The Rise and Fall of NSO Group
He looked the journalist in the eyes, a serious expression on his face: “When I first heard there are accusations that our technology [had] been used on Jamal Khashoggi or on his relatives, I started an immediate check about it.”
Shalev Hulio – 40 years old, with a round, almost childlike face and a usually jovial demeanor – had come on the prime-time CBS television show “60 Minutes” to bet his reputation and the reputation of his cybersurveillance company NSO Group on one claim.
“And I can tell you very clear,” he said, drawing in a pause and not dropping eye contact with reporter Lesley Stahl, “we had nothing to do with this horrible murder,” insisting later that NSO technology had not been used on the journalist or his relatives.
Ever since the brazen assassination of Saudi journalist and dissident Jamal Khashoggi in Turkey five months earlier, the Israeli spyware company had been thrust into an uncomfortable spotlight. NSO Group had dealt with scandals before, but this time the accusations were of a different magnitude. The company had been accused by a friend of the murdered journalist of having sold its spyware tool to Saudi Arabia, which then used it to intercept messages between the two dissidents in the weeks and months leading up to Khashoggi’s assassination.
On that day in March 2019, in front of millions of viewers, Hulio unequivocally denied all involvement of NSO Group in the grisly murder and the targeting of Khashoggi’s relatives.
But today, Hulio’s past claims seem to be catching up with him.
New revelations – part of the Pegasus Project, an investigation by 17 media organizations in 10 countries, coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab – show that not only Khashoggi’s friend, but numerous members of his close entourage were selected for surveillance by NSO Group customers. His Egyptian wife; his son Abdullah; a number of friends; and even the Turkish prosecutor in charge of the investigation into his murder were all selected for surveillance. Amnesty International’s Security Lab even found, through a forensic analysis of her phone, that his Turkish fiancée, Hatice Cengiz, was hacked just a few days after the murder.
Despite those findings, NSO Group wrote in a letter to Forbidden Stories and its partners that their technology “was not used to listen, monitor, track or collect information regarding [Khashoggi] or his family members mentioned in your inquiry.”
For months, more than 80 journalists around the world had access to a leak of more than 50,000 records of phone numbers that NSO clients selected for surveillance in at least 10 countries. The consortium’s investigation has documented numerous misuses of Pegasus, which NSO Group clearly stated in a recent transparency report is “not a mass surveillance technology.” In India, Mexico, Azerbaijan, Morocco, Saudi Arabia, Hungary and other increasingly authoritarian countries around the world, Pegasus has been used to spy on, track down, and silence anyone who threatens the stability of these regimes. Journalists, dissidents, human rights defenders: no one can escape the tentacles of the sophisticated spyware tool, which can penetrate any smartphone and extract even the best hidden bits of information.
Forbidden Stories investigated the history of the Israeli company that built a spyware empire and in the process became synonymous with the most serious breach of private life: stealing the contents of your phone.
When Shalev Hulio tells his story, he likes to present himself as the archetype of the successful serial entrepreneur.
Hulio and his childhood – and later military training – friend Omri Lavie were always creating, investing and, in most cases, succeeding in Israel’s blooming tech startup ecosystem. In their early 20s, the two friends founded MediaAnd, a product placement startup. It was the early 2000s, a fast-paced, exciting moment, and Hulio and Lavie made the most of their early success. They rode the wave of the startup boom to VIP parties in Los Angeles and basketball games with the CEOs of the entertainment industry.
In 2008, their luck seemed to dip, if only temporarily. MediaAnd took a big hit due to the global recession, and Hulio and Lavie started back at zero. That same year, the first iPhone was released in more than 80 countries. The pair saw in it an opportunity to “remake themselves” in a new market.
Their next startup, Communitake, allowed users to take control of any smartphone from a distance. They sold it to mobile operators to help with tech support. But the mobile operators weren’t the only ones interested in this capability.
As smartphones became ubiquitous, so too had encrypted messaging services that protected information as it transited from one device to another. Intelligence agencies who had long relied on wiretapping – which intercepts information in transit – were left in the dark.
