Maybe it’s time for the Israeli government to put a moratorium on Mossad-based startups. Israeli intelligence services have been the petri dishes for a particular strain of techbro — ones who have the smarts to create zero-click exploits but none of the common sense needed to cull baddies from their customer lists.
The Israeli government is partly to blame. It worked closely with NSO Group (and presumably others in the same business) to broker deals with human rights abusers: diplomacy via malware sales.
Months of negative press got NSO blacklisted by the US government. It also got it investigated in its homeland, finally resulting in the Israeli government (reluctantly) limiting who the company could sell to.
NSO isn’t the only malware merchant with Israeli roots. Candiru — another recipient of US sanctions — calls Israel home. So does Cytrox, yet another exploit developer with ties to Israeli intelligence services. Cytrox was at the center of a recent domestic spying scandal in Greece, with its malware being used to target opposition leaders and journalists. This culminated in Greek police forces raiding Cytrox’s local office, presumably as part of the ongoing investigation.
Israel’s Cognyte Software Ltd won a tender to sell intercept spyware to a Myanmar state-backed telecommunications firm a month before the Asian nation’s February 2021 military coup, according to documents reviewed by Reuters.
Given the fact that any malware sold to the Myanmar government was likely to be abused to target critics and political opponents, Cognyte never should have agreed to sell the government its products. It should have declined the sale on its own, simply because that is what a responsible company does.
But there’s another reason Cognyte shouldn’t have done it: it had to violate the law to complete the sale.
The deal was made even though Israel has claimed it stopped defence technology transfers to Myanmar following a 2017 ruling by Israel’s Supreme Court, according to a legal complaint recently filed with Israel’s attorney general and disclosed on Sunday.
According to the documents seen by Reuters, the sale was finalized at the end of 2020, apparently with the assistance of regulator Myanmar Post and Telecommunications (MPT). Given its proximity to the beginning of the coup, it seems this was deliberately acquired for use by the military government, which decided to contest an election it lost in November 2020 by overthrowing the democratically elected government three months later.
The fact that this sale occurred after the government swears it no longer permitted sales to Myanmar presents two possibilities. Neither option is good.
Either the government never stopped handing out export licenses to tech companies hoping to sell to Myanmar’s government or Cognyte ignored the restriction and made the sale without the required export license. Given that the documents show Cognyte as the winning bidder, the company didn’t even bother to try to launder its illegal export through a middleman. Or maybe it was both: a “don’t ask, don’t tell” policy for malware sales to human rights abusers.
Whatever the case, it’s another black eye for the Israeli government — one that has done little to prevent local companies from selling powerful tech to bad people. It’s also an indictment of its intelligence services, which seem capable of attracting extremely skilled people who somehow decide that the logical extension of the lessons they’ve learned securing their nation is abandoning any remaining morality or ethics once they hit the private sector.
That NSO Group was shady wasn’t a new fact. Its decision to sell malware to abusive governments had been criticized for nearly a half-decade. But the data leak made this a problem too big to ignore. The US government responded by blacklisting NSO. The Israeli government — which had been instrumental in helping NSO Group secure contracts with human rights abusers — finally decided it was time to limit who NSO could sell its products to.
NSO’s flagship product — Pegasus — was capable of delivering zero-click exploits. Once a phone was infected, NSO customers were free to do as they pleased. They could intercept text messages and listen in on phone calls. And they could commandeer devices to make them much more than passive interception points.
Details and screenshots of a prototype version of the Pegasus spyware designed for Israeli police back in 2014 reveal the tools and far-reaching capabilities of a system that was slated to be deployed in everyday police work.
The spyware’s suite of tools, which were supposed to be presented to the security cabinet headed by then-Prime Minister Benjamin Netanyahu, included various capabilities sought by police – ranging from listening to any phone call on an infected phone and reading text messages to remotely opening the microphone and the camera without the phone owner’s knowledge.
Haaretz says the presentation was produced to be shown to the Police Brigadier General Yoav Hassan, the newly appointed head of “signals intelligence.” The signals intelligence group operated outside the bounds of domestic law, targeting foreigners as a compartmentalized, “extra-territorial” surveillance operation.
This information may have been presented to this secretive division of Israel’s national police force. It’s not clear whether NSO’s presentation was ever given to government officials overseeing this program. If so, government officials chose to ignore the dangers posed by Pegasus deployment, which included giving NSO customers access to capabilities that were illegal under Israeli law.
