Israeli Police (Mostly) Cleared Of NSO-Related Wrongdoing While NSO Issues Legal Threats To Calcalist Over Cover-Up Claims

from the certainly-not-the-last-we'll-be-hearing-about-all-of-this dept

This won't change much for NSO Group, but at least it helps the Israeli Police rehab its image a bit. An "initial investigation" has (mostly) cleared the Israeli police of wrongdoing in one of the latest surveillance scandals tied to NSO's malware.

The Israeli broadcaster Channel 12 said a police investigation ordered by Israel’s public security minister, Omer Barlev, had concluded that of 26 individuals named in recent reports as having been targeted using NSO Group’s Pegasus software, three named individuals were targeted, with the police successfully hacking only one of the phones.

The investigation apparently is still ongoing, so these early positive results might be undone after further examination. Fortunately, the Israeli police aren't investigating themselves. Instead, the federal police agency is being scrutinized by officers from Israeli intelligence agencies Shin Bet and Mossad.

This doesn't mean Israeli police haven't targeted Israeli citizens with NSO hacking tools. It just means that what's been discovered so far has been lawful, contradicting earlier reports that suggested targets were subjected to attempted (or successful) hacking without the proper paperwork in hand.

Of course, earlier reports also said the police were able to do this by exploiting a "loophole" in the law. And that means the spirit of the law can be violated without anyone engaging in anything that's actually illegal. This is how state-ordained surveillance programs work: by playing right up to the edges of what the law permits.

But that doesn't mean nothing illegal happened.

The only possible illegal hacking was regarding Shlomo Filber, a former director-general of the Communications Ministry and longtime confidant of Netanyahu, according to Hebrew-language television reports.

The Israeli police are apparently hoping that this illegal hacking will be excused because law enforcement never accessed or made use of the data and communications obtained with the use of phone hacking tools. But the police have admitted investigators went beyond what was authorized in the court order.

Police brass told justice officials that the data was downloaded accidentally and was never given to investigators in the Netanyahu cases.

This possibly illegal hacking was discovered during the course of another investigation entirely unrelated to the current investigation about police use of NSO phone exploits.

Filber’s phone was reportedly accessed in 2017, and had the entirety of its content drained using unnamed spyware. The discovery that Filber’s phone had been targeted was made in the course of an unrelated investigation, ordered by the attorney general, into alleged police abuse of the controversial NSO Group’s Pegasus software, though a different technology was used to access Filber’s phone.

NSO Group, for its part, has decided it's time to start suing. Calcalist -- which has broken news of NSO-related hacking several times -- released a list of alleged Israeli targets of NSO malware. This report -- along with a follow-up by Calcalist -- has triggered legal threats from NSO.

Calcalist on Monday published specific, but unsourced, allegations of hacking against 26 targets by police. The bombshell report said NSO Group’s Pegasus program was deployed against senior government officials, mayors, activist leaders, journalists and former prime minister Benjamin Netanyahu’s family members and advisers, all without judicial authority or oversight.

To be clear, NSO doesn't deny the listed names were targets of NSO malware. Instead, it is taking issue with Calcalist's claim that NSO provided customers with malware deployment tools that could be configured to prevent the creation of data logs during deployment and use, thus preventing the creation of digital footprints that could indicate the use of NSO's Pegasus spyware. NSO denied this allegation in a letter threatening legal action, stating that it never provided customers with systems that offered plausible deniability as undocumented feature.

In response to Thursday’s report, NSO wrote to Calcalist that the relevant systems “include full documentation of the actions performed in them,” and that the records are kept for legal purposes and to prevent tampering with evidence. It further denied the newspaper report’s claim that it had sold client software that does not include the documentation feature or only in a limited way.

We'll see what becomes of this legal threat. NSO is already defending itself against two lawsuits brought by US tech companies. It may not be wise to press forward with one of its own and roll the dice on discovery for a third time. Given the nature of NSO and the those it has chosen to sell to, it's not all that unreasonable to believe it may have offered cover-up solutions to certain customers at a comfortable markup.

Filed Under: cover ups, israel, malware, pegasus, spyware, surveillance, threats
Companies: calcalist, nso group

Unknown American VC Firm Apparently Looking To Acquire NSO Group, Limit It To Selling To Five Eyes Countries

from the which-would-be-a-huge-improvement dept

NSO Group -- the embattled, extremely controversial Israeli phone malware developer -- finally has some good news to report. It may have a white knight riding to its rescue -- a somewhat unknown American venture capital firm that could help it pay its bills and possibly even rehabilitate its image.

Integrity Partners, which according to its website deals with investments in the fields of mobility and digital infrastructure, is managed by partners Chris Gaertner, Elad Yoran, Pat Wilkinson and Thomas Morgan.

According to the document of intentions, they will establish a company called Integrity Labs that would acquire control of NSO. It would also stream $300 million to the firm, in order to rebuild the company.

It's not all good news, at least not at the outset. The VC firm had pledged to lobby the US government on NSO's behalf to get the recent blacklist lifted, which means NSO would once again be able to purchase US tech solely for the purpose of developing exploits to use against that tech. If Integrity Partners has any interest in remaining true to its name, it should probably backburner this effort until it has engaged in some reputation rehabilitation.

