Federal Agency Acquired NSO Group Malware Via Front Company After NSO Was Blacklisted By Commerce Dept.

A leak of alleged customers' targets - a list that included journalists, human rights activists, religious leaders, government critics, and political figures - turned a trickle of news about Israel-based NSO Group into a steady stream of harrowing revelations.
NSO was the best in the spyware business, offering customers a zero-click exploit that almost fully compromised targets' phones. NSO's "Pegasus" malware was wiretaps on steroids, a powerful tool that allowed the interception of communications, remote activation of mics and cameras, and access to content stored on targeted devices.
Power is supposed to go hand-in-hand with responsibility, but no one was acting responsibly here. NSO sold its malware to notorious human rights abusers. Unsurprisingly, the end result was plenty of abusive surveillance.
The US government reacted to this steady stream of negative revelations by slapping NSO with some sanctions. The Commerce Department put NSO Group (and another Israeli malware purveyor linked to surveillance abuse) on its blacklist, effective November 3, 2021. This blacklisting forbade the issuing of licenses for "exports, reexports, or transfers (in country) to the persons added to this Entity List."
While this blacklisting did not specifically forbid US government agencies from acquiring NSO malware, you'd think they'd assume it would be best to steer clear of companies currently under sanctions. But common sense didn't prevail here. According to this report from Mark Mazzetti and Ronen Bergman for the New York Times, one federal agency decided it wasn't going to let sanctions and months of bad press separate it from its preferred spyware.
And the agency (which has yet to be identified) knew this would be a PR nightmare, so it decided to let someone else take the fall for this unwise acquisition.
The secret contract was finalized on Nov. 8, 2021, a deal between a company that has acted as a front for the United States government and the American affiliate of a notorious Israeli hacking firm.
Under the arrangement, the Israeli firm, NSO Group, gave the U.S. government access to one of its most powerful weapons - a geolocation tool that can covertly track mobile phones around the world without the phone user's knowledge or consent.
If the veiled nature of the deal was unusual - it was signed for the front company by a businessman using a fake name - the timing was extraordinary.
The timing, indeed. This deal was signed five days after the Commerce Department sanctions went into effect. Hence the use of a front company and fake person in hopes of flying this questionable purchase under the radar.
But it didn't work. The New York Times acquired a copy of the contract. However, it's missing one crucial detail: the name of the agency that decided it was worth looking shady as fuck to acquire tech from a company currently occupying the spyware Pariah-in-Chief role.
On the other hand, it did work. If administration officials are to be believed, they're unaware this purchase happened.
Asked about the contract, White House officials said it was news to them.
Obviously, someone knows something. The contract exists and appears to be real. But White House officials (speaking anonymously) claim to know nothing about this. The Director of National Intelligence has refused to provide any comment. If anyone knows anything about this, it's probably the FBI, because it used the same front company to acquire NSO's Pegasus malware a few years ago, long before NSO became internationally infamous.
The secret November 2021 contract used the same American company - designated as "Cleopatra Holdings" but actually a small New Jersey-based government contractor called Riva Networks - that the F.B.I. used two years earlier to purchase Pegasus. Riva's chief executive used a fake name in signing the 2021 contract and at least one contract Riva executed on behalf of the F.B.I.
The signature on the contract says "Bill Malone," but people familiar with the front company (and the government's use of it) say that's the name used by Robin Gamble, the chief executive of Riva Networks.
And what was being acquired here wasn't NSO's flagship malware - the zero-click exploit known as Pegasus. Instead, the unknown government agency wanted another powerful exploit. This one, called Landmark, turns phones into homing beacons, allowing governments to track people wherever they go. NSO's Landmark has its own sordid past. It has been linked to multiple abuses by the Saudi government to track dissidents and government critics.
While I understand front companies might be needed to ensure operational security in extreme cases, this whole thing just looks extremely dirty. A federal agency used a shady company (here's a photo of Riva's supposed headquarters) to buy tech from another shady company, all while being fully aware the company it was buying from had been sanctioned by another federal agency. The government is acting like the Mob. And when it does that, it lays the groundwork for abuse of a product the rest of the government doesn't even know it has.