Without knowing it, Hulio and Lavie had solved the problem for them: agencies could simply hack the phone itself, bypassing encryption and giving them all of the information they needed and more. The way Hulio tells it, the two Israeli entrepreneurs were approached by intelligence agencies interested in their technology. Hulio and Lavie knew little of the opaque world of cyber-intelligence, but they decided to give it a shot. They brought on Niv Carmi, a former Mossad intelligence operative and security expert, and created NSO Group in 2010. The trio (Niv, Shalev and Omri, or NSO, for short) operated with clear roles: Niv Carmi handled the tech and Hulio and Lavie the business.
The tool they developed, which they called Pegasus, offered a plug-and-play spying solution for intelligence agencies and police forces that couldn’t afford to develop their own tools. The goal, the narrative went, was to sell to these agencies who would use the tool to fight all sorts of crime, from terrorism to money laundering to drug trafficking.
The startup methodically imposed itself upon the growing cyber-surveillance world – going from upstart challenger to the business-to-beat in a matter of years. And Mexico, a client willing to spend outrageous quantities of money for technologies fit for a spy movie, became their first fiefdom.
The Mexican “El Dorado”
When NSO Group entered the smartphone interception market in the early 2010s, the field was dominated by a handful of actors, perhaps most notably the Italian spyware company Hacking Team. At that time, Mexico was equipping itself with cyber-espionage products primarily for fighting drug trafficking, and had already become a key client of Hacking Team. So when Hacking Team got wind that NSO had signed a contract worth $32 million with the Mexican Attorney General’s office (FGR, by its initials in Spanish), it sent the Italians into a state of near shock.
“When we were selling our solutions for hundreds of thousands of dollars, NSO Group managed to negotiate million-dollar contracts,” said a former Hacking Team employee. “We were already behind in a sense.”
In July 2017, the contract amount was published by Mexican online news outlet Aristegui Noticias. Carmen Aristegui, the founder of the site, found herself unwittingly in the eye of the storm. A few months earlier, she had learned that she herself had been targeted by Pegasus. “As an NSO victim myself, it pushed me to get more information, to dig further,” she said. “I wanted answers as a journalist and for myself.”
In the contract published by Aristegui Noticias at the time, NSO Group boasted that Pegasus had “unique offerings” in comparison with “any other solution available on the market.” In a world still dominated by malware links sent via email attachment, they proposed cutting-edge “SMS infections” – messages containing malicious spyware links that could be specifically engineered depending on the target. As soon as the target clicked, the phone was automatically infected.
The messages were almost shockingly specific, Aristegui remembered. She received a number of texts regarding her bank account balances and another saying that the hacker group Anonymous had tried to hack her media outlet’s website. The messages, analyzed by the digital rights organization Citizen Lab at the University of Toronto, which specializes in surveillance, were attributed to NSO Group’s Pegasus.
At the time, the journalist was not aware of how wide a net clients of NSO Group had cast – not just in Mexico but around the world. According to the leak accessed by Forbidden Stories and its partners, at least 180 journalists and 85 human rights defenders around the world were selected as targets of this spyware tool, in addition to politicians, businesspeople and even heads of state.
Mexico, in particular, was a ravenous client. In all, more than 15,000 numbers were selected by several Mexican agencies between 2016 and 2017 alone. Among these numbers were dozens of people close to then-candidate Andres Manuel Lopez Obrador, the current Mexican president. The numbers of at least three of his sons, his wife, several of his brothers, his campaign manager, his driver and – yes – his cardiologist were all selected for surveillance.
Aristegui already knew that her son, 16 years old at the time, and two of her colleagues had been targeted at the same time as her. But the data accessed by Forbidden Stories has revealed additional potential targets in her own entourage: her CNN producer, her personal assistant and even her sister. “It was a huge shock to see their names in that list,” she said.
The Mexican government liked Pegasus so much it ended up equipping several of its agencies with the spyware tool: in addition to the Attorney General’s office, Mexico’s intelligence bureau and army were also given access. In turn NSO Group continued to provide their clients with juicier offers – each technology more sophisticated than the last.
The Israeli company had become the spyware seller to beat.
On the cutting edge
NSO Group’s rising star began to worry Hacking Team. A number of employees were tasked with gathering information on the new competitor. The Italian spyware company invited NSO Group employees for dinner and tried to extract their secrets, and even went so far as to try to infiltrate NSO product demos to learn more about how Pegasus worked, according to internal emails leaked in 2015.
