NSO Group

NSO Group Technologies (NSO standing for Niv, Shalev and Omri, the names of the company's founders) is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click surveillance of smartphones. It employed almost 500 people as of 2017.

NSO claims that it provides authorized governments with technology that helps them combat terror and crime. The company says that it deals with government clients only. Pegasus spyware is classified as a weapon by Israel and any export of the technology must be approved by the government.

According to several reports, NSO Group spyware has been used to target human rights activists and journalists in various countries, for state espionage against Pakistan, and for warrantless domestic surveillance of Israeli citizens by Israeli police, and played a role in the murder of Saudi dissident Jamal Khashoggi by agents of the Saudi government.

In 2019, instant messaging company WhatsApp and its parent company Meta Platforms (then known as Facebook) sued NSO under the United States Computer Fraud and Abuse Act. In 2021, Apple filed a lawsuit against NSO in the U.S., and the US included NSO Group in its Entity List for acting against U.S. national security and foreign policy interests, effectively banning U.S. companies from supplying NSO.

Overview
NSO Group is a subsidiary of the Q Cyber Technologies group of companies. Q Cyber Technologies is the name the NSO Group uses in Israel, but the company goes by OSY Technologies in Luxembourg and, in North America, operates through a subsidiary formerly known as Westbridge. It has operated through various other companies around the world.

Founding
NSO Group was founded in 2010 by Niv Karmi, Omri Lavie, and Shalev Hulio. Hulio and Lavie were school friends who went into the technology start-up sector during the mid-2000s. The pair founded a company, CommuniTake, which offered a tool that let cellphone tech support workers access customers' devices (but required the customer to grant permission to enable access). After a European intelligence agency expressed interest in the product, the pair realised they could instead develop a tool that could gain access to phones without user authorisation, and market it to security and intelligence agencies. Karmi, who served in military intelligence and the Mossad, was brought on board to help market the tool with the help of his contacts. The first iteration of NSO's Pegasus spyware was finalised in 2011.

Operations
NSO Group has come to employ over 700 personnel globally. Almost all of NSO's research team is made up of former Israeli military intelligence personnel, most of them having served in Israel's Military Intelligence Directorate, and many of these in its Unit 8200. The company's most valuable staff are graduates of the military intelligence's highly selective advanced cyberweapons training programs. NSO seeks to uncover a surfeit of zero-day exploits in target devices to ensure smooth continuous access even as some of the security vulnerabilities exploited by NSO are inevitably discovered and patched, with labs in the company's Herzliya headquarters featuring racks stacked with phones being tested against new exploits.

Relationship with the Israeli state
Pegasus spyware is classified as a military export by Israel and its sale is controlled by the government. According to The New York Times, "Israel's government has long seen Pegasus as a critical tool for its foreign policy" and "[...] has treated NSO as a de facto arm of the state, granting licenses for Pegasus to numerous countries [...] with which the Israeli government hoped to nurture stronger security and diplomatic ties." Israel has used the sale of NSO products as a diplomatic bargaining chip to advance its foreign policy interests, and has limited their sale to, or their use against, certain states in order to maintain good relations with certain states. Israel has faced criticism for approving the sale of NSO technologies to countries with poor human rights records. U.S. intelligence officials have also said the Israeli state presumably has backdoor access to data obtained by Pegasus. NSO denies being "a tool of Israeli diplomacy", and denies the presence of a backdoor in its spyware tools.

Israel, wary of angering the U.S. in the wake of the Snowden revelations, required NSO to prevent Pegasus from targeting American phone numbers. Israel has used Pegasus to advance its interests in the region, with Pegasus playing a role in negotiating the Abraham Accords. A New York Times investigation highlighted several instances in which the sale of Pegasus to a particular government coincided with that government's increased support of Israel. Israel has used Pegasus sales in its diplomatic efforts to forge a united front against Iran, thus clearing the sale of the spyware to Azerbaijan, Morocco, the UAE, and Saudi Arabia.

The Israeli government blocked the sale of Pegasus to Estonia and Ukraine for fear that Israel's relations with Russia would be damaged if the spyware was used against Russia. Israel initially authorised the export of Pegasus to Estonia (which made a $30 million down payment to obtain the system), but after a senior Russian official approached Israeli security agencies and informed them that Russia had learned of Estonia's attempts to obtain Pegasus, the Israeli Ministry of Defense decided to disallow Estonia from using Pegasus against any Russian phone numbers following a heated debate on the issue among Israeli officials, and subsequently blocked the sale.

Corporate history
The company's start-up funding came from a group of investors headed by Eddy Shalev, a partner in venture capital fund Genesis Partners, which invested a total of $1.8 million for a 30% stake.