Israeli law may not apply elsewhere in the world, but these not-so-legal features of NSO’s Pegasus malware were apparently presented to Israel’s federal police, who utilized a version of Pegasus called “Seifan” to engage in surveillance. Whether or not the police ever used these features, the features were presented as options by NSO as it pitched its goods to Israeli law enforcement.
Another capability of Seifan mentioned in the presentation is the interception of incoming and outgoing phone calls. Besides this ability, which seems to be relatively routine in the world of intelligence surveillance, there is another one known in the professional parlance as “volume listening” and is considered much more intrusive.
In simple terms it means real-time wiretapping of a device’s surroundings through the remote activation of the device’s microphone. This type of wiretapping requires an order from a district court president or their deputy.
Placing a microphone in private areas to intercept all conversations in range isn’t normal investigative behavior. Intercepting communications between suspects is one thing. Becoming an unseen and uninvited guest in someone’s home or place of business is quite another — the sort of thing courts are often extremely hesitant to approve.
But if you can achieve the same thing with a targeted phone, the ends become a justification for the means. And the means become impossible to trace, buried beneath technical jargon, redacted filings, and parallel construction.
Whether or not this feature was enabled for Israeli police post-purchase is unknown. But, according to information obtained by Haaretz, these features were part of the demo version delivered to law enforcement by NSO.
Documents in Haaretz’s hands attest that throughout the relevant time, the police signals intelligence division and NSO personnel tested the product in conjunction with a number of “operational requirements.”
Overall, the product presented then incorporates many features that are reportedly part of the Pegasus system, as well as some that are absent from the versions that have been sold to other governments in recent years.
This is the version Israeli law enforcement may have deployed against Israeli citizens. While the government continues to claim any local abuses of NSO malware were minimal, the fact is that oversight of domestic surveillance in Israel is, at best, almost nonexistent.
According to a cyber-technology expert, Israel is the only nation in the world to which oversight does not apply. Or, to put it another way, “On a principle level, NSO is free to sell services and technology to Israel, with no restrictions whatsoever on the technology it can sell it.”
Israeli law enforcement continues to insist all use of Pegasus spyware was legal and court-approved. It also claims, according to Haaretz, that it blocked features that allowed access to phone cameras and mics at will. But that claim remains little more than a self-serving deflection. The Israeli government allowed Israeli law enforcement a considerable amount of leeway to chase down criminals and national security threats. Just because something is illegal doesn’t mean cops won’t break the law to achieve their goals. And the Israeli police’s statements, which have become increasingly defensive over the past few months, suggest there’s a lot it isn’t telling us.
Most telling is the federal police’s insistence that critical reporting somehow harms officers’ ability to investigate criminal acts.
The grave damage caused by reports of this sort has harmed and is still severely harming the ability of the police to act against grave crimes, prevent violations of the law, thwart them and bring the transgressors to court.
Words on a website are not new legislation, mandates, or any other curtailment of current police activities. This is nothing more than proactive whining meant to encourage readers to consider critical reporting a threat to public safety. It’s cowardly, disingenuous, and, above all, a distraction from questions the Israeli government (federal police and their overseers) have refused to answer directly.
Almost exactly a decade ago, a few months after the US Congress rejected the site blocking setup of the SOPA copyright bill, which would enable copyright holders to force ISPs to block access entirely to websites deemed as being dedicated to “piracy,” we wrote a post about how it wasn’t even clear SOPA was needed when courts were willing to issue such blocking orders already. That was in a case around counterfeiting, where Louis Vuitton sought, and obtained, an order from a judge that demanded that domain registrars and ICANN effectively wipe certain website domains off the internet entirely.
Fast forward almost exactly a decade and TorrentFreak points us to a somewhat similar series of orders that demand that every ISP in the US block access entirely to three websites accused of infringement by a series of movie, TV, sports, and news content providers in Israel. The three orders are all embedded below, though they’re all basically the same — but they order non-party ISPs to block access to three domains that are accused of showing infringing streams: israel-tv.com, israel.tv, and sdarot.tv.
For all three of the websites, no defendants showed up in court (not too surprising, given that the cases were filed in the US). Without a defendant showing up, the court ruled for the plaintiffs in a default judgment — which is pretty typical. However, what is atypical is that the judge then basically set the 1st Amendment on fire and ordered a ton of non-parties to do things to stop enabling any access to these websites. It first issues a permanent injunction for anyone operating or working with those websites, but then issues an order for EVERY single ISP in the US to block access to these websites.
