NSO Group

We're starting to see some information on the Israeli cyberweapons arms manufacturer that sold the iPhone zero-day exploit to the United Arab Emirates so they could spy on human rights defenders.

EDITED TO ADD (9/1): There is criticism in the comments about me calling NSO Group an Israeli company. I was just repeating the news articles, but further research indicates that it is Israeli-founded and Israeli-based, but 100% owned by an American private equity firm.

Posted on August 31, 2016 at 8:16 AM • 57 Comments

Comments

David • August 31, 2016 9:09 AM

Ah, those Israelis again. Manufacture not simply smartphone spying trojans but "cyber-weapons" and "arms". Eternal enemies of humankind and especially of human rights defenders. Drinkers of blood of Palestinian babies (Christian babies are not in vogue these days) and not only during Passover. Implementors of the Protocols of Elders of Zion. The world would be such a better place without them.

paul • August 31, 2016 9:13 AM

So essentially this is the converse of the old platitude about the internet routing around censorship? The company sells stuff based on assurances that their work will not be used in an unlawful manner, where that apparently means at best "unlawful in the jurisdiction of the purchaser."

Craig • August 31, 2016 9:35 AM

@David: And what was the point of that conspicuously idiotic comment? That anyone who dares to criticize anything to do with Israel is obviously motivated by anti-Semitism, because Israel is the most moral country in the world and no Israeli would ever do anything wrong?

Clive Robinson • August 31, 2016 10:18 AM

It needs to be said that whilst the NSO Group are Israeli, they are just the latest organisation to get caught out doing this sort of thing. Other offenders are known to be in many countries, selling anywhere they can, so it's hardly an Israeli only issue.

It's often been said that commerce has no moral ambiguities, as you need morals for that, (Apple being recently shown to have less than the morals of an alley cat as far as tax is concerned for instance).

Roger • August 31, 2016 10:57 AM

Israeli company, in this context. Yes, it's particularly egregious to trade money to submit Palestinian (presumably) activists, but examine the facts - most cyber guys there are from 8200. I don't think anyone can put Israel under their thumb the way this lines up. Exploitation brokers have been operating with impunity and detached from any ethical limitations for a while now. Agreed with Clive...basically, "OK. They're located in Israel".

Mata Hairy • August 31, 2016 11:16 AM

NSO is the natural successor of Narus and Verint,

http://www.democracynow.org/2008/10/14/james_bamford_the_shadow_factory_the

and since beltway bucks are fungible, all three firms plus NICE and lots of Mom-and-Pops are part of the US-funded Israeli state surveillance industry. The firms get absorbed piecemeal by US private equity and primes, and next thing you know, Jan Schakowsky gets caught in flagrante delicto with a hot Turkish Sapphite and becomes a super-loyal supporter of Israel's right to exist and shoot off neutron bombs.

The product here is Blackmail. Kompromat. Zersetzung. Ask yourself, how does a compulsive dinkywaver like Huma's hubby get where he is? Foley? Hastert? Clinton? Come on. When Israel gets you by the balls your hearts and minds will follow.

David • August 31, 2016 12:19 PM

Reread the post of Bruce that puts a superfluous double emphasis on Israeli "cyber weapons arms" (as if weapons are not arms; insinuation - Israel - arms dealer state); plus emphasis on "human rights defenders" (as if any of the entities selling phone spy software to LEAs is doing it because it is against human rights defenders) and then make some effort to work the grey tissue, and in the event you succeed you will see how idiotic your own comment is.

And if you are not convinced, read the comment (which I fully and correctly predicted in my post) by @Roger, for whom the company is "trading money" (sic!) to submit the human rights defenders who are "presumably" Palestinian (why "presumably" Palestinian? In UAE? Palestinians? The clueless dumbo obviously knows nothing about the Middle East, geography, Palestinians or UAE, but of course - Israeli company so it must be Israel chasing the non-existing Palestinian human rights defenders in UAE).

And if you are still not convinced, read the KKK style comment of Mata Hairy from which only the explicit reference to the Protocols of the Elders of Zion (which I also predicted in my post) is missing. LOL. The good thing about this crowd is that they are so stupid and predictable.

Wael • August 31, 2016 12:30 PM

David,

"The good thing about this crowd is that they are so stupid and predictable."

