New NSO CEO steps aside, crisis surrounding Israeli cyber firm continues

The US Commerce Department announced last week that it had added the cyber offense firms NSO Group and Candiru to its blacklist.

 NSO GROUP branch in the Arava Desert. Picture taken with a drone.  (photo credit: AMIR COHEN/REUTERS)
NSO GROUP branch in the Arava Desert. Picture taken with a drone.
(photo credit: AMIR COHEN/REUTERS)

Former Partner CEO Isaac Benbenisti dropped out of becoming NSO Group’s CEO, a position in which he would have replaced founding CEO Shalev Hulio.

A source close to NSO said that Hulio would remain CEO to help stabilize the company during this uncertain time. There has been no announcement yet that Benbenisti, who already is a senior official in NSO’s business division, was resigning.

The decision on Thursday regarding Benbenisti and Hulio follows last week’s announcement by the US Commerce Department to blacklist NSO; a major report this week that NSO technology was used by the Shin Bet (Israel Security Agency) to spy on Palestinian rights activists who are alleged to double as terror financiers; a conviction on Wednesday night of a Spanish-Palestinian activist for terror financing; and an escalating fight between Israel and the US over issues surrounding NSO and Palestinian NGOs.

The Commerce Department announced last week that it had added the cyber offense firms NSO Group and Candiru to its blacklist, for engaging in “activities that are contrary to the national security or foreign policy interests of the United States.”

At the same time, France and Israel had seemed to move on from tensions over the alleged targeting of French President Emmanuel Macron’s phone using NSO’s Pegasus software, with a planned ministerial-level bilateral meeting this week.

ISRAELI CYBER firm NSO Group’s exhibition stand is seen at ISDEF 2019, an international defense and homeland security expo held in Tel Aviv in 2019. (credit: KEREN MANOR)
ISRAELI CYBER firm NSO Group’s exhibition stand is seen at ISDEF 2019, an international defense and homeland security expo held in Tel Aviv in 2019. (credit: KEREN MANOR)

Four companies were added to the list: NSO Group and Candiru of Israel, Positive Technologies of Russia, and Computer Security Initiative Consultancy PTE Ltd. from Singapore, the department said in a statement.

The State Department said the companies trafficked in cyber tools used to gain unauthorized access to computer networks, though it later added that it will not sanction NSO in any way, despite it being on the blacklist, and will not take any action against any of the companies’ host-governments.

The addition of the companies to the list for engaging in activities contrary to US national security or foreign policy interests means that exports to them from US counterparts are restricted. For instance, it makes it far harder for US security researchers to sell them information about computer vulnerabilities.

However, from a bare economic perspective, it is more of a public relations problem since NSO does not do any business in the US.

News outlets across the world reported in July on a leaked list of about 50,000 phone numbers, which they claimed were targets of NSO’s Pegasus software used to hack into phones.

“NSO regrets the decision, since its technologies do indeed support the US’s national interests and policies by preventing terror and crime, and accordingly we will act in order to reverse the decision,” the company said in response.

The company said that it was looking forward to presenting information that “makes clear that we have the most strict guidelines in the world [as well as] plans to advance human rights, which are based on American values that we deeply relate to – which have already caused us to end our engagements with governmental agencies that used our products inappropriately.”

Candiru, which has a lower public profile than NSO, had not issued a response at press time.

“With this move, the US government has acknowledged what Amnesty and other activists have been saying for years,” said Amnesty International. “NSO Group’s spyware is a tool of repression, which has been used around the world to violate human rights. This decision sends a strong message to NSO Group that it can no longer profit from human rights abuses without repercussions.

“This is also a day of reckoning for NSO Group’s investors – will they continue to bankroll a company whose technology has been used to systematically violate human rights?”

Broadening its comments beyond NSO, Amnesty said that “the threats posed by surveillance technology are bigger than one company. This dangerous industry is out of control, and this must spell the end of the impunity spyware companies have so far enjoyed. We need an immediate global moratorium on the export, sale, transfer and use of surveillance technology until there is a human rights-compliant regulatory framework in place.”

Gil Naveh, a spokesperson for Amnesty International Israel, said: “This decision shows the complete and utter failure of Israeli systems of oversight and accountability. Both the Israeli Defense Ministry and Israeli courts did not properly do their job of preventing human rights violations with the use of Israeli security exports.

“We call for the Israeli Defense Ministry to immediately halt all of NSO’s activity, and for the Israeli systems to hold accountable all of those who were responsible for this outrageous negligence.”