Fortunately, it appears the VC firm is also interested in getting NSO back on the right track. Following neverending reports of NSO exploits being used to target journalists, political opponents, ex-wives, dissidents, and religious leaders, the government of Israel drastically reduced the number of countries NSO could sell to.

Integrity Labs aims to limit that list even further.

Instead of the current 37 clients, the company will reduce its sales to only five clients: the Five Eyes Anglosphere intelligence alliance of New Zealand, the United States, Australia, Great Britain and Canada. The company would initially focus on defensive cyber products as part of its rebranding effort.

With these restrictions in place -- and the United States on the preferred customer list -- it should be pretty easy to get the blacklist lifted. It's not that none of these countries would ever abuse malware to engage in domestic surveillance, but it's a far better list of potential clients than the one NSO had compiled over the last several years, which included a number of known habitual human rights abusers.

But there are still reasons to be concerned. Much of what happens to NSO after this acquisition occurs will still be shrouded in secrecy. There may be a claimed focus on defensive tech, but offensive exploits have always been NSO's main money makers and it will be much more difficult to remain profitable without this revenue stream.

Then there's the chance NSO will enter into a partnership with a different company that may not have the same altruistic goals, which means the malware developer will be able to continue limping along as the poster child for irresponsible sales and marketing. And the market for powerful malware will continue to exist. It will just end up being handled by companies that have remained mostly off the world press radar.

Also, there's the fact that there's very little information about who "Integrity Partners" actually is. While the firm's website lists its partners -- all of whom mention their military experience -- there is no evidence of a portfolio, or any evidence of previous investments. While the firm is listed in Crunchbase (the main database tracking VCs and startups), it shows no investments, and only mentions a single fund the firm has raised... for $350,000. It seems unlikely that that's enough to buy NSO Group.

For now, NSO's financial well-being and reputation are in tatters. The company cannot meet its debt obligations without outside help and its ruinous months-long streak of negative press present challenges even a timely influx of cash may not be able to reverse. But if it can rebrand and retool to provide defensive tech to a very short list of customers it may be able to survive its precipitous plunge into the "Tech's Most Hated" pool.

Filed Under: five eyes, malware, pegasus, spyware, surveillance
Companies: integrity partners, nso group

Whistleblower Alleges NSO Offered To 'Drop Off Bags Of Cash' In Exchange To Access To US Cellular Networks

from the pay-to-play dept

The endless parade of bad news for Israeli malware merchant NSO Group continues. While it appears someone might be willing to bail out the beleaguered company, it still has to do business as the poster boy for the furtherance of human rights violations around the world. That the Israeli government may have played a significant part in NSO's sales to known human rights violators may ultimately be mitigating, but for now, NSO is stuck playing defense with each passing news cycle.

Late last month, the New York Times revealed some very interesting things about NSO Group. First, it revealed the company was able to undo its built-in ban on searching US phone numbers… provided it was asked to by a US government agency. The FBI took NSO's powerful Pegasus malware for a spin in 2019, but under an assumed name: Phantom. With the permission of NSO and the Israeli government, the malware was able to target US numbers, albeit ones linked to dummy phones purchased by the FBI.

The report noted the FBI liked what it saw, but found the zero-click exploit provided by NSO's bespoke "Phantom" (Pegasus, but able to target US numbers) might pose constitutional problems the agency couldn't surmount. So, it walked away from NSO. But not before running some attack attempts through US servers -- something that was inadvertently exposed by Facebook and WhatsApp in their lawsuit against NSO over the targeting of WhatsApp users. An exhibit declared NSO was using US servers to deliver malware, something that suggested NSO didn't care about its self-imposed restrictions on US targeting. In reality, it was the FBI and NSO running some tests on local applications of zero-click malware that happened to be caught by Facebook techies.

But there's more. Recent reports building on the NYT article contain statements that claim NSO approached service providers with (well, let's just say it) bribes to allow access to targets at a higher level that might mitigate some of the defensive efforts deployed by Facebook, Google, and Apple.

Here's what's been alleged in newer reports, like this one by Craig Timberg of the Washington Post:

The surveillance company NSO Group offered to give representatives of an American mobile-security firm “bags of cash” in exchange for access to global cellular networks, according to a whistleblower who has described the encounter in confidential disclosures to the Justice Department that have been reviewed by The Washington Post.

The mobile-phone security expert Gary Miller alleges that the offer came during a conference call in August 2017 between NSO Group officials and representatives of his employer at the time, Mobileum, a California-based company that provides security services to cellular companies worldwide. The NSO officials specifically were seeking access to what is called the SS7 network, which helps cellular companies route calls and services as their users roam the world, according to Miller.

Mobileum execs were (understandably) unsure how any of this was supposed to work in the unlikely event they were amenable to a foreign entity's requests for elevated access to US cellular networks. Fortunately, the NSO rep made it extremely clear how this was going to work, according to the whistleblower:

In Miller’s account to the Justice Department, when one of Mobileum’s representatives pointed out that security companies do not ordinarily offer services to surveillance companies and asked how such an arrangement would work, NSO co-founder Omri Lavie allegedly said, “We drop bags of cash at your office."

