Weaving a cyber web
It helped bring down drug lords, thwart terror attacks and stop pedophiles, but despite its determination to paint itself as the enemy of 'bad guys' everywhere, Israeli tech company NSO Group is facing some unsavory claims, not least over the death of Saudi journalist Jamal Khashoggi. CEO Shalev Hulio talks for the first time about his life, his work and what he really wants to achieve with one of the most sophisticated pieces of spyware in the world.
He told, for example, of a suicide bomber wearing an explosive belt who was caught at the entrance to a subway station by special forces who grabbed his hands so he could not reach the detonator. He told of pedophiles who groomed children to meet with them, meetings that should have ended in the ruination of their childhood, but for the abusers' last-minute arrest. And he even talked of a gang of Hell's Angels who captured a rival gang member and began to cut off one finger after another, but who were most surprised when the local police special forces interrupted the torture party.
At the same time, in Brussels, Belgian prosecutors were busy preparing indictments against Assadullah Asadi, an Iranian diplomat stationed at his country's Vienna embassy. According to the evidence against him, Asadi was actually an agent of the Iranian Ministry of Intelligence (MOIS), using the code name "Daniel" and operating a terrorist network, one of whose goals was to set off a large explosive device at a meeting of an Iranian opposition group near Paris. The explosion was planned to take place during a speech by Rudy Giuliani, the former mayor of New York and current lawyer to US President Donald Trump. At the same time, the Belgian, French and Danish authorities arrested other members of the same network.
At 8:30pm on the day after that instructive meeting in the European restaurant, a third related event took place, this time in the spacious Smolarz Auditorium at Tel Aviv University. This time too, under heavy guard and after careful vetting (mainly of journalists), the audience watched a presentation that described various incidents from the dark underbelly of the intelligence world, such as how Qatar was caught trying to transfer hundreds of millions of dollars to Iran and Hezbollah; how abducted children were located and returned home to their emotional parents; how a terror attack was prevented at the concert of a well-known band; and the crowning glory – how the Mexican drug baron El Chapo, considered by the US to be the most powerful and most dangerous drug trafficker in the world, was caught following a meeting with American actor Sean Penn.
"And these things," said the person giving the presentation, "happened because of the people who sit here. At the end of the day, you are our superheroes." Wild applause filled the hall for the 400 NSO employees (there were another 200 abroad) sitting there on the stage. Among them on the stage was Shalev Hulio, one of NSO's founders and its CEO. All three locations - the European restaurant, the Belgian prosecutor's office, the auditorium at Tel Aviv University – were celebrating successes that happened following the use of products developed by NSO, in particular the company's ability to infiltrate cell phones and computers and extract information that was once classified and completely encrypted.
Although it was established in and operates from Israel, most of the Israeli public would not even recognize the name NSO. But in the world of intelligence and cyber security, it's a name that opens doors straight into the bureaus of heads of state, and indeed quite a few of them have made extensive use of the tools and capabilities that NSO provides. This access is also why NSO has in recent years absorbed a lot of criticism, slander and negative publicity. Very negative, one might even say.
Some of the reports published about NSO directly tie the company and its products to a series of tyrannical regimes, including Saudi Arabia, Yemen, Mozambique, Kenya, Congo, the United Arab Emirates and Turkey. The products that NSO can provide can be used against terrorism and crime, but also against members of the opposition, critical journalists and more.
NSO, for example, sold products to Mexico to help it fight the drug cartels, but the administration also used them to track journalists and others who dared to criticize the government. After NSO Trojan horses were reportedly discovered on the iPhone of a dissident in Abu Dhabi, Apple had to issue a new version of its operating system to combat the breach. It was also reported that a disgruntled employee who was fired from the company offered to sell one of its products on the Dark Net, and only at the last minute was its sale to criminals prevented. And this is just a partial list.
But the gravest incident for NSO was reports linking it to the most infamous murder of 2018 – the brutal assassination of Saudi dissident journalist Jamal Khashoggi. These claims became a real media storm, with no less than US intelligence leaker Edward Snowden explicitly accusing NSO of using its products to locate and track down opposition elements, something he said helped to murder Khashoggi. A similar claim was filed against the company in Tel Aviv.
For most of this period, NSO maintained a policy typical of intelligence bodies that espouse secrecy, which is to respond in one way only – with silence.
Recently, however, something changed, and it seems that the spate of negative reports – in particular regarding Khashoggi's murder – was the straw that broke the camel's back. NSO agreed that CEO Shalev Hulio would grant his first interview. It is possible that Hulio is breaking his silence due to the collapse of acquisition negotiations between NSO and its potential purchasers – an international private equity fund and a large Israeli high-tech security company – for $1 billion (eight times what the Francisco Partners fund paid for a sizeable chunk of NSO in 2013).
