In Israel’s legislature, Arab politicians are leading a modest movement to examine the state’s relationship with NSO. The Arab party leader Sami Abou Shahadeh told me, “We tried to discuss this in the Knesset twice . . . to tell the Israeli politicians, You are selling death to very weak societies that are in conflict, and you’ve been doing this for too long.” He added, “It never worked, because, first and morally, they don’t see any problem with that.” Last fall, an investigation by the watchdog group Front Line Defenders identified Pegasus infections on the phones of six Palestinian activists—including one whose Jerusalem residency status had been revoked. Abou Shahadeh argued that the history of Israel’s spyware technology is tied to the surveillance of Palestinian communities in the West Bank, East Jerusalem, and Gaza. “They have a huge laboratory,” he told me. “When they were using all the same tools for a long time to spy on Palestinian citizens, nobody cared.” Asked about the targeting of Palestinians, Hulio said, “If Israel is using our tools to fight crime and terror, I would be very proud of it.”
“I know there have been misuses,” Hulio said. “It’s hard for me to live with that. And I obviously feel sorry for that. Really, I’m not just saying that. I never said it, but I’m saying it now.” Hulio said that the company has turned down ninety customers and hundreds of millions of dollars of business out of concern about the potential for abuse. But such claims are difficult to verify. “NSO wanted Western Europe mainly so they can tell guys like you, Here’s a European example,” the former Israeli intelligence official, who now works in the spyware sector, said. “But most of their business is subsidized by the Saudi Arabias of the world.” The former employee, who had knowledge of NSO’s sales efforts, said, “For a European country, they would charge ten million dollars. And for a country in the Middle East they could charge, like, two hundred and fifty million for the same product.” This seemed to create perverse incentives: “When they understood that they had misuse in those countries that they sold to for enormous amounts of money, then the decision to shut down the service for that specific country became much, much harder.”
Asked about the extreme abuses ascribed to his technology, Hulio invoked an argument that is at the heart of his company’s defense against WhatsApp and Apple. “We have no access to the data on the system,” he told me. “We don’t take part in the operation, we don’t see what the customers are doing. We have no way of monitoring it.” When a client buys Pegasus, company officials said, an NSO team travels to install two racks, one devoted to storage and another for operating the software. The system then runs with only limited connection to NSO in Israel.
But NSO engineers concede that there is some real-time monitoring of systems to prevent unauthorized tampering with or theft of their technology. And the former employee said, of Hulio’s assurances that NSO is technically prevented from overseeing the system, “That’s a lie.” The former employee recalled support and maintenance efforts that involved remote access by NSO, with the customer’s permission and live oversight. “There is remote access,” the former employee added. “They can see everything that goes on. They have access to the database, they have access to all of the data.” The senior European law-enforcement official told me, “They can have remote access to the system when we authorize them to access the system.”
NSO executives argue that, in an unregulated field, they are attempting to construct guardrails. They have touted their appointment of a compliance committee, and told me that they now maintain a list of countries ranked by risk of misuse, based on human-rights indicators from Freedom House and other groups. (They declined to share the list.) NSO also says that customers’ Pegasus systems maintain a file that records which numbers were targeted; customers are contractually obligated to surrender the file if NSO starts an investigation. “We have never had a customer say no,” Hulio told me. The company says that it can terminate systems remotely, and has done so seven times in the past few years.
The competition, Hulio argued, is far more frightening. “Companies found themselves in Singapore, in Cyprus, in other places that don’t have real regulation,” he told me. “And they can sell to whoever they want.” The spyware industry is also full of rogue hackers willing to crack devices for anyone who will pay. “They will take your computers, they will take your phone, your Gmail,” Hulio said. “It’s obviously illegal. But it’s very common now. It’s not that expensive.” Some of the technology that NSO competes with, he says, comes from state actors, including China and Russia. “I can tell you that today in China, today in Africa, you see the Chinese government giving capabilities almost similar to NSO.” According to a report from the Carnegie Endowment for International Peace, China supplies surveillance tools to sixty-three countries, often through private firms enmeshed with the Chinese state. “NSO will not exist tomorrow, let’s say,” Hulio told me. “There’s not going to be a vacuum. What do you think will happen?”
