NEW YORK (NYTIMES) - The man in charge of Saudi Arabia's ruthless campaign to stifle dissent went searching for ways to spy on people he saw as threats to the kingdom. He knew where to go: a secretive Israeli company offering technology developed by former intelligence operatives.
It was late 2017 and Mr Saud al-Qahtani - then a top adviser to Saudi Arabia's powerful crown prince - was tracking Saudi dissidents around the world, part of his extensive surveillance efforts that ultimately led to the killing of journalist Jamal Khashoggi.
In messages exchanged with employees from the company, NSO Group, Mr al-Qahtani spoke of grand plans to use its surveillance tools throughout the Middle East and Europe, like Turkey and Qatar or France and Britain.
The Saudi government's reliance on a firm from Israel, an adversary for decades, offers a glimpse of a new age of digital warfare governed by few rules and of a growing economy, now valued at US$12 billion (S$16.2 billion), of spies for hire.
Today, even the smallest countries can buy digital espionage services, enabling them to conduct sophisticated operations like electronic eavesdropping or influence campaigns that were once the preserve of major powers like the United States and Russia.
Corporations that want to scrutinise competitors' secrets, or a wealthy individual with a beef against a rival, can also command intelligence operations for a price, akin to purchasing off-the-shelf elements of the National Security Agency or Mossad.
NSO and a competitor, Emirati firm DarkMatter, exemplify the proliferation of privatised spying. A months-long examination by The New York Times, based on interviews with current and former hackers for governments and private companies and others as well as a review of documents, uncovered secret skirmishes in this world of digital combat.
The firms have enabled governments not only to hack criminal elements like terrorist groups and drug cartels but also in some cases to act on darker impulses, targeting activists and journalists. Hackers trained by US spy agencies caught American businesspeople and human rights workers in their net. Cyber mercenaries working for DarkMatter turned a baby monitor into a spy device.
The FBI is investigating current and former American employees of DarkMatter for possible cybercrimes, according to four people familiar with the investigation. The inquiry intensified after a former NSA hacker working for the company grew concerned about its activities and contacted the FBI, Reuters reported.
The rapid expansion of this global high-tech battleground has prompted warnings of a dangerous and chaotic future.
"Even the smallest country, on a very low budget, can have an offensive capability", or initiate online attacks against adversaries, said Mr Robert Johnston, founder of cyber-security firm Adlumin and a key investigator on Russia's 2016 hacking of the Democratic National Committee.
A SECURITY GAP, EXPLOITED
Before NSO helped the Saudi government track its adversaries outside the kingdom, and helped the Mexican government hunt drug kingpins, and earned hundreds of millions of dollars working for dozens of countries on six continents, the company consisted of two high school friends in northern Israel.
Using technology developed by graduates of Intelligence Unit 8200 - Israel's equivalent of the NSA - Mr Shalev Hulio and Mr Omri Lavie started a company in 2008 that allowed cellphone firms to gain remote access to their customers' devices to perform maintenance.
Word spread to Western spy services, whose operatives spotted an opportunity. At the time, US and European officials were warning that Apple, Facebook, Google and other tech giants were developing technologies that allowed criminals and terrorists to communicate through encrypted channels indecipherable to intelligence and law enforcement agencies.
Mr Hulio and Mr Lavie offered a way to circumvent this problem by hacking the end points of the communications - the phones themselves - after the data was decrypted.
By 2011, NSO had developed its first prototype, a mobile surveillance tool the company called Pegasus. NSO's tool could do something seemingly impossible: collect vast amounts of previously inaccessible data from smartphones in the air without leaving a trace - including phone calls, texts, e-mail, contacts, location and any data transmitted over apps like Facebook, WhatsApp and Skype.
"Once these companies invade your phone, they own it. You're just carrying it around," Mr Avi Rosen of Kaymera Technologies, an Israeli cyber-defence company, said of NSO and its competitors.
The company soon had its first client for Pegasus: the government of Mexico, which was engaged in a crackdown on drug cartels. By 2013, NSO had installed Pegasus at three Mexican agencies, according to e-mails obtained by The Times. The e-mails estimated that, altogether, the firm had sold the Mexican government US$15 million worth of hardware and software. Mexico was paying the firm some US$77 million to track a wide array of targets' every move and swipe of their phone.