“I started to get worried when I learned that NSO mastered ‘zero click’ attack vectors,” said a Hacking Team insider. “We were not doing research in that direction.”
Meanwhile NSO Group kept improving their technology. Already discreet, Pegasus became nearly invisible: so-called ‘zero-click’ infections meant that targets need not even click on a link for their phone to be compromised. NSO Group’s team of more than 500 researchers found ways to exploit certain vulnerabilities in smartphones that allowed them to enter the device quietly through the backdoor, instead of knocking at the front as they had in the past.
“The real big tectonic shift in our understanding of NSO’s capabilities happened when we saw no engagement attacks,” said John Scott-Railton, a senior researcher at Citizen Lab whose team has tirelessly tracked down Pegasus around the world for nearly a decade. “It’s one thing to educate people about links and suspicious text messages. It’s another thing to say, basically, there is nothing that you can do. And that’s a very bad place to be.”
In 2014, Francisco Partners, a private investment firm, bought NSO Group for $120 million – another turning point in the company’s trajectory. “When this happened, we said to ourselves ‘OK, they have a lot of money, they can invest in research,’” said the former Hacking Team employee. “They are going to do big things.”
A significant amount of the new budget seems to have been allocated to scouring smartphones for new vulnerabilities in software code, something hackers call ‘zero-days.’ In 2020, more than two-thirds of NSO’s 750 employees worked in research and development. Unlike some other spyware companies, NSO Group also decided to focus almost exclusively on infecting smartphones, and not computers. “If you think about it, mobile phones also are a bigger part of people’s lives than their computers ever were,” Scott-Railton said. “The targeting of mobile phones is even more comprehensive and invasive than targeting computers.”
Their investments almost immediately paid off: in 2017, Pegasus was able to infect targets through a vulnerability in the secure messaging platform WhatsApp, an app used by more than 1 billion people around the world at the time. Apple’s iPhones, which are generally considered to be among the most secure smartphones on the market, have not been spared from the attacks. As part of the Pegasus Project, Amnesty International’s Security Lab has documented dozens of successful infections in iPhones, including new models running on the latest version of iOS – released in May of this year.
“It’s just a cat and mouse game. And in this situation, the cat is kind of always ahead,” said Claudio Guarnieri, the director of Amnesty International Security Lab and the developer of the analysis used to pinpoint phone infections throughout the Pegasus Project. “When you have hundreds of people and thousands more that do it as contractors spending their days and nights going out and seeking vulnerabilities in software, these vulnerabilities will be found and exploits will be developed.”
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” said Ivan Krstić, head of Apple Security Engineering and Architecture. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
In the Israeli tech world, Hulio himself is said to only use Samsung phones running on Android, which he regularly changes.
Friends in high places
In 2015, Hacking Team – ironically and for them, tragically – was hacked. The leaked internal documents were enough to sink the Italian company for good, and created an opening in the cyber-surveillance market that NSO quickly took advantage of.
In its 2018 “Hide and Seek” report, about the global reach of NSO Group, Citizen Lab reported that 36 clients around the world operated Pegasus. This included the United Arab Emirates – a country that was already known to be quite fond of spying on journalists and dissidents. Around 2008, UAE elites ran a secret service unit that employed former US intelligence agents to spy on dissidents and journalists. Called Project Raven, this unit only became known to the public years later.
At the time NSO Group was created, diplomatic relations between Israel and Gulf countries like the UAE were far from being normalized. Nonetheless, the company managed to ink contracts with these countries – thanks in part to Israeli diplomacy. “The export of these systems is used as a tool in diplomacy,” said a UK-based lawyer who is involved in litigation against NSO. “Netanyahu used Israeli tech to open access and opportunities for the state of Israel, like using them as some kind of ambassadors.”
After several months of negotiations, Saudi Arabia signed a contract worth $55 million, according to Israeli news outlets. It was most likely NSO Group’s largest contract. “Companies like NSO made the road before Israel signed the Abraham accords with the Gulf countries [a normalization pact finalized in 2020 between Israel, UAE and Bahrain],” said a lawyer representing the victims of NSO Group in Israel. “So you can imagine that they could be protected.”