NSO is also competing with Israeli firms. Large-scale hacking campaigns, like the one in Catalonia, often use tools from a number of companies, several founded by NSO alumni. Candiru was started in 2014, by the former NSO employees Eran Shorer and Yaakov Weizman. It was allegedly linked to recent attacks on Web sites in the U.K. and the Middle East (Candiru denies the connection), and its software has been identified on the devices of Turkish and Palestinian citizens. Candiru has no Web site. The firm shares its name with a parasitic fish, native to the Amazon River basin, that drains the blood of larger fish.
QuaDream was founded two years later, by a group including two other former NSO employees, Guy Geva and Nimrod Reznik. Like NSO, it focusses on smartphones. Earlier this year, Reuters reported that QuaDream had exploited the same vulnerability that NSO used to gain access to Apple’s iMessage. QuaDream, whose offices are behind an unmarked door in the Tel Aviv suburb of Ramat Gan, appears to share with many of its competitors a reliance on regulation havens: its flagship malware, Reign, is reportedly owned by a Cyprus-based entity, InReach. According to Haaretz, the firm is among those now employed by Saudi Arabia. (QuaDream could not be reached for comment.)
Other Israeli firms pitch themselves as less reputationally fraught. Paragon, which was founded in 2018 by former Israeli intelligence officials and includes former Prime Minister Ehud Barak on its board, markets its technology to offices within the U.S. government. Paragon’s core technology focusses not on seizing complete control of phones but on hacking encrypted messaging systems like Telegram and Signal. An executive told me that it has committed to sell only to a narrow list of countries with relatively uncontroversial human-rights records: “Our strategy is to have values, which is interesting to the American market.”
In Catalonia, Gonzalo Boye, an attorney representing nineteen people targeted by Pegasus, is preparing criminal complaints to courts in Spain and other European countries, accusing NSO, as well as Hulio and his co-founders, of breaking national and E.U. laws. Boye has represented Catalan politicians in exile, including the former President Carles Puigdemont. Between March and October of 2020, analysis by the Citizen Lab found, Boye was targeted eighteen times with text messages masquerading as updates from Twitter and news sites. At least one attempt resulted in a successful Pegasus infection. Boye says that he now spends as much time as possible outside Spain. In a recent interview, he wondered, “How can I defend someone, if the other side knows exactly everything I’ve said to my client?” Hulio declined to identify specific customers but suggested that Spain’s use of the technology was legitimate. “Spain definitely has a rule of law,” he told me. “And if everything was legal, with the approval of the Supreme Court, or with the approval of all the lawful mechanisms, then it can’t be misused.” Pere Aragonès, the current President of Catalonia, told me, “We are not criminals.” He is one of three people who have served in that role whose phones have been infected with Pegasus. “What we want from the Spanish authorities is transparency.”
Last month, the European Parliament formed a committee to look into the use of Pegasus in Europe. Last week, Reuters reported that senior officials at the European Commission had been targeted by NSO spyware. The investigative committee, whose members include Puigdemont, will convene for its first session on April 19th. Puigdemont called NSO’s activities “a threat not only for the credibility of Spanish democracy, but for the credibility of European democracy itself.”
NSO Group also faces legal consequences in the U.K.: three activists recently notified the company, as well as the governments of Saudi Arabia and the U.A.E., that they plan to sue over alleged abuses of Pegasus. (The company responded that there was “no basis” for their claims.)
NSO continues to defend itself in the WhatsApp suit. This month, it filed an appeal to the U.S. Supreme Court. “If we need to go and fight, we will,” Shmuel Sunray, NSO’s general counsel, told me. Lawyers for WhatsApp said that, in their fight with NSO, they have encountered underhanded tactics, including an apparent campaign of private espionage.
On December 20, 2019, Joe Mornin, an associate at Cooley L.L.P., a Palo Alto law firm that was representing WhatsApp in its suit against NSO, received an e-mail from a woman who identified herself as Linnea Nilsson, a producer at a Stockholm-based company developing a documentary series on cybersecurity. Nilsson was cagey about her identity but so eager to meet Mornin that she bought him a first-class plane ticket from San Francisco to New York. The ticket was paid for in cash, through World Express Travel, an agency that specialized in trips to Israel. Mornin never used the ticket. A Web site for the documentary company, populated with photos from elsewhere on the Internet, soon disappeared. So did a LinkedIn profile for Nilsson.