IT IS FURTHER ORDERED that all ISPs (including without limitation those set forth in Exhibit B hereto) and any other ISPs providing services in the United States shall block access to the Website at any domain address known today (including but not limited to those set forth in Exhibit A hereto) or to be used in the future by the Defendants (“Newly-Detected Websites”) by any technological means available on the ISPs’ systems. The domain addresses and any Newly-Detected Websites shall be channeled in such a way that users will be unable to connect and/or use the Website, and will be diverted by the ISPs’ DNS servers to a landing page operated and controlled by Plaintiffs (the “Landing Page”) which can be reached as follows:
Domain – zira-usa-11026.org IP Address: 206.41.119.50 (Dedicated)
The Landing Page will include substantially the following information:
On April 26, 2022, in the case of United King Distributors, et al. v. Does 1-10, d/b/a Sdarot.tv (S.D.N.Y., Case No. 1:21-cv-11026 (KPF) (RWL)), the U.S. District Court for the Southern District of New York issued an Order to block all access to this website/service due to copyright infringement
It’s unclear who created this particular landing page, but it does not exist, and at least it doesn’t include the silly badges with eagles on it.
The blocking order shows a very long list of ISPs, covering nine pages. For unclear reasons, the list shows not just the names of the ISPs, but also the estimated population covered, the number of states they cover, and their max speeds. As far as I can tell, the list appears to come from BroadbandNow’s “Internet Providers in the United States of America” list. This is the first page that comes up if you Google “list of US ISPs” and it also displays the exact same data sets in the exact same order. The list doesn’t match exactly, though, so it appears to be a subset of the larger list — though the court order says that it should be considered to apply to any US ISP.
And Judge Katherine Polk Failla doesn’t stop there. After ordering every ISP to block these websites, she also orders all third party service providers to cease doing business with these three websites. This includes an incredibly long list of possible service providers (notably a list that is even more in-depth than would have been required under SOPA — which, again, Congress rejected):
IT IS FURTHER ORDERED, that third parties providing services used in connection with Defendants’ operations — including, without limitation, ISPs, web hosting providers, CDN service providers, DNS service providers, VPN service providers, domain name purchasing service, domain names privacy service, back-end service providers, affiliate program providers, web designers, shippers, search-based online advertising services (such as through-paid inclusion, paid search results, sponsored search results, sponsored links, and Internet keyword advertising), any banks, savings and loan associations, merchant account providers, payment processors and providers, credit card associations, or other financial institutions, including without limitation, PayPal, and any other service provider which has provided services or in the future provides services to Defendants and/or the infringing Website (including without limitation those set forth in the list annexed and made Exhibit C annexed hereto) (each, a “Third Party Service Provider”) — having knowledge of this Order by service, actual notice or otherwise be and are hereby permanently enjoined from providing services to the Website (through any of the domain names set forth in Exhibit A hereto or at any Newly-Detected Websites) or to any Defendant in conjunction with any of the acts set forth in subparagraphs (A)(1) to (A)(6) above;
And, as if that was not enough, she also orders domain registrars to effectively kill those domains as well and hand them over to the plaintiffs:
That all domain names associated with the infringing Website, including without limitation those set forth in Exhibit A hereto, as well as any Newly-Detected Websites, be transferred to Plaintiffs’ ownership and control; and
That in accordance with this Court’s inherent equitable powers and its power to coerce compliance with its lawful orders, and due to Defendants’ on-going operation of their counterfeiting activities, in the event Plaintiffs identifies any Newly-Detected Website registered or operated by any Defendant and used in conjunction with the streaming any of Plaintiffs’ Works, including such Websites utilizing domain names containing any of Plaintiffs’ service mark or marks confusingly similar thereto, Plaintiffs shall have the ongoing authority to serve this Order on the domain name registries and/or the individual registrars holding and/or listing one or more of such the domain names associated with the Newly-Detected Websites; and
That the domain name registries and/or the individual registrars holding and/or listing one or more of the domain names associated with the Newly-Detected Websites, within seven (7) days of service of a copy of this Order, shall temporarily disable any domain names associated with the Newly-Detected Websites, make them inactive, and channel them in such a way that users will be unable to connect and/or use the Website, and will be diverted to the Landing Page (as defined in Paragraph B, above); and
That after thirty (30) business days following the service of this Order, the registries and/or the individual registrars shall provide Plaintiffs with all contact information for the Newly-Detected Websites; shall transfer any domain names associated with the Newly-Detected Websites to the ownership and control of Plaintiffs, through the registrar of Plaintiffs’ choosing, unless the Defendant has filed with the Court and served upon Plaintiffs’ counsel a request that such Newly-Detected Websites be exempted from this Order or unless Plaintiffs requests that such domain names associated with the Newly-Detected Websites be released rather than transferred;
Again, this is way, way beyond what even SOPA would have allowed. But Congress didn’t do it — and for good reason. This ruling has some really significant 1st Amendment issues. Ordering the complete takedown of a website like this is the equivalent of shutting down a magazine — ordering that the landlord evict the publisher, that the printing presses be destroyed, that the postal service refuse to send copies of the magazine, that the local waste management company refuse to pick up the garbage, etc. etc. An order like that would obviously have tremendous 1st Amendment problems as an attack on speech, even if you recognize that some of the content was infringing.
