Israel’s private cyberattack sector has rocked global headlines in recent years, whether praised for stopping ISIS terrorism or scorned for facilitating human rights violations. But with all of the ups and downs, sometimes where things stand and where things are going seem covered in a thick haze.
The Magazine recently interviewed a wide range of key sources in or observing this sector (mostly anonymously, due to sensitivities) to cut through to the heart of the issues. It became clear that there are at least four trends and countertrends which will determine the fate of the sector.
Until November 2021, Israel’s cyber offense firms seemed to be expanding without limits, and years of media and human rights criticism had at most affected the industry’s tactics, but not at a strategic level.
Between 2011 and 2023, at least 74 governments contracted with commercial firms to obtain spyware or digital forensics technology, according to data collected by the Carnegie Endowment for International Peace.
According to the Carnegie Endowment report, autocratic regimes were much likelier than democracies to purchase commercial spyware or digital forensics. Its statistics showed that 44 regimes classified as closed autocracies or electoral autocracies purchased surveillance technologies during the relevant years, as compared to 30 electoral democracies or liberal democracies.
Those statistics are interesting, but most significantly, the report crowned Israel as the leading exporter of spyware and digital forensics tools documented in its global inventory. It said 56 out of 74 governments have bought their commercial spyware from Israeli firms or Israel-connected firms, such as NSO Group, Cellebrite, Cytrox (connected to Intellexa) and Candiru. (The report likely has less visibility into how widespread such tools from autocratic countries like China or Russia are.)
But in November 2021, when the US Commerce Department put Israeli cyber offense firms NSO Group and Candiru on what is effectively a blacklist (no formal global sanctions, but blocked from doing business in the US and tagged with a loud label of disapproval), both companies, and the sector in general in the Jewish state, suffered a body blow.
It did not help that, over time, NSO kept changing how many of its clients had violated the cyber tool limitations it had imposed on them as part of the licensing contract – from three countries, to five, to 10.
That is trend No. 1.
Trend No. 2 is that no matter how badly the US, the global media and human rights groups disliked NSO and some of the other Israeli players in the field, the Israeli defense establishment was deep in their corner to help at least some of them survive.
What is surprising about this trend is that, within Israel, it was bipartisan, with everyone from Naftali Bennett to Benny Gantz to Benjamin Netanyahu supporting the sector and deemphasizing regulation.
The Magazine has learned that NSO, in the hope of getting off the list, and likely in coordination with Israeli officials, even developed a major new aspect to its technology to be able to immediately identify any time a client tries to use its tools to hack a government cellphone.
However, after several months, it became clear that Israeli governmental support alone would not help NSO Group and others survive.
Despite any fighting on behalf of the sector, many in the sector feel that Israeli government officials failed to sufficiently go to the mat for them.
And yet, the Magazine learned that surprising trend No. 3 is that NSO Group and some other cyber firms were saved by none other than Europe.
Yes, there was an earlier stage where NSO and other Israeli firms made a ton of money from new Abraham Accords countries like the UAE, Bahrain and Morocco, even with some Israeli technology being sold to Saudi Arabia. But after November 2021, the Defense Ministry blocked the firms from selling to most of these and other autocratic countries. With only a few dozen countries still permitted, the crucial remaining clientele was European.
Despite the EU often being a leading critic of Israel regarding human rights, the Magazine has exclusively seen multiple emails from clients from Western European countries thanking NSO for its assistance as recently as February 10 of this year.
In the February 10 email, the official (virtually all of NSO’s clients are government law enforcement or intelligence agencies) said that the company’s technological services had an enormous impact on “our society.”
Moreover, in a January 23 email from a separate client which is also a Western European country, the client said that NSO’s technology had helped lead to the confiscation of a large volume of drugs and explosives and probably even the prevention of a murder.
NSO has experienced serious shock waves. Its longtime CEO and face of the company, Shalev Hulio, was finally forced out a few months ago. But despite that and several months when it toyed with the idea of switching to a cyber defense company, the Magazine has learned that NSO is sticking almost entirely to cyber offense and that it has made a comeback, defying the numerous bankruptcy predictions.
It may not return to the level of dominance, profitability and power it reached in its heyday, but since it has not lost a single European client, the Magazine understands it also is not leaving the world stage anytime soon.
After meeting with certain EU officials in Brussels in February, I understood that they often separate the questions of public criticism of human rights and doing business when it comes to Israel and other countries in the Middle East, even if they are not democratic.
Incidentally, the reason that NSO is unlikely to regain its former stature is not only that it has failed for around 18 months to get off the US Commerce Department’s blacklist. It is also that its fall left room for new competitors to pick up all the autocratic state business that NSO was forced to shed.
All of this brings us to the fourth trend, the new notorious names making rounds in the media since mid-2022, such as Tal Dilian’s Intellexa and associated entities.