In 2013, NSO's annual revenues were around US$40 million.

In 2014, the U.S.-based private equity firm Francisco Partners bought the company for $130 million.

In 2014, the surveillance firm Circles (which produces a phone geolocation tool) was acquired by Francisco Partners for $130 million, and thus became a corporate affiliate of NSO's.

In 2015, Francisco was seeking to sell the company for up to $1 billion.

Annual revenues were around $150 million in 2015.

In June 2017, the company was put up for sale for more than $1 billion by Francisco Partners (roughly ten times what Francisco originally paid to acquire it in 2014). At the time it was put up for sale, NSO had almost 500 employees (up from around 50 in 2014).

On February 14, 2019, Francisco Partners sold a majority (60%) stake of NSO back to co-founders Shalev Hulio and Omri Lavie, who were supported in the purchase by European private equity fund Novalpina Capital which specialises in investments in controversial companies. Hulio and Lavie invested $100 million, with Novalpina acquiring the remaining portion of the majority stake, thus valuing the company at approximately $1 billion. The day after the acquisition, Novalpina attempted to address the concerns raised by Citizen Lab with a letter, stating their belief that NSO operates with sufficient integrity and caution.

In July 2021, investors in Novalpina Capital stripped Novalpina Capital of control over its assets (including NSO) after an unresolved personal dispute amongst the co-founders of Novalpina Capital. Berkeley Research Group (BRG), a California-based consultancy firm, was subsequently handed control over the assets (including NSO).

By the time of BRG's takeover, NSO Group was in perilous financial straits, having gone months without a new sale and at risk of missing its debt payments and its November 2021 payroll payments. NSO CEO Shalev Hulio suggested to BRG that the company should improve its financial standing by starting to sell its products to high-risk customers previously deemed unacceptable, responding to objections by joking that missing debt payments was risky too. BRG was categorically opposed to the suggestion despite acknowledging that selling to high-risk customers was the only realistic way of maintaining NSO's business operations. Hulio proposed increasing sales to Israel's western allies (including U.S. law enforcement, the most lucrative prospective market), but the November 2021 U.S. blacklisting of NSO subsequently ended the company's prospects of breaking into the U.S. market (Hulio then devised a plan to split up the company in order to circumvent the U.S. sanctions). According to the Financial Times, NSO also seemed to have been abandoned by the previously doting Israeli government due to a proliferation of Israeli companies offering comparable technologies (including some established by former NSO employees). In a court filing, BRG described NSO as "valueless" to its private equity backers; in December 2021, a group of NSO creditors described NSO as insolvent in a letter to NSO's majority shareholders.

Two of the ousted co-founders attempted to reclaim control over Novalpina Capital's assets by filing a lawsuit in Luxembourg, with a U.K. court allowing the case to proceed to trial in April 2022. In an April 2022 letter, BRG told an EU committee investigating abuse of NSO's products that NSO's management had not been forthcoming in providing information about its business operations, including on the issue of the company's blacklisting in the U.S.

In the months after the November 2021 blacklisting of NSO by the U.S. Department of Commerce that resulted in a U.S. export ban for the company, and amid a campaign by the Israeli government to find a way to prevent the floundering NSO from going under, the U.S. Commerce Department sent a list of questions to NSO about how its spyware products operate. In 2022, L3Harris Technologies, a U.S. military contractor with experience in the spyware technology sector, was conducting talks on the possibility of acquiring NSO. L3Harris sought to acquire NSO's technology and code, with the acquisition of the company's employees discussed as well. L3Harris executives travelled to Israel to conduct the talks, which were not disclosed to the public. L3Harris reportedly told their NSO counterparts that they had the blessing and backing of the U.S. government and U.S. intelligence in pursuing the acquisition as long as the Pegasus source code and the cache of zero-day vulnerabilities uncovered by NSO could be passed on to the other intelligence agencies of the Five Eyes. The Israeli authorities were reportedly willing to fulfill the latter and reluctant to comply with the former, and also insisted that Israel ultimately retain control over issuing export licences for NSO's products. The Israeli authorities were also opposed to allowing L3Harris' employees to join NSO's development team in NSO's Israeli headquarters. The talks were revealed to the public by the press in June 2022, resulting in a scramble by the parties involved, with White House officials publicly condemning the negotiation in harsh terms, and L3Harris (which is heavily reliant on government contracts) reportedly notifying the U.S. government that they had abandoned the acquisition attempt. There were reportedly attempts to revive the negotiations in the weeks after the preceding negotiations were revealed by the press. An acquisition by a U.S.-based corporation could have lifted the blacklisting of NSO by the U.S., which had barred NSO from receiving exports from U.S. companies, hindering NSO's operations. Experts consulted by The Guardian said that due to the blacklisting of NSO Group, a new corporate entity would likely have had to be created before the U.S. government would allow the acquisition. A senior White House official commented anonymously for the article that made the secret acquisition negotiations public, stating that the White House had not been in any way involved in the deal, further stating that the U.S. government "opposes efforts by foreign companies to circumvent US export control measures or sanctions [...]".

