Inside the shadowy world of spyware makers that target activists and dissidents

There’s some new competition for NSO, the Israeli company which boasts of its ability to take over phones and computers on behalf of high-paying government clients: Dozens upon dozens of spyware firms that offer a range of surveillance options.

Last month, Facebook said that WhatsApp users were vulnerable to a sophisticated exploit capable of hacking into phones with little more than a few unanswered calls. The new exploit was likely part of Pegasus, a spyware suite created by the Tel Aviv-based NSO Group, which boasts of its ability to take over phones and computers on behalf of high-paying government clients, according to WhatsApp and Citizen Lab, a research center at the University of Toronto. While the U.S. Justice Department recently told Fast Company that it is aware of the exploit, a rep for the agency would not comment on whether it is actively investigating it.

Though NSO is perhaps the most infamous mobile spyware maker—a recent lawsuit alleges that its Pegasus technology was used to help track murdered Saudi dissident Jamal Khashoggi—it is only one of many shadowy firms offering smartphone malware that, while officially designed to target criminals and terrorists, can be used to target activists, lawyers, and other members of civil society. Dozens upon dozens of spyware firms offer a range of smartphone surveillance, from video and audio recording to location and text monitoring, to clients that include regimes with dubious human rights records. This technology, for instance, has been used by mysterious elements in countries like Bahrain and Ethiopia, who used Milan-based Hacking Team’s Remote Control System and the U.K.-based Gamma Group’s FinFisher spyware, respectively, to target dissidents both at home and abroad.

NSO has emphatically denied any role in tracking Khashoggi, with the company’s CEO Shalev Hulio telling Israel’s Yedioth Ahronoth earlier this year that “Khashoggi was not targeted by any NSO product or technology, including listening, monitoring, location tracking and intelligence collection.” In January, an NSO spokesperson told Fast Company that the lawsuits were “nothing more than an empty PR stunt to continue the propaganda drumbeat against NSO’s work helping intelligence agencies fight crime and terrorism around the globe.”

Other companies include the Israeli firms Ability (a former NSO Group partner), Verint, and Elbit Systems, which have clients across the globe, as the Surveillance Industry Index toolkit illustrates. And, in recent months, a new alliance of some public and some unnamed firms has launched Intellexa, a consortium that hopes to challenge NSO Group and Verint in the burgeoning “lawful intercept” market. In late May, Senpai, a “consulting and R&D company” that specializes in cyberintelligence and AI solutions, joined Intellexa as the fourth official partner (five others are not publicly named), for what seems to be its expertise in AI-based data analytics.

Particularly troubling for civil society is the legal uncertainty surrounding these spyware tools. While security researchers like Citizen Lab keep uncovering instances of abuse, and lawyers for targeted individuals take the fight to the courts, federal contracts for the sale and deployment of such mobile spyware tools continue with little to no oversight. The industry is a veritable wild west of cyberweaponry, with no sheriffs to protect anyone with a smartphone.

A market of exploits

Karsten Nohl, a cryptographer and managing director at Security Research Labs, says that there are two dimensions to lawful intercept tools: is the smartphone an iPhone or not, and does the exploit require “help” from the phone’s user. Some exploits require users to do something like install a security update—despite warnings—that downloads malware onto their device. Nohl says the simplest exploits are those for Android phones, and that the preferred exploits work over the internet, while others only work in Wi-Fi range. Nohl says that NSO Group can hack most versions of the iPhone and many Android phones, and that this usually happens remotely.

“The most difficult would be a remote exploit of an iPhone, and, as far as I can tell, most of the time NSO Group has a monopoly on this,” says Nohl. “There is nobody else who can promise continuous access to iPhone without help from users.”

Still, when it comes to matters of surveillance, whether state or corporate, we very often don’t know what we don’t know.

Nohl says an iPhone exploit will set a customer back millions of dollars. An Android exploit, on the other hand, costs only hundreds of thousands of dollars. The iPhone ecosystem is clean, with a single software stack running on a small number of devices, which makes exploit research and development highly specialized, hence the high market prices. The Android ecosystem is much more fragmented, requiring less effort to design exploits for the various vendors and phones, but more work to maintain those exploits over time.

Apple has declined to comment publicly on the capabilities of NSO or other spyware makers. In 2016, after an investigation by Citizen Lab into Pegasus prompted Apple to release a security patch for iPhones, the company specified neither the reason nor the culprit, nor did it contact human rights groups. That year, Google and cybersecurity company Lookout said they found traces of NSO spyware on “a few dozen” smartphones in 11 countries, predominantly in Israel, Mexico, Georgia, and Turkey.