Like many of those who have run NSO, Dilian is a graduate of Israeli Military Intelligence.
In an extensive Lawfare blog post on March 24, Winnona DeSombre Bernsen – who previously spent five years in the cyber threat intelligence industry tracking nation-state and criminal cyber threats (at Google and Recorded Future) – detailed how Dilian stepped into areas of NSO’s business.
Dilian was once a founder of an NSO subsidiary but went his own way almost a decade ago and created Intellexa. Dilian has been accused of not bothering with even the partial measures that NSO may have tried to use to mitigate human rights violations – or at least to mitigate the company’s exposure to its clients violating rights.
According to many reports and even some official criminal probes in Greece, Dilian has used a mix of hacking technologies and psychological warfare on behalf of many of the countries that NSO eventually cut off because they abused its hacking tools. He has also, according to those reports, done business with other autocratic governments which NSO deemed too volatile even before any governments were in its face.
According to one account, both Dilian and NSO set up booths in the UAE at one of various recent security conferences there. As representatives of autocratic country after country were told by NSO representatives that they were not even allowed to speak to them, client after client then disappeared into Dilian’s booth for extended conversations.
In an extensive report by the Carnegie Endowment for International Peace from March 14, Dilian’s talent at making it either hard or impossible to track and penalize Intellexa was clearly highlighted.
Quoting the Lighthouse Reports, the Carnegie Endowment noted that “three companies called Intellexa were registered, in Greece, Ireland and the British Virgin Islands. All three were owned by an Irish holding company, Thalestris. As Inside Story dug into company registers in Greece and Cyprus, they found that Thalestris also controlled companies named Apollo, Hermes, Mistrona, Dernova, Lorenco and Feroveno – some of which were seemingly registered to a rubble-strewn vacant lot in downtown Limassol.”
Furthermore, “Thalestris, in turn, was partly dependent on money from another Virgin Islands entity, Chadera Enterprises, which – behind a veil of anonymity – was ultimately controlled by Dilian and two of his associates.”
The Carnegie Endowment report also said that the EU is hopelessly split between countries that are trying to start to move toward greater oversight of cyber offense firms on one side, versus countries such as Bulgaria, Cyprus, Greece, Hungary, Italy and Malta, which are havens for spyware companies and are often trying to attract more such firms.
As a result of such firms changing corporate names and country headquarters, when law enforcement focuses on individual companies and individual countries, enforcement becomes a futile game of whack-a-mole. Either the founders behind the company, or some portion of the company’s employees with a sufficient mix of technical and sales talent, will generally regroup under a new name or in a new place, leaving regulators scratching their heads.
There is another wrinkle in this fourth trend of new players who could make it harder for the entire Israeli cyber offense sector to keep its name clean, or at least avoid a certain threshold of dirt that harms the business.
The latest name from this group is Team Jorge.
If some Israelis thought that a mix of criminal probes and negative media coverage would start to push Dilian out of the headlines and limit the harm he might bring on other companies in hurting Israel’s brand, Team Jorge may make the reputational damage attributed to Dilian look minuscule.
According to a report by The Guardian and a range of other global media on February 15, Team Jorge is a team of Israeli contractors, including former intelligence and special forces officials, who are responsible for having manipulated more than 30 elections around the world through hacking, sabotage and automated misinformation.
This is the part where any Israeli detractors, hard-core privacy activists and competitors from other countries pounce to toss Team Jorge in with NSO and Dilian. All three companies, they say, come from graduates of Israel’s intelligence community gone wild. And if Israel cannot restrain its former intelligence officials, an alliance of international media, human rights activists and government officials fighting for privacy rights, or competitors of Israel, will use this label to put all of these Israeli firms in their place.
There is one problem with this theory: NSO’s expertise is only in hacking, and Dilian is also mostly focused on hacking, according to various reports, sprinkling in some psychological warfare as a sideshow.
In contrast, Team Jorge’s primary expertise is social influence campaigns and psychological warfare, with maybe some occasional hacking as tactical support.
In other words, if Israel or some other country would want to stop former Israeli intelligence officials who are making headlines from doing what they do, they would be dealing with completely different phenomena with NSO/Dilian versus Team Jorge.
To stop a company like NSO, the Lawfare blog post said, export license regulations are only a fraction of the answer. The problem with export licenses, said the blog post, is that those rules are made for physical items which need to be shipped and leave a clearer physical trail to track and follow. Cyber products can be moved around with much less of a physical trail and can be relabeled much more easily as a “network traffic management system.”
Given that there is less or nothing physical to inspect, some companies just assume that EU export license officers will not follow up on whatever paperwork they file. Still others just export their products without filing a license.
The Israeli firm NFV Systems was shut down recently – but only after it got away with selling surveillance technology without a license for about five years.