Of course, given that the websites chose not to show up in US court, it seems unlikely that they will challenge the order. It is possible that some ISPs might push back on it, not because they want to support piracy, but because of the extraordinarily problematic general precedent of allowing a judge to order such an extreme internet kill order. Allowing these kinds of orders to survive creates tremendous instability for the internet, and hopefully some ISPs will push back.
Nearly every rumor about NSO Group has been proven true, despite plenty of early denials by the (oh, I guess we’ll be nice…) “embattled” malware merchant. The world’s foremost purveyor of zero-click exploits capable of completely compromising targets’ phones is still in damage control mode. The damage can no longer be controlled, though. So, it’s basically just NSO admitting the nasty things said about it have been mostly true.
The Israel Police was sold a version of the Pegasus spyware that is weaker than the software sold abroad but, unlike the international package, can be used against Israeli cellphones, the CEO of NSO Group said Tuesday.
Shalev Hulio confirmed to Radio103FM in an interview that police were provided with the Saifan package, which was assumed to be the case based on police rhetoric, media reports and expert opinions.
Apparently, it’s ok to assist in domestic surveillance as long as the surveillers don’t have access to the full version of the malware. That’s weird. What’s weirder is that NSO sold the full-strength version of this exploit to Israel’s enemies — a list that pretty much includes every other nation in the Middle East. They got the real exploit. Meanwhile, the locals had to make do with something less effective, presumably under the theory that this would make domestic surveillance more palatable.
But it really doesn’t. All we have is CEO Shalev Hulio’s assertion that foreign customers (including plenty of human rights abusers) couldn’t target Israeli numbers. This assertion means a whole lot less when the company is willing to bend the rules to target numbers previously declared to be off-limits. It created a version for the FBI that allowed the agency to target US phone numbers. And it crafted a variation that allowed Israeli police to bypass the rules NSO claims govern its spyware: the “forbidden” targeting of Israeli phone numbers.
This selective inability to remain consistent makes this statement by Hulio completely nonsensical.
“The police incident was not Pegasus but Saifan, a weaker version of Pegasus, with fewer capabilities and options for action. They tried to paint it as if they were spying on Israeli citizens; this of course was not true,” Hulio said.
But it is spying on Israeli citizens. You don’t target a phone with malware for any other reason if you’re a law enforcement/domestic security agency. Phones were hit with allegedly-weakened malware for one purpose: to gain intel. That is the definition of surveillance and spying. Previous reporting confirms what NSO won’t admit: its spy tech was used to spy on Israeli citizens.
Pegasus is an extremely powerful tool that delivers a zero-click exploit — requiring no user interaction — allowing the spyware’s operator to remotely gain access to all of a phone’s data and functionality. It also enables operators to listen in on calls and use it as a listening device.
Israeli media reports have suggested it was only those latter capabilities that police had access to.
The latter capability is 100% spying. Even if what happened was 100% lawful, it’s still spying. If Hulio wants to argue about the specifics of Israeli surveillance law, that’s one thing. But to claim that “listening in on calls” and turning phones into “listening devices” isn’t spying is absurd. Even in its weakened state, the spyware was completely capable of doing plenty of surveillance.
And Hulio freely admits it was used to target Israelis. That is domestic surveillance. Lawful or not, that’s what happened and that’s what NSO enabled. There’s no walking away from that no matter how often media figures give you the opportunity to reiterate NSO’s corporate cognitive dissonance.
Oh, NSO Group, is there anything you won’t do? (And then clumsily deny later?). If I were the type to sigh about such things, I surely would. But that would indicate something between exasperation and surprise, which are emotions I don’t actually feel when bringing you this latest revelation about the NSO’s shady dealings.
The Mossad used NSO’s Pegasus spyware to hack cellphones unofficially under the agency’s previous director, Yossi Cohen, several NSO Group employees said.
The employees, who asked to remain anonymous because of their confidentiality agreements with the company, said that Mossad officials asked NSO on several occasions to hack certain phones for them. The employees didn’t know why these hacks were requested.