There are cheaper options. Rather than attacking phones, Nohl says most spyware vendors offer SS7 spying, which takes advantage of vulnerabilities in the mobile network. SS7, or Signaling System No. 7, is a protocol that allows various phone networks to communicate with one another. When an exploit gives hackers access to SS7, they can capture smartphone user information like voice calls, text messages, location information, and other data. “Of course, your iPhone can be strong as you want security-wise, but if the mobile network leaks information, that’s outside the control of the phone and Apple. Companies like Circles are very actively promoting that they can track the location of a phone through SS7.”

SS7 exploits, Nohl notes, will set customers back on the order of tens of thousands of dollars. He assumes every spyware maker has access to SS7 networks. But Nohl says Android exploits are growing more sophisticated and new competitors are entering the market, putting these tools in the hands of growing numbers of customers.

The Israeli connection

Ability, a Tel Aviv-based spyware firm, sells something called the Unlimited Interception System (ULIN), which, along with a tactical cellular interception system called IBIS (In-Between Interception System), allows Ability’s customers to intercept GSM, UMTS, LTE, and CDMA networks to spy on a target’s smartphone. Mexico spent $42 million on ULIN and other tools in 2016, but Ability has also had customers in China, Singapore, Myanmar, the Czech Republic, Germany, and other countries. The company website states that its customers include security and intelligence agencies, military forces, law enforcement, and homeland security agencies in over 50 countries.

While its fortunes have faded recently—last year it settled a lawsuit with investors for misleading financials—Ability is still actively developing new exploits, according to Forbes.

Verint, which has offices in Melville, New York, and Herzliya, Israel, came close to purchasing NSO Group in 2018 for $1 billion before talks fell apart. The company is best known for its security cameras and systems that allow corporations to monitor workplaces, but it also sells sophisticated mass communication surveillance tools, including smartphone tracking software, to government and enterprise customers. Verint’s SkyLock technology, for instance, can track the location of smartphone users by exploiting the SS7 protocol, as evidenced in a confidential brochure obtained by 60 Minutes in 2016.

Like a number of known spyware companies, Verint has sold smartphone snooping systems to governments with highly questionable human rights records, such as the United Arab Emirates (UAE), South Sudan, and Mexico. An anonymous former Verint employee told Haaretz last year that Verint’s phone monitoring technology was used to target gay and transgender people in Azerbaijan.

Spyware makers unite

To compete with the likes of NSO Group and Verint Systems, a number of surveillance startups recently formed a consortium. Known as Intellexa, this alliance aims to become “a one-stop shop for all of our customers’ field intelligence collection needs”—the need, of course, being smart device monitoring, among other electronic devices.

The Intellexa alliance is comprised of cyberintelligence firms Nexa Technologies (formerly Amesys), WiSpear, and Cytrox. Nexa’s “Lawful Intercept” solution allows the operator to spy on voice and data across 2G, 3G, and 4G networks. The company, which is headquartered in Paris with offices in Dubai and the Czech Republic, also offers an internet interception product that allows users to carry out IP probes to analyze high data rate networks, or to use what its website says are Wi-Fi sensors designed to detect a target several miles away.

Nexa didn’t respond to email requests for comment on its system capabilities. However, John Scott-Railton, a Senior Researcher at Citizen Lab, says the company’s Wi-Fi sensors are likely radio direction finding technology combined with standard Wi-Fi interception attacks.

Intellexa partner WiSpear is a more recent entry into the offensive cyber weapons market. Launched in Israel in 2017 but based in Cyprus, WiSpear sells a specially-outfitted van called SpearHead, which is equipped with 24 antennas that can force a target’s phone or computer to connect to its Wi-Fi-based interceptor at a distance of up to 1,640 feet. After conducting a “man-in-the-middle” attack, SpearHead can download four different kinds of malware onto iOS and Android.

WiSpear’s founder, Tal Dilian, a veteran of the Israel Defense Forces, is also the founder of Circles, a cyberweapons company based in Cyprus and Bulgaria that merged with NSO Group when both companies were under the ownership of Francisco Partners. The other public Intellexa partner, Cytrox, is a European firm that develops exploits that can target and break into a user’s smart devices. The company, which is currently in stealth mode according to its website, was acquired by WiSpear in 2018. Dilian told the publication that in addition to the three firms, there are five other non-public partners in Intellexa.

“Field intelligence teams must be prepared to overcome any challenge they face,” said Dilian in Intellexa’s February 16th press release announcing the alliance. “They need to be able to access hard-to-reach areas and successfully intercept any device. To make sure they succeed in doing so, they need a versatile platform—portable, vehicle mounted or airborne—with a comprehensive set of capabilities to choose from, depending on the specific operational scenario they face. Intellexa was established to enable just that.”

Intellexa could not be reached for comment on its “airborne” spyware capabilities, but Scott-Railton says drones and other aircraft equipped with intercept technology would be advantageous for firms. “[Drones and aircraft] are actually the best way since you get it via line-of-sight,” he says. “Ground-based has much lower range.”

