Shalev Hulio, the co-founder of Israel’s NSO Group, was in Washington DC on a mission to try to resuscitate the surveillance company’s battered reputation on Capitol Hill shortly before the news broke that he had probably arrived too late to make a difference.
With little advance warning to its allies in Israel, the Biden administration announced on 3 November that it was putting the spyware maker – one of the most sophisticated cyber-weapons companies in the world – on a US blacklist, citing use of the company’s software by regimes around the world for “transnational repression”.
“That’s how little they knew. Then, boom, this came out,” said one person familiar with the matter.
Since then, the news has gone from bad to worse for the company, which has long defended itself against critics by claiming that its principal surveillance tool – the Pegasus software that can penetrate phones and intercept encrypted calls and messages – is used by governments around the world to silently hack into the phones of criminals and suspected terrorists, and save lives.
This week Apple, the world’s largest technology company, became the latest to challenge that narrative when it accused NSO in a scathing lawsuit filed in California of being “amoral 21st-century mercenaries” whose tools had invited “routine and flagrant abuse”.
“For their own commercial gain, they enable their customers to abuse [Apple] products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even US citizens,” Apple said in its lawsuit. While NSO was busy “hiding behind their unnamed customers”, it was committing “multiple violations of federal and state law” as it developed and used – “or assisted others in using” – tools that had harmed Apple’s users, the lawsuit alleged.
Hours after the lawsuit was filed, activists said Apple began sending threat notification alerts to alleged victims of state-sponsored hackers in Thailand, El Salvador and Uganda. Reuters reported at least six Thai activists and researchers who have been critical of the government received the notification.
At the same time, the credit rating agency Moody’s warned NSO was at risk of defaulting on about $500m (£375m) in debt, which would force the group into insolvency.
For Alaa Mahajna, a lawyer who for years has waged a lonely – and difficult – legal battle against NSO, the company’s barrage of bad news has been vindicating.
“NSO spent years dismissing any criticism and dodging accountability for human rights violations. It is very encouraging that most major tech companies and the US government now see the pernicious effect of NSO’s technology,” he said.
Mahajna represents Omar Abdulaziz, a Saudi dissident living in exile in Canada who experts at the Citizen Lab at the University of Toronto have claimed was hacked in 2018, months before Abdulaziz’s friend, the journalist Jamal Khashoggi, was murdered in the Saudi embassy in Istanbul.
“As the first lawyer to bring legal proceedings against them, I am happy to see that these major actors are seeing what we saw four years ago. The atmosphere is definitely changing. It was and still is hard work for everyone involved, and some of us paid a price, but it is gratifying to see the tide turning,” Mahajna said.
There are other complications on the horizon. One person familiar with the matter said at least one bank working for NSO and related entities had voiced concern about its listing on the US commerce department’s entity list. A person close to NSO said its banking relationships were intact.
While placement on the list does not prohibit the provision of banking services, Kevin Wolf, a partner at law firm Akin Gump, said the listing did prohibit the transfer of any technology or software to the company from the US, a fact that generally made banks and other financial institutions who work for companies on the entity list nervous about the possibility that they could inadvertently fall foul of the rules over the normal course of business and provoke a response from the US government.
Another person familiar with the matter said Berkeley Research Group (BRG), a US-based consulting group appointed in August 2021 to manage the financial fund that owns a majority stake in NSO on behalf of its investors, consulted legal experts at the law firm McDermott Will & Emery to ensure its own work managing the fund did not inadvertently violate the entity list rules. It took those steps, a person said, as a matter of normal business practice and it is understood it received legal advice that the Biden administration’s actions did not prevent BRG from managing the fund’s NSO investment.
The main investors in the financial fund are US pension funds. A person familiar with BRG said it still had limited information about NSO’s decision-making.
Multiple media reports have suggested NSO is focused on trying to convince the Biden administration to remove the company from the entity list.
In response to the Guardian’s questions about its viability in the face of the developments, an NSO spokesperson said: “NSO Group remains strong, proud, and confident, and we will continue to provide technologies to help law enforcements catch paedophiles, terrorists and criminals.”
One person who spoke to the Guardian on condition of anonymity said the administration had been moved to act at least in part because of the number of US citizens who had been targeted using Pegasus in the past – including Americans living and working abroad.
NSO has denied its surveillance tools are used against US-based mobile phones.
The Pegasus project, a major investigation into NSO by the Guardian and other media outlets, which was coordinated by the French media group Forbidden Stories, reported in July that Carine Kanimba, the American daughter of Paul Rusesabagina, the imprisoned Rwandan activist who inspired the film Hotel Rwanda, had been the victim of a near-constant surveillance campaign by a government client using Pegasus in the first half of 2021. Forensic analysis of Kanimba’s phone, conducted by Amnesty International’s security lab, found it had been hacked multiple times while Kanimba, who is also Belgian and was living in Europe, was campaigning and lobbying for her father’s release.
In response to questions about Apple’s lawsuit this week, an NSO spokesperson said in a statement: “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers. Paedophiles and terrorists can freely operate in technological safe havens, and we provide governments the lawful tools to fight it. NSO Group will continue to advocate for the truth.”
