from the pretty-sure-NSO-has-already-liquidated-its-benefit-of-a-doubt-to-service-its-deb dept
Oh, NSO Group, is there anything you won’t do? (And then clumsily deny later?). If I were the type to sigh about such things, I surely would. But that would indicate something between exasperation and surprise, which are emotions I don’t actually feel when bringing you this latest revelation about the NSO’s shady dealings.
The Mossad used NSO’s Pegasus spyware to hack cellphones unofficially under the agency’s previous director, Yossi Cohen, several NSO Group employees said.
The employees, who asked to remain anonymous because of their confidentiality agreements with the company, said that Mossad officials asked NSO on several occasions to hack certain phones for them. The employees didn’t know why these hacks were requested.
There’s plenty that will shock no one about these allegations. First off, NSO Group has an extremely close relationship with the Israeli government. Top-level officials have paved the way for sales to countries like Saudi Arabia and the UAE, leveraging powerful spyware to obtain diplomatic concessions.
Second, NSO — like other Israeli malware merchants — recruits heavily from the Israeli government, approaching military members and analysts from intelligence agencies Shin Bet and the Mossad. Given this incestuous relationship, it’s unsurprising visiting Mossad members would feel comfortable asking for a few off-the-books malware deployments.
It appears these alleged hacking attempts were requested to obscure the source of the hackings, eliminating any paper trail linking the Mossad to the information obtained as a result of these malware deployments. As the Haaretz article points out, the Mossad doesn’t really need NSO’s tools or expertise. It had the capability to compromise cellphones well before NSO brought tools like Pegasus to market.
A generous reading of these informal requests would be that the Mossad was having problems compromising a target and wanted to see if NSO had any recent exploits that could help. A more realistic reading is that these requests were meant to evade the Mossad’s oversight.
Experts in the field of phone exploitation are still trying to verify these claims and ascertain whether or not NSO could actually do what was requested. Evidence of these allegations has yet to be discovered. But it’s apparent NSO’s hard rules about who could or couldn’t be targeted were actually portable goal posts.
NSO has sold plenty of spyware to governments with the understanding it can’t be used to target US numbers. But then it showed up in the United States with a version of Pegasus called “Phantom” that could be used to target US numbers. It pitched this to FBI (with live demonstrations using dummy phones purchased by the agency) but left empty-handed when DOJ counsel couldn’t find some way to use this malware without violating the Constitution or (far more likely) keeping the particulars of the hacking tool from being discussed in open court.
NSO also claims malware cannot be deployed against Israeli numbers. This, too, has been shown to be false. So, there’s really no reason to believe NSO when it claims everything about its malware products is so compartmentalized Mossad officials would not be able to waltz into the building and ask for unregulated malware deployments.
Indeed, the answer given by an NSO spokesperson is so ridiculous it may prompt a sudden burst of laughter from all but the most credulous readers.
When asked what prevents an executives from spying on, say, a competitor by using an in-house server, the NSO representative stressed that even if such a system existed, the legal risks posed by such a scenario would serve as a serious deterrent.
They added that the question is tantamount to asking what prevents workers in a munitions factory from stealing guns and using them illegally, or what stops a police officer from abusing their power.
On one hand, I can see this is NSO saying you have to trust your employees and that no policy is capable of eliminating all wrongdoing. On the other hand, it offers no meaningful denial about alleged wrongdoing. The answer is at least as meaningless as the question. It basically says NSO can’t really prevent malfeasance, which is definitely not a direct denial of the allegations made in this report.
NSO Group is in an unenviable position: it can’t disprove allegations without opening up scrutiny of its operations and its clients. On the other hand, it can’t do that without risking existing contracts or future sales. But as much as I’d like to express sympathy, the company has spent years making itself unsympathetic by selling to human rights violators and blowing off legitimate criticism of its business model. It made itself millions by selling to authoritarians and getting super cozy with Israel’s government. Now it has to pay the piper. And it seriously looks like it will be as bankrupt as its morals by the time this is all said and done.