So what am I going to say next, oh great tarot-reader?

hawk • August 31, 2016 12:33 PM

Yeah, and now it comes out that the Israelis are responsible for the deep craton rattling earthquakes trying to make volcanoes erupt so the European airspace will be closed. Then they can sock the Arab banks and make off like pirates they are. They also slip mind altering chemicals into children's lunches. Is it true that Israel designed the Zika virus but someone inadvertently spilled something in a Miami airport last year and now it's loose? If you don't believe me just ask David.

r • August 31, 2016 1:04 PM

@hawk,

"They also slip mind altering chemicals into children's lunches."

Actually, that specific piece of speculation belongs to the Chinese.

http://www.cnn.com/2007/US/11/08/toy.recall/ (aquadots)
http://politicalticker.blogs.cnn.com/2007/12/21/china-blasts-obama-call-for-toy-ban/

(contaminated food)
http://www.huffingtonpost.com/christopher-gavigan/whats-for-dinner-lead-and_b_152179.html

(designer drugs)
http://www.nytimes.com/2015/05/29/us/arrest-opens-window-on-chinas-role-in-designer-drug-market.html


While I'm fully aware you were joking about Israel poisoning children, it's not possible to dismiss such behaviour entirely from other global "money traders".

David • August 31, 2016 1:49 PM

@Daniel,
Thank you for providing an additional confirmation of the point I was making. You are the right person in the right forum.

Mata Hairy • August 31, 2016 2:35 PM

Bravo! This post is agitating the hasbarists to a fine hysterical tizzy. In new heights of piteous whining, David equates documented FBI intercepts and sworn testimony on SCI with antisemitism. Because probative SIGINT has a notorious antisemitic bias. And because the Israeli state would never ever spy on us - they only help fine upstanding policemen uphold the law, [oops, not the international humanitarian law of apartheid and genocide, silly!]

Poor David identifies so slavishly with sectarian authority that he cannot distinguish between our good Jew buddies like Philip Weiss and the criminal Zionist state that's exterminating the indigenous population of Palestine with the help of illegal blanket surveillance. He thinks we hate them all, when we merely want to try and imprison the criminal apartheid regime.

David • August 31, 2016 2:45 PM

@Mata Hairy,

I would not dream of accusing you, of all people, of anti-semitism. After all, as you pointed out so eloquently, some of your best friends are Jews.

Mata Hairy • August 31, 2016 3:10 PM

Waah-baby, Waah! Waah! Blood libel against fanatical genocidaires! How very, very ever-so-unfair!

You've been in a big incapacitating panic attack ever since Palestine acceded to the International Criminal Court, and it's a hoot. All the APTs in the world aren't gonna get you outa this. Even those nuke pits you stole from NUMEC aren't gonna get you outa this. You're going down like the Rhodies and you got no one to cry to.

Mata Hairy • August 31, 2016 3:31 PM

We love it when you Khnyoks come and argue and whine, because then we get to link to more of the 6 million incriminating facts for the ICTI crimes against humanity tribunal coming down the pike. So keep it up! There's lots more gory detail to get to! Did I mention the Palestinian chair, or the shaking??!

Mata Hairy • August 31, 2016 3:48 PM

So anyway David, when the Likudniks sterilized every guy in Israel with the DU plume from Cast Lead, and you found out you're all shootin blanks and you're going extinct, were you annoyed? Or were you a good sport about it?

mishehu • August 31, 2016 3:52 PM

Way to keep on topic... I somehow had higher expectations of people who claim to read Bruce's blog. I haven't had time to read the article, and I'm actually not terribly interested. However, my first impression is that the tool maker isn't responsible for when somebody takes their hammer and bashes in somebody's skull. So perhaps, just perhaps, NSO is selling something to somebody with a wad of cash and not asking any questions about it... The nation of origin of NSO is really not relevant to the story other than the fact that the Arab nations who refuse to acknowledge Israel's existence and legitimacy openly and publicly do so privately when it suits their needs.

Daniel • August 31, 2016 4:06 PM

@Mishehu

"However, my first impression is that the tool maker isn't responsible for when somebody takes their hammer and bashes in somebody's skull."

If you scroll down the main page to the prior post Bruce made on this topic you will see that I address this specific issue in the comments section to that post. If you are too lazy to read the full comment the synopsis is: Israel is sailing very close to the line between tool selling and tool agency. They probably haven't crossed it yet but if they haven't it won't take much for them to cross the line and become complicit in human rights abuses.

mishehu • August 31, 2016 4:12 PM

@Daniel

Rather broad brush you paint with. Last I heard, NSO Group != Israeli Gov't. Even in the article there's no mention of gov't control or ownership over this company. Therefore, unless you're going to blame America for the business practices of Donald Trump, you shouldn't blame either a nation or a people for the conduct of a privately owned company.

