Targeting U.S. Officials Could Mean Death Sentence for Israeli NSO

Reports saying U.S. State Department personnel in Uganda were victims of spy tech are perhaps the most devastating blow to NSO yet – and the company shouldn’t expect Jerusalem to come to its aid

An image of the NSO Group website on a cellphone. Credit: JOEL SAGET - AFP
Omer Benjakob

Just as things looked like they couldn’t get any worse for Israeli spyware firm NSO Group, they did.

The latest revelation was a bombshell scoop by Reuters this weekend that U.S. officials in Africa were victims of the firm’s surveillance spyware (Pegasus) – this despite the oft-repeated claim by NSO that no Americans, and certainly no American officials, could be targeted by its technology.

NSO’s technology allows its clients, usually state intelligence agencies, to remotely hack into cellphones. This includes iPhones, making use of a loophole in Apple’s defenses that was only recently made public.

The Israeli company has long claimed that its software cannot be used to target Americans, even theoretically, and that any phone number beginning with a U.S. country code (+1) is automatically blocked by the system. This explains why during the Project Pegasus exposé earlier this year, no U.S. number could be found among the 50,000 phone numbers possibly selected as potential targets by NSO’s clients worldwide.

However, the Reuters story showed that this is not really the case. Saturday’s report was attributed to official U.S. sources and was followed by additional confirmation in the form of a CNN report about dozens of U.S. officials being targeted.

But it is not just those sources who are making the claim. The news was also confirmed by the Wall Street Journal, which stated that Apple – which is suing NSO for taking advantage of a “zero-click exploit” in the iPhone’s iMessage system to infect smartphones – had warned U.S. State Department officials that 11 of its personnel in Uganda had been targeted.

Though NSO’s system does not work on U.S. numbers, clearly it can be used against any Americans using non-U.S. numbers. The officials targeted in Uganda were using local phones, thus allowing an NSO client to easily circumvent the supposed restriction.

This simple “hack” highlights the paradox NSO has placed itself in. The group has long tried to claim it does not know what clients are doing with its tech, saying it has no “back door” to the spyware and only imposes technical limitations (for instance, barring American or Israeli numbers from being put into the system) as part of its software and terms of use. This has historically provided NSO with plausible deniability.

Yet the latest reports show the limits of this deniability and the lethal paradox the firm now finds itself in: Though the phone numbers were not American, the phones and Apple IDs they were linked to were.

In fact, the emails linked to the Apple IDs – the same ones linked to the iMessage service that comes built into iPhones – were clearly American addresses. These were reportedly email accounts that even ended with a “.gov” domain – a sure sign that the owner was a U.S. official.

The NSO Group offices in southern Israel. Credit: Sebastian Scheiner/AP

In other words, the same loophole that allowed NSO’s clients to hack into the officials’ phones could just as easily have been used to identify them as Americans.

NSO’s claim that it has no control over how its clients use its tech, barring a few minor technical restrictions, now puts the company in a bind. How is it possible that the firm’s software is smart enough to take advantage of the iMessage “exploit” but not check the email account affiliated with it? In fact, one could argue that, nowadays, phone numbers are a much less important identifier than emails. NSO’s plausible deniability now seems to be purposefully obtuse, if not negligently naive – and may prove to be its death knell.

This concern can be seen in the spyware firm’s response. While usually laconic in its media responses, this time NSO responded swiftly to the news, quickly saying it was investigating – rather than denying any wrongdoing – and announcing that it had cut its service to the relevant client (most likely either Rwanda or Uganda itself, though an NSO spokesman refused to address the identity of the firm’s clients or confirm if either country was behind this incident, which is a clear breach of its terms of use).

The latest news also helps explain why NSO was placed on a U.S. Department of Commerce blacklist last month for “malicious cyber activities.” It also undercuts any illusions the company’s top brass may have harbored about lobbying the Biden administration to get itself removed from the list.

NSO has long wanted to enter the U.S. market, and was planning to go public in the near future. Both dreams are now over. The latest news shows how the White House and the tech world have both had enough of NSO. (In addition to Apple, Facebook is also suing NSO for using its WhatsApp messaging service to hack phones in Mexico.)

And Israel? Will Startup Nation keep wasting its precious political capital in D.C. by trying to help the firm make amends with the Americans? Even without knowing who the actual client is, it is highly likely that the client’s partnership with NSO began as part of then-Prime Minister Benjamin Netanyahu’s big diplomatic turn to Africa in the second half of the last decade. Netanyahu, for example, visited Rwanda in 2016 and, as Amitai Ziv noted during the Project Pegasus probe earlier this year, the country’s first potential usage of NSO began a year later.

The deal Netanyahu was eyeing with Rwanda had to do with both normalizing ties with other African states and them taking in African asylum seekers who had sought refuge in Israel. It seems unlikely that the current Israeli administration will see any benefit in defending a firm that a U.S. National Security Council spokesperson just said “poses a serious counterintelligence and security risk to U.S. personnel.”

“The Biden-Harris administration has mobilized a government-wide effort to counter and curb proliferation of these commercial hacking tools, which have been used to further transnational repression and human rights abuses, and represent a counterintelligence and security threat for U.S. officials,” the spokesperson said over the weekend. It is unlikely that Prime Minister Naftali Bennett, Foreign Minister Yair Lapid or any Israeli officials will stand in their way.
