Whistleblower Alleges NSO Offered To 'Drop Off Bags Of Cash' In Exchange For Access To US Cellular Networks
from the pay-to-play dept
The endless parade of bad news for Israeli malware merchant NSO Group continues. While it appears someone might be willing to bail out the beleaguered company, it still has to do business as the poster boy for the furtherance of human rights violations around the world. That the Israeli government may have played a significant part in NSO's sales to known human rights violators may ultimately be mitigating, but for now, NSO is stuck playing defense with each passing news cycle.
Late last month, the New York Times revealed some very interesting things about NSO Group. First, it revealed the company was able to undo its built-in ban on targeting US phone numbers… provided it was asked to by a US government agency. The FBI took NSO's powerful Pegasus malware for a spin in 2019, but under an assumed name: Phantom. With the permission of NSO and the Israeli government, the malware was able to target US numbers, albeit ones linked to dummy phones purchased by the FBI.
The report noted the FBI liked what it saw, but found the zero-click exploit provided by NSO's bespoke "Phantom" (Pegasus, but able to target US numbers) might pose constitutional problems the agency couldn't surmount. So, it walked away from NSO. But not before running some attack attempts through US servers -- something that was inadvertently exposed by Facebook and WhatsApp in their lawsuit against NSO over the targeting of WhatsApp users. An exhibit declared NSO was using US servers to deliver malware, something that suggested NSO didn't care about its self-imposed restrictions on US targeting. In reality, it was the FBI and NSO running tests of the zero-click malware against US-based targets, test traffic that happened to be caught by Facebook's engineers.
But there's more. Recent reports building on the NYT article contain statements claiming NSO approached a company that provides security services to cellular carriers with (well, let's just say it) bribes, seeking access at the carrier signaling level. Access at that layer sits below the device and app defenses deployed by Facebook, Google, and Apple, which is precisely why it would be valuable to a spyware vendor whose exploits those companies keep patching.
Here's what's been alleged in newer reports, like this one by Craig Timberg of the Washington Post:
The surveillance company NSO Group offered to give representatives of an American mobile-security firm “bags of cash” in exchange for access to global cellular networks, according to a whistleblower who has described the encounter in confidential disclosures to the Justice Department that have been reviewed by The Washington Post.
The mobile-phone security expert Gary Miller alleges that the offer came during a conference call in August 2017 between NSO Group officials and representatives of his employer at the time, Mobileum, a California-based company that provides security services to cellular companies worldwide. The NSO officials specifically were seeking access to what is called the SS7 network, which helps cellular companies route calls and services as their users roam the world, according to Miller.
Mobileum execs were (understandably) unsure how any of this was supposed to work in the unlikely event they were amenable to a foreign entity's requests for elevated access to US cellular networks. Fortunately, the NSO rep made it extremely clear how this was going to work, according to the whistleblower:
In Miller’s account to the Justice Department, when one of Mobileum’s representatives pointed out that security companies do not ordinarily offer services to surveillance companies and asked how such an arrangement would work, NSO co-founder Omri Lavie allegedly said, “We drop bags of cash at your office."
Simple enough. Except -- to quote C. Montgomery Burns -- at the end of the proposed transaction "the money and the very stupid man were still there." Mobileum execs say no such bribery took place -- not because NSO didn't offer it but because the company refused to accept the generous offer of extremely shady "bags of cash" from the Israeli malware maker.
NSO has its own explanation for these events, which is, basically: "It was a joke, probably."
In a statement through a spokesperson, Lavie said he did not believe he had made the remark. “No business was undertaken with Mobileum,” the statement said. “Mr Lavie has no recollection of using the phrase ‘bags of cash’, and believes he did not do so. However if those words were used they will have been entirely in jest.”
Hahahahahaaaa… here at the home of the zero-click exploit marketed to human rights violators we often joke about bribing tech companies to allow us more access to networks. Oh, our sides ache from the fun we have jesting about subverting networks to compromise targets of evil empires. Ell oh fucking ell.
Mobileum, on the other hand, says it has never done business with NSO and reported this proposed cash drop to the FBI in 2017 but never heard anything back from the agency. Two years later, the FBI was experimenting with NSO malware and trying to gauge the political and constitutional fallout of deploying unregulated malware against US citizens.
Even if NSO is to be believed, there's nothing good awaiting it on the US side of things. The Commerce Department has already blacklisted the company (adding it to its Entity List), cutting off its ability to purchase US tech for the purpose of compromising it. And the Department of Justice has opened its own investigation into NSO, adding to its list of US-related woes.
NSO could have avoided all of this international attention by being more selective about who it sold to, and stripping customers of their licenses at the first hint of malfeasance. It didn't. And the fact that it may have been pressed into service as a malware-laden extension of the Israeli government's Middle East charm offensive isn't going to save it. NSO has to save itself but it lacks the tools to do so. Whatever it claims in defense of every reported allegation is presumed to be suspect, if not completely false. The reputation it has now is mostly earned. It made millions helping sketchy governments inflict further misery on citizens, dissidents, journalists, and political opponents. The company's honor is no longer presumed if, indeed, it ever was.
Filed Under: bribes, malware, pegasus, phantom, phone networks, spyware, surveillance, whistleblower
Companies: nso group
Reader Comments
According to The Times of Israel, Quadream’s REIGN spyware is said to have used the same exploit as NSO Group’s Pegasus (https://www.timesofisrael.com/second-israeli-company-exploited-apple-flaw-to-hack-into-iphones-report/)
[ link to this | view in chronology ]
why?
Why wouldn't NSO have just purchased an SS7 capable phone switch? Then they'd be able to track and trace every phone and phone call on the planet?
[ link to this | view in chronology ]
Re: why?
Because a switch by itself is worthless, the important part is that it is linked to the SS7 network and that you can't just buy.
[ link to this | view in chronology ]
Are there no Apple stores in Israel? Are there no Amazon deliveries? No private addresses? Nobody that can supply a "new business" a router or two?
Sorry, not buying the "can't purchase US tech" line, except "directly, under their own name".
[ link to this | view in chronology ]
Re:
It's in the same realm as a no-contact order. Suppose you've assaulted someone, and the judge orders you to have no contact with the victim. Sure, you can ignore that and contact the victim anyways. But if you do, you're most definitely getting a jail sentence. Legally enforceable orders should not be mistaken for polite suggestions.
[ link to this | view in chronology ]
"However if those words were used they will have been entirely in jest."
Can we see if he's still laughing when he's undergoing the same treatment many of his victims received?
[ link to this | view in chronology ]