The Israeli spyware firm has signed contracts with Bahrain, Oman and Saudi Arabia. Despite its claims, NSO exercises little control over use of its software, which dictatorships can use to monitor dissidents.
The Israeli firm NSO Group Technologies, whose software is used to hack into cellphones, has in the past few years sold its Pegasus spyware for hundreds of millions of dollars to the United Arab Emirates and other Persian Gulf states, where it has been used to monitor anti-regime activists, with the encouragement and the official mediation of the Israeli government.
NSO is one of the most active Israeli companies in the Gulf, and its Pegasus 3 software permits law enforcement authorities to hack into cellphones, copy their contents and sometimes even to control their camera and audio recording capabilities. The company’s vulnerability researchers work to identify security threats and can hack into mobile devices independently (without the aid of an unsuspecting user, who, for example, clicks on a link).
The company works only with state authorities, but it doesn’t distinguish between democracies and dictatorships, as in the Gulf; despite its claims, it does little to supervise how its technology is used. Israel put NSO in touch with Arab states in the region, and Israeli representatives even took part in marketing meetings between intelligence officials in the Arab states and NSO executives. Some of the meetings were held in Israel.
NSO has a dedicated team that works with Gulf states, and all of its members have foreign passports. It’s the company’s most profitable division, with annual revenue of hundreds of millions of dollars. Every Gulf state has a nickname based on the first letter of the country’s name and an automotive manufacturer: Saudi Arabia is called Subaru, Bahrain is BMW and Jordan is Jaguar. The practice within NSO is to use these names rather than the country’s real name.
According to intelligence obtained by Haaretz, in the past few years NSO has signed contracts with Bahrain, Oman, Saudi Arabia and the emirates of Abu Dhabi and Ras Al-Khaimah. NSO does not do business with Qatar because Israel prohibits it.
During meetings in the Gulf, company representatives often illustrated their software’s hacking capabilities by using cellphones they brought for the purpose. Company policy ostensibly prohibits breaking into devices that do not belong to NSO for demonstration purposes. However, for particularly enthusiastic customers, NSO representatives have also hacked into noncompany devices, solely to show what Pegasus can do. From conversations with company employees, it is clear that Gulf officials were very excited about the technology, and one contract was signed for $250 million.
NSO invests great effort in the Gulf states because of the oil-rich countries’ deep pockets. “A product that you sell in Europe for $10 million you can sell in the Gulf for 10 times that,” said one person familiar with NSO’s financial activity.
NSO’s basic plan, which permits only hacking into phones in the customer’s country with a local phone number, includes 25 software licenses. The intelligence agent in the state that purchased the spyware inputs a phone number and in most cases can get into the device within a few hours, after which the phone’s contents can be copied. NSO imposes technical limitations to protect the agent’s identity and also restrict the spyware’s capabilities, such as blocking camera access. Recently NSO hired Israeli military veterans to provide intelligence analyses in light of the Gulf states’ difficulties in producing high-quality information out of the flood of files and messages on the target devices.
NSO can fully control its software remotely: Employees can shut it down at any time or look at the information being collected in real time. They shut down activity in Mexico after journalists investigating the disappearance of students were put under surveillance. In the Gulf states, no such action has been taken. The company claims to verify that its product is used only to follow criminals, but NSO employees say that supervision is nonexistent and that the company cannot fully track the intelligence targets of various authorities due to legal and linguistic limitations, as well as a lack of interest.
To prevent intelligence information from leaking out, Pegasus “commits suicide” if a device with the software enters five countries: Israel, Iran, Russia, China and the United States. So if a Saudi citizen whose cellphone has been infected with the spyware lands in Moscow, his device recognizes that it’s in Russia and the software is wiped from the phone. The purpose is to avoid getting in trouble with states that will not tolerate espionage within their borders, such as China and the United States, or in the case of Iran, to avoid exposing secrets to hostile countries.
In the wake of the murder of Jamal Khashoggi in the Saudi consulate in Istanbul in October 2018, after which it was claimed that the kingdom’s intelligence services used NSO technology to track the dissident Saudi American journalist, many of the company’s employees protested the use of the spyware to facilitate murder, and a few even quit. In a conversation with employees, NSO Group CEO Shalev Hulio denied any connection to the incident. The company has a governance, risk and compliance committee that is supposed to determine which potential customers do not meet its ethics standards, but the definitions for legitimate surveillance targets differ from one country to another. In states such as Saudi Arabia, in contrast to a country like France, a “terrorist” could be someone using democratic means to oppose the regime.
NSO said in response: “The claims in the article are false and untrue. We are very proud of our technology, which each and every day helps to foil terror and prevent serious crime and pedophilia around the world, while meeting fully our compliance and human rights policy, which is unprecedented in the world.”
Published by Chaim Levinson in Haaretz on August 23, 2020