Defense Minister Benny Gantz paid a brief visit to Paris last week, to meet his French counterpart, Florence Parly. The meeting was coordinated many weeks in advance, but as the date drew near, the Defense Ministry considered postponing it due to the abundance of hearings in the Israeli Knesset. Ultimately, Gantz decided it was important enough to go. The reason: concern that the French would interpret the postponement as Israeli evasiveness against the backdrop of the NSO affair. The Defense Minister preferred to confront the French criticism, in the wake of claims that Moroccan intelligence services had used the "Pegasus" spyware, made by private Israeli cyber firm NSO Group, to hack the cellphone of French President Emmanuel Macron, along with other French politicians and journalists. Gantz presented Parly with the preliminary findings of Israel's inquiry into the matter and promised that Israel would share with France any additional information in the future.
It's doubtful whether the ministers, their aides, or any of the French journalists covering the affair were aware that all the while the French press was lambasting NSO's cyber activities, and insinuating that Israel was indirectly to blame, a French company based in Paris was marketing the very same products.
The company's name is Nexa Technologies, and it presents itself as offering "a range of solutions helping governments to address today's homeland security challenges." The colors of the French flag are visible on the homepage of the company's website. For the past 15 years now, Nexa has marketed "a complete range of products able to catch, intercept and manipulate smartphones" to law enforcement agencies around the globe.
And it's not alone. Since 2008, a German company based in Munich by the name of FinFisher has been offering the same exact services – "first-class cyber solutions" for organized crime, terrorism and more. Among other solutions, FinFisher offers to "cover the latest PCs, smartphones, tablets and most common operating systems."
These two companies are just examples. There are quite a few others in Europe that also specialize in offensive cyber capabilities.

Polus Tech, which operates out of Switzerland, is particularly interesting, mainly because one of its founders is Niv Karmi, who also helped found NSO Group (the "N" is for his name). Shortly after its establishment, Karmi departed.
Polus Tech specializes in the tactical infection of smartphones via the Global System for Mobile Communications (GSM) network. The tool the company developed impersonates frequencies. Once a person's phone searches for and connects to a cellular network, the tool essentially connects the phone to the company's computer system -- which gives Polus total control of the phone, without the owner's knowledge, of course.
And there are others; Memento Labs from Italy is active in the field, as is Mollitiam Industries from Spain, which also offers solutions that facilitate surveillance and information gathering from cell phones, desktop computers, and even Macintosh devices. Some of these companies are based in the heart of Europe, others in countries where human rights is not a priority, including in the Persian Gulf. As far as we know, no one in Europe has demanded an inquiry into these companies' activities or has published a list of their clients and who they were tracking. This is particularly egregious and conspicuous amid the backlash being faced by Israel's offensive cyber industry, which is constantly in the headlines.
Let it be noted: Israel must examine the NSO affair thoroughly. If it emerges that the company or any of its clients broke the law or violated the terms of its export permits, it must be punished severely. However, it appears that diplomatic, economic, and other interests are indeed behind this broad smear campaign. "The French hypocrisy screams to the high heavens," says a senior official in one offensive cyber company in Israel. "They are attacking us, while at the same time a company that does the exact same thing is operating right under their noses. And it's not just [in France], but throughout all of Europe."
Encrypted criminals
Israel is a cyber superpower, one on a small list of countries alongside the United States, Russia, China, and Great Britain. Behind Israel are far larger countries, such as Germany and Japan.
In the past, Israel mostly gathered information via signals intelligence (SIGINT). Through a variety of means, it patched into a variety of electronic data-transfer channels to extract tremendous amounts of information. Whatever data wasn't transferred through these channels, however, was out of reach. "It was a world of fishing," explains one prominent expert in the field. "You would sit with your net and wait for the fish to come."
Following the Sept. 11 terrorist attacks in 2001, the US legislated the Patriot Act, which expanded the authorities given to law enforcement agencies to collect intelligence. As a result, American agencies received access to all global internet traffic, which the US shared with a small handful of partners around the world. Israel, which wasn't included in this group, was forced to develop independent capabilities in this arena. The task was assigned to Unit 8200 of the IDF's Military Intelligence Directorate.
Maj. Gen. (Res.) Prof. Isaac Ben-Israel, formerly the head of the Directorate of Defense Research and Development at the Defense Ministry, currently the head of the Security Studies Program at Tel Aviv University, and a world-renowned expert in the field, wrote in Forbes in June: "The possibility of physical damage by cyber technology burst into global awareness following the collapse of centrifuges at Iran's uranium enrichment facilities in 2010 [an attack that was attributed to Israel – Y.L]. It was the first time the wider world had been exposed to the possibility of inflicting physical damage by "virtual" cyber-attacks."