But Hulio, for his part, denies this is why NSO has suddenly decided to lift a corner of the veil of secrecy that surrounds the company. "There is no connection," he says emphatically in an exclusive conversation with Ynet's sister newspaper, Yedioth Ahronoth. "We decided long ago that we would not respond to anything. No matter what happened, we would not respond, and this worked out fine. But now (after the reports on Khashoggi - RB), for the first time our staff have been coming to my office, and saying: Look, we're upset, because we know the truth and that you can't not respond to these things. We know that in the past all kinds of nonsense has been printed that wasn’t true. We view this incident as shocking, so we are asking that one, you look into it; two, you tell us as your workers what happened; and three, release it to the media. And for the first time I was hurt too. I took it to heart."
So what's the truth? Were you involved in the Khashoggi murder?
"First of all – and I say this to you as a human being and as an Israeli – what happened to Khashoggi was a shocking murder, which was also carried out in a stupid way: To murder a journalist because of his opinions is terrible. You should never hurt anyone because of his views and what he writes.
"We conducted a thorough inspection of all of our clients, not just the one client who could perhaps be a potential suspect for involvement in the affair, but also other customers who may for some reason have had an interest in monitoring him. We also checked whether maybe someone went to a certain other country and asked their intelligence services 'to do him a favor.' We checked all of our clients, both through conversations with them and through technological testing that cannot be forged. The systems have records and it is impossible to act against a target such as this without us being able to check it.
"After all these tests, I can tell you, in an attributed quote, that Khashoggi was not targeted by any NSO product or technology, including listening, monitoring, location tracking and intelligence collection."
But these capabilities do exist, so I want to ask a hypothetical question: How can a person feel safe talking, texting, posting on Facebook and Instagram without fearing that someone is listening to or watching them?
"The governments that have these technologies are very limited in the number of targets they can actually handle. In the entire world, there are today no more than 150 active targets (NSO says their products are worldwide, with all of their customers handling less than 100 targets at any given time - RB). This, along with well-secured cell phone operating systems and advanced application security, dramatically reduces the possibility of tracking civilians who are not involved in terrorist or criminal acts. We are proud that the company's technology prevents terror attacks, leads to the arrest of terrorists and takes part in the response to serious crime."
But what do you classify as 'terrorism'? Won't there be governments that could decide to classify Greenpeace or Doctors Without Borders as terrorism, or the journalists of The Associated Press, for example?
"When we talk about terror prevention, we only talk about thwarting terror attacks and saving lives. In the past six months alone, the company's products aided in foiling several very big terror attacks in Europe—both car bombs and suicide bombers. I can say in all modesty that thousands of people in Europe owe their lives to hundreds of our company employees from Herzliya.
"I repeat: Any use that deviates from the criteria of saving lives due to crime or terrorism leads to immediate sanctions by the company, decisively and without compromise."
Knocking down walls
Hulio, 38, has a different story to others in the world of Israeli start-ups, mostly because he is the antithesis of the caricature of an Israeli tech whizz. He didn't serve in the IDF's elite Unit 8200, which specializes in signal intelligence (SIGINT) or in the larger intelligence community. In fact, he doesn't even have a technological background at all, and he is far from being one of those computer nerds who prefers coding in a darkened room to fine dining in a fancy restaurant.
Hulio, who is married and a father of two, was born in Haifa to a mother who is a second-generation Romanian Holocaust survivor and a father who comes from a family of Jews expelled from Spain that arrived in Israel after generations of wandering through Turkey, Syria and Lebanon. Hulio remembers his childhood well, a time long before computer games, "when everyone was equally poor, and we all played out in the street together."
At first he was placed in a class for gifted students, but he misbehaved and was not a good fit. He went on to study art and theater at Hugim High School in Haifa, where he met his best friend Omri Lavie, with whom he would start a revolution in cyber warfare just two decades later.
"The army helped ground me," says Hulio, who held different positions in the IDF. His final posting was as commander of a search and rescue team in the Home Front Command. He was the first deputy commander of the Home Front's infantry brigade and was involved in a series of operations in the West Bank. This included action during Operation Defensive Shield, at the height of the second intifada, when he took part in a complex operation planned by Aviv Kochavi, who was then commander of the Paratrooper Brigade and today is the incoming IDF chief of staff. The 2002 operation aimed to reduce losses to the IDF as much as possible, by sending troops straight through the walls of the Balata refugee camp in Nablus, instead of fighting their way through dangerous alleyways.
"We were actually the first team to do that," he says. "We were the trailblazers for the fighters of Defensive Shield."
He continues to do reserve duty in the unit, and even went to aid survivors of the devastating earthquake in Haiti in 2010.
Hulio was discharged from the IDF with the rank of captain, and like many young Israelis who had just completed their army service, flew to the US to try his luck selling Israeli products in American malls.
