The Billion Dollar Spy: Inside Israel's Cyber War Industry
Israeli cyberwar firms are notoriously secretive
Five years ago, in 2016, Ahmed Mansoor, a human rights activist in the United Arab Emirates, received what has been called the most famous text message in the world. Mansoor received two SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Suspecting something was amiss, Mansoor sent the messages to Citizen Lab, a research group at the University of Toronto, who analyzed the link and pointed to Pegasus, NSO’s flagship product.
The same software was reportedly used to spy on a number of Indian politicians, activists and journalists, with the Pegasus scandal dominating headlines recently.
A lot has changed at NSO since the attack on Mansoor in 2016. At the time, the company was owned by the American private equity firm Francisco Partners, which had bought it for around $100 million in 2014. The company had a strict no-press policy. Just a few years later in 2019, NSO sold for $1 billion to the European private equity firm Novalpina and the original founders.
The massive jump in valuation reflects the rapid growth of the spyware industry - made possible by technology improvements, including so-called “zero-click” techniques that infect targets without the need for any action on their part. Mansoor had to click on a link for the spyware to run on his phone. That’s no longer the case: the spyware now uses sophisticated techniques that keep its activities as unobtrusive as possible - and runs on your devices with no action on your part.
With growth comes increased secrecy. Israeli cyberwar firms are notoriously secretive. So secretive that we truly do not know the scale of the industry. “We can only guess at scale. We only know some players. The market is growing, but we lack a lot of information about abuses,” John Scott-Railton, a senior researcher at Citizen Lab, told Technology Review.
The techniques and indicators investigators rely on to detect and analyse spyware are becoming harder to spot. As a result, it is increasingly difficult to hold these firms accountable when privacy violations and human rights abuses occur.
The spyware firms say their technology is crucial in catching criminals and terrorists, but as the recent leaks reveal, the list of targets is dominated by human rights activists, journalists and political opponents.
Tracing the hack to a particular spyware firm is increasingly difficult. The firms operate with different names in different jurisdictions, and often deploy through equally complicated third party companies. NSO, for instance, goes by a string of other names, including Q Cyber Technologies in Israel, OSY Technologies in Luxembourg, and Westbridge in North America. Media articles have linked NSO to shell companies and byzantine deals. This confusing corporate maze makes accountability a hard task - especially as NSO and other spyware firms come under the scanner for misuse by authoritarian regimes.
NSO is one of several cyberwar players in Israel. And it’s perhaps no surprise that the cybersecurity space in Israel has its roots in military development. Unit 8200 is one of the most elite units of the Israel Defense Forces, and very little is known about it - other than the fact that it has produced some of the country's biggest tech stars and contributed to the emergence of cyberwarfare on a global scale.
Alongside NSO are cyberwar firms such as Candiru - with even less information publicly available. Named after an Amazon fish known to parasitize the human urethra, Candiru is known to recruit heavily from Unit 8200. The firm operates without a website, its office spaces are missing from the directories, and its 120 employees sign strict confidentiality agreements. Just two weeks ago, Citizen Lab released a report that found that at least 100 activists, journalists and government dissidents across 10 countries were targeted with spyware produced by Candiru.
“Using a pair of vulnerabilities in Microsoft Corp.’s Windows, the tool was used in ‘precision attacks’ against targets’ computers, phones, network infrastructure and internet-connected devices,” said Cristin Goodwin, general manager of Microsoft’s Digital Security Unit.
John Scott-Railton, a senior researcher at Citizen Lab, told Al Jazeera that the Candiru research “shows there’s a whole ecosystem selling to authoritarian regimes.”
Citizen Lab’s findings also offered rare insight into the cost of doing business in the spyware industry. For $18.9 million, Candiru’s clients can attempt to compromise an unlimited number of devices but are limited to actively tracking only 10 at a time, according to Citizen Lab. For an extra $1.8 million, buyers can monitor an additional 15 victims.
There have been efforts, albeit limited and inadequate, to regulate the cyber arms industry. The Wassenaar Arrangement, a crucial arms export control agreement between 42 countries, now has a cyber dimension. And Israel has a cyber export law. NSO, however, has reportedly never been denied an export license.
Interestingly, NSO uses this loose regulation to justify its products. The company has defended itself against accusations of misuse, saying it does not control what its clients do with its software. NSO says it follows Israeli laws on exporting military-grade technology, and allegations of misuse are investigated in accordance with these laws. NSO co-founder Shalev Hulio in fact publicly justified the need to spy on lawyers and activists, saying that these taps sometimes lead to catching criminals.
The spying is not without pushback. In 2019, WhatsApp and its parent company Facebook sued NSO Group in U.S. federal court in San Francisco, accusing it of exploiting a flaw in the popular encrypted messaging service to target -- with missed calls alone -- some 1,400 users. NSO denies the charge.
NSO was sued in Israel and Cyprus -- countries from where it exports its products -- by Al-Jazeera journalists, and other Qatari, Mexican and Saudi journalists and activists who say the company's spyware was used to hack them. The lawsuits rely heavily on leaked material provided to Abdullah Al-Athbah, editor of the Qatari newspaper Al-Arab and one of the alleged victims.
The spyware was linked to the murder of Saudi dissident Jamal Khashoggi. In a lawsuit filed in Israel, Montreal-based Saudi dissident Omar Abdulaziz claimed that NSO’s spyware helped the royal court take over his smartphone and spy on his communications with Khashoggi.
Amnesty International also accused the NSO Group of helping Saudi Arabia spy on a member of the organization’s staff. Last year, an Israeli court dismissed Amnesty International’s lawsuit seeking to strip NSO of its export license, citing insufficient evidence.
“By continuing to approve of NSO Group, the Ministry of Defense is practically admitting to knowingly cooperating with NSO Group as their software is used to commit human rights abuses,” said Molly Malekar, the programs director of Amnesty International’s Israeli office.
Even as NSO denies the allegations and information remains scarce, a new interactive online data platform created by the group Forensic Architecture, with support from Citizen Lab and Amnesty International, catalogs NSO Group's activities by country and target.
But the scrutiny and criticism have had little impact, as Israel’s cybersecurity industry continues to grow. Israeli media recently reported that NSO was considering an initial public offering, most likely on the Tel Aviv Stock Exchange.
In a long interview with Forbes Magazine recently, after the Pegasus Project was made public, Hulio defended the company’s operations, adding that “The people that are not criminals, not the Bin Ladens of the world—there’s nothing to be afraid of.”