Is NSO Evil? Part 1

NSO Group, creator of the infamous Pegasus spyware, is widely regarded as a vile, immoral company: a sort of 21st century soldier of fortune, a mercenary in the service of corrupt and evil regimes. Yet among its many clients are many liberal democracies, including the US, Germany, the Netherlands and Spain, to name but a few. So, is NSO really as evil as many think it is?

Hosted By

Ran Levi

Co-Founder @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
He is the author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

On July 18th, 2021, Forbidden Stories – a French journalism nonprofit organization – published details about what it labeled “The biggest cyber surveillance scandal since the Snowden revelations.” 

A year earlier, in 2020, an undisclosed source leaked a list of some 50,000 telephone numbers to Forbidden Stories: phone numbers belonging to human rights activists, politicians, lawyers and journalists from 24 countries. It was a diverse list which included somewhat obscure names such as Janos Banati, the president of the Hungarian Bar Association and nine of his colleagues – next to heads of states such as French president Emmanuel Macron and Mohammed VI, King of Morocco. 

In a coordinated effort, 80 investigative journalists from 17 media organizations reached out to many of the people on the list, convinced them to hand over their phones and had them analyzed by Amnesty International’s Security Lab. The investigation revealed what almost all these different people had in common: they were victims of sophisticated espionage campaigns, carried out by authoritarian states – using the same spyware tool: “Pegasus”, developed by the Israeli cyber-intelligence firm NSO Group. The spyware also gave the collective investigation its name: Project Pegasus. 

The simultaneous release of hundreds of stories, documents and interviews by the various newspapers and online publications had the effect that Forbidden Stories had hoped for. All over the world, journalists and politicians expressed their outrage. Amazon, whose AWS infrastructure was used to infect the targets, terminated all accounts associated with NSO. President Macron, whose mobile phone had to be replaced and its number changed, reached out to Israel’s Prime Minister and demanded an inquiry into the matter. 

For NSO, this was a devastating blow. The company, which was still recovering from the catastrophic PR jab it suffered following the horrific murder of Saudi journalist Jamal Khashoggi, was now spiraling out of control. Sales stopped for months. A hundred employees – some 10% of its workforce – were let go. Moody’s, a credit rating agency, dropped the company’s credit rating and warned of it being at risk of defaulting on its loans. 

A lot of people were quite pleased, to put it mildly, with NSO’s misfortune. “NSO spent years dismissing any criticism and dodging accountability for human rights violations,” said Alaa Mahajna, a lawyer who for years had waged a legal battle against the company, “It is very encouraging that most major tech companies and the US government now see the pernicious effect of NSO’s technology.”

This joy was to be expected. After all, NSO is widely regarded as a vile, immoral company: a sort of 21st century soldier of fortune, a mercenary in the service of corrupt and evil regimes. 

But less than six months later it was revealed that the United States – the world’s greatest democracy – was in negotiations with NSO to use its software. And not only the US: Germany, the Netherlands, Spain and plenty of other countries – many of which are considered liberal democracies – are NSO’s clients.

Which leaves us with two potential conclusions: either NSO isn’t as evil as people think, or nobody in power really cares that they are. What’s the real truth here?

NSO’s Beginnings

Shalev Hulio and Omri Lavie met in high school in Haifa, a small city in the north of Israel. They both had the ‘entrepreneurial bug’, and in their twenties co-founded a startup that allowed viewers to point at an item of clothing they saw on TV and purchase it. It was a neat idea, but lady luck wasn’t on their side: the 2008 financial crisis forced them to sell the company for a relatively meager profit. 

The idea for their next venture came a short while later, after Shalev bought a Nokia N95 cell phone. It was a cool looking smartphone, but Shalev was frustrated with its unfamiliar operating system. Omri, on the other hand, was an already ‘experienced’ user: he bought the same phone a whole week earlier. One day, after the nth time that he had to call Omri for help, the irked Shalev blurted out – ‘Why don’t you just take over my phone remotely, and fix it?…’ 

A few months later they launched their second startup: CommuniTake, a company that developed a tool that let tech support reps remotely access their customer’s mobile devices. CommuniTake enjoyed a somewhat moderate success, but then came a phone call that would change their lives forever. 

Shalev Hulio recalled the story to Israeli journalist Ronen Bergman. 

