NOTE: Al Jazeera has just published my latest piece on how the incoming Biden administration will address Israel, Iran, Saudi Arabia and Middle East issues in general. Please give it a read and promote it via social media.
It is uncharacteristic of me to praise any technology executive or company. In fact, I have often criticized such companies and their policies here. But Microsoft president Brad Smith deserves such credit. He published a landmark essay which laid down a marker for all other technology companies. It called out cyber-hacking as a global evil that must be addressed both in the United States and around the world. It called for states to join together to thwart such cyber-attacks, and to legislate the companies which profit from them out of business. It is a clarion call for reform of U.S. cyber-security laws and for a global effort to confront cyber-hacking. I’m especially highlighting the portions relevant to the Israeli cyber-hacking company, NSO Group, which is the biggest player in this field:
[One] evolving threat…[is] the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries. This phenomenon has reached the point where it has acquired its own acronym – PSOAs, for private sector offensive actors. Unfortunately, this is not an acronym that will make the world a better place…
NSO represents the increasing confluence between sophisticated private-sector technology and nation-state attackers…Th[ey are] a growing option for nation-states to either build or buy the tools needed for sophisticated cyberattacks…An industry segment that aids offensive cyberattacks spells bad news on two fronts. First, it adds even more capability to the leading nation-state attackers, and second, it generates cyberattack proliferation to other governments that have the money but not the people to create their own weapons. In short, it adds another significant element to the cybersecurity threat landscape…
We need to strengthen international rules to put reckless nation-state behavior out of bounds and ensure that domestic laws thwart the rise of the cyberattack ecosystem. While the world has important international norms and laws to address nation-state attacks, we continue to believe it is important to fill in gaps and continue to develop clear and binding legal obligations for cyberspace.
This should build on the lessons of 2020 and prioritize key and specific areas. For example, it should include the continued development of rules to expressly forbid the type of broad and reckless activity used against SolarWinds and its customers, which tampered with legitimate software and threatened the stability of a broader software supply chain. The international community has been moving in this direction, building on a 2015 report by a United Nations Group of Governmental Experts that received broad UN endorsement last year, as well as multi-stakeholder support by the Global Commission on the Stability of Cyberspace (GCSC). The U.S. government and its allies need to make crystal clear their views that this type of supply chain attack falls outside the bounds of international law…
…Governments should take new and concerted steps to thwart the rise of private sector offensive actors…The sooner governments take action to put this ecosystem out of business, the better.
An early opportunity for the Biden-Harris Administration will come in an appellate judicial case involving the NSO Group itself. NSO has appealed a lower court finding that it is not immune from claims that it violated the U.S. Computer Fraud and Abuse Act by accessing mobile devices without permission. Its argument is that it is immune from U.S. law because it is acting on behalf of a foreign government customer and hence shares that government’s legal immunity. NSO’s proposed recipe would make a bad problem even worse, which is why Microsoft is joining with other companies in opposing this interpretation. The Biden/Harris Administration should weigh in with a similar view.
NSO’s legal approach, while disconcerting, does the world a service by highlighting the path needed to thwart this new cyberattack ecosystem. It’s to ensure that domestic laws clearly and strongly prohibit companies from helping governments engage in unlawful and offensive cyberattacks and investors from knowingly financing them.
Consider the analogy to other forms of societally harmful activity, like human trafficking, narcotics or terrorism itself. Governments not only take strong steps to prohibit the illegal activity itself – such as engaging in drug trafficking – but also ensure that airlines don’t transport the drugs and investors don’t finance the activity.
A similar approach is needed to deter private sector offensive actors. We need steps to ensure, for example, that American and other investors don’t knowingly fuel the growth of this type of illegal activity. And the United States should proactively pursue discussions with other countries that are giving rise to these companies, including Israel, which has a strong cybersecurity ecosystem that can be drawn into dangerous support of authoritarian regimes.