Simple enough. Except -- to quote C. Montgomery Burns -- at the end of the proposed transaction "the money and the very stupid man were still there." Mobileum execs say no such bribery took place -- not because NSO didn't offer it but because the company refused to accept the generous offer of extremely shady "bags of cash" from the Israeli malware maker.

NSO has its own explanation for these events, which is, basically: "It was a joke, probably."

In a statement through a spokesperson, Lavie said he did not believe he had made the remark. “No business was undertaken with Mobileum,” the statement said. “Mr Lavie has no recollection of using the phrase ‘bags of cash’, and believes he did not do so. However if those words were used they will have been entirely in jest.”

Hahahahahaaaa… here at the home of the zero-click exploit marketed to human rights violators we often joke about bribing tech companies to allow us more access to networks. Oh, our sides ache from the fun we have jesting about subverting networks to compromise targets of evil empires. Ell oh fucking ell.

Mobileum, on the other hand, says it has never done business with NSO and reported this proposed cash drop to the FBI in 2017 but never heard anything back from the agency. Two years later, the FBI was experimenting with NSO malware and trying to gauge the political and constitutional fallout of deploying unregulated malware against US citizens.

Even if NSO is to be believed, there's nothing good awaiting it on the US side of things. The Commerce Department has already blacklisted the company, destroying its ability to purchase US tech for the purpose of compromising it. And the Department of Justice has opened its own investigation into NSO, adding to its list of US-related woes.

NSO could have avoided all of this international attention by being more selective about who it sold to, and stripping customers of their licenses at the first hint of malfeasance. It didn't. And the fact that it may have been pressed into service as a malware-laden extension of the Israeli government's Middle East charm offensive isn't going to save it. NSO has to save itself but it lacks the tools to do so. Whatever it claims in defense of every reported allegation is presumed to be suspect, if not completely false. The reputation it has now is mostly earned. It made millions helping sketchy governments inflict further misery on citizens, dissidents, journalists, and political opponents. The company's honor is no longer presumed if, indeed, it ever was.

Filed Under: bribes, malware, pegasus, phantom, phone networks, spyware, surveillance, whistleblower
Companies: nso group

In 2019, The FBI Took NSO Malware For A Spin Before Deciding It Might Cause Too Many Problems In Court

from the every-so-often,-the-feds-get-it-right dept

The latest disturbing revelation about Israeli malware merchant NSO Group is a bit delayed. NSO has claimed its malware can't be used to target American phone numbers which, even if true, hasn't stopped the malware from targeting Americans.

But two years before NSO's malware malfeasance made headlines around the world, the company was inside the United States, demonstrating its products for federal law enforcement. The latest revelations come via Roman Bergman and Mark Mazzetti, writing for the New York Times.

In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.

What was being tested was NSO's Pegasus -- an exploit so advanced it pretty much rendered encryption obsolete. In some cases, the exploit didn't even need the target's participation to deploy. NSO was selling zero-click malware that compromises phones entirely -- providing access to texts, photos, WhatsApp messages, cameras, mics, and whatever other data might be flowing through it. That's what the FBI was interested in.

It was also interested in something NSO had prepared especially for the FBI. Pegasus was blocked from targeting US numbers. But the FBI definitely wanted to target US phone users, so NSO whipped up a very specific product for the feds.

During a presentation to officials in Washington, the company demonstrated a new system, called Phantom, that could hack any number in the United States that the F.B.I. decided to target. Israel had granted a special license to NSO, one that permitted its Phantom system to attack U.S. numbers. The license allowed for only one type of client: U.S. government agencies.

The presentation made it clear the FBI could target whoever it wanted and needed to seek no assistance from any US cell provider. The exploits were completely independent of US communications infrastructure… other than relying on US content servers for deployment.

But, as the New York Times reports, the FBI still had concerns. Given the malware's ability to turn a target's phone into pretty much the FBI's phone, would deployment raise Fourth Amendment concerns? Presumably, this question centered on how much could be obscured through parallel construction, rather than the FBI's genuine concern about the privacy rights of Americans. It's one thing to disguise a wardriving Stingray as a pen register order. It's quite another to attempt to explain how agents were able to access the content of encrypted communications with a normal wiretap warrant, especially if there's no cooperating witness to lean on.

As this debate proceeded, the FBI continued to pay for the product it wasn't sure it could actually use, racking up $5 million in license fees before deciding against rolling this particular constitutional dice. But in doing so, it unwittingly played a part in Facebook's lawsuit against NSO Group. Documents filed by Facebook and WhatsApp showed an NSO customer was using US-based servers to deploy malware. The assumption at that time was that NSO was enabling access to US servers so foreign governments could deliver malware to targets. Apparently what Facebook observed was the testing conducted by NSO and FBI during this trial run.