Mata Hairy • August 31, 2016 4:17 PM

'The nation of origin is really not relevant other than it's a genocidal apartheid regime that maintains itself solely by serious crimes of concern to the international community so Israel has a Ricardian comparative advantage in technology used for suspension and denial of derogable and non-derogable human rights.'

There, fixed it for ya.

Wael • August 31, 2016 4:19 PM

@Mishehu,

"I somehow had higher expectations of people who claim to read Bruce's blog"

Start with yourself! And David is the one who started the off-topic comments, right off the bat through the first comment.

"Way to keep on topic."

Then, in the same breath:

"Arab nations who refuse to acknowledge Israel's existence and legitimacy openly and publicly do so privately when it suits their needs."

What gives? Consistency is virtue!

Ergo Sum • August 31, 2016 4:56 PM

Yes, the NSO group and UAE got caught red-handed in this case, but it's not like it's the only group that sells 0-day exploits. Nor is it the only country that purchases these exploits:

https://www.washingtonpost.com/world/national-security/nsas-use-of-software-flaws-to-hack-foreign-targets-posed-risks-to-cybersecurity/2016/08/17/657d837a-6487-11e6-96c0-37533479f3f5_story.html

While the article implies that NSA used these tools to exploit foreign targets, the same exploits could easily be used for US targets as well.

Ross Snider • August 31, 2016 5:04 PM

What we're starting to see is the cyberwarfare that many experts, including Bruce Schneier, maintained a steadfast skepticism of for a long time.

Global and domestic and individual surveillance, global and domestic and individualized cyber-propaganda, plus global and targeted penetrations of critical infrastructure.

The capability sets that these cyber weapons bring are seeing applications that old technologies for surveillance, espionage, propaganda and sabotage brought - and by many of the same actors for many of the same reasons.

It is not a surprise that traditional leading firms in arms dealership (in Israel, Germany, Russia and the United States) continue with business selling to their typical and historic customers.

What is possibly a surprise is that the 'freeing' technology that so many opined about (internet) has, for the most part, seen its greatest and most influential entrance to the stage as a combination of entertainment (pornography and Netflix) and weaponry (cognitive wrt propaganda/censorship/surveillance as well as cyber wrt sabotage/espionage). The immediate opposite of the promise of the technology has manifested.

Somewhere between human rights advocacy organizations and technologists the idea that our technology stacks should themselves be rectified to harden them from weaponization is lost, with those advocacy groups suggesting to the governments and industries that benefit and exploit these weapons for wealth and power that they 'please stop' - as though that were a viable alternative.

Sancho_P • August 31, 2016 6:18 PM


To me the single important point in that story would be:
What about the NSA here?

I mean, did they know about the vulnerability?
If yes, since when?
It’s a foreign “cyber-weapons arms manufacturer” (tm @Bruce), bought by a US company, their customer obviously was UAE (but I guess they had other customers, too, also with other products before).
They should have known about the product.

If the answer is no, what is the reason for their ignorance?
Do they sleep or are they wasting taxpayer’s money in some other way (like money laundering)?
I have a bad feeling regarding their “70 years ahead” (https://www.schneier.com/blog/archives/2016/08/the_nsa_is_hoar.html#c6732780) when I think of serious information loss (Secretary of State email, Sony, OPM, DNC).
My estimate would be they are 5 years behind.

So back to yes, they knew.
How many US VIPs use the vulnerable iPhone?
Was it really a NOBUS vulnerability?

Moderator • August 31, 2016 6:41 PM

@Daniel, I have deleted your reprehensible comment. This is not the forum for you.

william anderson • August 31, 2016 6:48 PM

NSO is not an Israeli company, but a U.S. California company now.
So USA is attacking citizens worldwide, which is against FBI law.

Raul Rabinovich • August 31, 2016 6:51 PM

The iPhone with iOS is the most insecure device.
Actually there are 5 remote exploits on sale on the underground market against iOS devices. Better to change the iPhone immediately.

dennis • August 31, 2016 6:52 PM

@r wrote, "While I'm fully aware you were joking about Israel poisoning children, it's not possible to dismiss such behaviour entirely from other global "money traders"."

It's definitely not kosher, it's called MSG, and it's not classified as poison.

I take your "money trader" remark as euphemism, because in the real world it's printing money or more technically referred to as selling money. :)

r • August 31, 2016 7:09 PM

@dennis,

It was in reference to something @Roger & @David just said above "trading money", I expanded it to include things with a) a short t2m/ttm (time-to-market) and b) little consumer protections/oversight.