Note that the Microsoft statement assigns blame and responsibility not just to NSO, but to the venture capitalists profiting from its products and conduct. That would include Francisco Partners and Novalpina Capital, the firms which, respectively, once owned and currently own NSO. If governments restrict investment in these noxious products, it will cut off the financial oxygen the companies need to survive.
This Microsoft statement joins an amicus brief filed by American and other leading global technology companies, including Cisco, Google, Dell, GitHub, LinkedIn and VMware, supporting WhatsApp’s lawsuit against NSO. The suit accuses the Israeli company (and its clients) of hacking the electronic communications of 1,400 human rights activists from around the world. NSO took billions in sales from repressive regimes in the Middle East, Africa and Asia, enabling them to monitor those posing political threats to their rule. In many cases, these victims end up in prison, bankrupted by bogus criminal court charges, or dead. Finally, these companies are saying: Enough.
And if the Israeli government won’t tell them “Enough” itself, then President-elect Biden and the U.S. Congress must be called upon to do the right thing and end this betrayal of the rights of assembly, speech and press freedom guaranteed under the U.S. Constitution and the UN Charter.
NSO’s “Zero-Click” Exploit, “Kismet,” Targets Al Jazeera
Citizen Lab is the leading cyber-forensic NGO exposing the misdeeds of NSO Group. It has published an account of a new company “product,” employed largely by Gulf states, mainly Saudi Arabia and the United Arab Emirates, against their internal and external foes. Over the past year, a “zero-click” exploit named “Kismet” has targeted iPhones via Apple’s iMessage app. The victims were scores of executives, journalists and editors at Al Jazeera and Al Araby.
Al Jazeera is the leading media company in the region and offers a global audience an independent perspective on regional affairs. Al Jazeera reports on stories that could never be aired by the media outlets of these autocratic regimes. It is based in Qatar and largely funded by the Qatari government (as is Al Araby), which itself is in the midst of a battle with Saudi Arabia and its allies (which include UAE). There have been hacks and cyber-attacks by both sides against the other. But none have previously involved such an escalation in cyber-hacking technology.
A zero-click exploit permits the hacking of electronic devices with no action needed by the target. Unlike other exploits, it does not require the recipient to click on a link in order to download malware. The mere act of communicating with the target’s device allows penetration of the device and access to its contents and capabilities. Kismet offers the nation-state client the following capability:
…Recording audio from the microphone including both ambient “hot mic” recording and audio of encrypted phone calls, and taking pictures. In addition, we believe the implant can track device location, and access passwords and stored credentials.
These features permit an intelligence agency to monitor everything typed on the device, everything spoken within range of it, and every phone call made or received. It will also take pictures of whatever is happening within range of the phone. It can also impersonate the phone’s user by accessing the device’s credentials. Finally, access to the user’s passwords enables the hacker to gain access to any password-protected website the user visits, including bank accounts, medical history, and other critical personal data.
Here Citizen Lab elaborates on the nature of the professional threats to these journalists:
The Al Jazeera attacks are part of an accelerating trend of espionage against journalists and news organizations. The Citizen Lab has documented digital attacks against journalists by threat actors from China, Russia, Ethiopia, Mexico, the UAE, and Saudi Arabia, among others. Other research groups have documented similar trends, which appear to be worsening with the COVID-19 pandemic. Often these attacks parallel more traditional forms of media control, and in some cases physical violence.
The increased targeting of the media is especially concerning given the fragmented and often ad-hoc security practices and cultures among journalists and media outlets, and the gap between the scale of threats and the security resources made available to reporters and newsrooms. These concerns are likely particularly acute for independent journalists in authoritarian states who, despite the fact that they play a crucial role in reporting information to the public, may be forced to work in dangerous conditions with even fewer security tools at their disposal than their peers in large news organizations.