When they first presented their case against NSO, Facebook’s lawyers thought they had evidence to disprove one of the Israeli company’s longtime claims — that the Israeli government strictly prohibits the firm from hacking any phone numbers in the United States. In court documents, Facebook asserted it had evidence that at least one number with a Washington area code had been attacked. Clearly someone was using NSO spyware to monitor an American phone number.

But the tech giant didn’t have the entire picture. What Facebook didn’t appear to know was that the attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the F.B.I. of Phantom — the system NSO designed for American law-enforcement agencies to turn the nation’s smartphones into an “intelligence gold mine.”

Five million dollars and one court exhibit later, the FBI is still finding ways to work around encryption that don't involve constitutionally-questionable phone exploits sold by a morally questionable tech company.

There are plenty of other interesting details in the New York Times article, which I definitely encourage you to click through and read. While the exploits have indeed enabled governments to take down dangerous criminals (including, apparently, notorious drug cartel leader El Chapo), the spread of malware contracts to morally questionable governments was greatly enabled by the Israeli government, which leveraged NSO and its powerful tools to obtain cooperation from countries historically resistant to forming bonds with the Israeli government. While the ends may have been somewhat admirable, the means have resulted in persistent abuse of NSO tools to target people governments don't like, rather than actual threats to themselves or their constituents.

Filed Under: 4th amendment, doj, fbi, israel, malware, pegasus, phantom, surveillance
Companies: nso group

India's Supreme Court Opens Investigation Into Targeting Of Indian Citizens' Phones By NSO Malware

from the is-it-too-late-to-rebrand-as-'International-Pariah' dept

NSO Group's terrible 2021 is flowing seamlessly into an equally terrible 2022. The leak of a list of alleged targets for its malware -- a list that included journalists, activists, government critics, political officials, and religious leaders -- led to an outpouring of discoveries linking the company to abusive deployments of malware by a number of questionable governments.

NSO is currently being sued by two US companies over its malware. Facebook and WhatsApp claim NSO committed terms of service violations by sending malware via the messaging service. Apple claimed the same thing, pointing to the targeting of iPhones owned by users infected with NSO spyware.

Both companies are notifying users who appear to have been targeted by this malware. All over the world, people are reporting they've been targeted, often due to investigations performed by Canada's Citizen Lab and Amnesty International.

Governments are getting into the act as well. The Israeli government -- which once helped NSO broker deals with nearby authoritarians -- is investigating the company. It has also drastically slashed the number of foreign governments it can sell to. Other governments around the world are engaging in their own investigations following reports of residents (or their elected representatives) having been hit with malware payloads created by NSO.

NSO-related phone infections are now part of a federal case in India. The nation's top court has created a committee to look into allegations Indian citizens have been targeted by NSO's Pegasus spyware.

The Supreme Court-appointed Technical Committee looking into the usage of Pegasus against Indian citizens has issued a public notice asking those who believe they have been targeted using the spyware to come forward and say whether they would be willing to let their device be examined by the committee.

The public notice, published in newspapers across the country on 2 January, requests "any citizen of India who has reasonable cause to suspect that her/his mobile has been compromised due to specific usage of NSO grow Israel's Pegasus software (sic)" to contact the committee.

Those who suspect they've been targeted will turn their phones over to the technical committee for examination. They'll receive an image file of the contents of their phone after relinquishing their phones and receive their device back after it has been forensically examined.

This response was prompted by a lawsuit brought against the Indian government for spying on its own citizens using NSO malware. The court also wants the government to answer a few questions as it moves this litigation forward. It wants to know how the malware was used (interception, eavesdropping, etc.), which government entities have access to Pegasus, and whether or not it has been used to target Indian citizens.

Some of those answers will likely be answered by the examination of submitted phones. The others may never receive direct answers -- not if the government chooses to invoke national security mantras rather than discuss its purchase and use of NSO spyware in open court.

So far, the government has chosen to say nothing about alleged targeting of its own constituents, which hasn't made the Supreme Court very happy.

The bench headed by Chief Justice of India NV Ramana criticised the Union government for its refusal to clarify whether it had purchased and used the spyware, and said it had to accept the prima facie case of the petitioners, including victims of Pegasus hacking, and examine their allegations.

The government will be forced to respond. Forensic examinations will uncover malware infections and perhaps even the source of those infections. Refusing to respond to questions now just means answering harder questions later. And it's just more of the same for NSO Group, which is now primarily known for being the enabler of government corruption and oppression.

Filed Under: india, malware, pegasus, spyware, surveillance
Companies: nso group

Polish Gov't Finally Admits It Deployed NSO Malware, Pretends Targeting Of Opposition Leaders Isn't Abusive

from the don't-be-shitty,-Poland dept

Poland -- like far too many countries -- has a Pegasus problem. The highly intrusive (and highly effective) phone malware sold by Israel's NSO Group for the ostensible purpose of tracking down terrorists and other deadly criminals has been observed (yet again) being deployed to track government critics and political opponents.

When Apple announced its lawsuit against NSO Group for targeting iPhone users, it also announced plans to notify users who had been targeted by NSO spyware. The first beneficiary of this notification program was a Polish prosecutor who was apparently targeted for trying to investigate election irregularities.