There’s plenty that will shock no one about these allegations. First off, NSO Group has an extremely close relationship with the Israeli government. Top-level officials have paved the way for sales to countries like Saudi Arabia and the UAE, leveraging powerful spyware to obtain diplomatic concessions.
Second, NSO — like other Israeli malware merchants — recruits heavily from the Israeli government, approaching military members and analysts from intelligence agencies Shin Bet and the Mossad. Given this incestuous relationship, it’s unsurprising visiting Mossad members would feel comfortable asking for a few off-the-books malware deployments.
It appears these alleged hacking attempts were requested to obscure the source of the hackings, eliminating any paper trail linking the Mossad to the information obtained as a result of these malware deployments. As the Haaretz article points out, the Mossad doesn’t really need NSO’s tools or expertise. It had the capability to compromise cellphones well before NSO brought tools like Pegasus to market.
A generous reading of these informal requests would be that the Mossad was having problems compromising a target and wanted to see if NSO had any recent exploits that could help. A more realistic reading is that these requests were meant to evade the Mossad’s oversight.
Experts in the field of phone exploitation are still trying to verify these claims and ascertain whether or not NSO could actually do what was requested. Evidence of these allegations has yet to be discovered. But it’s apparent NSO’s hard rules about who could or couldn’t be targeted were actually portable goal posts.
NSO has sold plenty of spyware to governments with the understanding it can’t be used to target US numbers. But then it showed up in the United States with a version of Pegasus called “Phantom” that could be used to target US numbers. It pitched this to the FBI (with live demonstrations using dummy phones purchased by the agency) but left empty-handed when DOJ counsel couldn’t find some way to use this malware without violating the Constitution or (far more likely) without keeping the particulars of the hacking tool from being discussed in open court.
NSO also claims malware cannot be deployed against Israeli numbers. This, too, has been shown to be false. So, there’s really no reason to believe NSO when it claims everything about its malware products is so compartmentalized Mossad officials would not be able to waltz into the building and ask for unregulated malware deployments.
When asked what prevents an executive from spying on, say, a competitor by using an in-house server, the NSO representative stressed that even if such a system existed, the legal risks posed by such a scenario would serve as a serious deterrent.
They added that the question is tantamount to asking what prevents workers in a munitions factory from stealing guns and using them illegally, or what stops a police officer from abusing their power.
On one hand, I can see this is NSO saying you have to trust your employees and that no policy is capable of eliminating all wrongdoing. On the other hand, it offers no meaningful denial about alleged wrongdoing. The answer is at least as meaningless as the question. It basically says NSO can’t really prevent malfeasance, which is definitely not a direct denial of the allegations made in this report.
NSO Group is in an unenviable position: it can’t disprove allegations without opening up scrutiny of its operations and its clients. On the other hand, it can’t do that without risking existing contracts or future sales. But as much as I’d like to express sympathy, the company has spent years making itself unsympathetic by selling to human rights violators and blowing off legitimate criticism of its business model. It made itself millions by selling to authoritarians and getting super cozy with Israel’s government. Now it has to pay the piper. And it seriously looks like it will be as bankrupt as its morals by the time this is all said and done.
The Israeli broadcaster Channel 12 said a police investigation ordered by Israel’s public security minister, Omer Barlev, had concluded that of 26 individuals named in recent reports as having been targeted using NSO Group’s Pegasus software, three named individuals were targeted, with the police successfully hacking only one of the phones.
The investigation apparently is still ongoing, so these early positive results might be undone after further examination. Fortunately, the Israeli police aren’t investigating themselves. Instead, the federal police agency is being scrutinized by officers from Israeli intelligence agencies Shin Bet and Mossad.
This doesn’t mean Israeli police haven’t targeted Israeli citizens with NSO hacking tools. It just means that what’s been discovered so far has been lawful, contradicting earlier reports that suggested targets were subjected to attempted (or successful) hacking without the proper paperwork in hand.
Of course, earlier reports also said the police were able to do this by exploiting a “loophole” in the law. And that means the spirit of the law can be violated without anyone engaging in anything that’s actually illegal. This is how state-ordained surveillance programs work: by playing right up to the edges of what the law permits.
The only possible illegal hacking was regarding Shlomo Filber, a former director-general of the Communications Ministry and longtime confidant of Netanyahu, according to Hebrew-language television reports.
The Israeli police are apparently hoping that this illegal hacking will be excused because law enforcement never accessed or made use of the data and communications obtained with the use of phone hacking tools. But the police have admitted investigators went beyond what was authorized in the court order.