Mirroring the Microsoft statement, Citizen Lab calls for increased vigilance and regulatory oversight of bad actors like NSO Group:
Journalists and media outlets should not be forced to confront this situation on their own. Investments in journalist security and education must be accompanied by efforts to regulate the sale, transfer, and use of surveillance technology. As the anti-detection features of spyware become more sophisticated, the need for effective regulatory and oversight frameworks becomes increasingly urgent. The abuse of NSO Group’s zero-click iMessage attack to target journalists reinforces the need for a global moratorium on the sale and transfer of surveillance technology…
These safeguards should include strengthening and expanding regional and international export controls, enacting national legislation that constrains invasive new surveillance technology such as zero-click spyware, and the expansion of mandatory due diligence requirements for spyware developers and brokers.
Circles: Hacking the Global Communications System
Earlier this month, Citizen Lab released another report concerning a different Israeli cyber-hacking company, Circles, which became a subsidiary of NSO Group in 2014. Circles offers clients a different set of hacking products, which permit the interception of electronic communications by exploiting vulnerabilities in the systems of global telecommunication providers:
These commands allow the attacker to track the victim’s location, and intercept voice calls and SMS text messages. Such capabilities could also be used to intercept codes used for two-factor authentication sent via SMS.
Unfortunately, most U.S. wireless networks and those around the world are vulnerable to these exploits. Clients in 25 countries have deployed the company’s technology to hack the phones of targeted individuals.
Among them is Israel itself, which likely means the Shin Bet is using Circles to target its own citizens or Palestinians. However, there is one anomaly in Circles’ conventions in this instance: it always identifies client states with a word starting with the first letter of the country. In this case, it uses the word “Lexus.” If Israel were the customer, the word should start with an “I.” It’s very possible the “L” refers to Lebanon, since Israeli intelligence constantly monitors Lebanese targets. But Lebanon is a highly unlikely customer, since Israel’s defense ministry would prohibit any sale of cyber-technology to a hostile neighbor. So my guess is that an Israeli intelligence agency is targeting Lebanon using Circles. I approached an Israeli security source about this. He refused to comment.
Finally, an Israeli lawsuit by Amnesty International against NSO Group found that the company researched specific individuals on behalf of UAE intelligence. NSO offered the targets’ physical location and phone records as proof of the worth of its technology before purchase. This gives the lie to one major defense NSO uses to absolve itself of responsibility for the excesses of its clients. It claims that it does not monitor how its products are used, does not operate its products on behalf of customers, and does not know who is targeted. In this case, that is clearly a lie.
Human Rights Don’t Exist in Brazil
There is a criminal organization in Brazil using NSO Group’s Pegasus to infect devices for hack-for-hire, to incite terrorism, blackmail people, produce illegal pornography and assist in assassinations. They also have other advanced malware, like UEFI implants and even persistent implants for Kindle and Raspberry Pi. Plus face/voice recognition on every camera and microphone they can get into, in public or private places.
Brazil won’t do anything to stop them. Only the FBI, CIA and NSA can stop them.
There is also the possibility that they were engaged in the hack of Bezos’ smartphone.
If you know of any security researcher who wants to reverse engineer the exploits they are using, I am more than willing to help them.
If you want a story about how they operate, I am willing to work with you to expose them.
Let me see if I’ve got this right.
NSO is regulated by Israel’s Ministry of Defence, which grants or denies licences between NSO and its foreign-sovereign customers, and NSO acted in compliance with Israel’s MOD.
NSO is an agent of various dodgey States that target dissidents but who are themselves shielded against lawsuits by the doctrine of “foreign sovereign immunity”.
Hardly seems fair to me.
@ Forrest: No, of course you don’t have this right. The operative words in your comment are “regulated” and “compliance.” Is NSO “regulated” in any sense that a western democratic society would recognize? No. Has MoD ever denied an export license to a military or cyber-tech exporter? No. So in what sense does NSO “comply” with anything? You can make up so-called regulations which prohibit so-called violations of so-called export rules. But if you don’t enforce them, you’re making a laughingstock out of the term “regulation.” Which Israel does of course.