That initial notification opened the floodgates. The Polish government had access to the spyware and was deploying it for reasons entirely unrelated for the reasons it stated when purchasing it.

Several members of political opposition groups in Poland have produced evidence that they were hacked by Pegasus spyware, raising alarming questions about the Polish government’s use of the software.

[...]

The compromises were discovered by Citizen Lab, a spyware research group based at the University of Toronto, which has done extensive work on Pegasus.

[...]

In the Polish case, Citizen Lab also found evidence of spyware compromises targeting a lawyer representing Polish opposition groups and a prosecutor involved in a case against the ruling Law and Justice party. In both cases, traces of Pegasus spyware were found on the targets’ devices.

"Tip of the iceberg," as AFP reported (via MSN News):

Evidence of the hacking, which has become a major scandal in Poland, was reported by the Canada-based cyber-security watchdog Citizen Lab.

"We think this is just the tip of the iceberg and there'll be more discoveries to come," John Scott-Railton, a senior researcher with the group, told AFP.

"It's shocking and it looks very bad," he said. "Pegasus is a tool of dictators. Its use in these cases point to an authoritarian slide" in Poland.

Throughout this stream of revelations, the Polish government remained silent, apparently hoping the steady stream of news involving misuse by NSO customers would wash away interest in its misdeeds. Waiting it out didn't work. When the plan to ignore it failed, the government started lying.

When asked by the AP in December if Poland had purchased Pegasus, state security spokesman Stanislaw Zaryn would neither confirm nor deny it. However, many Kaczynski allies publicly cast doubt on suggestions of government Pegasus use.

Polish Prime Minister Mateusz Morawiecki called the Citizen Lab-AP findings “fake news” and suggested a foreign intelligence service could have done the spying — an idea dismissed by critics who said no other government would have any interest in the three Polish targets.

Deputy Defense Minister Wojciech Skurkiewicz in late December said “the Pegasus system is not in the possession of the Polish services. It is not used to track or surveil anyone in our country.”

All lies. And all exposed by non-government entities like Citizen Lab and Amnesty International -- both of which have uncovered plenty of device infections by NSO malware. Faced with undeniable evidence, the Polish government has finally admitted its possession of these hacking tools.

Poland’s most powerful politician has acknowledged that the country bought advanced spyware from the Israeli surveillance software maker NSO Group, but denied that it was being used to target his political opponents.

Jaroslaw Kaczynski, the leader of Poland’s ruling conservative party, Law and Justice, said in an interview that the secret services in many countries are using the Pegasus software to combat crime and corruption.

But this admission is accompanied by even more lies. Evidence shows the Polish government targeted opposition figures and investigators looking into a highly irregular, and completely botched election. The evidence is overwhelming but the ruling party is still trying to pretend this is all above-board.

“There is nothing here, no fact, except the hysteria of the opposition. There is no Pegasus case, no surveillance,” Kaczynski said. “No Pegasus, no services, no secretly obtained information played any role in the 2019 election campaign. They lost because they lost. They shouldn’t look for such excuses today.”

Maybe in this particular case the spying did not directly affect election results. But the software is not being used to target terrorists and criminals. It's being used to track opposition officials and investigators who are definitely the sort of people the malware was purchased to target. This is abuse and the government is taking a decidedly totalitarian tack by refusing to admit it engaged in, at the very least, highly questionable use of these hacking tools.

Filed Under: malware, pegasus, poland, politics, spyware, surveillance
Companies: nso group

Investigation Shows Egyptian Government Hacked A Dissident's Phone Twice, Using Two Different Companies' Malware

from the doublecheck-your-work-I-guess dept

Citizen Lab has uncovered more state-level spying targeting political opponents and journalists. There's a twist to this one, though. One of those targeted had his phone infected by two forms of malware produced by two different companies. And yet another twist: both companies have their roots in Israel, which is home to at least 19 entities that develop phone exploits. Here's the summary from Citizen Lab:

Two Egyptians—exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)—were hacked with Predator spyware, built and sold by the previously little-known mercenary spyware developer Cytrox.

The phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.

Both targets were hacked with Predator in June 2021, and the spyware was able to infect the then-latest version (14.6) of Apple’s iOS operating system using single-click links sent via WhatsApp.

Ayman Nour, the lucky recipient of two different strains of malware, is the head of an opposition group who ran against former Egyptian President Hosni Mubarak. Shortly after Nour's election loss, he was jailed for allegedly forging signatures on petitions -- a move generally recognized as retaliation from his victorious opponent.

The other target is a journalist now in exile who has been openly critical of Egypt's new president.

Unsurprisingly, these attacks have been traced back to the Egyptian government. What's more surprising is that attribution can be made since attackers using these powerful hacking tools usually do a little better covering their tracks.

We attribute the attacks on the two targets to the Egyptian Government with medium-high confidence. We conducted scanning that identified the Egyptian Government as a Cytrox Predator customer, websites used in the hacks of the two targets bore Egyptian themes, and the messages that initiated the hack were sent from Egyptian WhatsApp numbers.