In August 2022, Hulio stepped down from his post as CEO, with the company's COO Yaron Shohat temporarily assuming the role until a full-time replacement was to be named. Hulio's resignation from his post as CEO came amid a restructuring of the company as it attempted to focus on pursuing clients among NATO member countries. The reorganisation also entailed a downsizing of NSO's workforce, with 100 employees (out of a total of 750 employees) being let go.

In March 2023, it was reported that Omri Lavie had emerged in control of the company after multiple legal fights between NSO and a US financial firm called Treo, which previously controlled the equity fund that held a majority stake in the Israeli firm.

Foreign offices and export controls
In late 2020, Vice Media published an article in which it reported that NSO Group had closed the Cyprus-based offices of Circles, the company it had acquired in 2014. The article, based on interviews with two former employees, described the integration between the two companies as "awful" and stated that NSO would rely on Circles' Bulgarian office instead. According to Vice, this came just over a year after an activist group known as Access Now wrote to authorities in both Cyprus and Bulgaria, asking them to further scrutinise NSO exports. Access Now had stated that they had received denials from both the Bulgarian and Cypriot authorities, with both countries stating that they had not provided export licenses to the NSO Group. Despite this, an article written by The Guardian during the 2021 Pegasus scandal quoted NSO Group as saying that it had been "regulated by the export control regimes of Israel, Cyprus and Bulgaria". NSO's own "Transparency and Responsibility Report 2021", published about a month before the scandal, makes the same statement, adding that those were the three countries through which NSO exported its products. Circles' Bulgarian office, in particular, was stated to have been founded as a "bogus phone company" in 2015 by Citizen Lab, citing IntelligenceOnline, a part of Indigo Publications. This report was reprinted by the Bulgarian investigation publication Bivol in December 2020, which supplemented it with public registry documents which indicated that the company's Bulgarian office had grown to employ up to 150 people and had received two loans worth about 275 million American dollars in 2017 from two offshore companies and a Swiss bank registered in the Cayman Islands.

History
NSO was founded in 2010 by Niv Karmi, Omri Lavie, and Shalev Hulio. In 2012, the federal government of Mexico announced the signing of a $20 million contract with NSO. It was later revealed by a New York Times investigation that NSO's product was used to target journalists and human rights activists in the country.

NSO pitched its spyware to the Drug Enforcement Administration (DEA), which declined to purchase it due to its high cost.

In 2015, the company sold surveillance technology to the government of Panama. The contract later became the subject of a Panamanian anti-corruption investigation following its disclosure in a leak of confidential information from Italian firm Hacking Team.

In August 2016, NSO (through its U.S. subsidiary Westbridge) pitched its U.S. version of Pegasus to the San Diego Police Department (SDPD). In the marketing material, Westbridge emphasized that the company is U.S. based and majority owned by a U.S. parent company. An SDPD sergeant responded to the sales pitch with "sounds awesome". The SDPD declined to purchase the spyware as it was too expensive.

Around 2016, NSO reportedly sold Pegasus software to Ghana.

In June 2018, an Israeli court indicted a former employee of NSO for allegedly stealing a copy of Pegasus and attempting to sell it online for $50 million worth of cryptocurrency.

In August 2018, the human rights group Amnesty International accused NSO of helping Saudi Arabia spy on a member of the organization's staff.

In April 2019, NSO froze its deals with Saudi Arabia over a scandal alleging NSO software's role in tracking murdered journalist Jamal Khashoggi in the months before his death.

In May 2019, messaging service WhatsApp alleged that a spyware injection exploit targeting its calling feature was developed by NSO. WhatsApp stated that the exploit targeted 1,400 users in 20 countries, including "at least 100 human-rights defenders, journalists and other members of civil society". NSO denied involvement in selecting or targeting victims, but did not explicitly deny creating the exploit. In response to the alleged cyberattack, WhatsApp sued NSO.

In June 2019, NSO began setting up a test facility in New Jersey for the FBI, which had procured NSO's services, and began testing a version of Pegasus developed for U.S. government agencies to be used on U.S. phones. After two years of deliberations in the FBI and Department of Justice, the FBI decided not to deploy the tools for domestic use in the summer of 2021, with the New Jersey facility lying dormant as of early 2022. The DEA, Secret Service, and United States Africa Command had also held discussions with NSO, which however did not proceed beyond that stage.