As for so-called “dodgey states,” I don’t call kleptocratic murderers “dodgey.” I call them by the terms I used above. And thanks for exposing your role as a shill for NSO. The argument about sovereign immunity fails because NSO cannot claim it is both independent of its clients and an agent of them, at the same time. It is either one or the other. And if you or NSO’s lawyers believe this argument will fly, you either have wings yourself or you’re fools (or both).
I don’t see Raytheon, Boeing and General Dynamics getting haled into Court over arms sales to the same dodgey States that NSO does business with; arms sales that have resulted in massive civilian deaths in Yemen, Libya, etc.
But more to the point, how can NSO get a fair trial when ‘required parties’, their sovereign clients, are shielded by the FISA?
NSO’s sovereign clients hacked and injured WhatsApp, and as such, they are ‘required parties’ and should be joined to the lawsuit pursuant to Rule 19.
https://casetext.com/statute/united-states-code/title-28-appendix/federal-rules-of-civil-procedure/rules-of-civil-procedure-for-the-united-states-district-courts-1/title-iii-pleadings-and-motions/rule-19-required-joinder-of-parties
Without these sovereign governments as parties, this suit, as a matter of basic fairness, should be dismissed.
Don’t you agree?
@ Forrest: Unfortunately, selling weapons that kill millions isn’t a crime, though it should be. As for Yemen, the main problem is that our government has permitted the weapons to flow to Saudi Arabia. If we refused to fuel this war, then it wouldn’t matter what Raytheon made or sold. It wouldn’t be killing Yemenis. I don’t know where you got information that the US is arming either side in Libya. I strongly doubt this.
But hacking people’s private communications and damaging the intellectual property of major companies like WhatsApp and others IS a crime. Not to mention being an accessory to the murder of journalists–it too is a crime.
As for adding the Saudis as defendants in the case: why? NSO produced the malware. It sold the malware. It knows what use was made of the malware. It didn’t stop or control the use. It’s liable. Plain and simple. All this is easy to prove. As for making Saudi Arabia or MBS a defendant, why should a court do anything that benefits NSO, as you suggest?
MBS will be held accountable in other ways for other crimes. There are lawsuits pending against him for the murder of Jamal Khashoggi. He will get his due.
The day you and I agree on anything will be a cold day in hell.
Your animus toward NSO notwithstanding, NSO’s lawyers are not fools, as you claim.
NSO’s lawyers will assert a claim of ‘derivative immunity’, under common law, as well as FISA.
Common law derivative immunity is frequently asserted by domestic contractors working with the U.S. government, but it is less clear whether derivative immunity can be applied to contractors working for foreign governments.
NSO will cite the U.S. Court of Appeals for the Fourth Circuit’s opinion in Butters v. Vance International.
In Butters, the court found that Vance International, a security firm working with the Saudi government, was derivatively immune from suit—not under common law doctrine, but under the FSIA.
NSO will rely on a parallel analysis by the Butters court, wherein, before holding that Vance International was derivatively immune under the FSIA, the court also suggested that derivative sovereign law under common law—already available to private contractors for the U.S. government—should be extended to private contractors for foreign governments.
Pundits, Richard.
We are all pundits.
Are we not?
@ Forrest: Please don’t regurgitate NSO’s legal strategy. I outlined it already in my post and you’re essentially repeating it. Repetition is boring. No foreign company will get away with claiming immunity due to being a vendor for a foreign government. Sovereign immunity is meant to protect foreign states. Derivative immunity is meant to protect contractors working for the US government, not foreign governments. There is reason to protect sovereign states. But no reason to protect third party vendors for those states who violate both US domestic and international law. Especially when the vendor does extensive damage not only to individual US citizens, but to companies which are the backbone of the US economy.
You are done in this thread. And don’t bother pimping for NSO here.
Unluckily, selling weapons that kill millions isn’t a crime; there should be a law to stop the selling of weapons that kill civilians.