How the U.S. Came to Use NSO Spyware It Was Trying to Kill

How the U.S. Came to Use NSO Spyware It Was Trying to Kill

WASHINGTON — The secret contract was finalized on Nov. 8, 2021, a deal between a company that has acted as a front for the United States government and the American affiliate of a notorious Israeli hacking firm.

Under the arrangement, the Israeli firm, NSO Group, gave the U.S. government access to one of its most powerful weapons — a geolocation tool that can covertly track mobile phones around the world without the phone user’s knowledge or consent.

If the veiled nature of the deal was unusual — it was signed for the front company by a businessman using a fake name — the timing was extraordinary.

Only five days earlier, the Biden administration had announced it was taking action against NSO, whose hacking tools for years had been abused by governments around the world to spy on political dissidents, human rights activists and journalists. The White House placed NSO on a Commerce Department blacklist, declaring the company a national security threat and sending the message that American companies should stop doing business with it.

The secret contract — which The New York Times is disclosing for the first time — violates the Biden administration’s public policy, and still appears to be active. The contract, reviewed by The Times, stated that the “United States government” would be the ultimate user of the tool, although it is unclear which government agency authorized the deal and might be using the spyware. It specifically allowed the government to test, evaluate, and even deploy the spyware against targets of its choice in Mexico.

Asked about the contract, White House officials said it was news to them.

“We are not aware of this contract, and any use of this product would be highly concerning,” said a senior administration official, responding on the basis of anonymity to address a national security issue.

Spokesmen for the White House and Office of the Director of National Intelligence declined to make any further comment, leaving unresolved questions: What intelligence or law enforcement officials knew about the contract when it was signed? Did any government agency direct the deployment of the technology? Could the administration be dealing with a rogue government contractor evading Mr. Biden’s own policy? And why did the contract specify Mexico?

The secret contract further illuminates the ongoing battle for control of powerful cyberweapons, both among and within governments, including the United States.

The weapons have given governments the power to conduct targeted, invasive surveillance in ways that were unavailable before the advent of the tools. This power has led to abuses, from the Mexican government spying on journalists who were investigating military crimes to Saudi Arabia using NSO technology to hack the devices of political dissidents. The use of spyware against journalists and opposition figures sparked a political scandal in Greece.

Rampant abuse of commercial spyware has led to growing calls from Western political leaders to limit access to them. And yet their power makes the tools alluring to intelligence services, militaries and law enforcement agencies in democracies and autocracies alike. The story of NSO’s push to break into the United States market brings to life how these tensions have played out.

President Biden signed an executive order last week to clamp down on government use of commercial spyware. It prohibits federal departments and agencies from using hacking tools that might be abused by foreign governments, could target Americans overseas or could pose security risks if installed on U.S. government networks. The order covered only spyware from commercial entities, not tools built by American intelligence agencies, which have similar in-house capabilities.

Even as the Biden administration has showcased its efforts to drive NSO out of business, it was clear even before the revelation of the latest contract that some agencies have been drawn to the power of these cyberweapons.

Elements of America’s expansive national security apparatus in recent years have bought the weapons, deployed them against drug traffickers, and have quietly pushed to consolidate control of them into the hands of the United States and its closest allies. As The Times reported last year, the F.B.I. purchased access in 2019 to NSO’s most powerful hacking tool, known as Pegasus, which invades mobile phones and mines their contents.

A subsequent Times investigation has found:

  • The secret November 2021 contract used the same American company — designated as “Cleopatra Holdings” but actually a small New Jersey-based government contractor called Riva Networks — that the F.B.I. used two years earlier to purchase Pegasus. Riva’s chief executive used a fake name in signing the 2021 contract and at least one contract Riva executed on behalf of the F.B.I.

  • The deal unfolded as the European private equity fund that owns NSO pursued a plan to get U.S. government business by establishing a holding company, Gideon Cyber Systems. The private equity fund’s ultimate goal was to find an American buyer for the company.

  • A potential deal last year with L3Harris, the American defense giant, to buy NSO’s hacking tools and take on the bulk of its work force was far more advanced than previously known. Despite NSO being on the Commerce Department blacklist, L3Harris executives had discussions with Commerce Department officials about the potential deal, according to internal department records, and there was a draft agreement in place to finalize it before the White House publicly objected and L3Harris dropped its plans.

This article is based on more than three dozen interviews with current and former American and Israeli government officials, corporate executives, technology experts and a review of hundreds of pages of government documents, some of them produced under Freedom of Information Act requests by The Times.

In February 2019, Novalpina Capital, a London-based private equity fund, purchased NSO for approximately $1 billion. At the time, NSO still had a near-monopoly on premier hacking tools for mobile phones, and the fund was confident it could expand the business by attracting new government clients around the world.

NSO had spent nearly a decade winning business with its army of elite hackers and the promise and power of its signature tool, Pegasus, which had the ability to extract all of the contents of a mobile phone, from emails to photos to videos.

