‘Amoral 21st-century mercenaries’: problems mount for NSO Group

Israeli spyware firm’s problems go from bad to worse as scathing Apple lawsuit follows US blacklisting

Shalev Hulio, the co-founder of Israel’s NSO Group, was in Washington DC on a mission to try to resuscitate the surveillance company’s battered reputation on Capitol Hill shortly before the news broke that he had probably arrived too late to make a difference.

With little advance warning to its allies in Israel, the Biden administration announced on 3 November that it was putting the spyware maker – one of the most sophisticated cyber-weapons companies in the world – on a US blacklist, citing use of the company’s software by regimes around the world for “transnational repression”.

“That’s how little they knew. Then, boom, this came out,” said one person familiar with the matter.

Since then, the news has gone from bad to worse for the company, which has long defended itself against critics by claiming that its principal surveillance tool – the Pegasus software that can penetrate phones and intercept encrypted calls and messages – is used by governments around the world to silently hack into the phones of criminals and suspected terrorists, and save lives.

This week Apple, the world’s largest technology company, became the latest to challenge that narrative when it accused NSO in a scathing lawsuit filed in California of being “amoral 21st-century mercenaries” whose tools had invited “routine and flagrant abuse”.

“For their own commercial gain, they enable their customers to abuse [Apple] products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even US citizens,” Apple said in its lawsuit. While NSO was busy “hiding behind their unnamed customers”, it was committing “multiple violations of federal and state law” as it developed and used – “or assisted others in using” – tools that had harmed Apple’s users, the lawsuit alleged.

The NSO Group chief executive, Shalev Hulio
The NSO Group chief executive, Shalev Hulio (seen in Tel Aviv), visited Washington DC to try to mend relations with the Biden administration. Photograph: Ammar Awad/Reuters

Hours after the lawsuit was filed, activists said Apple began sending threat notification alerts to alleged victims of state-sponsored hackers in Thailand, El Salvador and Uganda. Reuters reported at least six Thai activists and researchers who have been critical of the government received the notification.

At the same time, the credit rating agency Moody’s warned NSO was at risk of defaulting on about $500m (£375m) in debt, which would force the group into insolvency.

For Alaa Mahajna, a lawyer who for years has waged a lonely – and difficult – legal battle against NSO, the company’s barrage of bad news has been vindicating.

“NSO spent years dismissing any criticism and dodging accountability for human rights violations. It is very encouraging that most major tech companies and the US government now see the pernicious effect of NSO’s technology,” he said.

Mahajna represents Omar Abdulaziz, a Saudi dissident living in exile in Canada who experts at the Citizen Lab at the University of Toronto have claimed was hacked in 2018, months before Abdulaziz’s friend, the journalist Jamal Khashoggi, was murdered in the Saudi embassy in Istanbul.

“As the first lawyer to bring legal proceedings against them, I am happy to see that these major actors are seeing what we saw four years ago. The atmosphere is definitely changing. It was and still is hard work for everyone involved, and some of us paid a price, but it is gratifying to see the tide turning,” Mahajna said.

There are other complications on the horizon. One person familiar with the matter said at least one bank working for NSO and related entities had voiced concern about its listing on the US commerce department’s entity list. A person close to NSO said its banking relationships were intact.

While placement on the list does not prohibit the provision of banking services, Kevin Wolf, a partner at law firm Akin Gump, said the listing did prohibit the transfer of any technology or software to the company from the US, a fact that generally made banks and other financial institutions who work for companies on the entity list nervous about the possibility that they could inadvertently fall foul of the rules over the normal course of business and provoke a response from the US government.

Another person familiar with the matter said Berkeley Research Group (BRG), a US-based consulting group appointed in August 2021 to manage the financial fund that owns a majority stake in NSO on behalf of its investors, consulted legal experts at the law firm McDermott Will & Emery to ensure its own work managing the fund did not inadvertently violate the entity list rules. It took those steps, a person said, as a matter of normal business practice and it is understood it received legal advice that the Biden administration’s actions did not prevent BRG from managing the fund’s NSO investment.

