
Israeli company that hacked for UAE is sued

September 1, 2018 | Expert Insights

The government of the United Arab Emirates used Israeli phone-hacking technology to spy on political and regional rivals as well as members of the media, with the Israeli company itself participating in the cyber-attacks, The New York Times reported on Friday.

Background

An American private equity firm, Francisco Partners Management LLC, owns NSO. After purchasing NSO for a reported $110 million in 2014, Francisco Partners was reportedly exploring a sale last year that would have valued the company at around $1 billion. Three veterans of the Israeli army’s signals intelligence Unit 8200 - Niv Carmi, Omri Lavie and Shalev Hulio - founded NSO in 2010.

Analysis

The Herzliya-based NSO Group uses its Pegasus spyware program to turn smartphones into listening devices. The NSO Group has insisted in the past that it sells its software to clients on the condition that it be used only against crime and terrorism, and has shirked responsibility in instances where it was allegedly used for civil rights abuses.

According to the report, leaked emails have shown that when UAE leaders demanded proof of value, an affiliate of NSO hacked the phone of Abdulaziz Alkhamis, the editor of the London-based newspaper Al Arab, and sent them recordings.

The Emirates sought to intercept the phone calls of Qatar's Emir Sheikh Tamim bin Hamad Al Thani in 2014, as well as Saudi Prince Mutaib bin Abdullah - considered to be the heir apparent at the time - and Saad Hariri, Lebanon's current prime minister.

The company also allegedly advised the UAE on how best to hack the phones of various officials, with the Arab nation’s leaders particularly interested in spying on a Saudi prince, the leader of rival Qatar and Lebanese Prime Minister Saad Hariri — though it was not clear whether those officials were actually hacked.

Documents show the UAE has been using the Pegasus malware since 2013.

The two lawsuits, filed in Israel and Cyprus, call for company accountability for what they claim is an active role in illegal intelligence gathering. The lawsuits have been filed by a Qatari individual, who claims to have been targeted by the UAE, as well as by Mexican human rights activists who say the government spied on them using Pegasus.

Pegasus infects individuals by sending them text messages tempting them to click an attached link. In the case of the UAE, the NSO affiliate allegedly suggested texts with messages such as: “Ramadan is near — incredible discounts,” as well as “Keep your car tires from exploding in the heat.” When an unwitting target clicks the link, Pegasus is downloaded onto the device and infects it. The software can track calls and contacts, collect passwords, read text messages and emails, record calls, and trace the whereabouts of the user.

In 2016, Israel’s Yedioth Ahronoth daily first reported that the Defense Ministry had given the NSO Group permission to sell the software to an Arab company, which went on to target a prominent UAE rights activist. But the scope of the government’s involvement had not been known.

Mexico was scandalized last year by claims that the government had used the software to target opposition politicians, journalists and human rights defenders in the country.

Israeli companies have been criticized in the past for selling software to monitor internet and phone communication to regimes with poor human rights records, including in Uzbekistan and Kazakhstan, as well as Colombia, Trinidad and Tobago, Uganda, Panama and Mexico, according to the NGO Privacy International.

The company has previously admitted charging customers $650,000 to hack 10 devices, on top of a $500,000 installation fee.

The Pegasus software utilized a chain of previously unknown and unpatched vulnerabilities, known as zero-days, in Apple’s mobile operating system iOS to jailbreak the iPhones and turn them into highly capable, multifunction surveillance tools. It effectively enables the kind of intrusive, round-the-clock snooping that in the past would have required a huge team of operatives and massive resources. This allowed its malware, codenamed Pegasus, to install on the phone, hoovering up all communications and locations of the targeted iPhones. That includes iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram and Skype communications, amongst other data. It can collect Wi-Fi passwords too.

Foreign intelligence services once needed to install microphones in the walls to snoop on their subjects’ private conversations at home. Now, operatives from countries like the UAE — and, potentially, more authoritarian regimes like Russia and China — can just hack a phone.

Apple has now patched the flaws and released an update for iOS. A spokesperson said: "We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits."

Assessment

Our assessment is that there are a number of cybersecurity companies with offensive capabilities. Though the primary intent is to further national security interests, they are often seen to share such capabilities with friendly countries, which might use them for unlawful interception.