Because of their invasiveness, and the high potential for misuse, spyware tools like Pegasus must obtain export licenses directly from the Israeli Ministry of Defense. According to the UK-based lawyer, a number of criteria must be followed in order to export cyber-surveillance technologies abroad. But because these criteria are not public it is hard to know whether export licenses are being properly vetted, they said.
Despite this, NSO has been authorized on multiple occasions to sell to countries known for human rights violations. “It shows that the criteria are not really that strict,” the lawyer said. “And also that [there is] not much [concern for] issues like human rights.”
Perhaps the best illustration of the privileged relationship between Israel and NSO Group is the contract signed with Saudi Arabia in 2017. At the time – and still today – it is a punishable offense for Israeli citizens to travel to Saudi Arabia without proper authorization.
In July of 2017, news outlets in Israel reported that Shalev Hulio had traveled to Riyadh without the required right of passage documents to negotiate a contract with the Saudis. One individual aware of these negotiations told journalists from the Pegasus Project that the Israeli delegation escaped any legal consequences, thanks to their contacts at the highest level of the Israeli state.
Despite well-documented repression of civil society in Bahrain since the emergence of the Arab Spring there in 2011, NSO Group still sold its spyware to the kingdom. Among the numbers selected for surveillance by the Bahraini client in our data were dozens of journalists, human rights activists and dissidents. According to a person familiar with the operations of NSO, the company recently terminated its contracts with Saudi Arabia and the emirate of Dubai over human rights concerns. Precise reasons were not given for Dubai, but the targeting of high-level royal officials was a factor in the company’s decision.
The enormous contract bolstered NSO Group’s activities for the next several years, and initiated a sort of “Roaring 20s” atmosphere. Employees were treated to all-expenses-paid vacations in Thailand and Sardinia, replete with beach parties, luxurious 5-star hotels, and live performances. DJ sets, stand-up shows, fire-eating acts – the party never seemed to stop.
All the while NSO Group continued selling Pegasus, and in the wrong hands, the technology’s victim count kept ticking upward. But a few intrepid researchers had already begun to follow the Israeli enterprise’s traces – scant as they were – and would soon begin to put together the puzzle.
Since the mid-2000s, Citizen Lab, an interdisciplinary research lab at the University of Toronto, has tracked cyber-surveillance, documenting abuses of these sorts of technologies against civil society around the world.
One of the cases they documented was that of Emirati activist Ahmed Mansoor. Since his first arrest in 2011 for holding anti-government opinions, the activist had been regularly spied on by the UAE. His passport was confiscated, his bank account emptied and even the smallest of his movements were monitored.
In the early 2010s, NSO Group was just one of a number of spyware companies Citizen Lab was keeping tabs on. But one night in 2016, as he prepared to go to sleep, Bill Marczak, an analyst for the Canadian tech lab, received a message from Mansoor on the encrypted messaging app Telegram. “He was like, ‘Bill, I got this weird SMS, take a look at it,’” Marczak remembered.
Marczak immediately recognized the link, which he had memorized: it was one of dozens of malicious links he had identified and attributed back to NSO Group previously. “So we had this list of NSO Group websites. And we were kind of like, ‘Well, this is interesting, but what do we do with this? We don’t have any targets yet,’” he said.
With Mansoor’s message in hand, Citizen Lab had found the first known victim of the Israeli spyware. Several months later, Citizen Lab released an explosive report on Mansoor’s targeting: “The Million Dollar Dissident.”
The report would be a turning point for NSO Group: security analysts had for the first time lifted the veil on the secretive spyware company and abuse by their Emirati client.
“With the title ‘Million Dollar Dissident,’ we wanted to highlight the fact that real resources were being put into targeting dissidents, not just that was an afterthought,” said Scott-Railton, at Citizen Lab. “The targeting of dissidents had to sit in the same mental box as targeting heads of state, ambassadors, big corporations. NSO allowed us to make that argument and to demonstrate it.”
Less than a year after the report was released, Mansoor nonetheless found himself in prison, arrested and charged with “insulting the status and prestige of the UAE and its symbols, including its leaders” and “publishing false reports and information on social media.” On March 20, 2017, just a few minutes before midnight, Emirati special forces arrived at the activist’s house and forcibly detained him. He was locked in a windowless cell with no bed or light source. Journalists from the Pegasus Project have found that his phone number was selected for surveillance just a few days before his arrest, as well as in the hours that followed.