Police brass told justice officials that the data was downloaded accidentally and was never given to investigators in the Netanyahu cases.
This possibly illegal hacking was discovered during the course of another investigation entirely unrelated to the current investigation about police use of NSO phone exploits.
Filber’s phone was reportedly accessed in 2017, and had the entirety of its content drained using unnamed spyware. The discovery that Filber’s phone had been targeted was made in the course of an unrelated investigation, ordered by the attorney general, into alleged police abuse of the controversial NSO Group’s Pegasus software, though a different technology was used to access Filber’s phone.
Calcalist on Monday published specific, but unsourced, allegations of hacking against 26 targets by police. The bombshell report said NSO Group’s Pegasus program was deployed against senior government officials, mayors, activist leaders, journalists and former prime minister Benjamin Netanyahu’s family members and advisers, all without judicial authority or oversight.
To be clear, NSO doesn’t deny the listed names were targets of NSO malware. Instead, it is taking issue with Calcalist’s claim that NSO provided customers with malware deployment tools that could be configured to prevent the creation of data logs during deployment and use, thus preventing the creation of digital footprints that could indicate the use of NSO’s Pegasus spyware. NSO denied this allegation in a letter threatening legal action, stating that it never provided customers with systems that offered plausible deniability as an undocumented feature.
In response to Thursday’s report, NSO wrote to Calcalist that the relevant systems “include full documentation of the actions performed in them,” and that the records are kept for legal purposes and to prevent tampering with evidence. It further denied the newspaper report’s claim that it had sold client software that does not include the documentation feature or only in a limited way.
We’ll see what becomes of this legal threat. NSO is already defending itself against two lawsuits brought by US tech companies. It may not be wise to press forward with one of its own and roll the dice on discovery for a third time. Given the nature of NSO and those it has chosen to sell to, it’s not all that unreasonable to believe it may have offered cover-up solutions to certain customers at a comfortable markup.
Exploit developer NSO Group may be swallowing up the negative limelight these days, but let’s not forget the company has plenty of competitors. The US government’s blacklisting of NSO arrived with a concurrent blacklisting of malware purveyor, Candiru — another Israeli firm with a long list of questionable customers, including Uzbekistan, Saudi Arabia, United Arab Emirates, and Singapore.
A flaw in Apple’s software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.
QuaDream, the sources said, is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients.
Like NSO, QuaDream sold a “zero-click” exploit that could completely compromise a target’s phone. We’re using the past tense not because QuaDream no longer exists, but because this particular exploit (the basis for NSO’s FORCEDENTRY) has been patched into uselessness by Apple.
But, like other NSO competitors (looking at you, Candiru), QuaDream has no interest in providing statements, a friendly public face for inquiries from journalists, or even a public-facing website. Its Tel Aviv office seemingly has no occupants and email inquiries made by Reuters have gone ignored.
QuaDream doesn’t have much of a web presence. That’s changing, due to this report, which builds on earlier reporting on the company by Haaretz and Middle East Eye. Even the earlier reporting doesn’t go back all that far: June 2021. That report shows the company selling a hacking tool called “Reign” to the Saudi government. But that sale wasn’t accomplished directly, apparently in a move designed to further distance QuaDream from both the product being sold and the government it sold it to.
According to Haaretz, Reign is being sold by InReach Technologies, Quadream’s sister company based in Cyprus, while Quadream runs its research and development operations from an office in the Ramat Gan district in Tel Aviv.
[…]
InReach Technologies, its sales front in Cyprus, according to Haaretz, may be being used in order to fly under the radar of Israel’s defence export regulator.
Reign is apparently the equivalent of NSO’s Pegasus, another powerful zero-click exploit that appears to still be able to hack most iPhone models. But it’s not a true equivalent. According to this report, the tool can be rendered useless by a single system software update and, perhaps more importantly, cannot be remotely terminated by the entity deploying it, should the infection be discovered by the target. This means targeted users have the opportunity to learn a great deal about the exploit, its deployment, and possibly where it originated.
One QuaDream system, which would have given customers the ability to launch 50 smartphone break-ins per year, was being offered for $2.2 million exclusive of maintenance costs, according to the 2019 brochure. Two people familiar with the software’s sales said the price for REIGN was typically higher.
With more firms in the mix — and more scrutiny from entities like Citizen Lab — it’s only a matter of time before information linking NSO competitors to human rights abuses and indiscriminate targeting of political enemies threatens to make QuaDream and Candiru household names. And, once again, it’s time to point out this all could have been avoided by refusing to sell powerful hacking tools to human rights abusers who were obviously going to use the spyware to target critics, dissidents, journalists, ex-wives, etc. That QuaDream chose to sell to countries like Saudi Arabia, Singapore, and Mexico pretty much guarantees reports of abusive deployment will surface in the future.