Some shady firms use intermediaries in other countries to sell to authoritarian countries so that they will not need to pack up if they get caught by their home country because legally, there is nothing to catch.
Various reports say that Israeli company Quadream sells its primary hacking tool through a sister company in Cyprus that holds Quadream stock and sells Quadream tools but is not Israeli and therefore is not under the jurisdiction of the Israeli Defense Ministry’s export laws.
Some cyber and intelligence professionals would say that despite whatever mistakes NSO or Cellebrite or others have made, the fact that they sell their products with some oversight is better than the Chinese or the Russians with no oversight.
In other words, removing Israeli firms would not mean fewer cyber offensive weapons being sold around the world. It would just mean they would be sold by others. If Dilian replaced NSO in some cases, China and Russia could replace Dilian.
That might be the worst-case scenario, but still other Israelis with cyber intelligence backgrounds say that sometimes when the US shoved Israeli companies out, they were replaced by US competitors. Whether the US competitors might be more careful or ethical than Israeli competitors can be debated (there have been extensive exposés of ex-US intelligence officials going rogue, working for autocratic states), but such a replacement definitely would raise questions about the ethics of the US move.
None of this even touches the Team Jorge problem, which has to do with social media influence, or more simply: lying to lots of people online.
The Guardian, in partnership with 30 media outlets worldwide, reported that Team Jorge, led by former Israeli special forces operative Tal Hanan, overlaps with Demoman International (where Hanan is CEO), a company endorsed by the Defense Ministry.
Allegedly, Team Jorge offers its services to those looking to meddle in elections worldwide, as well as to corporate clients. In addition, reports said that a key component of the team’s efforts to sway election outcomes is through social media.
According to The Guardian, Team Jorge used software known as Advanced Impact Media Solutions. This software controls over 30,000 fake social media profiles, all of which are used to spread disinformation or propaganda at high speed.
Team Jorge allegedly uses a “blogger machine” that creates websites which its fake social media accounts can use to increase the distribution capacity of its propaganda exponentially.
Going way beyond NSO’s technological activities, the report said that the team sabotaged one election campaign by sending “a sex toy delivered via Amazon to the home of a politician, with the aim of giving his wife the false impression he was having an affair.”
Once again, none of the above likely involves former Israeli intelligence officials disclosing classified information.
The endless (futile?) regulation maze
If the main issue, then, is lying, since when did it become illegal for politicians to lie?
Lying and promoting false rumors during election campaigns are unfortunately as old as campaigning, and certainly much older than today’s fancy technologies, let alone massive social media machines.
However, ever since Russia interfered with the US election in 2016 and in other elections across the globe, many democracies started to define large social media campaigns, especially if they are run by foreigners, as not only a crime but a severe threat to national security.
And yet this shift in public opinion probably has not gone anywhere near far enough to lead to a comprehensive crackdown by EU countries on Israel’s cyber offense sector.
In February, the Magazine and some other reporters met with top EU officials to discuss the dangers of social media influence campaigns.
A major, thorough EU report noted that whereas China might distort day-to-day local news and “tactical” facts, Russia was ready to distort whole wider narratives which might encompass months or years of global historical events.
The Magazine pressed certain EU officials about whether they would be willing to block the wider Russian distortions, especially if it could be demonstrated that these distortions were linked to sanctionable or war crimes activities in Ukraine.
The response was an ode to the importance of free speech, even in the face of such massive and destructive Russian distortions.
And these were the kinds of officials who were more worried about privacy, as opposed to EU intelligence officials, who certainly consider privacy but whose main job is national security.
The Lawfare blog post seemed to hope to rally the EU, and later the US, to better define what activities could be listed as illegal. If anyone tries to apply this in the area of social media influence campaigns, it might be even harder than getting these countries to clearly state what kinds of cyber hacking business activities are illegal.
The Magazine has found that, among Israeli government and defense officials, there is little appetite for a law to prohibit the country’s former intelligence officials from engaging in certain activities, even if those activities are not specifically defined as criminal. In fact, we understand that Israeli government officials’ appetite for even more basic regulation enforcing privacy standards for Israeli citizens in the commercial Israeli sector is weaker today than in the past.
Israel would like to allow cyber activities that hack “bad guys” and help foreign law enforcement and intelligence agencies, or social media campaigns that undermine regimes like the Islamic Republic of Iran. But how to do so while reining in some very similar activities that Israel would find undesirable?
Given Israel’s desire to allow cyber activities against bad guys, Israeli officials may be willing to continue to take the occasional black eye and embarrassing situation, to keep the Jewish state at or near the top of the cyberwarfare game.
For its part, NSO is smaller than before but has stabilized and survived. But even if it does someday exit the arena, the record almost certainly indicates that another Israeli competitor would take its place.