Consequently, Israel became a global hub of expertise in the cyber field. First in the area of cyber defense (Israeli company Check Point, a trailblazer in this arena, was followed by dozens of other companies), and then in terms of cyber offense.
"The world of cyber forced us to shift from passivity to proactivity," the prominent expert says. "Instead of waiting for the fish to come, we were given the opportunity to hunt anything, anywhere. Unlike cyber defense, the purpose of which is to prevent others from infiltrating you, cyber offense can have several purposes -- the first is to cause physical damage, such as debilitating or impairing [an enemy's] capabilities, and the second is intelligence gathering."
Meanwhile, in 2007, Apple released the first iPhone. One of the dramatic innovations it came with were applications, many of which were encrypted. "If in the past you wanted to listen to a conversation between criminals, you'd go to the judge to get a warrant; but suddenly there was a problem: the criminals began talking in encrypted conversations, which couldn't be tapped," says the senior expert.

This problem became drastically more acute over the past decade, due to several factors that are not necessarily related to one another. The most important of them was Edward Snowden, whose defection to Russia and the information he leaked exposed, for the first time, America's wholesale exploitation of the Patriot Act to collect any and all forms of information from across the globe, including on friendly countries. As a consequence, the law's implementation was restricted, and the use of encrypted applications accelerated after the US gave the approval to encrypt almost everything as part of the Obama administration's privacy and information security reforms. The most popular instant messaging app, of course, is WhatsApp. Others, however, such as Signal and Telegram, are becoming increasingly popular.
Intelligence and police agencies around the world faced a new challenge: Trying to stop criminals or terrorists without having access to the systems they use to communicate. But for countries that didn't benefit from the Patriot Act, such as Israel (or Russia and China), this problem was relatively minor; they'd already developed their own muscles. For the former countries, though, this problem became fundamental and sometimes existential.
The first to throw large sums of money into this field were despotic regimes. NSO signed its first contract with Mexico. Reports soon surfaced that the Mexican authorities were using Pegasus to not only spy on drug traffickers and other criminals but on journalists and anyone the government believed posed a threat to it.
"In a world where conversations are encrypted end-to-end, there's no other alternative today in the war on serious crime and terror," NSO CEO Shalev Hulio told Israel Hayom in an interview two weeks ago, describing the need for software such as Pegasus. "Encryption is a wonderful thing for the normative citizen, but intelligence and law enforcement organizations need tools to prevent the next terrorist attack or crime. Pegasus is a life-saving program. Because of it, terrorist attacks were prevented on just about every continent on the planet, and more than 100 pedophiles were arrested just in recent years."
Without leaving a trace
NSO is currently the world leader in the field of intelligence gathering. It overtook the Italian company Hacking Team, whose computers were breached in 2015 and all of the information stored in them was leaked to the public. This information included a long list of clients from across the globe, including in countries with dubious human rights records, such as Russia, Sudan, Lebanon and Saudi Arabia, who benefited from Hacking Team's "Da Vinci" spyware.
The downfall of Hacking Team (which, incidentally, now operates anew under the name of the aforementioned Memento Labs), opened the market for widespread competition. NSO, which was already established and had a proven product to offer, was the first to jump into the vacuum. It currently employs some 850 people at its offices in Herzliya Pituah, and has contracts in 45 countries at an estimated worth of around $250 million.
Alongside NSO, there are over 10 companies in Israel operating in the same market. Most of them don't perform the surveillance work themselves, but rather sell user licenses and install their systems. The software is used by the local authorities that purchased it, which creates a barrier between the companies and any undesirable exploitation of their products.
A former employee at one of these companies explains: "Let's say you're in talks with a certain agency in a certain country. You don't really speak the language, and you really don't know the person they are surveilling. They will tell you it's a terrorist or drug trafficker, but it could be anyone. This buffer is critical for us; otherwise we'd get arrested for committing crimes."
This buffer is also the main defense employed by NSO and its advocates. "The accusations against [NSO] are ridiculous. It's like blaming Peugeot because a car it sold was used by a terrorist in a ramming attack," says Ben-Israel. "The French would roll their eyes: They've sold weapons to Morocco that have killed and done far more damage than Israeli cyber."