Once again, powerful hacking tools deployed against government critics have been traced back to companies with an Israeli presence. NSO Group has always been located in Israel. Cytrox, however, has moved around, changing both its home base and its name several times to distance itself from its irresponsible malware sales. But the Times of Israel has the receipts.

Cytrox was part of a shadowy alliance of surveillance tech companies known as Intellexa that was formed to compete with NSO Group. Founded in 2019 by a former Israeli military officer and entrepreneur named Tal Dilian, Intellexa includes companies that have run afoul of authorities in various countries for alleged abuses.

Four executives of one such firm, Nexa Technologies, were charged in France this year for “complicity of torture” in Libya while criminal charges were filed against three company executives for “complicity of torture and enforced disappearance” in Egypt. The company allegedly sold spy tech to Libya in 2007 and to Egypt in 2014.

It appears there's a healthy market for powerful phone exploits. But the market consists of unhealthy governments more interested in tracking and surveilling critics than engaging in counterterrorism or investigating serious criminal activity. NSO claims it only sells malware for those more acceptable reasons. Cytrox/Intellexa has never offered any such assurances, possibly because it has an international rap sheet that would immediately undercut its assertions.

It's an ugly world out there. Plenty of companies operating out of free countries are willing to sell exploits to governments they know will abuse them to commit human rights violations. If NSO Group shuts down its malware arm, it won't make things safer for dissidents, government critics, and journalists. There are plenty of companies willing to fill this void. And they're very good about obscuring who they are and what they do.

But one thing is undeniable: malware merchants are enabling abusive governments and it's going to take more than a few sanctions and fines to prevent this from happening in the future. So far, the countries these companies call home have done little about these residents who are making the world a worse place to live. That has to change. And it appears it's going to be investigative journalists and security researchers applying the pressure through investigations and exposés. Governments need to stop abdicating their responsibilities and allowing private citizens with finite resources and zero power to do their work for them.

Filed Under: ayman nour, dissident, egypt, hacking, malware, pegasus, predator, spyware, surveillance
Companies: cytox, nso group

After Weeks Of Reports Of Misuse Of Its Exploits, NSO Group Considering Shutting Down Its Malware Service

from the if-you-can't-beat-'em,-quit dept

RIP NSO Group. Cause of death: investigative reporting.

It's probably too early to celebrate the demise of Israel's most infamous export, but it's looking like NSO is running out of options. The Israeli government recently (and drastically) reduced the number of approved governments NSO could sell its powerful Pegasus malware to, trimming down the permitted list from 102 countries to 37. That followed blacklisting by the US Commerce Department, which means American tech companies aren't permitted to sell exploits, hardware, or devices to NSO without securing a waiver they're unlikely to receive.

That followed weeks of revelations about how NSO customers were using its Pegasus spyware. According to multiple reports, governments and the occasional king were using NSO tools to target journalists, dissidents, government critics, religious leaders, US State Department employees, an ex-wife, an ex-wife's lawyer, and government officials.

I guess when it's no longer feasible to sell spyware to authoritarians and human rights violators, the only option is to default on your debts and shut down your most toxic product.

The NSO Group, the controversial technology company recently blacklisted by the United States over the illegal use of its spyware, is reportedly considering shutting down its Pegasus operation and selling the entire company to an American investment fund, Bloomberg reported on Monday.

The report, citing officials involved in the talks, said that there are two potential suitors for the embattled company, who have discussed a potential takeover and the shuttering of Pegasus unit, in exchange for a $200 million injection of capital and a pivot into strictly defensive cybersecurity services.

NSO needs the cash. It has millions in debt and whatever plans it had for paying it back have been severely curtailed with its blacklisting by the US government and its reduced customer base.

The U.S. restrictions put added pressure on NSO, which needs to pay back about $450 million in debt, just two years after a management buyout that valued the company at about $1 billion. Moody’s Investors Service said last month there’s an increasing risk the company will violate the terms of its loans.

The problem with ditching Pegasus is that it's NSO's most valuable product. This premium phone exploit accounts for half of NSO's business. Fifty percent of NSO is worth far less than the $200 million the company is hoping to obtain. Now that it's blacklisted, it can't purchase exploits or devices from the US, which means it will be extremely difficult to develop new hacking tools worth selling. There may be a market for defensive tech, but that's likely to be far less popular with foreign governments than zero-click exploits that can be deployed remotely.

Here's how it looks for NSO on the home front, as reported by Israeli newspaper Haaretz:

Defense officials think the sanctions could soon bring about the company’s collapse and a shutdown of its operations. The company depends upon constant innovation: It’s one Apple or Android cellphone update away from the failure of its products. If it doesn’t manage to hold onto the best personnel in the world, the kind who would continue to find vulnerabilities in the operating systems, they won’t have a product.

Senior officials have told Haaretz that the move by the United States has totally paralyzed the company’s future operations. “They’re not able to buy a pen at a Walmart store,” the officials quipped. If an American company wants to sell them products, it needs a special permit.

