A seven-year-old Israeli firm founded by three veterans of Israel's military intelligence unit is raking in millions selling CIA-tier hacking software to governments around the world. With over 200 employees, a sales arm in Bethesda, Maryland, and a long list of clients that watchdogs have identified as having dubious civil rights records, the NSO Group, owned by U.S.-based Francisco Partners, charges $500,000 plus $65K per phone to completely hack and infiltrate a device with its flagship "Pegasus" software suite.
Omar Lavie, co-founder of NSO Group
Housed in an office complex in the northern Tel Aviv district of Herzliya, the NSO Group has created the world's most invasive mobile spy kit, responsible for some of the most aggressive attacks in the world of espionage. From Mexico's misuse of NSO's software, to the UAE targeting dissidents, to the ex-President of Panama using Pegasus to spy on his enemies, researchers at Canada's Citizen Lab have uncovered dozens of instances of inappropriate hacking.
The Pegasus software suite uses similar techniques to the CIA for hacking an iPhone, according to Forbes:
Of the similarities between NSO Group and the CIA techniques, the researcher said: "They both use the same vulnerability, but implementation differs a bit." NSO Group had not responded to a request for comment. It's entirely possible the CIA used the same technique without going through NSO. -Forbes
The software works by luring people to websites through links in SMS text messages, where the Pegasus malware package is surreptitiously installed on the device by way of a "zero-day" exploit. As Fast Company explains, “anything you can do on the phone, Pegasus can do on your phone,” says John Scott-Railton, a senior researcher at Citizen Lab, which released its initial findings on the spyware in August 2016. “Turning on the camera and watching somebody in the room, turning on the microphone and listening to somebody: It can even do some things that you can’t, like put files on the phone and take files off, to manipulate data on the phone.”
One of the suspicious SMS messages Mexican citizens received from the NSO Group software, Photo: Citizen Lab.
The software can even foil encryption - intercepting messages and calls either before or after they are encrypted. Moreover, Pegasus can delete itself, foiling forensic researchers who have called it "the most sophisticated commercial spyware yet to be made public."
And if it can do all that, perhaps, just perhaps, it can also camouflage itself as a Russian hacker and penetrate John Podesta's email system.
Apple and Google have issued security patches to eliminate the "zero-day" exploit used by the NSO (and the CIA) to gain access; however, many Android devices have not yet received recent security updates. On top of that, according to Fast Company, "Since Pegasus was first deployed, at least three years ago, security researchers say it’s likely that NSO and other cyberarms makers have developed even more sophisticated techniques."
Installs of an Android version of Pegasus, as found by Google and Lookout, via Fast Company
While NSO's client list is private, Canadian watchdog group Citizen Lab also discovered that NSO has registered several web domains in countries with dubious civil rights records, ostensibly used for hacking purposes, including Uzbekistan, Bahrain, Kenya, Saudi Arabia, Nigeria, Turkey, Qatar, Yemen and Hungary.
In June, Citizen Lab released a report with the New York Times which detailed an extensive effort by the Mexican government to use Pegasus spyware on journalists, human-rights activists, lawyers and others looking into corruption, murders, and even the disappearance of dozens of college students, paying NSO Group $80 million for the software. The Pegasus malware had even been used against scientists and public health advocates trying to battle childhood obesity through measures such as Mexico's "Soda Tax."
While NSO said that it only sells to "authorized" government customers, the huge potential for misuse of the system reportedly ended up killing a $400 million deal by Blackstone Group to acquire part of NSO Group from Francisco Partners. Citizen Lab and other human rights groups had told Blackstone that NSO could not prevent customers from misusing the spying tool, pointing to over 20 documented cases of reckless misuse.
“We would expect such a track record to trigger exceptional due diligence by an American company, and we asked Blackstone if they had done so,” says Scott-Railton of Citizen Lab. “We also asked what oversight Blackstone proposed to implement to prevent future misuse, if the purchase had gone through.”
The protest letter Citizen Lab sent to Blackstone regarding its possible stake in NSO, Photo: Citizen Lab.
Former Panama president Ricardo Martinelli was also caught using NSO's Pegasus to hack citizens' smartphones, and the government of Panama has opened an investigation into the matter. Martinelli was reportedly running a personal NSO deployment out of a secret office in order to spy on opponents, including Americans.
“What my colleagues and I say informally is, there is the principle of misuse, where it’s only a matter of time if you sell this kind of software to a government that doesn’t have very rigorous rules in place before it gets misused,” adds Scott-Railton, senior researcher at Citizen Lab. “It’s clear that the industry that sells the commercial spyware to governments is not wired to take that very basic fact into account and mitigate it.”
NSO claims every client is fully vetted, however, pointing to Israel's export laws which require the Israeli government body SIBAT to promote and review all weapons exports. NSO also says it has an "ethics committee" that reviews every deal before it's executed, according to an NSO executive who spoke with The Marker.
Citizen Lab's Scott-Railton disagrees - insisting that companies like NSO need to institute a more stringent vetting process, and pointing to egregious abuse uncovered by Mexico, the United Arab Emirates and Panama.
NSO has a U.S. sales arm in Bethesda, Maryland called WestBridge Technologies, which bills itself as a seller of "top-of-the-line technologies to various government agencies in North America, particularly in the U.S.," according to its LinkedIn profile. Sometime before January 2015, WestBridge met with U.S. Drug Enforcement Administration (DEA) officials to discuss implementing its software, reported Motherboard, which received leaked emails regarding the meeting. While we don't know the outcome of the meeting, and NSO's offices have been mum on the deal, the strong possibility exists that the DEA has been using NSO software for several years.
In an interesting "small-world" coincidence, financial disclosure forms reveal that former Trump advisor and short-lived National Security Advisor Lieutenant General Michael Flynn is connected to the NSO group, earning $40,280 from May 2016 through January 2016 on an advisory board of an NSO Group offshoot, OSY Technologies based in Luxembourg. Flynn also worked for NSO Group parent company Francisco Partners, earning "less than $100,000" according to the New York Times.
When asked by Reuters about reports of NSO software being abused, NSO co-founder Omar Lavie, who is launching a new startup named Orchestra with a mission, ironically enough, to protect phones from cyberattacks, said "I think people believe that NSO is a company that does good. [Security experts] understand the value that this company has generated for the world. I am extremely proud of NSO."