Instead, like everywhere else NSO malware has been abused, Israeli police forces targeted activists protesting then-Prime Minister Benjamin Netanyahu’s COVID restrictions, as well as mayors of Israeli cities. Also included on the list of hacking targets were former government employees and “a person close” to a senior politician. In some cases, the police used the malware to phish for information from targets’ phones, all without any reasonable suspicion these targets may have committed criminal acts.
On top of all that, the police deployed the malware without direct or judicial oversight. Utilizing a loophole in the law, investigators avoided seeking court authorization for these hacking attempts.
Israel police used spyware to access data in the phone of an individual involved in the trial of former Prime Minister Benjamin Netanyahu, a report said on Wednesday.
The hack, reported on Channel 13 News, was discovered by the Justice Ministry during its review of the police’s use of the spyware.
This hacking — like much of what was reported by Calcalist — was also likely illegal.
The police reportedly claimed that the investigators never received the data, which was gathered against the police’s procedures.
A failure to collect data is not the same thing as never engaging in illegal hacking at all, no matter how the police might try to spin this. The target of this attack still has yet to be identified, but the report contains a statement from the attorney representing Shaul and Iris Elovich, a couple accused of bribing Netanyahu.
There’s also this tantalizing detail, which shows the police may have been lying in its earlier statement to Calcalist about every use of NSO malware being legal and authorized by the proper court paperwork.
In a brief statement that doesn’t go into any specific cases, the police said “additional findings” from its internal probe “change in some ways” an earlier statement last month that ruled out any wrongdoing.
Hmm. Maybe don’t offer up blanket statements when you have no other evidence but knee-jerk defensiveness when you’ve been caught with your hand in the domestic surveillance cookie jar. The only “way” the earlier statement could “change” at this point is to contain admissions of wrongdoing and illegal searches. That correction — whenever it arrives — is going to leave deep, self-inflicted bruises on the Israel Police.
Israel police uses NSO’s Pegasus spyware to remotely hack phones of Israeli citizens, control them and extract information from them, Calcalist has revealed. Among those who had their phones broken into by police are mayors, leaders of political protests against former Prime Minister Benjamin Netanyahu, former governmental employees, and a person close to a senior politician.
Not exactly the terrorists and dangerous criminals NSO claims its customers target. Instead, the targets appear to be more of the same non-terrorists and non-criminals NSO customers have targeted with alarming frequency: political opponents, activists, etc.
That already looks pretty terrible (but extremely on-brand for NSO customers). But it gets a lot worse. The government didn’t even bother trying to fake up any justification for this spying.
Calcalist learned that the hacking wasn’t done under court supervision, and police didn’t request a search or bugging warrant to conduct the surveillance.
Is it a “rogue state” when the entire state has decided the rules don’t apply to them? Asking for people I would never consider friends.
Perhaps this abuse could have been contained, curtailed, or averted entirely. But the upper layers of the Israeli government cake couldn’t be bothered.
There is also no supervision on the data being collected, the way police use it, and how it distributes it to other investigative agencies, like the Israel Securities Authority and the Tax Authority.
“Fuck it,” said multiple levels of the Israeli government. It would be a shame to let these powerful hacking tools go to waste — not when there are anti-government activists out doing activism. Israeli law enforcement decided — not incorrectly, it appears — it was a law unto itself, and issued its own paperwork to target protesters demonstrating against the former Prime Minister and COVID restrictions handed down by the Israeli government.
At least some of these malware attacks were targeted. In other cases, law enforcement engaged in almost-literal fishing expeditions to find more targets for NSO’s Pegasus spyware.
NSO’s spyware was also used by police for phishing purposes: attempts to phish for information in an intelligence target’s phone without knowing in advance that the target committed any crime. Pegasus was installed in a cellphone of a person close to a senior politician in order to try and find evidence relating to a corruption investigation.
If you like your damning reports to be breathtaking in their depiction of government audacity, click through to read more. The further you scroll down, the worse it gets. Evidence obtained with illicit malware deployments was laundered via parallel construction. Employees of government contractors were targeted without consultation with any level of oversight. A town’s mayor was hacked — allegedly because the Israeli government suspected corruption — but no evidence of corruption was obtained. However, all data and communications harvested from the compromised phone still remains in the hands of the government. In one case, cops used NSO malware — again without court permission — to identify a phone thief suspected of publishing “intimate images” from the stolen phone online.