“Trojan system for mobile devices”

Another, lesser-known spyware firm is Rayzone, an Israeli company that offers services like location tracking and big data analysis, as well as a “trojan system for mobile devices” that it sells to governments and federal agencies. The Rayzone website mentions malware that allows clients to gather smartphone information like files, photos, web browsing, emails, location, Skype conversations, and other data. The company also boasts that its malware can spy on SMS and other instant messaging services, including WhatsApp.

Many of the above spyware firms make their money with overseas contracts, often under the auspices of their governments’ export controls, but there are several companies with more domestic agendas. The UAE, for instance, is home to DarkMatter, a cybersecurity firm that houses Project Raven, a team of clandestine operatives, some of whom formerly worked for U.S. intelligence services like the National Security Agency (NSA). Reuters reported in January that for the last several years, Raven operatives have used a cyberespionage platform called Karma that can hack the iPhones of activists and political leaders, as well as suspected terrorists.

One of the Reuters sources, Lori Stroud, formerly of NSA contractor Booz Allen Hamilton, was told in a briefing that Raven is the offensive, operational division of the UAE’s NESA (National Electronic Security Authority, now called the Signals Intelligence Agency), which is the equivalent of the NSA. While Raven used Karma to spy on regional rivals like Qatar and Iran, it also reportedly used the malware to target UAE citizens who were openly critical of the monarchy. In an interesting turn, anonymous sources told the Intercept that operatives at DarkMatter had discussed hacking the publication’s staff after reporter Jenna McLaughlin had revealed in an Intercept story how the Maryland-based computer security firm CyberPoint had helped assemble a team of American spies and hacking tools for Project Raven.

Across the Mediterranean, the Italian firm eSurv sells an Android spyware platform nicknamed “Exodus.” In March, researchers at the watchdog Security Without Borders said that between 2016 and early 2019 they had found 25 malicious apps uploaded by eSurv to the Google Play Store, where they were disguised as applications from mobile operators. “According to publicly available statistics, as well as confirmation from Google, most of these apps collected a few dozen installations each, with one case reaching over 350,” Security Without Borders reported.

Security Without Borders’ research revealed that Exodus is equipped with “extensive collection and interception capabilities,” and that some modifications triggered by the spyware “might expose the infected devices to further compromise or data tampering.” Italian authorities launched an investigation into eSurv and a related company, STM, in the weeks before Security Without Borders’ report. As part of the investigation, prosecutors said they shut down eSurv’s infrastructure.

Growing a controversial industry

In March, the New York Times reported that the market for “lawful intercept spyware” has an estimated value of $12 billion. The London-based market research company Technavio, however, estimates the lawful intercept market to be $1.3 billion, noting that a key driver for the market is an “increasing number of government initiatives ... to increase the use of lawful interception for periodic monitoring and control of criminal, terrorist, and other illegal activities across communication networks.” With more spyware tools and government intercept initiatives, the potential for abuse is very likely to increase, says Scott-Railton.

“That said, while the new entrants are chasing after investors, it’s pretty clear that many investors are made uncomfortable by the risks that these companies are running,” he says.

Novalpina Capital, the private equity firm that recently bought NSO Group from Francisco Partners, has been taking heat for the last few months over Pegasus’s human rights record. And with NSO Group facing multiple lawsuits from alleged victims in Canada and Mexico, Novalpina has tried to calm investor nerves with a public relations campaign in which it engages with human rights groups and pledges more stringent internal oversight. NSO is “already relatively permissive about the use of its technology for what Europeans would consider human rights violations,” says Nohl.

Meanwhile, the legal terrain surrounding so-called lawful intercept tools remains murky and largely untrammeled. As a group of lawyers and law students recently wrote at Just Security, “To date, neither domestic legal frameworks governing the sale and deployment of spyware, nor industry self-regulation, is effectively preventing or addressing abuses.”

David Kaye, the U.N. special rapporteur on freedom of expression, recently called for a moratorium on sales of surveillance software. “Surveillance of specific individuals—often journalists, activists, opposition figures, critics, and others exercising their right to freedom of expression—has been shown to lead to arbitrary detention, sometimes to torture and possibly to extrajudicial killings,” he wrote in a report to the U.N. Human Rights Council. “States should impose an immediate moratorium on the export, sale, transfer, use, or servicing of privately developed surveillance tools until a human rights-compliant safeguards regime is in place.”

Nohl points out that what is perfectly legal activity in one country may very well be criminal in another country, especially as it pertains to spying and law enforcement. He says that many countries will feel perfectly entitled to use mobile spyware technologies as tools of political oppression because their laws actually grant them that power.

And companies will keep selling them weapons. While NSO and other Israeli vendors currently dominate the marketplace, it may not always be so. “NSO Group is just so phenomenally profitable that somebody else will have to break into that market,” says Nohl. “And the next competitor might well be a Russian, Chinese, or even North Korean vendor, who might have even less trouble dealing with an even wider range of clients.”