NEW YORK - The Biden administration took a public stand last year against the abuse of spyware to target human rights activists, dissidents and journalists: It blacklisted the most notorious maker of the hacking tools, Israeli firm NSO Group.
But the global industry for commercial spyware – which allows governments to invade mobile phones and vacuum up data – continues to boom. Even the United States government is using it.
The Drug Enforcement Administration is secretly deploying spyware from a different Israeli firm, according to five people familiar with the agency’s operations, in the first confirmed use of commercial spyware by the federal government.
At the same time, the use of spyware continues to proliferate around the world, with new firms – which employ former Israeli cyberintelligence veterans, some of whom worked for NSO – stepping in to fill the void left by the blacklisting. With this next generation of firms, technology that once was in the hands of a small number of nations is now ubiquitous – transforming the landscape of government spying.
One firm, selling a hacking tool called Predator and run by a former Israeli general from offices in Greece, is at the centre of a political scandal in Athens over the spyware’s use against politicians and journalists.
Predator was found to have been used in a dozen more countries since 2021, illustrating the continued demand among governments and the lack of robust international efforts to limit the use of such tools.
The Times investigation is based on an examination of thousands of pages of documents – including sealed court documents in Cyprus, classified parliamentary testimonies in Greece and a secret Israeli military police investigation – as well as interviews with more than two dozen government and judicial officials, law enforcement agents, business executives and hacking victims in five countries.
The most sophisticated spyware tools – like NSO’s Pegasus – have “zero-click” technology, meaning they can stealthily and remotely extract everything from a target’s mobile phone without the user having to click on a malicious link to give Pegasus remote access. They can also turn the mobile phone into a tracking and secret recording device, allowing the phone to spy on its owner.
But hacking tools without zero-click capability, which are considerably cheaper, also have a significant market.
Commercial spyware has been used by intelligence services and police forces to hack phones used by drug networks and terrorist groups. But it has also been abused by numerous authoritarian regimes and democracies to spy on political opponents and journalists.
This has led governments to a sometimes tortured rationale for their use – including an emerging White House position that the justification for using these powerful weapons depends in part on who is using them and against whom.
The Biden administration is trying to impose some degree of order to the global chaos, but in this environment, the United States has played both arsonist and firefighter. Besides the DEA’s use of spyware – in this case, a tool called Graphite, made by Israeli firm Paragon – the CIA during the Trump administration purchased Pegasus for the government of Djibouti, which used the hacking tool for at least a year.
For more than a decade, NSO sold Pegasus to spy services and law enforcement agencies around the world. The Israeli government required the company to secure licenses before exporting its spyware to a particular law enforcement or intelligence agency.
This allowed the Israeli government to gain diplomatic leverage over countries eager to purchase Pegasus, such as Mexico, India and Saudi Arabia. But a mountain of evidence about the abuse of Pegasus piled up.
The Biden administration took action. A year ago, it placed NSO and another Israeli firm, Candiru, on a Commerce Department blacklist – banning US companies from doing business with the hacking firms.
In October, the White House warned of the dangers of spyware in its national security strategy outline, which said the administration would fight the “illegitimate use of technology, including commercial spyware and surveillance technology, and we will stand against digital authoritarianism.”
Congress is working on a bipartisan bill requiring the director of national intelligence to produce an assessment of the counterintelligence risks to the United States posed by foreign commercial spyware. The bill would also give the director of national intelligence the authority to ban the use of spyware by any intelligence agency.
But there are exceptions. The White House is allowing the DEA to continue its use of Graphite, the hacking tool made by Israel-based Paragon, for its operations against drug cartels.
A senior White House official, who spoke on condition of anonymity, said the White House executive order being prepared would target spyware that posed “counterintelligence and security risks” or had been used improperly by foreign governments. If any such evidence emerged against Paragon, the official said, the White House expects that the government would terminate its contract with the company.
“The administration has been clear that it will not use investigative tools that have been used by foreign governments or persons to target the U.S. government and our personnel, or to target civil society, suppress dissent or enable human rights abuses,” the official said. “We expect all departments and agencies to act consistent with this policy.”
Similar to Pegasus, the NSO tool, Graphite spyware can invade the mobile phone of its target and extract its contents. But unlike Pegasus, which collects data stored inside the phone itself, Graphite primarily collects data from the cloud after data is backed up from the phone.
The Biden administration’s move to blacklist NSO and Candiru has had a financial impact. To prevent the blacklisting of other companies, Israel’s Defence Ministry has imposed tougher restrictions on the local cybersecurity industry, including by reducing the number of countries to which those companies can potentially sell their products to 37 from 110, according to two senior Israeli officials and an Israeli tech company executive.
With fewer countries available as potential buyers, many Israeli spyware companies, most famously NSO, have taken a severe financial hit. Three others have gone bankrupt.
This new landscape, however, provided new opportunities for others to seize.
Tal Dilian did just that.
A former general in Israeli military intelligence, Mr Dilian was forced to retire from the Israeli Defence Forces in 2003 after an internal investigation raised suspicions that he had been involved in funds mismanagement, according to three people who were senior officers in military intelligence. He eventually moved to Cyprus, a European Union island nation that has become a favoured destination in recent years for surveillance firms and cyberintelligence experts.
In 2008 in Cyprus, Mr Dilian co-founded Circles, a company that used an Israeli-perfected snooping technology known as Signaling System 7. He sold it off and went on to set up other companies selling surveillance products.
He prided himself on recruiting the best hackers, including former spyware experts from the Israeli military’s most elite cyberintelligence unit.
After Mr Dilian was forced to decamp from Cypruse, he went to Athens to set up Intellexa there in 2020, which is when he began to aggressively market his new spyware product, Predator.
Predator requires the targeted user to click on a link to infect the user’s phone, whereas Pegasus infects the phone without any action from the target. That means Predator requires more creativity to entice already wary targets to click.
Predator infections come in the form of carefully crafted, personalised instant messages and infected links mimicking established websites. Once the phone is infected, the spyware has many of the same snooping capabilities of Pegasus, according to experts. An investigation into Predator by Meta listed about 300 such sites that experts had found were used for Predator infections.
According to confidential employment records reviewed by the Times as well as staff LinkedIn profiles, the company hired at least eight Israelis, several of whom had a background in the country’s intelligence services.
Meta, as well as the University of Toronto’s Citizen Lab, a cybersecurity watchdog organisation, detected Predator in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, Serbia, Colombia, Ivory Coast, Vietnam, the Philippines and Germany. These locations were determined through internet scans for servers known to be associated with the spyware. NYTIMES