit and not SIGINT, which committed the hack and collected the data. In fact, the request for the warrant is done based on information received in a hack conducted without any warrant and without even the investigators who are requesting the warrant knowing its source, other than the fact that it was acquired via “technological tools”.

This is probably the basis for police claims in their response to the Calcalist exposé that the use of Pegasus was done in accordance with a court warrant. Even if there is a warrant, it was only granted after the hack, which required the warrant, already took place. And if the information wasn’t passed on to continue the investigation, no warrant was requested or granted at all.

Omer Kabir contributed to this report