"I wasn't very good at it, but it did give me experience of how to reach every person, how to talk to every person, at eye level. It teaches humility. I was a company commander, I had 200 soldiers (under my command), a macho man. And then, all of a sudden, I found myself trying to sell some Dead Sea cream to elderly women. It took me a while to get used to that; it wasn't easy."
But then Hulio got a call from the IDF to return to Israel for the 2006 Second Lebanon War. His mother urged him to stay in Israel and enter higher education. He enrolled at the Interdisciplinary Center Herzliya (IDC), where he studied law and government.
And then one year, on the eve of Independence Day, drunk on wine at a pub in Haifa, he and Omri Lavie decided to found a start-up that allowed viewers to buy products they saw on TV shows and in movies. "Sex and The City" was used in their demo: Viewers pointed to an item of clothing or an accessory worn by one of the main characters, the technology identified the item and directed the user to the store that sold it.
Despite its immense potential, the idea only partially succeeded. Hulio says the startup already had initial investors, and they were in negotiations with Fox and CBS, but then the great financial crisis of 2008 hit America hard, and the investors bought out the two for relatively little money. Hulio: "They essentially kicked us out."
That's a bit of a bummer.
"Yes, but we're very optimistic people. You can't be an entrepreneur without being very optimistic. We said: 'Okay, that happened. Let's move on.'"
The guy in the plaid shirt
Several weeks later, Hulio and Lavie founded CommuniTech, a company that operates to this day in Yokne'am, northern Israel, with some 50 employees. The technology for the company was developed by two of their friends from Hugim High School, one who did serve in Unit 8200 and the other who studied at the Technion-Israel Institute of Technology. It was the early days of smartphones, and many users were having a hard time operating their devices. The cell phone carriers were wasting hours on explaining to customers how to change their ringtone or connect their email account to the device. So CommuniTech came up with an answer to their woes.
"The solution we proposed was to have the cell phone carrier send the customers a link, and with a few clicks they could authorize the carrier to remotely access their phones," Hulio says. "The tech support center receives the authorization to remotely perform many actions, including version updates and training. Our technology helped a lot and saved resources."
Then came the phone call that would change their lives. "A European intelligence service heard what we were doing and approached us," Hulio says. "'We saw that your technology works,' they told us, 'why aren't you using this to collect intelligence?'
"Truthfully, we didn't really understand what they wanted. We said, 'What's your problem in collecting intelligence? You sit inside the cell phone carrier.' They said we didn't really understand, that the situation was grave. 'We are going dark, we are getting blind,' were the exact words they used. 'Help us.'"
At the time, cell phone networks were claiming their position as the main means of communication for everyone, including terrorists and criminals. Law enforcement authorities around the world were facing a growing problem.
If they wanted to locate a terrorist or a criminal using his cell phone, they had two options.
The first: A court order or a state executive order (in Israel, the prime minister can give that order in certain circumstances), which they took to the cell phone carrier so they could tap into the target's phone calls and text messages.
The second: Mass collection of all data going through all networks, in the hopes a target used suspicious words, leading the system to mark that person as a suspect.
These two methods still worked, of course, with varying levels of efficiency, but the market was changing dramatically. Cell phones began to include encryption services for text messages. Then came Skype calls, and other apps such as Facebook, WhatsApp, Telegram and Gmail, all offering advanced encryption as a basic service. What's more, the encryption takes place on the device itself, on the user's end. So even with access to the cell provider's data traffic, there is not much that can be done with it.
The only solution was to get "inside" a device and "catch" the information before it was encoded. But since most of the apps are American, there was a slim chance of getting a court order to obtain such access, and even less likelihood for foreign agencies.
"At the time, we knew nothing about this world," Hulio says. "And then the police forces and the intelligence agencies of Europe told us: 'With the technology you developed, you could help us solve this problem.' So us being Israelis and hearing we had technology that could save lives, we immediately said: 'Tell us what you need, and we'll do it.'"
But it wasn't that simple. Primarily, there were those at CommuniTech who were against this new direction. "Omri and I went to the board and said: 'We have a great idea, come with us to a new line of business.' They looked at us and said: 'Guys, you've lost your minds. What do we have to do with any of this? Our business, which is entirely civilian, is successful and working. What are you doing coming to us now with these ideas?'"
Eddy Shalev, the founder of Genesis Partners and one of the veteran high-tech investors in Israel, agreed to be the first investor in NSO, on the condition that Hulio and Lavie brought in a technological expert who could rise to the challenge, someone from the defense establishment.
"That is how we met Niv Carmi, who was working at the Prime Minister's Office as a student, and we brought him in," Hulio says.
This is where the company's name comes from: the first letter of the first name of each of the founders: Niv, Shalev and Omri – NSO Group Technologies.
