Israeli cyber firm negotiated advanced attack capabilities sale with Saudis, Haaretz reveals
Just months before crown prince launched a purge against his opponents, NSO offered Saudi intelligence officials a system to hack into cellular phones ■ NSO: We abide the law, our products are used to combat crime and terrorism
The Israeli company NSO Group Technologies offered Saudi Arabia a system that hacks cellphones, a few months before Crown Prince Mohammed bin Salman began his purge of regime opponents, according to a complaint to the Israel Police now under investigation.
But NSO, whose development headquarters is in Herzliya, says that it has acted according to the law and its products are used in the fight against crime and terror.
To really understand Israel and the Middle East - subscribe to Haaretz
Either way, a Haaretz investigation based on testimony and photos, as well as travel and legal documents, reveals the Saudis’ behind-the-scenes attempts to buy Israeli technology.
In June 2017, a diverse group gathered in a hotel room in Vienna, a city between East and West that for decades has been a center for espionage, defense-procurement contacts and unofficial diplomatic meetings.
Keep updated: Sign up to our newsletter
Email* Sign up
Arriving at the hotel were Abdullah al-Malihi, a close associate of Prince Turki al-Faisal – a former head of Saudi Arabia’s intelligence services – and another senior Saudi official, Nasser al-Qahtani, who presented himself as the deputy of the current intelligence chief. Their interlocutors were two Israeli businessmen, representatives of NSO, who presented to the Saudis highly advanced technology.
>> Israel’s cyber-spy industry helps world dictators hunt dissidents and gays | Revealed
In 2017, NSO was avidly promoting its new technology, its Pegasus 3 software, an espionage tool so sophisticated that it does not depend on the victim clicking on a link before the phone is breached.
During the June 2017 meeting, NSO officials showed a PowerPoint presentation of the system’s capabilities. To demonstrate it, they asked Qahtani to go to a nearby mall, buy an iPhone and give them its number. During that meeting they showed how this was enough to hack into the new phone and record and photograph the participants in the meeting.
The meeting in Vienna wasn’t the first one between the two sides. Prime Minister Benjamin Netanyahu has recently expressed pride in the tightening ties with Gulf states, with Israel’s strength its technology. The message is clear: Israel is willing to sell these countries security-related technologies, and they forge closer ties with Israel in the strategic battle against Iran.
>> $6 billion of Iranian money: Why Israeli firm Black Cube really went after Obama’s team
According to the complaint, the affair began with a phone call received by a man identified as a European businessman with connections in the Gulf states. On the line was W., an Israeli dealing in defense-related technologies and who operates through Cyprus-based companies. (Many defense-related companies do business in Cyprus because of its favorable tax laws.) W. asked his European interlocutor to help him do business in the Gulf.
FILE Photo: Two of the founders of NSO, Shalev Julio and Omri Lavi.
Among the European businessman’s acquaintances were the two senior Saudi officials, Malihi and Qahtani.
On February 1, 2017, W. and the businessman met for the first time. The main topic was the marketing of cyberattack software. Unlike ordinary weapons systems, the price depends only on a customer’s eagerness to buy the system.
The following month, the European businessman traveled to a weapons exhibition in the United Arab Emirates, where a friend introduced him to Malihi, the Saudi businessman.
In April 2017, a meeting was arranged in Vienna between Malihi, Qahtani and representatives of Israeli companies. Two more meetings subsequently took place with officials of Israeli companies in which other Israelis were present. These meetings took place at the Four Seasons Hotel in Limassol, Cyprus, where Israeli cybercompanies often meet with foreign clients.
>> Snowden: Israeli firm’s spyware was used to track Khashoggi
The meetings were attended by W. and his son. They were apparently friendly: In photographs documenting one of them, W. and Qahtani are shown after a hunting trip, with the Saudi aiming a rifle at a dead animal.
In the Vienna meeting of April 2017, the Saudis presented a list of 23 systems they sought to acquire. Their main interest was cybersystems. For a few dozens of millions of dollars, they would be able to hack into the phones of regime opponents in Saudi Arabia and around the world and collect classified information about them.
According to the European businessman, the Saudis, already at the first meeting, passed along to the representatives of one of the companies details of a Twitter account of a person who had tweeted against the regime. They wanted to know who was behind the account, but the Israeli company refused to say.
Offices of Israeli NSO Group company in Herzliya, Israel, Aug. 25, 2016Daniella Cheslow/AP
In the June 2017 meeting, the Saudis expressed interest in NSO’s technology.
According to the European businessman, in July 2017 another meeting was held between the parties, the first at W.’s home in Cyprus. W. proposed selling Pegasus 3 software to the Saudis for $208 million.
Malihi subsequently contacted W. and invited him to Riyadh to present the software to members of the royal family. The department that oversees defense exports in Israel’s Defense Ministry and the ministry’s department for defense assistance, responsible for encouraging exports, refused to approve W.’s trip.
Using the initials for the defense assistance department, W. reportedly said “screw the D.A.” and chartered a small plane, taking with him NSO’s founder, Shalev Hulio, to the meetings in the Gulf. According to the European businessman, the pair were there for three days, beginning on July 18, 2017.
At these meetings, the European businessman said, an agreement was made to sell the Pegasus 3 to the Saudis for $55 million.