“A European intelligence service heard what we were doing and approached us. ‘We saw that your technology works,’ they told us, ‘why aren’t you using this to collect intelligence?’

Truthfully, we didn’t really understand what they wanted. We said, ‘What’s your problem in collecting intelligence? You sit inside the cell phone carrier.’ They said we didn’t really understand, that the situation was grave. ‘We are going dark, we are getting blind,’ were the exact words they used. ‘Help us.’”

Intelligence agencies did have access to cell phone networks: with a suitable court order, an agency could listen in on calls going in and out of a target’s phone or in some cases even siphon all the data going through the cellular network – but by the early 2010’s, these methods were rapidly losing their effectiveness. Instant Messaging apps, coupled with a growing use of encryption, meant that intelligence organizations had less and less visibility into their targets’ communications over the network, and needed access to the devices themselves. Shalev and Omri already had the technology to take over a cell phone with the user’s permission. Could they do the same, asked the Intelligence officer, without one?…

‘Of course we can.’ Shalev answered. 

“When we told intelligence officials in Europe that we could do this, we said it because that’s the way we Israelis are—always saying everything is possible. But we also did it because we thought we already had the solution.”

As it turned out, they didn’t. Shalev and Omri left CommuniTake and joined forces with an ex-IDF Intelligence and Mossad veteran named Niv Shalem to cofound a company they named after their initials, NSO, but after half a year of hard work in an abandoned chicken coop they rented not far from Tel Aviv – NSO still didn’t have a working product. Shalem left the new company shortly after its founding, and Shalev and Omri were almost out of money.

What happened next seems, to be honest, a bit too good to be true – but according to Shalev Hulio, he was standing in line at a cafe, waiting for a meeting with an investor who he hoped would throw the fledgling startup a lifeline, when he heard two people talking about a friend of theirs whose hobby was hacking into cell phones. Shalev couldn’t believe his luck: he asked them for the guy’s phone number, and recruited him to work for NSO. A year later, the first version of the spyware was ready. They called it Pegasus, says Shalev, 

“Because what we built was actually a Trojan horse we sent flying through the air to devices.”

El Chapo

Halfway across the world, Mexico had a huge problem on its hands: the notorious Mexican drug cartels, who controlled up to 90% of the cocaine entering the United States, and were a major source of violence and corruption. The Mexicans were desperately looking for ways to hack the encrypted BlackBerry devices used by cartel operatives, but received little help from the NSA. According to media reports, Shalev met with Mexico’s president, Felipe Calderón, showed him what Pegasus was capable of – and closed NSO’s first sale.

Soon after, investigators at Mexico’s Center for Investigation and National Security launched their first espionage campaign. Their target was Joaquín Archivaldo Guzmán Loera, better known as El Chapo: leader of the Sinaloa Cartel, Mexico’s most powerful crime syndicate. The investigators were able to hack into his henchmen’s devices, see the contents of their messages and pinpoint their locations. A former investigator told the New York Times that –

“Suddenly we started to see and hear anew. It was like magic. Everyone felt like maybe for the first time we could win.”

The precious data provided by Pegasus helped the Mexican police locate and capture El Chapo in 2014, but the drug lord managed to escape from his cell through a mile-long tunnel dug under the prison. Amazingly, while still hiding from the law, El Chapo tried to arrange for a Hollywood movie or a TV show to be made about his life: he reached out to Kate del Castillo, a local telenovela star, through whom he met actor Sean Penn. In late 2015, Penn and Del Castillo met with El Chapo in Mexico. The drug lord assumed that his whereabouts were unknown to authorities – but he was wrong: Mexican officials were following the meeting via a Pegasus instance embedded in Del Castillo’s phone. Lucky for the actors, the Mexicans decided not to raid the meeting to avoid a deadly shootout – but followed El Chapo for two more months until they finally arrested him in one of his safe houses. El Chapo was extradited to the United States, where he stood trial and was sentenced to life imprisonment.

NSO’s success in Mexico – the Mexican president even thanked the company’s employees personally in a phone call to the company’s headquarters – opened the floodgates, and Intelligence agencies from all over the world wanted to get their hands on Pegasus. Sales were booming: the company’s annual revenues more than tripled, from US$40 million in 2013 to around US$150 million only two years later. 

