NEW YORK: A startling revelation made by a US paper has made claims about a secret contract between a company that acts as a front for the US government and the American affiliate of NSO Group, an Israeli hacking firm notorious for its hacking tools that have been used to spy on political dissidents, human rights activists, and journalists.
According to a report published in New York Times, the contract, signed on November 8, 2021, violates the Biden administration’s public policy, which had only five days earlier placed NSO on a Commerce Department blacklist, and bans American companies from doing business with it. The NYT report says that the contract gave the US government access to a powerful geolocation tool that can track mobile phones around the world without the user’s knowledge or consent.
The contract stated that the “United States government” would be the ultimate user of the tool, although it is unclear which government agency authorized the deal and might be using the spyware. The contract specifically allowed the government to test, evaluate, and even deploy the spyware against targets of its choice in Mexico. The story highlights the ongoing battle for control of powerful cyberweapons and the tension between the allure of the power of these tools and the growing calls to limit access to them.
The report says that the secret contract further illuminates the ongoing battle for control of powerful cyberweapons, both among and within governments, including the United States.
The NYT story discusses the power and abuse of commercial spyware, including the NSO technology, which has been used by governments to conduct invasive surveillance on journalists and political dissidents. Despite growing calls to limit access to these tools, their allure to intelligence services and law enforcement agencies in democracies and autocracies alike persists. President Biden recently signed an executive order to clamp down on government use of commercial spyware, but it only covers spyware from commercial entities and not tools built by American intelligence agencies. The article suggests that some agencies have already been drawn to the power of these cyberweapons, despite efforts to limit their use.
It says a subsequent Times investigation has found:
-
The secret November 2021 contract used the same American company — designated as “Cleopatra Holdings” but actually a small New Jersey-based government contractor called Riva Networks — that the F.B.I. used two years earlier to purchase Pegasus. Riva’s chief executive used a fake name in signing the 2021 contract and at least one contract Riva executed on behalf of the F.B.I.
-
The 2021 contract was for the same NSO geolocation tool once used by an adviser to Saudi Arabia’s Crown Prince Mohammed bin Salman as part of a brutal campaign against perceived threats to the kingdom.
-
The deal unfolded as the European private equity fund that owns NSO pursued a plan to get U.S. government business by establishing a holding company, Gideon Cyber Systems. The private equity fund’s ultimate goal was to find an American buyer for the company.
-
A potential deal last year with L3Harris, the American defense giant, to buy NSO’s hacking tools and take on the bulk of its work force was far more advanced than previously known. Despite NSO being on the Commerce Department blacklist, L3Harris executives had discussions with Commerce Department officials about the potential deal, according to internal department records, and there was a draft agreement in place to finalize it before the White House publicly objected and L3Harris dropped its plans.
The NYT revelations are based on more than three dozen interviews with current and former American and Israeli government officials, corporate executives, technology experts and a review of hundreds of pages of government documents, some of them produced under Freedom of Information Act requests by The Times.
The story went on revealing that in February 2019, Novalpina Capital, a London-based private equity fund, purchased NSO for approximately $1 billion. At the time, NSO still had a near-monopoly on premier hacking tools for mobile phones, and the fund was confident it could expand the business by attracting new government clients around the world.
NSO had spent nearly a decade winning business with its army of elite hackers and the promise and power of its signature tool, Pegasus, which had the ability to extract all of the contents of a mobile phone, from emails to photos to videos.
Novalpina Capital also had a bigger goal, according to three people with knowledge of the fund’s strategy. Seeing a big potential market, it wanted to sell spyware to the United States and its closest “Five Eyes” intelligence partners: Britain, Canada, Australia and New Zealand.
At the same time, NSO had been ensnared by years of scandal over revelations of the abuses of Pegasus by numerous governments. In Saudi Arabia, aides to Crown Prince Mohammed bin Salman had used Pegasus against associates of Jamal Khashoggi, the Washington Post journalist killed by Saudi operatives in Istanbul in October 2018.
An NSO spokesperson said the company’s technologies “are only sold to allies of the U.S. and Israel, particularly in Western Europe, and are aligned with the interests of U.S. national security and governmental law enforcement agencies around the world.”
But although Novalpina had acquired NSO in the belief that it could weather the criticism of how Pegasus had been deployed, the fallout from suggestions that Pegasus was linked to Mr. Khashoggi’s murder never subsided. By the middle of 2020, NSO was seen as radioactive by some in the investment fund’s leadership. The fund began looking to unload the firm.
During the Trump administration, NSO was already beginning to break into the U.S. government market, and in 2019 the F.B.I. purchased a license for Pegasus. The bureau had two aims: to study the spyware to see how adversaries might use it and to test Pegasus for possible deployment in the bureau’s own operations inside the United States.
To make the purchase, the F.B.I. used Riva Networks, the small, New Jersey-based contractor, but used a cover name for the company, “Cleopatra Holdings.” According to public records, Riva has years of experience selling products and services to the Defense Department and other government agencies.