According to the European businessman, the details of the deal became known to him only through his contacts in the defense assistance department. He said he had agreed orally with W. that his commission in the deal would be 5 percent – $2.75 million.
But W. and his son stopped answering the European businessman’s phone calls. Later, the businessman told the police, he received an email from W.’s lawyer that contained a fake contract in which the company would agree to pay only his expenses and to consider whether to pay him a bonus if the deal went through.
The European businessman, assisted by an Israeli lawyer, filed a complaint in April 2018. He was questioned by the police’s national fraud squad and was told that the affair had been transferred to another unit specializing in such matters. Since then he has been contacted by the income tax authorities, who are apparently checking whether there has been any unreported income from the deal.
The European businessman’s claims seem to be substantiated by correspondence Haaretz has obtained between Cem Koksal, a Turkish businessman living in the UAE, and W.’s lawyers in Israel. The European businessman said in his complaint that Koksal was involved in mediating the deal.
In a letter sent by Koksal’s lawyer in February of this year, he demanded his portion from W. In a response letter, sent in early March, W.’s attorney denied the existence of the deal. The deal had not been signed, the letter claimed, due to Koksal’s negligence, therefore he was due no commission or compensation of any kind.
These issues have a wider context. From the claims by the European businessman and Koksal’s letter, it emerges that the deal was signed in the summer of 2017, a few months before Crown Prince Mohammed began his purge of regime opponents. During that purge, the Saudi regime arrested and tortured members of the royal family and Saudi businessmen accused of corruption. The Saudis also held Lebanese Prime Minister Saad al-Hariri for a few days in a Riyadh hotel.
In the following months the Saudis continued their hunt for regime opponents living abroad, which raised international attention only when the murder of journalist Jamal Khashoggi in the Saudi Consulate in Istanbul came to light in October.
It has recently been claimed that NSO helped the Saudi regime surveil its opponents. According to an article in Forbes magazine and reports from the Canadian cyber-related think tank Citizen Lab, among the surveillance targets were the satirist Ghanem Almasrir and human rights activist Yahya Asiri, who live in London, and Omar Abdulaziz, who lives in exile in Canada.
These three men were in contact with Khashoggi. Last month, Edward Snowden, who uncovered the classified surveillance program of the U.S. National Security Agency, claimed that Pegasus had been used by the Saudi authorities to surveil Khashoggi.
“They are the worst of the worst,” Snowden said of NSO, whose people he accused of aiding and abetting human rights violations.
NSO’s founders and chief executives are Omri Lavie and Shalev Hulio. The company is registered in Cyprus but its development headquarters is in Herzliya. In 2014 the company was sold to private equity firm Francisco Partners based on a valuation of $250 million.
Francisco Partners did not respond to Haaretz’s request for comment.
In May, Verint Systems offered to buy NSO for $1 billion, but the offer was rejected. The company is awash in cash. Earlier this month all its employees went on vacation in Phuket, Thailand. Netta Barzilai, Lior Suchard, the Ma Kashur Trio and the band Infected Mushroom were also flown there to entertain them.
The Pegasus system developed by NSO was a “one-click system,” meaning that the victim had to press on a link sent to him through phishing. The new system no longer requires this. Only the number of the SIM card is needed to hack into the phone. It’s unknown how Pegasus does this.
Technology sources believe that the technology either exploits breaches in the cellphone’s modem, the part that receives messages from the antenna, or security breaches in the apps installed on a phone. As soon as a phone is hacked, the speaker and camera can be used for recording conversations. Even encoded apps such as WhatsApp can be monitored.
NSO’s operations are extremely profitable.
The company, which conceals its client list, has been linked to countries that violate human rights. NSO says its products are used in the fight against crime and terror, but in certain countries the authorities identify anti-regime activists and journalists as terrorists and subject them to surveillance.
In 2012, NSO sold an earlier version of Pegasus to Mexico to help it combat the drug cartel in that country. According to the company, all its contracts include a clause specifically permitting the use of its software only to “investigate and prevent crime or acts of terror.” But The New York Times reported in 2016 that the Mexican authorities also surveilled journalists and lawyers.
Following that report, Mexican victims of the surveillance filed a lawsuit in Israel against NSO last September. This year, The New York Times reported that the software had been sold to the UAE, where it helped the authorities track leaders of neighboring countries as well as a London newspaper editor.
In response to these reports, NSO said it “operated and operates solely in compliance with defense export laws and under the guidelines and close oversight of all elements of the defense establishment, including all matters relating to export policies and licenses.
“The information presented by Haaretz about the company and its products and their use is wrong, based on partial rumors and gossip. The presentation distorts reality.
“The company has an independent, external ethics committee such as no other company like it has. It includes experts in legal affairs and international relations. The committee examines every deal so that the use of the system will take place only according to permitted objectives of investigating and preventing terror and crime.
“The company’s products assist law enforcement agencies in protecting people around the world from terror attacks, drug cartels, child kidnappers for ransom, pedophiles, and other criminals and terrorists.
“In contrast to newspaper reports, the company does not sell its products or allow their use in many countries. Moreover, the company greatly limits the extent to which its customers use its products and is not involved in the operation of the systems by customers.”
A statement on W.’s behalf said: “This is a false and completely baseless complaint, leverage for an act of extortion by the complainants, knowing that there is no basis for their claims and that if they would turn to the relevant courts they would be immediately rejected.”