In only a few cases was the malware used to investigate serious crimes. But even in those cases, no legal approval was obtained and the malware was deployed furtively to fly under the oversight radar.
NSO’s response to this report is more of the same: Hey, we just sell the stuff. We can’t control how it’s used, even when it’s being purchased by our own government.
The Israeli police statement is far more defensive:
“The claims included in your request are untrue. Israel Police acts according to the authority granted to it by law and when necessary according to court orders and within the rules and regulations set by the responsible bodies. The police’s activity in this sector is under constant supervision and inspection of the Attorney General of Israel and additional external legal entities…”
Well, then I assume the paperwork containing signatures and explicit approval of all relevant authorities is being swiftly couriered to Calcalist HQ to provide evidence refuting the claims made in its article. Otherwise, this just sounds like the bitter muttering of an angry government spokesperson willing to do nothing more than allude to the Emperor’s New Court Orders. Given the routine abuse of NSO Group malware by governments around the world, it comes as absolutely no surprise it’s being abused at home as well. And the non-denials by governments are starting to wear as thin as NSO’s “hey, we’re only an enabler of abuse” statements.
In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.
What was being tested was NSO’s Pegasus — an exploit so advanced it pretty much rendered encryption obsolete. In some cases, the exploit didn’t even need the target’s participation to deploy. NSO was selling zero-click malware that compromises phones entirely — providing access to texts, photos, WhatsApp messages, cameras, mics, and whatever other data might be flowing through it. That’s what the FBI was interested in.
It was also interested in something NSO had prepared especially for the FBI. Pegasus was blocked from targeting US numbers. But the FBI definitely wanted to target US phone users, so NSO whipped up a very specific product for the feds.
During a presentation to officials in Washington, the company demonstrated a new system, called Phantom, that could hack any number in the United States that the F.B.I. decided to target. Israel had granted a special license to NSO, one that permitted its Phantom system to attack U.S. numbers. The license allowed for only one type of client: U.S. government agencies.
The presentation made it clear the FBI could target whoever it wanted and needed to seek no assistance from any US cell provider. The exploits were completely independent of US communications infrastructure… other than relying on US content servers for deployment.
But, as the New York Times reports, the FBI still had concerns. Given the malware’s ability to turn a target’s phone into pretty much the FBI’s phone, would deployment raise Fourth Amendment concerns? Presumably, this question centered on how much could be obscured through parallel construction, rather than the FBI’s genuine concern about the privacy rights of Americans. It’s one thing to disguise a wardriving Stingray as a pen register order. It’s quite another to attempt to explain how agents were able to access the content of encrypted communications with a normal wiretap warrant, especially if there’s no cooperating witness to lean on.
As this debate proceeded, the FBI continued to pay for the product it wasn’t sure it could actually use, racking up $5 million in license fees before deciding against rolling this particular constitutional dice. But in doing so, it unwittingly played a part in Facebook’s lawsuit against NSO Group. Documents filed by Facebook and WhatsApp showed an NSO customer was using US-based servers to deploy malware. The assumption at that time was that NSO was enabling access to US servers so foreign governments could deliver malware to targets. Apparently what Facebook observed was the testing conducted by NSO and FBI during this trial run.
When they first presented their case against NSO, Facebook’s lawyers thought they had evidence to disprove one of the Israeli company’s longtime claims — that the Israeli government strictly prohibits the firm from hacking any phone numbers in the United States. In court documents, Facebook asserted it had evidence that at least one number with a Washington area code had been attacked. Clearly someone was using NSO spyware to monitor an American phone number.
But the tech giant didn’t have the entire picture. What Facebook didn’t appear to know was that the attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the F.B.I. of Phantom — the system NSO designed for American law-enforcement agencies to turn the nation’s smartphones into an “intelligence gold mine.”
Five million dollars and one court exhibit later, the FBI is still finding ways to work around encryption that don’t involve constitutionally-questionable phone exploits sold by a morally questionable tech company.
There are plenty of other interesting details in the New York Times article, which I definitely encourage you to click through and read. While the exploits have indeed enabled governments to take down dangerous criminals (including, apparently, notorious drug cartel leader El Chapo), the spread of malware contracts to morally questionable governments was greatly enabled by the Israeli government, which leveraged NSO and its powerful tools to obtain cooperation from countries historically resistant to forming bonds with the Israeli government. While the ends may have been somewhat admirable, the means have resulted in persistent abuse of NSO tools to target people governments don’t like, rather than actual threats to themselves or their constituents.