The main investors in the financial fund are US pension funds. A person familiar with BRG said it still had limited information about NSO’s decision-making.

Multiple media reports have suggested NSO is focused on trying to convince the Biden administration to remove the company from the entity list.

In response to the Guardian’s questions about its viability in the face of the developments, an NSO spokesperson said: “NSO Group remains strong, proud, and confident, and we will continue to provide technologies to help law enforcements catch paedophiles, terrorists and criminals.”

One person who spoke to the Guardian on condition of anonymity said the administration had been moved to act at least in part because of the number of US citizens who had been targeted using Pegasus in the past – including Americans living and working abroad.

NSO has denied its surveillance tools are used against US-based mobile phones.

The Pegasus project, a major investigation into NSO by the Guardian and other media outlets, which was coordinated by the French media group Forbidden Stories, reported in July that Carine Kanimba, the American daughter of Paul Rusesabagina, the imprisoned Rwandan activist who inspired the film Hotel Rwanda, had been the victim of a near-constant surveillance campaign by a government client using Pegasus in the first half of 2021. Forensic analysis of Kanimba’s phone, conducted by Amnesty International’s security lab, found it had been hacked multiple times while Kanimba, who is also Belgian and was living in Europe, was campaigning and lobbying for her father’s release.

In response to questions about Apple’s lawsuit this week, an NSO spokesperson said in a statement: “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers. Paedophiles and terrorists can freely operate in technological safe havens, and we provide governments the lawful tools to fight it. NSO Group will continue to advocate for the truth.”


Stephanie Kirchgaessner in Washington DC

The GuardianTramp

Related Content

Article image
Hacking of activists is latest in long line of cyber-attacks on Palestinians
Analysis: while identity of hackers is not known in this case, Palestinians have long been spied on by Israeli military

Peter Beaumont

08, Nov, 2021 @4:22 PM

Article image
Israeli spyware company NSO Group placed on US blacklist
Decision against company at heart of Pegasus project reflects deep concern about impact of spyware on US national security interests

Stephanie Kirchgaessner in Washington

03, Nov, 2021 @7:53 PM

Article image
Police use of Pegasus malware not illegal, Israeli inquiry finds
Police have been accused of spying on at least 26 individuals who are not criminal suspects

Bethan McKernan in Jerusalem

22, Feb, 2022 @6:28 PM

Article image
Israeli firm’s spyware linked to attacks on websites in UK and Middle East
Canada-based researchers say new evidence suggests Candiru’s software used to target critics of autocratic regimes

Stephanie Kirchgaessner in Washington

16, Nov, 2021 @4:15 PM

Article image
UN-backed investigator into possible Yemen war crimes targeted by spyware
Exclusive: Analysis of Kamel Jendoubi’s mobile phone reveals he was targeted in August 2019

Stephanie Kirchgaessner in Washington

20, Dec, 2021 @5:00 AM

Article image
Iran accuses Siemens of helping launch Stuxnet cyber-attack
Senior official says German engineering giant supplied US and Israel with details of control system used by Tehran

Saeed Kamali Dehghan

17, Apr, 2011 @6:16 PM

Article image
Jeff Bezos met FBI investigators in 2019 over alleged Saudi hack
Amazon founder interviewed as FBI conducts inquiry into Israeli firm linked to malware

Stephanie Kirchgaessner in Washington

31, Jan, 2020 @12:03 PM

Article image
Israeli firm linked to WhatsApp spyware attack faces lawsuit
Amnesty International fears its staff may be ‘surveilled via NSO Pegasus software’

Dan Sabbagh

18, May, 2019 @5:00 AM

Article image
Stuxnet cyberworm heads off US strike on Iran

Military option 'less likely' after computer sabotage, as Israeli tests are revealed on Natanz nuclear model

Ewen MacAskill in Washington

16, Jan, 2011 @8:19 PM

Article image
Saudi Arabia accused of hacking London-based dissident
Kingdom targeted satirist Ghanem Almasarir with Israeli malware, letter of claim alleges

Stephanie Kirchgaessner in Washington and Nick Hopkins in London

28, May, 2019 @6:00 PM