“The Battle for the World’s Most Powerful Cyberweapon”
The New York Times Magazine, January 28, 2022
By Ronen Bergman and Mark Mazzetti
“A Times investigation reveals how Israel reaped diplomatic gains around the world from NSO’s Pegasus spyware — a tool America itself purchased but is now trying to ban.”
In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.
The F.B.I. had bought a version of Pegasus, NSO’s premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else — not a private company, not even a state intelligence service — could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.
Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as El Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO’s products seemed to solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology for encrypting their communications than investigators had to decrypt them. The criminal world had gone dark even as it was increasingly going global.
But by the time the company’s engineers walked through the door of the New Jersey facility in 2019, the many abuses of Pegasus had also been well documented. Mexico deployed the software not just against gangsters but also against journalists and political dissidents. The United Arab Emirates used the software to hack the phone of a civil rights activist whom the government threw in jail. Saudi Arabia used it against women’s rights activists and, according to a lawsuit filed by a Saudi dissident, to spy on communications with Jamal Khashoggi, a columnist for The Washington Post, whom Saudi operatives killed and dismembered in Istanbul in 2018.
None of this prevented new customers from approaching NSO, including the United States. The details of the F.B.I.’s purchase and testing of Pegasus have never before been made public. Additionally, the same year that Khashoggi was killed, the Central Intelligence Agency arranged and paid for the government of Djibouti to acquire Pegasus to assist the American ally in combating terrorism, despite longstanding concerns about human rights abuses there, including the persecution of journalists and the torture of government opponents. The D.E.A., the Secret Service and the U.S. military’s Africa Command had all held discussions with NSO. The F.B.I. was now taking the next step.
As part of their training, F.B.I. employees bought new smartphones at local stores and set them up with dummy accounts, using SIM cards from other countries — Pegasus was designed to be unable to hack into American numbers. Then the Pegasus engineers, as they had in previous demonstrations around the world, opened their interface, entered the number of the phone and began an attack.
This version of Pegasus was “zero click” — unlike more common hacking software, it did not require users to click on a malicious attachment or link — so the Americans monitoring the phones could see no evidence of an ongoing breach. They couldn’t see the Pegasus computers connecting to a network of servers around the world, hacking the phone, then connecting back to the equipment at the New Jersey facility. What they could see, minutes later, was every piece of data stored on the phone as it unspooled onto the large monitors of the Pegasus computers: every email, every photo, every text thread, every personal contact. They could also see the phone’s location and even take control of its camera and microphone. F.B.I. agents using Pegasus could, in theory, almost instantly transform phones around the world into powerful surveillance tools — everywhere except in the United States.
Ever since the 2013 revelations by Edward Snowden, a former National Security Agency contractor, about U.S. government surveillance of American citizens, few debates in this country have been more fraught than those over the proper scope of domestic spying. Questions about the balance between privacy and security took on new urgency with the parallel development of smartphones and spyware that could be used to scoop up the terabytes of information those phones generate every day. Israel, wary of angering Americans by abetting the efforts of other countries to spy on the United States, had required NSO to program Pegasus so it was incapable of targeting U.S. numbers. This prevented its foreign clients from spying on Americans. But it also prevented Americans from spying on Americans.
NSO had recently offered the F.B.I. a workaround. During a presentation to officials in Washington, the company demonstrated a new system, called Phantom, that could hack any number in the United States that the F.B.I. decided to target. Israel had granted a special license to NSO, one that permitted its Phantom system to attack U.S. numbers. The license allowed for only one type of client: U.S. government agencies. A slick brochure put together for potential customers by NSO’s U.S. subsidiary, first published by Vice, says that Phantom allows American law enforcement and spy agencies to get intelligence “by extracting and monitoring crucial data from mobile devices.” It is an “independent solution” that requires no cooperation from AT&T, Verizon, Apple or Google. The system, it says, will “turn your target’s smartphone into an intelligence gold mine.”
The Phantom presentation triggered a discussion among government lawyers at the Justice Department and the F.B.I. that lasted two years, across two presidential administrations, centering on a basic question: Could deploying Phantom inside the United States run afoul of long-established wiretapping laws? As the lawyers debated, the F.B.I. renewed the contract for the Pegasus system and ran up fees to NSO of approximately $5 million. During this time, NSO engineers were in frequent contact with F.B.I. employees, asking about the various technological details that could change the legal implications of an attack.