Does "money traitors" feel better?

Daniel • August 31, 2016 7:16 PM

@Moderator

Wait...what?

Two trolls come in and thread crap all over the place and your response is to tell them to "cool it" and yet my mild observation...that the Jewish state may be replicating some facets of Nazism...is so heinous that it has to be deleted?

Ok. It's your crib not mine. But your arbitrary standards do not leave this blog looking good....

Mahershalalhashbaz • August 31, 2016 8:57 PM

This is all very unfair antisemitic hate speech regarding NSO. NSO doesn't need your stupid American zero days. We don't care about your big American vulns. We don't waste our time spying on your dumb American private lives.

Why should we? Israel gets it straight from NSA! All your bathroom selfies of you flexing and making that intense face, and those soulful full-length portraits of your diminutive chubby, we get it unminimized, under strict rules that we should please pretty please obey US law (not that it's binding or anything) and only laugh at them for a year. Also we have to destroy upon recognition of like, Jan Schakowsky (Oy, talk about a Third Party relationship being driven almost totally by the needs of the partner!) or other official stuff.

http://www.theguardian.com/world/interactive/2013/sep/11/nsa-israel-intelligence-memorandum-understanding-document

https://www.theguardian.com/world/2013/sep/11/nsa-americans-personal-data-israel-documents

65535 • August 31, 2016 9:26 PM

Not only is the NSO Group profiteering off of human rights advocates, it is probably going to sell another copy of the iPhone hack to other marginal states.

Remember the fact that a copy of a zero-day exploit is only a copy and can be resold to others – at the expense of the UAE. Fraud is not new.

Drone • August 31, 2016 11:34 PM

The United Arab Emirates buying "Cyber-Weapons" from Israel is so obviously self-defeating via self-infection - it is comical. And yes, the UAE actually PAID for the Trojan that now infects them!

Gary • September 1, 2016 6:16 AM

Bruce, probably best to clarify the real status of NSO Group which is that it's U.S. owned with operations in Israel. We don't call Apple a Chinese company even although the majority of their products are manufactured there.
Hopefully the distinction will stop the trolls ...

wiredog • September 1, 2016 6:20 AM

Being a resident of the DC area I keep reading that as "National Symphony Orchestra", which would be an awesome cover for a cyber espionage group.

H.B. Gary • September 1, 2016 7:47 AM

@Gary is right. These trolls oversimplify everything. To be precise, NSO is a privatized arm of 8200, the domestic and international surveillance agency of the Israeli Defense Force, funded by US foreign aid and private investment. Israeli and US state surveillance Amts collaborate with other countries' clandestine services in a structure exemplified by the Safari Club: each country commits acts that would be illegal in the other. This structure also permits crimes in universal jurisdiction using eyes-only coordination agreements that give foreign agents 'sources and methods' impunity inside the US. So NSO is part of the efficient government, in Bagehot's sense: specifically, a joint criminal enterprise of US and allied intelligence services that negates and rewrites domestic law at will. The complement, Bagehot's dignified government, is purely ceremonial - Congress and the courts have no role and the executive is a puppet of the intelligence agencies directed, since the mid 1980s, by intelligence-agency nomenklatura. So knock it off with the thoughtcrime, trolls. NSO is Big Brother and you love Big Brother, and Oceania has always been at war with Eurasia.

z • September 1, 2016 9:36 AM

"Cyber weapons arms manufacturer" is melodramatic. It's just a zero-day exploit and a payload. By that logic, the Kali Linux USB on my keychain is a "mobile cyber weapons stockpile and manufacturing facility", which might be fun to tell people at parties, but would not be an appropriate way to explain the subject to the general public. Let's not start sounding like fear-mongering, ill-informed Congressmen.

Steve • September 1, 2016 11:46 AM

>>> [NSO is] owned by an American private equity firm.

Yes, by http://www.franciscopartners.com, which recently purchased Dell Security (Including SonicWALL) and already owned WatchGuard firewall brands...

What a boon for an exploit vendor- to have internal access to source code of several major firewall vendors...

Dirk Praet • September 1, 2016 3:40 PM

@z

"By that logic, the Kali Linux USB on my keychain is a "mobile cyber weapons stockpile and manufacturing facility""

It actually is in the hands of an experienced OSCP (Offensive Security Certified Professional) using it against entities that are not too big on security in general and patching in particular. Which still is the majority.

