Israeli cyber-intelligence firm NSO Group’s spyware Pegasus has been all over the news lately after some news reports suggested that the Centre was allegedly using the technology to monitor certain citizens.
For Rwanda particularly, the cache of 50,000 phone numbers includes 3,500 people purported to have been targeted from Rwanda. The government, through foreign affairs minister De Vincent Biruta has repeatedly denied the country has ever used that technology.
Pegasus is an extremely sophisticated program that is designed for use by government agencies and is not meant to be operated by individuals or small groups.
For operating the Pegasus program, several hardware requirements need to be met and contracts need to be signed. Here are some of the requirements that need to be met before a customer can operate the Pegasus program:
Hardware requirements for Pegasus
The first thing to note is that Pegasus cannot be operated with just the software provided by NSO. A Pegasus customer is required to set up a physical office for operating the program. The office will house the local support infrastructure needed to run the program. This infrastructure is typically set up in an air-conditioned two-room setup or a large hall.
The setup for Pegasus could ideally need a server space of 25 square metres and an operator space of 100 square metres, as per documents submitted to a US court.
Apart from other hardware equipment, the server room should be able to contain at least two 42U racks cabinets which are the standard server rack cages. Servers, monitors, routers, UPS system, processors, keyboards, wires and other hardware equipment are integrated to form a complex architecture to run Pegasus program. Depending on the scale of the operations, the infrastructure would need to be expanded accordingly.
The temperature of the server room has to be maintained at around 18 degrees Celsius. The infrastructure requires network connectivity to run the operations. At least two Asynchronous Transfer Mode (ATM) lines from two different Internet Service Providers (ISPs) are required for this. The customer would then need to set up eight static external internet protocol addresses.
The infrastructure would need a stable cellular network that has a signal strength better than at least -95 decibels. Hence, a cellular tower should be close to the location of the setup. Several SIM cards are also required.
The US court documents show that customers are also mandated to submit a third party named credit card, passport copy of an individual and utility bill that should not belong to the organisation that has actually bought the program.
Timeline for setting up Pegasus program
The entire deployment process for Pegasus can take up to 15 weeks. During the initial week, the NSO Group confirms the identity of the end-user and receives clearance from Israel Ministry of Defence (IMOD). Without this approval, no operation can go forward.
All Pegasus customers are monitored by NSO Group as it is mandatory under Israeli laws to ensure that its technology is not used against Israel itself. Hence, the identity of the end-user has to be verified and approved by the government of Israel.
Over the next six weeks, the process of equipment acquisition, system integration and local network adjustments takes place. After this, the device porting process begins. This is then followed by system training during which NSO Group provides instructions to the customer’s staff on how to run operations and conduct maintenance.
Once the customer pays the full license fees to NSO Group, the Pegasus program becomes ready to run.
How much will it cost?
Operating the Pegasus spyware is not cheap and the prices are not uniform for every customer as they depend on various factors. The US court documents revealed that NSO Group allegedly charged $8 million to set up a Pegasus system in Ghana in order to spy on 25 phone numbers during 2015-16. The customer was also expected to pay an annual support fee that was 22 per cent of the system consideration cost, i.e. $1,76,000.
In 2016, NSO Group had charged $6,50,000 plus 17 per cent of the total amount as an annual service fee to spy on 10 iPhone users, according to a New York Times report. It is speculated based on Wikileaks reports that Pegasus had reduced the prices due to competition in the business.
A marketing brochure submitted to the US court offers a glimpse into the dashboard of the Pegasus spyware once it is finally running. The dashboard provides options to access customised data that is collected from the end user’s targets.
Contracts signed for Pegasus program
To avoid exposure, NSO Group and the government agency wanting to use Pegasus sign the contract through two front companies standing in for both parties. However, the government agency is mentioned as the end-user in the contract which bars it from transferring the program to another party down the line.
Pegasus spyware also comes with a warranty. NSO Group offers a limited 12-month warranty period on services. It offers year-round 24-hour support with its dedicated Network Operations Centre (NOC) to solve problems faced by customers. However, the warranty doesn’t cover third-party hardware installations and would become void in case of local modifications or mishandling. The firm also takes care of regular software updates to Pegasus.
Pegasus in black market
While there are several military-grade surveillance tools available in the black market, there is no guarantee that they actually work. Pegasus is a sophisticated program that requires manpower and significant infrastructure to operate. Its software also needs constant upgrades. These factors make it extremely difficult for any individual to develop and run a similar program.
However, one NSO Group employee did try to sell the program for $50 million in 2018. He was caught by the company and arrested.
Adapted from Business Today and agencies