The discussions at the Justice Department and the F.B.I. continued until last summer, when the F.B.I. finally decided not to deploy the NSO weapons. It was around this time that a consortium of news organizations called Forbidden Stories brought forward new revelations about NSO cyberweapons and their use against journalists and political dissidents. The Pegasus system currently lies dormant at the facility in New Jersey.
An F.B.I. spokeswoman said that the bureau examines new technologies “not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties. That means we routinely identify, evaluate and test technical solutions and services for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands.” The C.I.A., the D.E.A., the Secret Service and Africa Command declined to comment. A spokesman for the government of Djibouti said the country had never acquired or used Pegasus.
In November, the United States announced what appeared — at least to those who knew about its previous dealings — to be a complete about-face on NSO. The Commerce Department was adding the Israeli firm to its “entity list” for activities “contrary to the national security or foreign policy interests of the United States.” The list, originally designed to prevent U.S. companies from selling to nations or other entities that might be in the business of manufacturing weapons of mass destruction, had in recent years come to include several cyberweapons companies. NSO could no longer buy critical supplies from American firms.
It was a very public rebuke of a company that had in many ways become the crown jewel of the Israeli defense industry. Now, without access to the American technology it needed to run its operations — including Dell computers and Amazon cloud servers — it risked being unable to function. The United States delivered the news to Israel’s Ministry of Defense less than an hour before it was made public. Israeli officials were furious. Many of the headlines focused on the specter of an out-of-control private company, one based in Israel but largely funded offshore. But authorities in Israel reacted as if the ban were an attack on the state itself. “The people aiming their arrows against NSO,” said Yigal Unna, director general of the Israel National Cyber Directorate until Jan. 5, “are actually aiming at the blue and white flag hanging behind it.”
The Israelis’ anger was, in part, about U.S. hypocrisy: The American ban came after years of secretly testing NSO’s products at home and putting them in the hands of at least one country, Djibouti, with a record of human rights abuses. But Israel also had its own interests to protect. To an extent not previously understood, Israel, through its internal export-licensing process, has ultimate say over who NSO can sell its spyware to. This has allowed Israel to make NSO a central component of its national-security strategy for years, using it and similar firms to advance the country’s interests around the world.
A yearlong Times investigation, including dozens of interviews with government officials, leaders of intelligence and law-enforcement agencies, cyberweapons experts, business executives and privacy activists in a dozen countries, shows how Israel’s ability to approve or deny access to NSO’s cyberweapons has become entangled with its diplomacy. Countries like Mexico and Panama have shifted their positions toward Israel in key votes at the United Nations after winning access to Pegasus. Times reporting also reveals how sales of Pegasus played an unseen but critical role in securing the support of Arab nations in Israel’s campaign against Iran and even in negotiating the Abraham Accords, the 2020 diplomatic agreements that normalized relations between Israel and some of its longtime Arab adversaries.
The combination of Israel’s search for influence and NSO’s drive for profits has also led to the powerful spying tool’s ending up in the hands of a new generation of nationalist leaders worldwide. Though the Israeli government’s oversight was meant to prevent the powerful spyware from being used in repressive ways, Pegasus has been sold to Poland, Hungary and India, despite those countries’ questionable records on human rights.
The United States has made a series of calculations in response to these developments — secretly acquiring, testing and deploying the company’s technology, even as it has denounced the company in public and sought to limit its access to vital American suppliers. The current showdown between the United States and Israel over NSO demonstrates how governments increasingly view powerful cyberweapons the same way they have long viewed military hardware like fighter jets and centrifuges: not only as pivotal to national defense but also as a currency with which to buy influence around the world.
About the Authors:
Ronen Bergman is a staff writer for The New York Times Magazine, based in Tel Aviv. His latest book is “Rise and Kill First: The Secret History of Israel’s Targeted Assassinations,” published by Random House.
Mark Mazzetti is a Washington investigative correspondent, and a two-time Pulitzer Prize winner. He is the author of “The Way of the Knife: the C.I.A., a Secret Army, and a War at the Ends of the Earth.”
- “NSO Group Pitched Phone Hacking Tech to American Police: A brochure and emails obtained by Motherboard show how Westbridge, the U.S. arm of NSO, wanted U.S. cops to buy a tool called Phantom.” By Joseph Cox, Motherboard, May 12, 2020.
- “F.B.I. Secretly Bought Israeli Spyware and Explored Hacking U.S. Phones: Israel used the NSO Group’s software as a tool of diplomacy. The F.B.I. wanted it for domestic surveillance. Then everything soured. Here are highlights of a New York Times Magazine investigation.” By Michael Levenson, The New York Times, January 28, 2020.