I'm on the 2016 rolling release myself and I have added some useful additional features which I feel are missing, such as my favourite Gnome shell extensions, transparent traffic torification, TBB, disabling of unnecessary startup daemons, a paranoid ufw setup, some additional hardening and replacement of the pretty useless Metasploit Framework by the Community Edition (which you have to register for with Rapid7). Anyone interested can set up his/her own virtual pentesting lab, get some cool (free) training at http://www.cybrary.it, and which you can further complement with hands-on target practicing on vulnerable VM's from https://www.vulnhub.com .

A young Padawan of mine has actually become quite hooked on these to the point that he finds their challenges way more interesting than gaming and now wants to become the next Julian Assange. Needless to say that his mom is not amused.

John • September 1, 2016 6:39 PM

@ Gary,

"USA-owned" doesn't mean it's always owned by Americans. It just means the parent company is registered under U.S. jurisdiction.

CarpetCat • September 1, 2016 8:13 PM

Off-Topic

Does Israel have neutron bombs? AKA, the "W" bomb? I read this above, but had thought they only had traditional nukes?

I know the Chinese stole the plans some years ago, but this would have me re-think my RealLife(tm) Risk neverending game.

always more ads • September 1, 2016 10:11 PM

At what point does the Citizen Lab / Intercept / Wikileaks cease to be a free advertising platform for newly privatized IC functions? Is it only after they've become recruitment centers?

I know that the FBI and DOJ have been playing Stonewall against these great offerings making their way to potential new customers with plenty of cash, but the turn to these alternative media contacts is, interesting, to say the least...

Basic Research • September 4, 2016 9:19 AM

Because technology is in control of mankind the eternal hatred in the Middle East spills over into The West. A simple startpage web search easily finds the facts:

“The company that the researchers linked the spyware back to is extremely secretive. It is based in Herzelia, an area near Tel Aviv that is home to a thriving tech culture. It was founded by Shalev Hulio and Omri Lavie in 2009, according to Hulio and Lavie's LinkedIn pages. Several of its employees previously worked for Unit 8200, the Israeli Army's cyber division, which is known to produce spying software.”
http://www.khou.com/tech/shadowy-israeli-firm-behind-apple-hack-tool/309418384
Israeli Entrepreneurs Play Both Sides of the Cyber Wars
Startups such as NSO and Kaymera play opposing sides of the cyber wars, with one selling offensive spying capabilities to governments while the other peddles products that defend against that same technology.
http://www.bloomberg.com/news/2014-09-29/israeli-entrepreneurs-play-both-sides-of-the-cyber-wars.html

Some intelligent looking money managers:
http://www.franciscopartners.com/team

Clinton used iPad for personal email at State
So Israel knew every move our ‘extremely careless’ Secretary of State Clinton made. In addition dozen of her phones that were smashed with hammers.
http://www.cnn.com/2015/03/31/politics/hillary-clinton-ipad-e-mail-devices/

I’m the Greatest
Edward Snowden was always right of course. Did USA citizens know USA government employees can spew their taxpayer funded propaganda at these web sites? It's legal!

This whole nonsense could be stopped if former government security specialists were prevented from seeking remuneration off the knowledge they gained while employed. But it's not going to stop. Look at the revolving door between the White House and Silicon Valley corporations. Politicians don’t mind the data-mining if it keeps them employed and in charge.

MarkH • September 5, 2016 8:04 AM

Sad to see the deterioration of comments on this blog ...

As to the absurd focus on Bruce's characterization of NSO as "Israeli", especially because it is now owned by a US firm:

Is it WRONG to say that Burger King, or Ingersoll Rand are US companies? They were started in the US, have the great majority of their plant and operations in the US, but now are owned by businesses outside the United States.

What does all this nattering have to do with security?

Larry • September 6, 2016 10:39 PM

@Basic Research, "Politicians don’t mind the data-mining if it keeps them employed and in charge."

Politics is about data mining and statistics, so it's unfair to say they are polar opposites. That's why I doubt politicians mind as long as they are presented with workable numbers. You mentioned Snowden. There are still lots of gaps, from the distant past, to be filled by Snowden's archives and even if Snowden's archive fills the gap it doesn't warrant baseless assumptions.

tbd • September 7, 2016 4:22 PM

@Larry, the Federation of American Scientists, when compiling Congressional Research Service (CRS) Reports, relies on statistics, facts and workable numbers.

It's up to the politicians to disregard it, ask Yellen to print more money or borrow against Social Security or implement restrictive zoning laws by honoring promises brought about for repaying lobbyist funds (for reelection...NEVER pocketing it).
