Bulgaria and its Ministry of the Economy have found themselves at the center of a global scandal involving surveillance of human rights activists, journalists, dissidents, and politicians through the use of the Pegasus software developed by the Israeli cybersecurity firm NSO Group. The software has been used by both authoritarian regimes and democracies, according to a joint investigation by The Guardian, Le Monde, Haaretz, the NGO Forbidden Stories, and other publications around the world.
Bulgaria was one of three countries (along with Israel and Cyprus) to issue an export permit to a company connected with NSO Group - Circles Bulgaria. The software, NSO Pegasus, gives governments access to all data stored on monitored devices. For years, the firm has insisted that the countries licensing Pegasus are contractually obligated to use the software only to fight major crime and terrorism.
However, the Project Pegasus investigation tells a different story. Dozens of activists and dissidents in Azerbaijan, India, the UAE, Mexico, Hungary, and Saudi Arabia have been under government surveillance. Over 180 journalists have also been monitored, from organizations like The Wall Street Journal, The Financial Times, CNN, The Economist, and other leading media companies.
Bulgaria opens the door
In 2019, the non-governmental organization for the protection of digital rights Access Now sent two letters to the International Controlled Trade and Security Directorate at the Bulgarian Ministry of Economy, with a copy to then-ombudsman Maya Manolova (now leader of the Rise Up! Thugs out! party that entered Bulgaria's new parliament in the July 11 election). In its letters, Access Now requested transparency regarding the type and scope of licenses that were issued and asked that an investigation be conducted to review compliance with the EU's export controls regime and its requirements.
A few months later, Access Now announced that they had received an official response from Bulgaria, which stated that the country had not issued such licenses to NSO Group. However, this is only partially true.
Capital Weekly found that, even now, there is a valid export permit expiring in 2023, and it belongs to the NSO-related Bulgarian firm Circles Bulgaria. The issuing date is likely 2019, judging by the fact that these permits are usually issued for a term of five years. At the time, the Ministry of Economy was headed by Emil Karanikolov. The permit is issued after applying before a joint commission at the ministry that includes representatives of the State Agency for National Security, the Ministry of the Interior, the Ministry of Foreign Affairs, and the Ministry of Defense.
NSO Group tells The Guardian that they take ethical considerations seriously, that they are regulated by the export controls of the three countries from which their products are exported - Israel, Cyprus, and Bulgaria, and that they sell only to vetted foreign governments.
Capital Weekly contacted the management of Circles Bulgaria and was referred to the PR department of NSO Group. The company did not respond to enquiries about its relations with Circles Bulgaria and the business in the country, but they are visible through business registers. Established in 2010 by Nadezhda Edi-Petrova Ropleva, Circles Bulgaria had about 150 employees and revenues of 20 million levs (10 million euro) in 2019. In 2014, it was bought for 130 million dollars by American fund Francisco Partners which merged it with the NSO Group, a previous investment of theirs. In 2019, the fund sold a majority stake in NSO back to founders Omri Lavie and Shalev Hulio whom The Washington Post cites as "ex-cyberspies with government-honed skills".
Circles is now owned by the Cyprus-based company CS - Circles Solutions Limited. The firm indicates that its official activity is developing software and hardware for government and private customers in the field of telecommunications and marketing.
A report from the University of Toronto's Citizen Lab research unit said late last year that Circles products take advantage of gaps and weaknesses in the global mobile network and can eavesdrop and monitor calls, messages, and phone coordinates across the world. Unlike Pegasus, Circles' services do not hack the phones, and the company told Citizen Lab that it sells only to government customers. According to documents published in the report, Circles customers can purchase a system to connect to the infrastructure of local telecommunications companies. Or use another system - Circles Cloud, which can connect to the networks of telecommunications companies around the world. The Citizen Lab study found that at least 25 countries use Circles products.
Pegasus is probably the most powerful spyware ever developed, says The Guardian. After hacking a person's phone through SMS, iMessage, WhatsApp or another, unknown vulnerability, the software turns the phone into a 24-hour surveillance device. It can copy the sent and received messages, collect photos, and record calls. It can indicate the location of the person monitored, who he met with, and what he discussed during the meeting. The software is developed, marketed, and licensed to governments around the world by the NSO Group and can infect billions of phones with iOS and Android.
NSO has repeatedly stated that the Pegasus software is only intended to track terrorists and criminals. At the same time, it can be purchased freely by some of the most repressive regimes in the world so it comes as no surprise that among the 50,000 phones monitored are those used by at least 85 human rights activists, 65 businessmen, 600 politicians, 180 journalists.