Novalpina Capital also had a bigger goal, according to three people with knowledge of the fund’s strategy. Seeing a big potential market, it wanted to sell spyware to the United States and its closest “Five Eyes” intelligence partners: Britain, Canada, Australia and New Zealand.

At the same time, NSO had been ensnared by years of scandal over revelations of the abuses of Pegasus by numerous governments. In Saudi Arabia, aides to Crown Prince Mohammed bin Salman had used Pegasus against associates of Jamal Khashoggi, the Washington Post journalist killed by Saudi operatives in Istanbul in October 2018.

An NSO spokesperson said the company’s technologies “are only sold to allies of the U.S. and Israel, particularly in Western Europe, and are aligned with the interests of U.S. national security and governmental law enforcement agencies around the world.”

But although Novalpina had acquired NSO in the belief that it could weather the criticism of how Pegasus had been deployed, the fallout from suggestions that Pegasus was linked to Mr. Khashoggi’s murder never subsided. By the middle of 2020, NSO was seen as radioactive by some in the investment fund’s leadership. The fund began looking to unload the firm.

Novalpina set up Gideon Cyber Systems, a U.S.-based holding company, in 2020. Novalpina’s strategy for Gideon was to strip NSO’s powerful hacking tools, including Pegasus, and the company’s work force from NSO’s Israeli leadership and put the spyware under Gideon’s management — in essence making NSO an American company. Then, the thinking went, the private equity fund could sell Gideon to a large American military contractor or other U.S. investor, paving the way for the United States and its closest allies to have the tools in their arsenals.

During the Trump administration, NSO was already beginning to break into the U.S. government market, and in 2019 the F.B.I. purchased a license for Pegasus. The bureau had two aims: to study the spyware to see how adversaries might use it and to test Pegasus for possible deployment in the bureau’s own operations inside the United States.

To make the purchase, the F.B.I. used Riva Networks, the small, New Jersey-based contractor, but used a cover name for the company, “Cleopatra Holdings.” According to public records, Riva has years of experience selling products and services to the Defense Department and other government agencies.


How Times reporters cover politics. We rely on our journalists to be independent observers. So while Times staff members may vote, they are not allowed to endorse or campaign for candidates or political causes. This includes participating in marches or rallies in support of a movement or giving money to, or raising money for, any political candidate or election cause.

In a 2018 letter to the government of Israel, the Justice Department authorized “Cleopatra Holdings” to purchase Pegasus on behalf of the F.B.I. The Times has reviewed a copy of the letter, and a redacted version was produced as part of The Times’ Freedom of Information Act lawsuit against the F.B.I.

For Novalpina, the fact that the F.B.I. had purchased a license to use Pegasus was significant. Getting the bureau’s validation — and that of other U.S. government agencies — was an essential step toward convincing a U.S. investor to purchase the weapons.

The F.B.I. installed the first Pegasus system in a Riva facility in June 2019. An F.B.I. spokesperson declined to comment on why the bureau used a cover name to make the purchase, or say what safeguards were put in place to ensure that an operational spy tool located in a private facility was not being abused. The spokesperson said that license was no longer active and “the software is no longer functional.”

As it continued trying to generate U.S. government interest in NSO’s hacking tools, Novalpina had to address concern within American spy agencies that the tools posed a counterintelligence risk — that they might contain back doors that would allow Mossad or other Israeli intelligence services to gain access to American secrets if the tools were used on U.S. government networks.

To try to overcome this problem after President Biden took office, Gideon began working with another American firm, Boldend, with deep ties to the C.I.A. and other intelligence agencies, which helped arrange meetings with government officials.

During a virtual meeting on May 5, 2021, the team pitched Christopher Inglis, a former top National Security Agency official working for Paladin Capital who was about to become the White House national cyber director, on what they were doing to address concerns about deploying Israeli technology inside U.S. government systems.

At the meeting, Mr. Inglis was cautiously supportive of the approach, but he said they needed to consider the reputational baggage of NSO.

“I told them, ‘You are inheriting more than this exquisite technology, you are inheriting the history of how it’s been used,” Mr. Inglis said in an interview.

He also said the technology should not be used for offensive purposes — to hack American adversaries — but instead as defensive tools to help test the vulnerabilities of U.S. systems.

Around this time, the team also gave a briefing to C.I.A. officials about the technology, according to two people.

Once Mr. Inglis moved to the White House job two months later, the team did not hear from him again. In fact, Mr. Inglis entered a White House in the midst of an effort to put NSO out of business because of concerns about how its products were enabling human rights abuses and undercutting dissent and press freedoms around the world.

That effort accelerated when, in the middle of 2021, Biden administration officials learned that American diplomats based in Uganda had been hacked by Pegasus, the first known use of the spyware against the U.S. government.

On Nov. 3, 2021, the Biden administration publicly announced its decision to put NSO on the Commerce Department blacklist, in effect trying to put it out of business and putting the United States on record as seeking to rein in the proliferation of commercial spyware.