In April 2020, Motherboard reported on an incident that occurred several years prior in which an NSO employee used a client's Pegasus tool to spy on a love interest (a female personal acquaintance) during a work trip to the UAE. The employee broke into the client's office outside of office hours to use the tool, prompting an alert and an investigation by the client. The employee was detained by authorities, and fired by NSO, Motherboard's sources said. Sources also told Motherboard that NSO leadership held a meeting to prevent similar incidents in the future, and subsequently adopted more rigorous screening of employees that interact with clients.

In July 2020, Motherboard reported that the US branch of NSO was pitching its brand of Pegasus to the US Secret Service during 2018.

In November 2021, the United States added the NSO Group to its Entity List for acting "contrary to the foreign policy and national security interests of the US", effectively banning the sale of hardware and software to the company. The listing deprived NSO of U.S. technology on which NSO relies, crippling its operations. Israeli officials subsequently unsuccessfully attempted to get the blacklisting overturned, and NSO reportedly tried and failed multiple times to meet with the U.S. Bureau of Industry and Security to attempt to obtain export waivers.

In December 2021, 86 human rights organisations sent a joint letter calling on the EU to impose global sanctions against NSO Group and seek to "prohibit the sale, transfer, export and import of the Israeli company's surveillance technology" due to the risks NSO's technology poses for human rights globally.

In January 2022, Calcalist published an investigatory piece detailing the widespread unlawful use of Pegasus by the Israeli Police. Although the Israeli Police formally denied this, some senior police officials have hinted that the claims were true. On February 1, the police admitted that there was, in fact, misuse of the software. On February 7, a second Calcalist report revealed that the warrantless surveillance was very widespread, including that of politicians and government officials, heads of corporations, journalists, activists, and even Avner Netanyahu, the son of then-Prime Minister, Benjamin Netanyahu. After outcry and calls for a state commission of inquiry, including from the current police commissioner himself, the Minister of Public Security (the minister responsible for the police), Omer Bar-Lev, announced that he will be forming a commission of inquiry, to be chaired by a retired judge, and whose powers will basically be indistinguishable from a state commission.

In September 2023, the Citizen Lab assessed with high confidence that an exploit of iOS 16.6 was being used to install Pegasus spyware on Apple devices without user interaction. Apple said that devices in Lockdown Mode were able to block the loophole and issued an update to fix the vulnerability.

Pegasus
NSO Group offers the smartphone spyware tool Pegasus to government clients for the exclusive intended purpose of combating crime and terrorism. The first version of Pegasus was finalised in 2011. Pegasus spyware is classified as a weapon by Israel and any export of the technology must be approved by the government. The Israeli Ministry of Defense licenses the export of Pegasus to foreign governments, but not to private entities.

Pegasus is compatible with iPhone and Android devices. It can be deployed remotely. Once deployed, it allows the client to access the target phone's data and sensors, including: location data, texts, emails, social media messages, files, camera, and microphone. The client-facing side of the tool is user friendly, and all that may be required (depending upon the case) of the client to begin deployment of Pegasus is to enter the target's phone number into the tool.

Phantom
Phantom is a phone hacking product marketed by Westbridge, the United States branch of NSO Group. According to a former NSO employee, "Phantom" is the brand name for Pegasus in the U.S., but the two tools are otherwise identical. Israel required NSO Group to program Pegasus so as not to be able to target US phone numbers. NSO then launched Phantom for the U.S. market for use on U.S. targets, receiving permission from Israel to develop it as a specialty tool for exclusive use by U.S. governmental agencies.

Circles
In 2014, the surveillance firm Circles was acquired by Francisco Partners, becoming a corporate affiliate of NSO Group. Circles' product is a phone geolocation tool. The firm has two systems. One operates by connecting to the purchasing country's local telecommunications companies’ infrastructure. The other separate system, known as the “Circles Cloud”, is capable of interconnecting with telecommunications companies across the globe.

In December 2020, the Citizen Lab reported that the Supreme Council on National Security (SCNS) of the United Arab Emirates was set to receive both these systems. In a lawsuit filed against the NSO Group in Israel, emails revealed links between Circles and several customers in the United Arab Emirates. Documents also revealed that Circles sent targets’ locations and phone records to the UAE SCNS. Aside from Israel and the UAE, the report named the governments of Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Vietnam, Zambia, and Zimbabwe as likely customers of Circles surveillance technology.