MK Moshe “Mossi” Raz (Meretz) said that “the US’s decision regarding NSO was a matter of time. This company not only embarrasses us around the world and not only entangles Israel in political turmoil, but its actions are also dangerous and harmful – and Israel should not sponsor them. I intend to turn to the defense minister and prime minister and demand that they act against NSO as soon as possible.”

After the July condemnations of NSO and some lost clients and investor momentum, Prime Minister Naftali Bennett established an inquiry into the cyber firm run by a mix of the Defense and Foreign ministries, the Mossad, the National Security Council, and others.

Macron demanded explanations from Israel at the time, and Defense Minister Benny Gantz traveled to Paris to clarify that the French president was not being spied on. In the meantime, Macron prohibited his cabinet members from meeting with Israeli ministers.

Bennett and Macron met recently at the UN Climate Change Conference in Glasgow, and Bennett promised to be more transparent. The leaders said they would move forward with close cooperation between their countries.

LAST WEEK, NSO had seemed intent on a rebranding campaign with Hulio making a lateral move to being vice chairman of the company’s board and global president.

Though details were somewhat hazy, the idea seemed to be to make Benbenisti the new face of the company, while Hulio would focus on drumming up business in new cell phone and cyber areas, and likely remain in control of significant aspects of the company behind the scenes.

The change in strategy just a week later seemed to reflect a high degree of flux and fluidity in NSO’s stability and vision for its future.

The July reports – which came from the Pegasus project, a group of 17 media organizations that have been provided information from a mix of Amnesty, the University of Toronto Citizen Lab and Forbidden Stories – broke open to the public the most damaging information yet to come to light regarding the cell phone hacker.

According to the July reports, NSO’s Pegasus hacking malware was found on 37 cell phones, out of a list of 65 numbers that were checked against more than 50,000 cell phones that were targeted.

They discovered that among 1,000 numbers from the list were at least 65 business executives, 85 human-rights activists, 189 journalists, several Arab royal family members, and more than 600 politicians and government officials, including cabinet ministers, diplomats and security officers.

Top officials whose cell phones appear on the list included Macron, Iraqi President Barham Salih, South African President Cyril Ramaphosa, and leaders from Pakistan, Egypt and Morocco.

Countries accused of abusing NSO technologies included Hungary, India, Mexico, Saudi Arabia, the UAE, Bahrain, Morocco and others.

NSO itself admitted it had cut off at least five governmental clients who abused its technology to go after exactly the kinds of people on the above list – even if it is not those same people.

An NSO source reportedly leaked to NPR that as a result of the current crisis, the company specifically ended its contracts with the Saudis and the UAE.

However, a deeper investigation by The Jerusalem Post found that there was very little concrete information in these reports. Most of what was reported in July did not break new ground as much as it added color to prior reports for years that some of NSO’s clients have abused Pegasus.

Some outlets directly involved with breaking the NSO story have admitted that they do not know who provided the 50,000 number list and cannot vouch for its credibility, aside from the 37 cell phones where malware was found.

As questions grew about the list, Amnesty gave two messages: not all of the numbers are from NSO, but the numbers from NSO clients showed who NSO clients might go after.

The list of 50,000 cell phones was itself always problematic to close observers, given that each NSO client is usually limited to a dozen or a few dozen targets and the company only has around 60 clients.

Avi Yariv, a cyber expert and chairman of the InnoTech conference, said, "A large part of the crime and threats against countries takes place in cyberspace. A country needs tools to defend itself - both defensive tools and intelligence gathering ones against those who threaten it. This is the reason why the onslaught against NSO as a company that sells offensive cyber products as if it is a problematic issue - is merely hypocrisy and insincerity.”

Yariv adds: "The development and export of such products are essential for countries and organizations that protect themselves and their citizens. Today it is NSO, tomorrow it could be any other cyber intelligence company. If the Israeli government does not react to the US sanctions against NSO - it might destroy by its own hands an important, leading part of the Israeli innovation and cyber industry.”

Cyber expert Guy Mizrahi said, "the State of Israel sells huge amounts of heavy and light weapons... All of these are designed to deter and kill people. In the case of cyber, suddenly everyone tries to be innocent... many more people have died from kinetic weapons than from cyber weapons, but despite this - the criticism of the sale of weapons is nil and the criticism of the sale of Trojan Horse malware and other cyber intelligence tools is enormous."

Mizrahi: "The State of Israel needs to think about whether the sale of weapons is a legitimate thing. If so, cyber weapons are weapons."

Despite their general support for NGO, both cyber experts supported tighter regulations regarding the sale of cyber weapons. 

Lahav Harkov and Reuters contributed to this report.