Days later came a well-disguised step in the other direction: Gideon, the U.S. affiliate of NSO, entered into the contract with “Cleopatra Holdings” — Riva Networks — specifying that the U.S. government would get access to NSO’s premier geolocation tool, what the company calls Landmark.

Landmark turns phones into a kind of homing beacon that allows government operatives to track their targets. In 2017, a senior adviser to Saudi Arabia’s crown prince, the same person accused of orchestrating the killing of Mr. Khashoggi, used Landmark to track Saudi dissidents.

Under the contract with Gideon, U.S. government officials had access to a special NSO portal that allowed them to type in mobile phone numbers, which enabled the geolocation tool to pinpoint the specific location of the phone at that moment without the phone user’s knowledge or consent. NSO’s business model requires clients to pay for a certain number of “queries” per month — one query being each individual attempt to locate a phone.

Under this contract, according to two people, there have been thousands of queries in at least one country, Mexico. The contract also allows for Landmark to be used against mobile numbers in the United States, although there is no evidence that has happened.

The November 2021 contract was signed under the name “Bill Malone,” identified as the chief executive of Cleopatra Holdings. In fact, the man who signed the contract is Robin Gamble, the chief executive of Riva Networks, according to two people familiar with the connection between Riva and Cleopatra.

A Times reporter recently visited the Washington, D.C., address for Cleopatra Holdings identified in the 2018 Justice Department letter to the Israeli government. The office had signs near the door saying it was monitored by 24-hour surveillance, and the lobby displayed an American flag on a stand and a framed certificate from a military special operations unit. There were no signs for Cleopatra Holdings, and the person who answered the door said she had never heard of the firm, but asked for the reporter’s business card.

An address for Riva Networks listed in a public database appears to be a residential home in a suburban New Jersey neighborhood. Nobody answered when a reporter knocked on the door. Mr. Gamble and the company did not respond to numerous requests for comment.

The decision to put NSO on the Commerce Department blacklist scared off most potential acquirers. But one soon emerged: L3Harris, a defense industry giant that specializes in selling electronic warfare and surveillance technology to the Defense Department, F.B.I. and U.S. spy agencies. According to the company’s 2021 annual report, more than 70 percent of the company’s revenue came from U.S. government contracts.

Four people familiar with the situation said L3Harris received cautious indications of support for pursuing an acquisition from officials inside several American and law enforcement agencies. L3 Harris did not respond to messages seeking comment.

L3Harris executives also held meetings with senior Israeli officials led by Major. Gen. Amir Eshel, the defense ministry’s director general at the time, who would have needed to authorize such a deal, given the Israeli national security interest in NSO. The executives told the Israelis that American intelligence agencies supported the acquisition as long as certain conditions were met, according to five people familiar with the discussions.

L3Harris also lobbied the Commerce Department to get NSO removed from the blacklist, according to documents obtained by The Times from a Freedom of Information Act request.

The Commerce Department sent a list of questions to NSO, which included questions about whether Americans outside the United States were protected from having NSO’s products deployed against them. The department also asked if NSO would “shut down access to its products if the U.S. government informs them that there is an unacceptable risk of the tool being used for human rights abuses by a particular customer?”

On May 13, 2022, Tania Hanna, the head of L3Harris’s government relations department, requested a meeting with Matthew Borman, a top Commerce Department official overseeing the blacklist.

Days later, a lawyer from the firm representing L3Harris, Covington & Burling, requested a meeting with Commerce Department officials that “involves an issue that is important from a U.S. and Israel national security/foreign policy perspective.”

A meeting was scheduled for June 15 between Mr. Borman and David Kornick, the president of L3Harris’s Intelligence and Cyber division, according to an email exchange. Because of extensive redactions in the Commerce Department documents, it is unclear whether the meeting took place. A Commerce Department spokesman declined to comment.

The negotiations between L3Harris and NSO got so far that the two parties put together a draft agreement, with plans to finalize the deal in June of last year, according to a copy of the agreement and emails reviewed by The Times.

There was a parallel discussion going on about NSO’s fate in Israel.

Senior officials in Mossad and the Shin Bet, Israel’s domestic intelligence service, wanted to nationalize the company so that it could continue selling its products to Israeli intelligence.

The prime minister at the time, Naftali Bennett, instead decided to support NSO’s sale to L3Harris, but on the condition that NSO would be free to sell its products to Israeli intelligence agencies.

What the Israelis didn’t know was that there was already stiff opposition inside the White House to the L3Harris deal. When news of the potential acquisition leaked on the site Intelligence Online, White House officials went public with their opposition, and said they would push to block any sale of NSO to a defense contractor with national security clearances. The L3Harris deal was dead.

But the secret contract for access to the phone-tracking tool was not. Cleopatra Holdings still makes monthly payments to Gideon Cyber Solutions for continued access to Landmark.