SPYING ON CITIZENS
NSO's first client, the Mexican government, was also using the hacking tools for darker purposes - as part of a broader government and industry surveillance effort. The government used NSO products to track at least two dozen journalists, government critics, international investigators looking into the unsolved disappearance of 43 students, even backers of a soda tax, according to Times investigations and research by Citizen Lab, part of the University of Toronto.
Those targets were subjected to a stream of harassing text messages that contained malware. Some messages warned that their spouses were having affairs, others that a relative had passed away.
Though NSO says it sells its services for criminal and anti-terrorism investigations, none of the Mexicans known to have been targeted were suspected in criminal or terrorism investigations.
"NSO technology has helped stop vicious crimes and deadly terrorist attacks around the world," the company said in a statement. "We do not tolerate misuse of our products and we regularly vet and review our contracts to ensure they are not being used for anything other than the prevention or investigation of terrorism and crime."
The company has established an ethics committee, which decides whether it can sell its spyware to countries based on their human rights records as reported by global organisations like the World Bank's human capital index, and other indicators.
NSO would not sell to Turkey, for example, because of its poor record on human rights, current and former employees said.
But on the World Bank index, Turkey ranks higher than Mexico and Saudi Arabia, both NSO clients. A spokesman for Israel's Ministry of Defence, which needs to authorise any contract that NSO wins from a foreign government, declined to answer questions about the company.
SPYING ON AMERICANS
The proliferation of companies trying to replicate NSO's success and compete in what Moody's estimates is a US$12 billion market for lawful intercept spyware has set off a fierce competition to hire American, Israeli and Russian veterans of the world's most sophisticated intelligence agencies - and for the companies to poach talent from one another.
DarkMatter has origins in another company, an American firm called CyberPoint that years ago won contracts from the United Arab Emirates to help protect the Emirates from computer attacks. CyberPoint obtained a licence from the US government to work for the Emiratis, a necessary step intended to regulate the export of military and intelligence services. Many of the company's employees had worked on highly classified projects for the NSA and other US intelligence agencies.
But the Emiratis had outsize ambitions and repeatedly pushed CyberPoint employees to exceed the boundaries of the company's American licence. CyberPoint rebuffed requests by Emirati intelligence operatives to try to crack encryption codes and to hack websites housed on American servers - operations that would have run afoul of US law.
So in 2015, the Emiratis founded DarkMatter - forming a company not bound by US law - and lured at least a half-dozen American employees of CyberPoint to join. Mr Marc Baier, a former official with the NSA unit that carries out advanced offensive cyber operations, became one of the firm's top executives. DarkMatter employed several other former NSA and CIA officers, according to a roster of employees obtained by The Times, some making salaries of hundreds of thousands of dollars a year.
DarkMatter is effectively an arm of the state that has worked directly with Emirati intelligence operatives on numerous missions such as hacking government ministries in Turkey, Qatar and Iran and spying on dissidents inside the Emirates. Besides its breaches of foreign government ministries, DarkMatter also broke into Gmail, Yahoo and Hotmail accounts, according to former employees.
The company did not respond to a request to comment, nor did a spokesman for the Emirati government. Asked whether the ministry had given a licence for the former Israeli intelligence operatives working for DarkMatter, a spokesman for the Israeli Ministry of Defence declined to comment. A lawyer for Baier also declined to comment.
Current and former employees of the spy agency have a lifelong obligation to protect the US' secrets, said Mr Greg Julian, a spokesman for the NSA.
The Justice Department's case, run by prosecutors in Washington, focuses on Internet fraud and the possibly illegal transfer of spying technology to a foreign country. But the prosecutors face headwinds, including diplomatic concerns about jeopardising the US' relationship with the UAE and worries about how pursuing the case could expose embarrassing details about the extent of the cooperation between DarkMatter and US intelligence agencies.
And there is the reality that US laws governing this new age of digital warfare are murky, outdated and ill-equipped to address rapid technological advances.
"You've got a lot of people entering the arena that are new and don't play by the same rules," said Mr Brian Bartholomew, principal security researcher at Kaspersky Lab, a digital security company.
"It's like putting a military-grade weapon in the hands of someone off the street."
