3rd Party Risk Management , Endpoint Security , Governance & Risk Management
FBI Reportedly Considered Buying NSO Spyware
US Venture Capital Firm Integrity Partners Now in Negotiations for ControlThe FBI bought and tested the flagship spyware of Israel's NSO Group, Pegasus, to use it for domestic surveillance last year, according to recent reports.
See Also: OnDemand | All the Ways the Internet is Surveilling You
An investigation by Ronen Bergman and Mark Mazzetti, both journalists at The New York Times Magazine, found that, beginning in 2019, the FBI paid millions to NSO as the bureau considered deploying the Pegasus surveillance tool in the U.S.
"NSO is effectively a tool of the Israeli government, one Israel uses to gain diplomatic leverage. Netanyahu used Pegasus to knit together a new generation of global far-right leaders from Israel, Poland, Hungary, India and elsewhere," Mazzetti tweeted.
NSO Group, which was sanctioned by the U.S. Department of Commerce in November 2021 (see: US Commerce Department Blacklists Israeli Spyware Firms) provided its spyware product to the bureau, which tested the software for years with plans to use it for domestic surveillance - until the agency finally decided against deploying the spyware, according to the NYT news report.
An FBI spokesperson tells Information Security Media Group:
“The FBI works diligently to stay abreast of emerging technologies and tradecraft - not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties. That means we routinely identify, evaluate, and test technical solutions and problems for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands. There was no operational use in support of any investigation, the FBI procured a limited license for product testing and evaluation only.”
FBI's Involvement
The yearlong investigation by Bergman and Mazzetti also alleges that a group of Israeli computer engineers arrived at a New Jersey building used by the bureau in June 2019 and started testing their equipment. The report alleges that the FBI had bought a version of Pegasus, NSO’s premier spying tool.
"For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else - not a private company, not even a state intelligence service - could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone," the NYT report says.
As part of their training on the tool, bureau employees bought new smartphones with SIM cards from other countries. This version of Pegasus that the FBI bought was zero-click - meaning it did not require users to click on a malicious attachment or link - so the users in the U.S. monitoring phones could see no evidence of an ongoing breach.
"They couldn’t see the Pegasus computers connecting to a network of servers around the world, hacking the phone, then connecting back to the equipment at the New Jersey facility," the news report says. "What they could see, minutes later, was every piece of data stored on the phone as it unspooled onto the large monitors of the Pegasus computers: every email, every photo, every text thread, every personal contact."
NSO Offered Workaround
The NYT report says that NSO offered the FBI a workaround and demonstrated a new system, called Phantom, in a presentation to officials in Washington. The latest system could hack any number in the United States that the FBI decided to target.
The report alleges that Israel granted a special license to NSO, one that permitted its Phantom system to attack U.S. numbers, and a license was allowed for only one type of client: U.S. government agencies. Previously, Pegasus had not been allowed by the Israeli government to target phones in the U.S.
Such moves should not be a surprise, says Jake Williams, a former member of the National Security Agency's elite hacking team and an IANS Research analyst, who tells ISMG: "However we feel about NSO as a company, it makes sense for the U.S. federal government to consider purchasing commercial spyware tools for operations. For one, their use may provide plausible deniability since many countries are using the technology. It's likely cheaper to buy and use NSO's technology for risky operations against sophisticated adversaries than to risk FBI's own implants".
Williams says that the use of third-party tools such as NSO's Pegasus make particular sense when the FBI is providing assistance to other law enforcement agencies - domestic or foreign - so the agency doesn't have to expose its own tools.
Takeover in Negotiation Follows Revelations
In January 2021, NSO was planning a public listing with a potential valuation of $2 billion. Now it is reported by local newspaper Haaretz that NSO is in talks to sell its assets to the U.S. venture capital firm Integrity Partners to establish a company called Integrity Labs that would acquire control of NSO for an injection of $300 million. And this week the chairman of NSO Group, Asher Levi, said he was leaving NSO, but he told Haaretz it is for other reasons than the continual stream of revelations about misuse of Pegasus.
The demise began in July 2021 when an international consortium of journalists reported a leak of approximately 50,000 potential NSO spyware targets, including high-ranking officials and human rights campaigners, for possible surveillance by those leveraging the firm's Pegasus spyware.
Further revelations of misuse continued and by November, the U.S. Department of Commerce had added the NSO Group to its Entity List for allegedly engaging in activities "contrary to the national security or foreign policy interests of the U.S." Those on the Entity List cannot purchase U.S. technologies or goods without a license provided by the Department of Commerce
At the time, an NSO spokesperson told The Hill that the firm was "dismayed by the decision, given that our technologies support U.S. national security interests and policies by preventing terrorism and crime." NSO has echoed the claims in recent months, saying its software is used for legitimate law enforcement purposes.
Following the blacklisting, NSO's spyware was then reportedly detected on at least nine Apple iPhones belonging to U.S. State Department officials who are located in Uganda or whose work focuses on the African nation (see: Report: NSO Group Spyware Found on State Department Phones).
In November 2021, the Israeli government's Ministry of Defense cut the official list of countries to which Israeli companies’ cyber spyware could be exported from 102 to 37, reducing the surveillance tool export market by two-thirds. The latest list restricts cyber spyware companies in Israel from doing business with some countries that were previously customers, such as Morocco, Mexico, Saudi Arabia and the United Arab Emirates (see: Report: Israel Cuts Cyber Export List to 37 Countries).
One recent revelation that affected Israeli public opinion was allegations that Israel's police used Pegasus spyware on its own citizens, with reported targets including local mayors and protesters who criticized former Prime Minister Benjamin Netanyahu, among others (see: Israeli Officials Deny Claims of Improper Spyware Use) and conducted warrantless phone taps (see: NSO Group Spyware Reportedly Used by Israeli Police Force).