The three rented an abandoned chicken coop on Moshav Bnei Zion, not far from Tel Aviv, and got to work. It turned out the technological challenge was a lot harder to crack than they initially thought. "When we told intelligence officials in Europe that we could do this, we said it because that's the way we Israelis are—always saying everything is possible. But we also did it because we thought we already had the solution," Hulio says.
"This time, however, we had to install the software without the user's knowledge. The approach was generally right, but also very naive, because this was a very complex challenge. We realized that if you, the user, are holding the device and can read the message, then it isn't encrypted for you. And if we had access to that recipient's device, we could read the message too."
At this point, Niv Carmi decided to leave the company, but the name remained (officially, it was recently changed to Q Cyber, but only a few use it).
And then, in April 2010, when he was almost out of money and still without a technological solution, and as despair was beginning to spread through the NSO offices, Hulio set up a meeting with investor Eddy Shalev at a cafe in Ramat Aviv, intending to beg him to throw the dying start-up a lifeline.
As he was standing in line at the cafe, he heard two people talking about someone they knew who had the technology to hack into cell phones.
"I turned around to them and said: 'Hi, how are you? I'm sorry to be barging in like this, I was just listening to your conversation. Let me buy you a coffee, because I have to talk to you.' They gave me rather a funny look but agreed. After talking for a few minutes, when they realized we had some friends in common, they became convinced I wasn't crazy. So I told them about the idea behind NSO, and for the first time someone told me it was possible. I said: 'Great, do you know how to do it?' And they told me, 'It's possible, but it's not us, our friend is doing it. He works in Raanana at Texas Instruments. We'll make an email introduction.' And I said: 'Not by mail, by phone. Call him now.'"
An hour later, according to Hulio, he was at a cafe in Petah Tikva to meet with the technology nerd ("scrawny guy, plaid shirt, glasses, a lot of pens"). Hulio explained to the programmer what he was looking for, "and the guy told me that this was what he was doing as a hobby."
That's some hobby.
"Absolutely. I asked him: 'What would it take for you to come work for us?' And he said: 'There's no way I'm coming. I'm working for a good company, I have an excellent job. You want me to leave all of this for that?' But after an hour talking about the vision, and after agreeing to give him the salary he wanted and to let him bring some of his friends to work with him, he signed on and became the first employee of the new company."
Some in Israel's defense and intelligence community were skeptical of Hulio's fantastic tale of a chance meeting while in line for coffee. According to a senior intelligence official with knowledge of Israel's offensive cyber apparatus, "NSO is apparently another example of Israel's strategic capabilities, which were developed to protect its citizens and its national security, that have been proliferated by former members of the intelligence community who took that knowledge with them to the private market."
Hulio denies that claim entirely. The guy in the plaid shirt may have served in Unit 8200, he confirms, but the technology did not come from there.
The target: El Chapo
Maj. Gen. (res.) Avigdor Ben-Gal had no technological knowhow, but he was the one who brought in the connections that led to the big deals in Mexico and Abu Dhabi.
It was August 2010, and in their new offices in a dilapidated house near Herzliya train station, the man in the plaid shirt and his friends began to develop their first offensive tool.
"We knew what we wanted to achieve – remote control over a phone. But what it looked like, what it was going to do, what functions it would have—all of these were one big question mark. Before you start, you really have no idea," Hulio says.
A year later, the first prototype was complete. "It was still half-baked, but it was something we could show the client."
NSO called it Pegasus, after the winged horse of Greek mythology. "Because what we built was actually a Trojan horse we sent flying through the air to devices," Hulio says.
NSO's flying horse could infiltrate cell phones, collecting information that wasn't encrypted, and intercepting information a second before it was encrypted. Even in its first incarnation, Pegasus was able to take full control of a cell phone, including listening in on calls, reading every written communication, using its microphone to eavesdrop on conversations held in its vicinity, and taking photos (but not video) with its camera. It was also able to obtain access to all the credentials required to log into bank accounts, emails and so on without needing to hack into these accounts. The system even allowed control and monitoring of battery use, so the person whose phone was being broken into remained none the wiser of the fact he or she was being stripped of their privacy.
Armed with Pegasus and a cell phone to demonstrate its abilities, Ben-Gal, Lavie and Hulio went abroad to meet their first client. Hulio refuses to discuss specific clients and would only say their first customer was a Western nation that was a member of the OECD. Sources familiar with the company's history confirm that country was Mexico, which was suffering from unbridled organized crime and drug cartels.
"In that country, we were told: 'We have a very serious crime problem, and we decided to hit the cartels hard,'" Hulio says, careful not to disclose the nation's name.
But the installation of the first version of Pegasus was delayed, according to Hulio. NSO suspected the police force fighting the drug dealers was a "problematic organization" and refused to sell it the software.