Mr. X

“[X] So, NSO in Israel, it was…today we have many, NSO mentioned in many public media and news and etc. etc. A few, actually five years ago, NSO was a very top secret company that nobody talked about much more than required.”

When our interviewee, whom we’ll call Mr. X – you’ll soon understand why – was approached by a headhunter, he was working for an Israeli defense technology company. 

“[X] I thought – okay where is it? and we cannot say where is it, but it’s amazing company. You know, name, location, something? How far it is from my home? We can say nothing. It’s a very secret company.”

X joined NSO as an executive in a technical role. For X, this was a thrilling opportunity. Then, as now, many if not most of NSO’s employees were veterans of Unit 8200 and similar groups in the Israeli intelligence community – but X came from a very different background.

“[X] I was not coming from special forces and intelligence forces of Israel army. I’m just a regular guy who served the Army and then learned and was educated and graduated by Israeli universities. So for me it was wow, from a technology perspective.”

“[X] We had a great and amazing vibe and feeling that we are developing something that nobody else can do it, and we can do something that before joining NSO I was sure that only in Hollywood movies these, you know, solutions can work.”

But of course, there was a problem. Pegasus, as its success in Mexico proved, was a powerful tool in the hands of law enforcement agencies. So powerful, in fact, that some people in and outside of the company began to question whether or not governments should be trusted with it. After all, it’s just as easy to deploy the spyware against an opposition leader or a nosey journalist, as it is against a drug lord or a terrorist. 

Maybe unsurprisingly, the Israeli cyber security community is in large part aligned with the liberal values of the American West Coast culture. The ethical implications of NSO’s line of business, says X, were always discussed among the employees. 

“[X] I never heard about people who left the company because of ethical aspects of NSO products. But yeah, people, almost all people were very worried about the usage of NSO products, and every time after each publication in mass media and social network, people asked the top management, asked questions and requested some answers. How it was done, how was it used, what can you say, how can we be sure that only the legal way and the legit way of usage and so are allowed.”

Initially, all these discussions about the ethical aspects of selling spyware were purely theoretical, and largely overshadowed by Pegasus’s success against Mexico’s crime syndicates. But it didn’t take long for them to stop being theoretical, and become very much practical.

Casa Blanca

In 2012, Enrique Peña took office as Mexico’s president, promising to wage war on the country’s widespread corruption, and make the government more transparent and open. 

But less than two years later, Carmen Aristegui – a prominent and well respected journalist – broke a story on her website about a fishy multi-million real-estate deal between a government contractor and Peña’s wife, Mexico’s First Lady – an affair dubbed the “Casa Blanca” (‘White House’) scandal. The report caused great embarrassment for the president, forcing the presidential couple to surrender the house and apologize to the public.

But it seems that someone in Mexico’s higher echelons was looking for revenge: not long after, Aristegui was fired from her job and her office was broken into. In 2015 she began to receive text messages from unknown senders with alerts about an unusual charge to her credit card or a problem with her US visa. The seasoned journalist avoided clicking on the attached links, but then the attackers switched to targeting her 16-year-old son who was living in the United States at the time. 

Aristegui wasn’t alone: it soon became clear that the Mexican government and law enforcement agencies were using Pegasus to spy on and harass many other anti-corruption activists across the country, such as several scientists who were in favor of what’s known as the ‘Soda tax’ – a tax on sugary beverages, in an attempt to tackle the country’s high obesity rates – and two local lawyers who were involved in an investigation of extra-judicial killings by the military. All in all, of the 50,000 phone numbers of potential surveillance targets leaked to Forbidden Stories, a full third were of Mexican journalists and activists waging battle against the country’s rampant corruption.

A lot of the public criticism following these reports was pointed at NSO, whose technology enabled the Mexican government’s wrongdoings. The way X describes it, NSO did address this criticism seriously.

“[X] The company is very cared also because it’s, you know, it’s commercial company, it’s a business. So that once you lose reputation, your business can go down. And this company much more cared about the ethical aspects of using their product rather than some other companies belonging to the government. Because at the bottom line, you know, you have the shareholders, you have the owners, a board that try to run the regular business company, the commercial company and not a government with units that can say, okay, that’s what government decided. And that’s all, we don’t care about anything.”