According to this report, the Israeli government believes its local tech companies are being unfairly targeted by US sanctions. The country is home to 19 companies developing offensive exploits, but so far the US has only blacklisted NSO Group and Candiru. The government appears to have been caught off guard by the sanctions handed down by the Biden Administration after having received much more support and cooperation from the previous president, Donald Trump.

The Israeli government may be reeling a bit from the last few months of negative press targeting NSO, but it really can't blame anyone else for the mess the company is in or the sanctions that have greeted the steady stream of reporting about misuse of its Pegasus spyware. It was directly involved with the sale of the malware to a number of known human rights abusers.

[I]n Israel it is acknowledged that oversight of contracts NSO entered into was too lax. The Netanyahu government gladly traded in spyware, with the Mossad reportedly assisting in the initial mediation of the transactions.

[...]

The company’s sales momentum over the past decade is closely linked to the diplomatic and intelligence-related steps that Netanyahu took, which improved relations with countries in various parts of the world, and where NSO’s technology often served as an asset that brought Israel to the table for the improvement of ties. In the past, Netanyahu ordered the defense establishment to advance offensive cybertechnology deals, and it appears he preferred that overly energetic oversight not be imposed on the deals or the parties to them.

Welp. The shitbirds have come home to roost, as the saying goes.

And if the Israeli government thinks the US Commerce Department overreacted, it won't be pleased with the latest demands from members of the federal government.

More than a dozen Democratic lawmakers have called on the Biden administration to sanction four cyber surveillance firms for "enabling human rights abuses" by "selling powerful surveillance technology to authoritarian governments."

The letter, led by Sen. Ron Wyden of Oregon and House Intelligence Chairman Adam Schiff of California, asks the Treasury Department to sanction Israeli spyware vendor NSO Group, Emirati cybersecurity firm DarkMatter and European surveillance firms Nexa Technologies and Trovicor -- as well as the firms' top executives.

This would go beyond the blacklisting already in place. The Global Magnitsky Human Rights Accountability Act allows the US president to sanction people and companies for human rights abuses. In this case, the abuses would have been aided and abetted by NSO, rather than participated in directly by NSO execs or employees. While it normally is used to sanction government officials, it has been used in the past to sanction private parties with ties to human rights abusers.

Whether or not sanctions ever arrive, it appears NSO's days are numbered. But there are still plenty of malware purveyors out there. And there are plenty of authoritarians willing to pay top dollar for spy tech that enables them to more efficiently oppress their countries' populations. The exploit market will remain lively. It just may be that one of the most recognizable names in the business will no longer be in business.

Filed Under: exploits, malware, pegasus, spyware, surveillance
Companies: nso group

Polish Prosecutor First Beneficiary Of Apple's 'You've Been Hacked By NSO Spyware' Notification Program

from the anything-that-screws-with-NSO-and-its-customers-is-fine-with-me dept

Concurrent with Apple's announcement that it was suing Israeli tech company NSO Group over its iPhone exploits was its announcement that it would be notifying customers of suspected hacking attempts utilizing NSO's extremely powerful Pegasus malware.

Apple is notifying the small number of users that it discovered may have been targeted by FORCEDENTRY. Any time Apple discovers activity consistent with a state-sponsored spyware attack, Apple will notify the affected users in accordance with industry best practices.

Unlike Apple's lawsuit -- which might nudge the CFAA towards a more expansive interpretation of "unauthorized access" that could adversely affect security research -- this notification practice is undeniably good. It undercuts the abusive acts of state actors by giving their targets a heads up about phone hacking attempts.

This won't pose much of a problem for Apple, as it's out of the legal reach of most of NSO's customers. Even if foreign surveillance agencies did obtain the equivalent of a warrant to hack phones and intercept communications, any accompanying gag orders would be useless. We'll see how this disclosure process works out if a US-based government agency utilizes NSO malware -- something that seems even less likely now that the Commerce Department has blacklisted NSO.

The notification program has already paid off for one Polish government employee, who was recently informed by Apple she was targeted by NSO spyware. (h/t 9to5Mac)

Ewa Wrzosek is a prosecutor, a member of the Association of Prosecutors "Lex Super Omnia". She exposed herself to the authorities on April 23, 2020, when she initiated an investigation into the so-called "Envelope elections". On the same day, however, the investigation was taken from her and discontinued, and disciplinary proceedings were initiated against Wrzoski. Since then, the prosecutor has repeatedly criticized the changes in the Polish judiciary after 2015.

Yesterday evening, Ewa Wrzosek announced on Twitter that she had received a notification from Apple about a possible attack by state services on her iPhone using Pegasus.

The "Envelope Elections" were a hasty and apparently unlawful attempt to hold an election during the first few months of the COVID pandemic. Last May, the failed presidential election managed to rack up a hefty tab to be settled by Poland residents, but didn't actually result in the election of anyone.

Poland’s abandoned presidential election, which was scheduled for 10 May but took place without any voting, still generated high costs. Private broadcaster TVN has revealed that invoices issued in connection with the preparations amounted to almost 70 million zloty of costs for the state postal service, Poczta Polska.