"But then the country decided to establish a separate new body – a branch of the military – to deal with the drug issue. This body would include spotless individuals with no history of corruption who would undergo a polygraph test. Then we met with the general, the head of that branch. He said: 'You fit us like a glove. We will base our entire drug fighting apparatus on your new technology. This is how the biggest situation room—not just in the region, but one of the biggest in the world—will fight organized crime and drugs.' And to them, we agreed to sell."
The deal ended up being very beneficial to both sides. The cellular devices and text communication devices used by the drug dealers (at the time it was mostly the encrypted BBM text message service on BlackBerrys) suddenly became "transparent" to Mexican intelligence after years in which drug dealers used them with impunity.
On Christmas Eve 2011, shortly after the system was installed, Hulio was awakened by his ringing phone. "I was informed in English that the president wanted to talk to me. I was sure Omri was pulling a prank, so I said 'Do me a favor and let me sleep,' and hung up," he says.
"After they realized that they couldn't reach me, they called Tzachi, the project manager, who was more awake and agreed to take the call. The president of the unnamed nation said he wanted to thank us on his behalf and on behalf of his country, and that 'I couldn't have asked for a better Christmas present. With what you gave us, we can finally eradicate the cartels.'"
A few years later, NSO was involved in one of the biggest achievements in the fight against the cartels: The capture of the world's biggest drug baron and head of the violent Sinaloa Cartel, Joaquín Archivaldo Guzmán Loera – better known as El Chapo.
El Chapo had already been captured in 1993, but escaped from prison in 2001. Thanks to advance use of the NSO system, along with other measures, the Mexicans managed to locate him in February 2014 in his apartment in Mazatlán, on the Pacific coast. He was caught without a fight and imprisoned again.
While in prison, El Chapo was using hidden phones he had in his possession (some under NSO surveillance) to try to have a Hollywood movie or TV show based on his life. During these phone calls, he asked his lawyers to find him someone from the film or TV industry to take on the task. The lawyers turned to Mexican-American telenovela star Kate del Castillo, who played a drug baron in a Mexican soap opera.
In July 2015, El Chapo escaped again, this time through a tunnel dug under the shower in his cell to a small house some two kilometers from the prison. El Chapo disappeared. All attempts to recapture him had failed. Mexico's prestige was at stake.
But even out of prison, El Chapo didn't stop dreaming about having a show like "Narcos" made about his own life. Del Castillo received a rare cell phone from El Chapo's men, one which was supposed to be impenetrable to hacking, so she could talk to the fugitive drug baron. But Mexican military intelligence obtained a similar device, and flew it to NSO's labs in Herzliya, where it received a "special infiltration package."
Managing to break into the phone, Pegasus monitored the calls between El Chapo and del Castillo, and heard her on her other phone excitedly telling the drug baron's men that she met with actor Sean Penn and recruited him for the project. It's unclear whether Penn's own cell phone was being tapped, but that must have been unnecessary, as his calls and WhatsApp messages—at first with del Castillo and her lawyers, and later with El Chapo himself—were being closely surveilled on their own devices.
At some point, it was decided that Penn and del Castillo would actually meet with El Chapo. They boarded a private jet that took them to an unknown location, and from there traveled a great distance by land, until they reached their meeting place. Unknown to them, this journey was heavily monitored by Mexican intelligence agents, who for security reasons preferred not to arrest El Chapo at that point, to avoid a predictable firefight, and instead monitored him and his conversations with the two actors.
Several weeks after that meeting, on January 8, 2016, Mexican special forces raided one of El Chapo's safe houses in the city of Los Mochis, in northern Sinaloa. During the ensuing firefight, five of the drug lord's men were killed, and he was captured at a nearby hotel while trying to escape. Today, he is on trial in the United States under tight security.
A powerful weapon
The success in Mexico opened the door for NSO to the entire world. The next big deal was with the United Arab Emirates (UAE), as first reported by The New York Times. The Israeli Defense Export Control Agency (DECA) authorized three deals in the UAE, which brought in a total of $80 million in revenue to NSO, according to one source. The deal was mediated by former senior Israeli defense officials who had deep ties with a senior official in acquisition in the UAE. DECA authorization is given only for the purpose of fighting terrorism and crime.
Here, too, success came quickly. The UAE has a serious rivalry with Qatar, and NSO cyber tools were used to intercept phone calls and text messages made by the Qatari foreign minister and later by the Qatari emir himself. These conversations concerned hundreds of millions of dollars in ransom to Iran and Hezbollah for the release of several Qataris. Some of that money even reached Qasem Soleimani, the commander of the Iranian Revolutionary Guards' Quds Force, who also heads the front against Israel and the US in Syria. This information leaked to the international media, greatly embarrassing the Qataris, and fueling a powerful campaign against them.
At a meeting of NSO employees at Tel Aviv University, the case was presented as one of the instances in which NSO technology defeated the bad guys—and aided Israel's national security.