Whether because of genuine moral and ethical concerns or simply to keep its business running smoothly, NSO did take real, substantial steps to make sure that Pegasus was only used by legitimate entities. For example, it has a very strict policy of only selling Pegasus to governments. Omri Lavie – one of NSO’s co-founders – revealed in a 2017 interview with an Israeli podcast that although the company does occasionally get business inquiries from shady, possibly criminal organizations – these inquiries get rebuffed after the very first phone call.

“We’re very stringent. Although we don’t need to, we take it upon ourselves to follow both the US regulations and the EU regulations – that is, we voluntarily follow two sets of regulations, only to make sure we’re not placing any of [our customers] in an uncomfortable position. We also have a very strict internal ethics committee that examines things that governments don’t usually take into account, like corruption and human rights issues, things like that. I can say that our ethics committee has cost us quite a lot of money due to lost contracts. Many times, although we did get authorizations from the United States, Israel and the European Union – we still decided not to sell to certain countries.

Look, we’re selling [Pegasus] as a black box. I sell the system to the customer, and I have no idea what he does with it. That’s actually the reason why we only sell to governments and follow regulations: because I have no way of knowing what that customer will do with the system. […] we’re not exposed to it, and we don’t want to be exposed to that information. I don’t want to be an intelligence partner for my clients.” 

Although there’s reason to believe that Omri was telling the truth when he said that NSO has no desire to be involved in the actual operation of Pegasus, it’s likely that the reality is a bit more complicated. After all, Pegasus isn’t a washing machine or a microwave oven – an appliance you can simply hand over to your customer after the sale and forget about. It’s complicated, dynamic software that requires adequate training to operate and constant technical support – which means that try as it may, NSO can’t actually completely disassociate itself from its clients and their actions. Moreover, according to a lawsuit filed against the company in 2019, NSO also provides its clients with a service that helps them compose effective phishing messages to use against their targets: if true, this casts further doubt on NSO’s claims that Pegasus is a “black box” after the sale.

The Periphery Doctrine

Shortly after its founding, NSO hired Avigdor Ben-Gal, a former Major General of the IDF and a celebrated hero of the Yom Kippur War in 1973, to serve as its chairman of the board of directors. Utilizing his deep connections in the Israeli government, Ben-Gal quickly integrated NSO into the Israeli military industrial complex. It was a decision that would go on to have a major impact on the company’s future.

In the early 1950’s, soon after Israel’s founding in 1948, then-Prime Minister David Ben Gurion formulated what came to be known as “The Periphery Doctrine.” The goal was to pursue close ties with non-Arab nations throughout the Middle-East such as Turkey and Ethiopia, as a sort of counterweight to the Arab coalition that was threatening Israel’s existence. A big part of these close diplomatic ties came about through the sale of weapons – guns, fighters and warships – built by Israel’s thriving Defense Industry. Israel even sold its weapons to Iran – after the 1979 revolution – because it believed that it might benefit Israel in its fight against Saddam Hussein’s Iraq.

NSO’s Pegasus was treated no differently than any other Israeli-made weapon sold to a foreign nation: like all other arms export sales, every sale NSO makes had to be reviewed and approved by Israel’s Ministry of Defense, and in some cases, sales were initiated by the Israeli government itself as part of its diplomatic negotiations. The Mexico sale is a great example of this: although there’s no direct evidence that NSO’s success in aiding the Mexican government in its battle against the drug cartels contributed to the diplomatic relationships between the two countries, in the years following the sale Mexico largely stopped voting against Israel at United Nations conferences where pro-Palestinian resolutions were being considered.

The problem is that while the Ministry of Defense cares a whole lot about protecting Israel’s security, it’s not as mindful – to put it mildly – of matters such as human rights abuses by governments that buy Israeli-made weapons, and in many cases doesn’t keep an eye on how these weapons are being used after the sale. Nevertheless, this regulatory oversight was often cited by NSO in response to criticism against unethical usage of Pegasus by its clients – and for the first few years of its existence, it was enough to silence all but its loudest detractors.

But everything changed on October 2nd, 2018, at around 1pm, when Jamal Khashoggi – a Saudi dissident journalist – entered the Saudi consulate in Istanbul, Turkey. The ghastly events that followed led to public backlash that shook the company to its core. 

All this and more, in the next episode of Malicious Life.