In September 2021, Forensic News published shipping records showing that in 2020 Circles supplied equipment to Uzbekistan's State Security Service (SGB).

Use of undercover private investigators to pursue critics
In October 2018, Associated Press reported that two Citizen Lab researchers were being pursued by undercover operatives with false identities. The undercover agents had been inquiring about their work involving NSO Group, and also appeared to be trying to goad the researchers into making anti-Semitic or otherwise damaging remarks. After growing suspicious, one researcher contacted AP reporters. Together, they managed to arrange a sting during a meeting with a suspected undercover operative at a hotel luncheon with AP journalists secretly awaiting nearby; after the journalists approached the operative to question him, the operative fled, bumping into chairs and circling the room as he tried to get away. There also appeared to be two additional undercover operatives in the room. The operative that met the researcher appeared to be filming the researcher with a hidden camera during the meeting, and one of the operatives standing nearby appeared to be recording the meeting as well. The operative was later identified as a former Israeli security official. Responding to the AP report, NSO denied any involvement. It was later also uncovered that the identified undercover agent had previously worked on a case linked to the Israeli private intelligence agency Black Cube; NSO Group subsequently denied contracting Black Cube, and Black Cube denied involvement as well.

In February 2019, Associated Press reported that at least four more individuals - three lawyers involved in lawsuits against NSO Group for alleged sales of NSO spyware to governments with poor human rights records, and one journalist who had been covering said litigation - were being pursued by undercover operatives for their work on NSO. Undercover agents again tried to goad the individuals into making racist or anti-Israel remarks. Two of the individuals were surreptitiously recorded by the undercover operatives. Channel 12, an Israeli television channel, obtained and aired the secret recordings made by the undercover operatives shortly before the AP published the revelations. Channel 12 claimed the two individuals were attempting to smear NSO Group on behalf of Qatar. Channel 12 also confirmed that Black Cube undercover investigators were involved.

WhatsApp lawsuit
In May 2019, messaging service WhatsApp alleged that a spyware injection exploit targeting its calling feature was developed by NSO. Victims were exposed to the spyware payload even if they did not answer the call. WhatsApp told the Financial Times that "the attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems." NSO denied involvement in selecting or targeting victims, but did not explicitly deny creating the exploit. In response to the alleged cyberattack, WhatsApp sued NSO under the Computer Fraud and Abuse Act and other US laws in a San Francisco court on October 29. WhatsApp stated that the exploit targeted 1,400 users in 20 countries, including "at least 100 human-rights defenders, journalists and other members of civil society". WhatsApp alerted the 1,400 targeted users. In at least one case, the surveillance was authorized by a judge.

NSO employees had complained to WhatsApp about improved security, according to the court filings by WhatsApp and its parent company Facebook:

"On or about May 13, 2019, Facebook publicly announced that it had investigated and identified a vulnerability involving the WhatsApp Service . WhatsApp and Facebook closed the vulnerability, contacted law enforcement, and advised users to update the WhatsApp app. Defendants subsequently complained that WhatsApp had closed the vulnerability. Specifically, NSO Employee 1 stated, 'You just closed our biggest remote for cellular ... It's on the news all over the world.'"

In April 2020, NSO Group blamed its government clients for the hacking of 1,400 WhatsApp users, including journalists and human rights activists. However, the firm did not disclose the names of the clients which, as Citizen Lab stated, include authorities in Saudi Arabia, UAE, Bahrain, Kazakhstan, Morocco, and Mexico. In court filings, WhatsApp alleged that its investigation showed that the hacks originated from NSO Group servers rather than its clients'. WhatsApp said "NSO used a network of computers to monitor and update Pegasus after it was implanted on users' devices. These NSO-controlled computers served as the nerve centre through which NSO controlled its customers' operation and use of Pegasus." WhatsApp said that NSO gained "unauthorised access" to WhatsApp servers by reverse-engineering the WhatsApp app to be able to evade security features. NSO responded "NSO Group does not operate the Pegasus software for its clients".

Apple lawsuit
In November 2021, Apple Inc. filed a complaint against NSO Group and its parent company Q Cyber Technologies in the United States District Court for the Northern District of California about the FORCEDENTRY exploit used to deploy the Pegasus spyware package, requesting injunctive relief, compensatory damages, punitive damages, and disgorgement of profits. The "zero-click" exploit was discovered by the Canadian Citizen Lab after Saudi activist Loujain al-Hathloul's iPhone was hacked. Technical information uncovered by Bill Marczak's team at the lab allowed Apple to warn thousands of its users, including U.S. State Department employees in Uganda. Researchers also discovered that spyware from QuaDream, another Israeli vendor, took advantage of the same vulnerability in iPhones.