Buoyed by this wave of success, Hulio, Carmi and the initial investors sold the controlling majority in NSO to Francisco Partners for $120 million (leaving each of them with 10 percent).
NSO had managed to find a solution to a problem that troubled countless intelligence and enforcement agencies around the world. More and more European countries clamored to buy the tools NSO was developing. But for some countries, the price was initially too high. "Even with the suitable legislation, they still couldn't necessarily find the budget," says Carlos, the European intelligence official. The money was eventually found ("big time," according to Carlos) when global jihadists, mostly from al-Qaeda and later Islamic State, began mounting attacks inside Europe.
NSO won't disclose prices, but according to reports, one of their basic systems costs between $15 million and $30 million. Each of their clients has to pay that and a lot more for every one of the "tokens", for each additional target, not including updates and adjustments, which are so necessary in such a dynamic market.
Hulio says that 2018 was the best year in the company's history. Over the past year, NSO has sold systems to dozens of countries across the world "on all continents except Antarctica."
Talking to Carlos, the senior intelligence official, it is clear that he is grateful for the system and its role in what he calls "matters critical to state security and to the war against crime."
There is a claim that all this is being achieved at the cost of violating the privacy of uninvolved people.
Carlos: "Most of the population are not criminals and have a right to encrypted communication. On the other hand, in some situations there is no choice, and we the authorities must be given the tools to deal with terrorism and crime. This is why I want to remain anonymous and expose as few cases as possible, so as to not give the criminals and terrorists knowledge of which tools we're using, thereby allowing us to keep using them effectively."
Carlos claims that NSO's systems helped, for example, to map ISIS's method of recruiting volunteers and sending them from Europe to Syria and Iraq. It also helped to later locate those militants who returned to the West, including his own country—a favorite target for Islamic State cells. One of the militants who returned and was under surveillance sent a WhatsApp message to his family one day, telling them he was going to become a shahid (martyr) and blow up an underground train. He was arrested by the counterterrorism unit as he took the first step down into the station. A terrible tragedy had been thwarted.
In another case, wiretapping allowed Carlos and his team to uncover a plot to smuggle 20 tons of raw materials to produce mustard gas—this time apparently for the Assad regime in Syria—and nip that in the bud.
"NSO's technology is the best there is, an important tool in our toolbox," Carlos says. "It's a powerful weapon, without which I would not be able to do my job properly — in other words, fight crime to defend civilians."
Hulio knows that there is increasing media criticism of his company, so it was important for him to organize this meeting between Carlos and me. This is also why it was important for him to add his own disclaimer.
"The good this company has done is very difficult, almost impossible, to quantify. There is no way for me to say this without sounding arrogant or cocky, or for people to say I'm going off-topic, but in the very final analysis, when you strip it down to the basics—in the eight years of this company's existence, tens of thousands of lives have been saved thanks to foiled terror attacks and crimes, scores of abducted children have been returned to their parents, survivors have been found in the wreckage of buildings, and extremely serious crimes have been prevented."
Fake news
But if reports in the international media are to be believed, it is not just "bad guys" who have been exposed to the sheer power of NSO systems. In recent years, more and more reports have emerged that governments and rulers are using NSO tools to monitor journalists or bring down legitimate opposition.
For example, claims emerged in Panama that former president Ricardo Martinelli's people used Pegasus to persecute his political rivals. According to the allegations, Panama bought the system for $13.4 million, and during its acquisition, Martinelli reportedly made great efforts—unusual and surprising ones—to come to the aid of Israel and the US in the international arena.
In Mexico, there are claims the system was not solely used to collect intelligence on the drug cartels, but also against political rivals and at least one investigative journalist, Rafael Cabrera, who was looking into crony capitalism in the country. Toronto University's human rights project Citizen Lab claimed it identified attacks on at least 24 targets that had no ties to crime or drugs, but did have ties to the opposition in Mexico.
Other international reports claimed that the system—in one configuration or another—was sold to or was being considered by other problematic nations, such as Turkey, Mozambique, Kenya, Yemen and Nigeria.
But Hulio denies this: "This list of countries is almost entirely wrong and comes from false reports. In addition to the State of Israel and its defense establishment's excellent export policy, the company has its own internal supervision mechanisms using additional varied considerations. Therefore, we have not and will not sell (our software) to most of the countries you mentioned."
One of the more well-known reports about NSO concerns Ahmed Mansoor, an opposition activist in the UAE. One day, Mansoor found a message with a link on his iPhone that seemed suspicious. He didn't click the link, but instead gave it to two security companies to examine. According to these companies, the link led to an NSO Trojan horse. This report led Apple to release a worldwide update to its operating system to fix the security breach.
One of the security companies that examined the message described it as "the most sophisticated tracking software we have encountered, that completely takes over a device with just one click of a link, including all of its content: Gmail, Facebook, Skype, WhatsApp, Viber, WeChat, Telegram, FaceTime—anything you could imagine."