The run-up to the planned election was fraught with chaos and controversy, as the Polish government pushed ahead with preparations for a fully postal vote before relevant legislation had been passed. Many local authorities refused to cooperate, on the basis that doing so without the law in place would be illegal.

Following this logistic and political failure (there was some speculation this process was fast tracked to give the incumbent president the best chance to win), Wrzosek began an investigation. That appears to have proven unpopular with the party controlling the Polish government. Given this history, it's not much of a leap to presume she's being targeted by her own government.

The twist is that the Polish government has never officially confirmed it has ever acquired NSO malware. But governments rarely discuss surveillance programs, especially their most controversial ones. However, there is a paper trail that suggests at least one government agency is in possession of NSO's most powerful surveillance tool.

For nine months, the Ministry of Finance has not been able to decide whether the Justice Fund, which is in the hands of the Minister of Justice Zbigniew Ziobro, had the right to transfer PLN 25 million to the CBA for the purchase of a modern surveillance system, tvn24.pl learned.

The fact that the Central Anticorruption Bureau received money from this fund and allocated it to the purchase of the most modern surveillance system for telephones and computers was revealed on tvn24.pl almost exactly a year ago.

Now, reporters of the "Black on White" program suspect that the system bought by the anti-corruption service is probably the Israeli Pegasus. - This system was created to prevent terrorist attacks, kidnappings, human trafficking and drug smuggling - journalists from "Black and White" explained.

If so, there's a good chance the targeted phone is compromised. Wrzosek has asked for answers from the Minister of Justice, but she's unlikely to receive any acknowledgements or apologies. If it is what it looks like, the prosecutor is being targeted in retaliation for her attempted investigation by the same government she works for.

As Apple continues to notify users targeted by NSO malware, hopefully those targeted will continue to inform the rest of the world how the company's "for bad guys and terrorists ONLY" exploits are actually being used.

Filed Under: ewa wrzosek, malware, pegasus, poland, spyware
Companies: apple, nso group

Apple Notifies More Victims Of NSO Malware Hacking Attempts

from the [extremely-1960s-Batman-splash]-THWART!!! dept

Apple's announcement that it was suing Israeli malware purveyor NSO Group for targeting iPhone users was coupled with another, equally dismaying (I mean, for NSO…) announcement: it would be informing targets of malware anytime it detected a suspected intrusion.

Actually, this may be more of a concern for NSO's customers. After all, they're still paying the same licensing fees even if their targets are being warned of hacking attempts. It can't make them happy and -- since it appears many of NSO's customers like to target non-terrorists and non-criminals -- there's really nothing they can do about it. Local entities may be sworn to secrecy with court orders (if those are even obtained) but there's nothing preventing Apple from alerting users that malware might be present on their phones.

Given the long list of seemingly inappropriate targets for NSO's Pegasus spyware -- which includes journalists, activists, dissidents, government critics, political figures, religious leaders, lawyers, ex-wives, etc. -- Apple's policy is the Right Thing To Do. NSO's customers agree to use the spyware to target terrorists and dangerous criminals. They clearly don't do that. If NSO won't stop them (and it won't [until very recently]), this is one way to mitigate the damage.

And so the disclosures have flowed. A Polish prosecutor who dared to offend the ruling party in that country was one of the first notified by Apple's new program. Since then, the floodgates have opened, potentially ruining the surveillance plans of several governments. Here's Carly Page for TechCrunch, rolling out the details on Apple's unwelcome mat.

Apple has sent threat notification alerts to victims of state-sponsored hackers in Thailand, El Salvador and Uganda, just hours after filing a lawsuit against Israeli spyware maker NSO Group.

At least six Thai activists and researchers who have been critical of the government have received the notification, according to Reuters, including Prajak Kongkirati, a political scientist at Bangkok’s Thammasat University, researcher Sarinee Achananuntakul and Thai activist Yingcheep Atchanont of the legal monitoring group iLaw. Citizen Lab, which tracks illegal hacking and surveillance, identified in 2018 a Pegasus spyware operator active within Thailand.

Also on the list: the president of the Democratic party in Uganda (the same nation where US State Dept. employees were targeted) and a dozen employees of El Salvador newspaper, El Faro, which has long been a critic of that country's government.

None of the people listed are legitimate targets for this powerful spyware. NSO has claimed for years its exploits only target the worst of the worst. And for roughly the same number of years, investigations and leaks have shown governments are using the spyware to target critics and political opponents who only pose a threat to their power, rather than public safety or national security.

Fortunately, there's another entity watching these people's backs. Prior to Apple's notification program, it took in-depth research by entities like Canada's Citizen Lab to discover the source of hacking and properly attribute it to NSO malware. Apple presumably can make these determinations much faster, heading off future interception and eavesdropping.

If NSO doesn't like it, it can suck it. It chose to sell to governments with long histories of targeting critics and violating human rights. Its customers can likewise suck it. They've given themselves an infinite amount of leash and NSO's exploits have let them take full advantage of this. Even a minimal amount of thwarting of nefarious doings is welcome in a world where the powerful go unpunished and unchecked far too often.

Filed Under: hacking, malware, pegasus, surveillance
Companies: apple, nso group