Several months later, a woman claiming to be Anastasia Chistyakova, a Moscow-based trustee for a wealthy individual, contacted Travis LeBlanc, a Cooley partner working on the WhatsApp case, seeking legal advice. The woman sent voice-mail, e-mail, Facebook, and LinkedIn messages. Mornin identified her voice as belonging to Nilsson, and the law firm later concluded that her e-mail had come from the same block of I.P. addresses as those sent by Nilsson. The lawyers reported the incidents to the Department of Justice.
The tactics were similar to those used by the private intelligence company Black Cube, which is run largely by former officers of Mossad and other Israeli intelligence agencies, and is known for using operatives with false identities. The firm worked on behalf of the producer Harvey Weinstein to track women who had accused him of sexual abuse, and last month three of its officials received suspended prison sentences for hacking and intimidating Romania’s chief anti-corruption prosecutor.
Black Cube has been linked to at least one other case involving NSO Group. In February, 2019, the A.P. reported that Black Cube agents had targeted three attorneys involved in another suit against NSO Group, as well as a London-based journalist covering the case. The lawyers—Mazen Masri, Alaa Mahajna, and Christiana Markou—who represented hacked journalists and activists, had sued NSO and an affiliated entity in Israel and Cyprus. In late 2018, all three received messages from people who claimed to be associated with a rich firm or individual, repeatedly suggesting meetings in London. NSO Group has denied hiring Black Cube to target opponents. However, Hulio acknowledged the connection to me, saying, “For the lawsuit in Cyprus, there was one involvement of Black Cube,” because the lawsuit “came from nowhere, and I want to understand.” He said that he had not hired Black Cube for other lawsuits. Black Cube said that it would not comment on the cases, though a source familiar with the company denied that it had targeted Cooley lawyers.
“People can survive and can adapt to almost any situation,” Hulio once told me. NSO Group must now adapt to a situation in which its flagship product has become a symbol of oppression. “I don’t know if we’ll win, but we will fight,” he said. One solution was to expand the product line. The company demonstrated for me an artificial-intelligence tool, called Maestro, that scrutinizes surveillance data, builds models of individuals’ relationships and schedules, and alerts law enforcement to variations of routine that might be harbingers of crime. “I’m sure this will be the next big thing coming out of NSO,” Leoz Michaelson, one of its designers, told me. “Turning every life pattern into a mathematical vector.”
The product is already used by a handful of countries, and Hulio said that it had contributed to an arrest, after a suspect in a terrorism investigation subtly altered his routine. The company seemed to have given little consideration to the idea that this tool, too, might spur controversy. When I asked what would happen if law enforcement arrested someone based on, say, an innocent trip to the store in the middle of the night, Michaelson said, “There could be false positives.” But, he added, “this guy that is going to buy milk in the middle of the night is in the system for a reason.”
Yet the risk to bystanders is not an abstraction. Last week, Elies Campo decided to check the phones of his parents, scientists who are not involved in political activities, for spyware. He found that both had been infected with Pegasus when he visited them during the Christmas holiday in 2019. Campo told me, “The idea that anyone could be at risk from Pegasus wasn’t just a concept anymore—it was my parents sitting across the table from me.” On his mother’s phone, which had been hacked eight times, the researchers found a new kind of zero-click exploit, which attacked iMessage and iOS’s Web-browsing engine. There is no evidence that iPhones are still vulnerable to the exploit, which the Citizen Lab has given the working name Homage. When the evidence was found, Scott-Railton told Campo, “You’re not going to believe this, but your mother is patient zero for a previously undiscovered exploit.”
During a recent visit to NSO’s offices, windows and whiteboards across the space were dense with flowcharts and graphics, in Hebrew and English text, chronicling ideas for products and exploits. On one whiteboard, scrawled in large red Hebrew characters and firmly underlined, was a single word: “War!” ♦
Georgia Gee conducted additional research for this piece.
An earlier version of this story misstated the time of a Pegasus infection on a device connected to the network at 10 Downing Street.