Can you understand why your products alarm so many people?
"Those who need to be afraid are terrorists, arch-terrorists, criminals and crime bosses. The public can and should sleep soundly at night," Hulio says.
NSO stresses that their sales—which, as mentioned, are only done with a green light from DECA—are to sovereign countries and their police and law enforcement organizations and not to private individuals or bodies. These sales are carried out with a commitment from the buyers that the system will only be used to fight terrorism and crime.
Israelis who use NSO products say it is a great company developing excellent products that promote state security. On the other hand, the Mansoor iPhone affair perhaps demonstrates the dangers of knowledge that comes from expertise gained by the intelligence community ending up in non-Israeli hands. Primarily, there is a risk that this knowledge will reach elements hostile to Israel. Secondly, there is the danger that countries that buy a system and truly use it to fight terrorism will also use it to wage war on human rights activists. This is a moral issue, and, just as important, Israel could find itself entangled in complex international affairs. Thirdly, exposure of these capabilities, like the suspicious link sent to Mansoor that led Apple to release an iOS update, could cause immense damage to intelligence operations Israel itself is performing using similar capabilities.
Hulio claims that if these concerns are ever realized, NSO knows exactly how to respond.
"El Chapo, the biggest drug lord in the world and a mass murderer, was reportedly caught by using a technological system that wiretapped his immediate surroundings—a journalist, an actress and a lawyer—which led to his incrimination and capture. If a state or an organization wiretaps journalists or human rights activists simply because of their position, it would be considered an inappropriate use of the system, and if we learned about it, the system we sold them would be disconnected immediately. We can do that both technologically and contractually."
Has this ever happened?
"We have previously permanently shut down three systems. And we didn’t do this lightly—these were paying clients, who gave us a lot of money, and with whom we had close business ties."
In which countries were these systems installed?
"We can't disclose that."
Can you say with confidence that tomorrow or the next day Pegasus won't fall into the hands of Hezbollah or the Iranian Revolutionary Guards through a third party? There were reports, for example, that a disgruntled former employee of yours who was fired offered to sell Pegasus on the Dark Net.
"The system is made up of both hardware and software. The technology is installed only at the approved client's site, and it has a range of the most advanced and sophisticated security mechanisms in the world. The chances of such technology being used by an unauthorized operator are zero—and even then, as I said, we have the ability to immediately disconnect the system the moment we learn about it."
According to reports, one of your software systems called Chrysaor (Pegasus' brother in Greek mythology) was found on Israelis' cell phones as well. Can you confirm or deny that you sold software to Israeli government agencies?
"That wasn't our software. These reports are baseless and have no connection to reality. This is a clear example of fake news."
The recent wave of reports primarily concerns claims that the company's systems were used to locate Saudi dissident journalist Jamal Khashoggi before his murder. Hulio, as previously mentioned, categorically denies any connection between his products and the murder.
David Ignatius of the Washington Post reports that you sold your system to a close advisor of Mohammad bin Salman, the Saudi Crown Prince and de facto ruler of the country. The advisor, Saoud Al Qahtani, was later fired on suspicion he ordered the murder.
"We categorically deny selling the system to Qahtani. We don't sell the system to private bodies."
Of course you didn't sell it to Qahtani as a private individual. The question is did you sell the system to Qahtani or another Saudi official.
"We deny selling the system to Qahtani."
That is somewhat ambiguous wording. He holds an official position; he's not buying the system from you as a private individual.
"Qahtani's role was an advisor. As an advisor, we didn't sell it to him. If we are selling and if we did sell, it'd only be to intelligence agencies."
Did you sell the system to Saudi Arabia?
"We do not comment on any question about specific clients. We will neither confirm nor deny."
'A risky business'
Edward Snowden is absolutely unconvinced by NSO's arguments that they had no connection to Khashoggi's murder. It may be true, he says, that they had no direct involvement, but they cannot be certain that their technology was not used. In fact, says Snowden, their entire operation is open to exploitation. Last November, Snowden spoke for the first time to an Israeli audience in a closed event that was organized by the Israeli media consultancy firm OH! Orenstein Hoshen. Here, he shares his thoughts on the company:
"I'm not alleging that NSO was involved in hacking Khashoggi's phone, so their denying that doesn't get us very far. What the evidence shows -- and I'm alleging based on that -- is that they were involved in the hacking of his friends' phones: Omar Abdulaziz, Yahya Asiri, and Ghanem Almasrir. That's what needs to be answered for, and that's what we're not hearing."
"It's good to see they are willing to say there's one phone in the world they didn't hack, but that raises even more questions. One, how do they know? Are they just taking their customers' word for it, or do they have access to a list of every number their customers ever targeted? And if it's that easy to check, why are they so silent on whether they hacked Khashoggi's friends?"