Since that first report, Citizen Lab has multiplied its revelations about the Israeli company. Allegations of abuse started to cascade upon NSO Group. In the summer of 2018, several Mexican journalists, including Carmen Aristegui, filed a legal complaint against NSO in Israel. A Qatari journalist, also a target, filed a case in Cyprus, one of the three countries where NSO is legally based. In December 2018, Omar Abdulaziz, the friend of Jamal Khashoggi, took NSO to court in Israel. The following year, Amnesty International and even Facebook joined the growing list of plaintiffs after more than 1,500 people’s phones were revealed to have been targeted through a security flaw in the encrypted messaging service WhatsApp.
The leaked data accessed by journalists of the Pegasus Project shows that lawyers in some of these cases have also been selected as targets.
“Not only do they hack people because of their political activities. But if these people are seeking any kind of accountability, they will go after the people helping them,” said the UK-based lawyer, involved in litigation against the company.
“Personally I’m not surprised, but it is still scary,” said the lawyer representing NSO victims in Israel. “They have no limits. And when it comes to their pockets, I think they can go further than they did.”
Same old song and dance
The Khashoggi murder on October 2, 2018 was another inflection point for NSO Group, which found its name associated with the assassination of the journalist, making headlines around the world. Even months after the murder, the company was unable to get past the affair.
Around the same time, Hulio and Lavie were pushing to break free of Francisco Partners, the firm that had owned 70 percent of the company’s shares since 2014. They found the right match in Novalpina, an investment fund founded by European venture capitalists. In February 2019, Novalpina helped the duo buy back the company for a sum that’s estimated at $850 million.
In June 2019, nearly a year after the Khashoggi murder, Novalpina embarked on a mission to rid NSO of its negative image. The investment fund released a new governance plan, which adhered to the UN principles on business and human rights. “This is an ambitious goal, wholly without precedent within the cybersecurity industry (in fact, it remains rare in any industry),” Novalpina wrote in a press release.
Investor Stephen Peel assured that “Novalpina and NSO are committed to do whatever necessary to ensure NSO’s technology is used only for its intended lawful purpose.”
NSO Group transformed its Business Ethics Committee into the Governance, Risk and Compliance Committee and, according to the company, met once a month to assess its sales and launch investigations into misuse of Pegasus by various clients.
Two years later, NSO Group released its first Transparency and Responsibility report on the final day of June 2021. The 32-page report, published less than three weeks before the Pegasus Project revelations, aimed to take an “unflinching, hard-nosed look” at how NSO Group’s products are used around the world.
The company stated that since its creation, NSO Group has rejected more than $300 million in contracts because potential buyers did not adhere to international human rights standards. They also claimed that they had ended five contracts for similar reasons.
At nearly the exact moment that the long-awaited report was being released, Amnesty International’s Security Lab was detecting traces of Pegasus infections in the phones of Carine Canimba, the daughter of Rwandan dissident Paul Rusesabagina, and that of an Indian journalist. Wadah Khanfar, former director of Al Jazeera and one of Jamal Khashoggi’s close friends, was also compromised at the same time.
Confronted with our findings, CEO Shalev Hulio said: “The company cares about journalists and activists and civil society in general. We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in the Transparency and Responsibility report, we have shut down system for customers who have misused the system.”
“NSO’s commitment to human rights is more public relations exercise than any meaningful attempt to change course. Their recent transparency report reads like a sales brochure,” said Danna Ingleton, Director of Amnesty Tech. “If NSO is genuine about reforming, why does it continue to attack civil society and attempt to silence us in court?”
“There can no longer be any doubt as to the scale of the human rights abuses NSO’s technology facilitates or that the surveillance industry is out of control.”
For NSO Group, the consequences of years of abuse of its system by its customers seem to be catching up with it: following the first day of revelations by the Pegasus Project, Amazon Web Services shut down infrastructure and accounts linked to NSO Group.
Additional reporting by Amitai Ziv (Haaretz), Stephanie Kirchgaessner (The Guardian), Holger Stark (Die Zeit), Dana Priest (The Washington Post), Kai Bierman (Die Zeit), Kristiana Ludwig (Süddeutsche Zeitung), Carmen Aristegui (Aristegui Noticias), Paloma Dupont de Dinechin (Forbidden Stories).