To put it simply, Pegasus allows its clients to hack and extract any information they want from cellular phones, including text messages (encrypted ones as well) and photographs, without leaving a trace. It also allows its clients to remotely activate the targeted phone's camera and microphone.
Israeli company Candiru does the same thing, only with desktop computers. It is located in Tel Aviv, employs some 80 people, and the estimated worth of its yearly contracts is some $50 million.
Cognyte (which split from Verint Systems) is located in Herzliya and employs hundreds of people in a variety of fields, including gathering information from cell phones. In the past, it specialized in audio tracking and recording systems, a field that became largely irrelevant following the general shift to encrypted conversations and text messages. The scope of its annual sales is estimated in the hundreds of millions of dollars.
Quadream, which gathers intelligence strictly from Apple's operating system (iOS), is situated in Ramat Gan and employs about 80 workers. Quadream sells its products through its Cyprus-based parent company, and its annual contracts are estimated to be worth tens of millions of dollars.
Cellebrite, which employs some 700 people and whose main offices are in Petah Tikva, can also be added to this list. Its sales last year were estimated at around $180 million.

In the past, the company specialized in transferring data between devices and has since transitioned into the field of digital forensics. It was Cellebrite that helped the FBI unlock the iPhone of San Bernardino terrorist Syed Rizwan Farook in December 2015.
Another member of this club is Paragon Solutions, which was co-founded by Brig. Gen. (ret.) Ehud Schneorson, the former commander of Unit 8200. Paragon also tackles end-to-end encryption across various applications. The company has several dozen employees and is based in Tel Aviv.
Concerns of impropriety
There are companies, however, that also sell to dubious regimes, such as Saudi Arabia, Morocco and the United Arab Emirates. "These countries pay the most," says a senior official in the Israeli defense establishment. "Countries like this can pay 10 and sometimes 20 times more than a developed country, such that the temptation is considerable." And still, some of these Israeli companies (Candiru, for example), have ethical boards that occasionally don't approve sales to certain countries due to concerns that their products will be maliciously exploited.
And then there's DarkMatter, a cyber company owned by the UAE's intelligence services. It was founded several years ago so the Emirates wouldn't have to rely on foreign elements for offensive cyber capabilities (or pay the accompanying exorbitant sums), and to give it full independence in the field. Its headquarters are in Abu Dhabi, but it has a subsidiary in Cyprus that employs several Israelis who were enticed with large sums of money.
Vulnerabilities worth their weight in gold
All of the aforementioned companies are predicated on one central factor: vulnerability. They search for breaches in software, then attack, penetrate and essentially seize control of devices and the information they contain. There's an entire global vulnerabilities market. There's even an American company, Zerodium, which essentially functions as a pricing index for the vulnerabilities market, characterizing and setting their price.
Vulnerability researchers are the most required resource in the cyber world today. They help block breaches for the defensive side and identify breaches for the attacking side. There is no state or private actor that doesn't employ vulnerability researchers. States do this to protect themselves and attack enemies; the large companies – Microsoft, Google, Apple and others – employ them to fortify their status and immunize their products. Offensive cyber companies employ them to detect the breaches around which they build the products they sell. The starting salary for a junior vulnerability researcher is at least NIS 50,000 ($15,500) per month. A senior vulnerability researcher will make double that amount if not more.
Unit 8200 selects its vulnerability researchers meticulously and cultivates them. Many of them routinely receive enticing offers from the private sector. "When a 23-year-old intelligence officer who makes NIS 10,000 ($3,100) a month gets an offer of NIS 120,000 ($37,000), plus a fat signing bonus, he has to face a very tough dilemma," says the senior expert in the field.
Most cybersecurity companies that discover vulnerabilities reveal them to the public for free. Offensive cyber companies, however, guard such information rigorously. "This is our gold," says a senior manager at one offensive cyber company. "A company can fall because of an exposed vulnerability."
According to the senior manager, some vulnerability researchers today prefer freelancing. "They live in some tax haven, find a vulnerability, and then sell it to the company in which it was found so that it can take measures to protect itself. Some vulnerabilities are sold for millions of dollars."
There are various ways to exploit a vulnerability and penetrate a system. Some of the hacking programs, such as Pegasus, allow the attacker to infiltrate without requiring the target to do anything ("zero-click"). Other programs require the target to take some sort of action – for example, clicking on a link ("one-click") – to facilitate a hack.