"Let's say you trust NSO with your life. They're beyond reproach, the perfect custodians of public trust. Here's the problem: when you drop a bomb on someone, they can't catch it and throw it back at you. With digital weapons like this, you can. It's like biological warfare: as long as I can get a sample of some evil germ, I can copy it a million times and use it against anybody I want. As soon as NSO has said, 'OK, you can use our exploits ten times to hack terrorists,' they've lost control, because that guy—if he's smart—can hit his own system with those germs—NSO's exploits—and copy them. A couple days later and he can use it a thousand times, a million times, and not just against terrorists. He can use it against Israel. He can use it against you. He can use it against NSO. They're playing a dangerous game with all of our lives."
"I'd like to believe NSO didn't hack Khashoggi's personal cell phone, but then again, for somebody of Khashoggi's age and sophistication as a dissident, it's to be expected that he'd be a hard target. In intelligence work, directly hacking the primary target—or victim, here—doesn't always make sense: it can leave forensic evidence on the phone, which is not great if, for example, you're considering murdering them in a foreign country and the local police might end up reviewing that phone. Malware can also be noticed by a particularly savvy target—which can lead them to abandon electronic communications entirely. These are some of the reasons why spy services that are up to no good often hack the *associates* of a victim in lieu of the victim themselves. Remember, there are always at least two places to spy on a call: the victim, and the person the victim is talking to.
"Thanks to Citizen Lab, we have strong evidence that this is what happened in the case of Khashoggi. Three different people who all happened to be in contact with Khashoggi – Omar Abdulaziz, Yahya Asiri, and Ghanem Almasrir – suffered hack attempts by what looks like Saudi Arabia using NSO Group's tools, and we used to have a saying at NSA: 'Once is coincidence. Twice is chance. Three times is enemy action.' What appears to have happened in the Khashoggi case looks like a pattern I've seen many times: an out-of-control government, chafing at criticism, demanded their spies go out and discover the 'plans and intentions' of the reform movement, using powers everybody pretends are only used against terrorists and criminals.
"The Saudis knew Khashoggi had to come in for an appointment at their consulate. They didn't need to geolocate him or steal a copy of his itinerary. What they needed to decide is if the reform movement posed a large enough concern to risk killing its leaders, and I think that's where the NSO group comes in. Based on the public evidence, Pegasus was used to compromise the devices of Khashoggi's human network—his friends, the people he trusted and confided in, and based on what they learned, the Saudis pulled the trigger.
"I think there's a real possibility that had NSO refused to sell this profoundly dangerous technology to Saudi Arabia, a country with a long history of human rights abuses, Jamal Khashoggi might still be alive. But whether or not you agree with me, it's clear this is a risky business. It's not a question of if the NSO group has gotten somebody killed, but how many. I think that's the darkest irony of this whole story: they say they're saving lives, but the evidence shows they're costing them."
NSO reaction to Snowden: "Snowden is the guy who advocated mass eavesdropping, such that the entire traffic of conversations and the data of all citizens would be listened-in to at any given moment, and suspect profiles derived therefrom.
"NSO supplies technology that does exactly the opposite, enabling only pinpoint listening to specific individuals with the aim of investigating and preventing terror and crime. Moreover, each customer receives only a limited number of surveillances of each end device.
“Snowden knows nothing about NSO, and all the information that he has is based on incorrect reports of Citizen Lab whose own investigators have reservations about their own findings and who use phrases such as ‘Apparently there was use of …’ or ‘There is a suspicion that …’ or ‘We believe that…’ – all without any certainty, just guesswork. And indeed, these reports are very far from the reality, and we would be very happy to speak to Snowden and to show him why they are totally incorrect.
“And on a personal note, it is slightly confusing how one of the biggest traitors in the history of the United States receives asylum and hides in Russia – a country that violates human rights, harms the gay community and uses advanced espionage techniques against many of its own citizens. Is this the man who preaches that our technologies are committing crimes and violating human rights? This is pure hypocrisy.”
Citizen Lab says its research has raised "serious doubts as to the actual oversight and human rights due diligence processes in place at NSO Group." It also questions "the company’s concern for ensuring that its products are not used against human rights defenders, civil society, dissidents, or other similar actors."
The Lab claims it has found 24 individuals in Mexico who were targeted by NSO products.
"None of these 24 individuals were either terrorists or criminals by any reasonable, rights-respecting standard," writes Toronto University's Professor Ronald J. Deibert, who heads Citizen Lab. "(T)hey were, instead, journalists, human rights defenders, lawyers, investigators into mass disappearances, and even a minor child."
According to Deibert, "Citizen Lab continues to urge NSO Group to adopt transparent, detailed, and publicly-accessible policies and oversight mechanisms that, at minimum, provide for a legitimate grievance process and are compliant with the UN Guiding Principles on Business and Human Rights."