To understand just how hot this market is right now, one only has to peruse the list of American companies looking to hire vulnerability researchers and enter the field of offensive cyber. The list includes high-profile companies such as Lockheed-Martin, Northrop Grumman and others. The American administration has allocated billions of dollars to these companies for research and development. According to reports, Israeli defense giant Elbit could also be looking to become a player in this arena.
What the Americans won't do, the Europeans will. More than a few offensive cyber companies are currently active in numerous European countries, all offering the exact same products. This hasn't stopped their governments from attacking Israel. "This has nothing to do with human rights, and everything to do with business," says Ben-Israel. "They can stop with their sanctimony. No one on the planet has another solution to the problems of crime and terror in a world of encrypted communications."
What are 'ethics'?
In 2020, Israeli defense exports in the cyber field reached an estimated worth of some $6.85 billion, according to data provided by the Defense Ministry, which oversees the sales. Offensive cyber products accounted for about $415 million of this sum. This lucrative market directly provides a living for thousands of families in Israel, and tens of thousands more indirectly, because it contributes to the growth of many companies that feed off of it.
This is the main reason for the world war being fought between Israeli offensive cyber companies. They are all clawing for clients and employees; some of them are not above leaks, smear campaigns and sometimes even threats. All of these companies, incidentally, highlight their ethical criteria, which brings a chuckle to the senior defense official who spoke to Israel Hayom anonymously. "It's unclear what they mean by 'ethics.' They steal employees from 8200; that's ethical?"
The decision some of these companies have made to operate from abroad is not coincidental. Offensive cyber exports from Israel require the approval of the Defense Ministry's Defense Exports Control Agency (DECA), while Israeli companies operating abroad are not subject to this oversight.
Any company seeking to export military capabilities from Israel needs approval from DECA. As a rule of thumb, weapons can only be sold to government agencies, not to private elements that could exploit them commercially. Although the contract itself is between the company and a foreign state, it includes a commitment by the said state to DECA not to use the systems maliciously.
The law in Israel states that approval of all sales requires unanimous agreement by the defense and foreign ministries. If the Foreign Ministry representative objects but the Defense Ministry representative insists, an "escalation" mechanism is enacted, whereby the decision is kicked up the chain to the ministries' deputy director generals, then the director generals, and finally, in extreme cases, to the ministers themselves. "This has happened on more than one occasion, including with sales of offensive cyber [capabilities] to Gulf states. The prime minister was also deeply involved in the matter," says the senior defense official.
Several sources who were interviewed for this story claimed that the process in DECA is cumbersome and very slow. One of them said that the average amount of time it takes to approve a request, or not, once it has been submitted, is four months, which can complicate such business transactions.
On the other hand, DECA is the bulletproof vest for these companies, their kosher certificate. These companies emphasize that if a client has indeed violated the terms of his license – for example, by spying on journalists or human rights activists – it is immediately voided. The problem is that it's usually difficult to prove such violations, and DECA's oversight mechanism, which is mandated by law, is convoluted and not always effective.
Information from computers in Gaza
The list of countries that purchase offensive cyber systems can be roughly divided into three groups. The first, the "white countries," includes all the Western countries. The second, the "black countries," includes hostile regimes or those that grossly and systematically violate human rights, which disqualifies them from being sold offensive cyber capabilities – Russia, China, North Korea, Iran, and others.
The third group includes "gray countries," where sales are examined on a case-by-case basis. "It's hard to know the criteria by which approval is or isn't given," says the senior official in one Israeli cybersecurity company. "The interest of the companies is obvious, but there were more than a few cases in which the State of Israel was the one that pushed them to sell to one such country or another."
Case in point: The New York Times reported last month that Israel helped several offensive cyber companies (among them NSO, Candiru, Quadream, Verint and Cellebrite) sell to Saudi Arabia. The government's interest was clear: help an Israeli ally in its fight against Iran, ISIS and al-Qaida; "clear a path" for other Israeli defense companies in Saudi Arabia and, down the road, for the sale of civilian goods; and beat foreign companies to the punch for similar Saudi contracts.
Saudi Arabia, however, according to the report, improperly used some of the capabilities it received. Numerous reports (which were denied) linked Pegasus to surveillance activities that preluded the assassination of Saudi journalist Jamal Khashoggi. The UAE has also been suspected of employing these capabilities against human rights activists, while similar claims have been made against the Mexican government.
One of the more sensitive affairs in recent months has involved Candiru. A study published by the University of Toronto's Citizen Lab Research Institute (which is also behind some of the reports about NSO Group in recent years) led to an investigation by Microsoft, which said Candiru had created and sold a software exploit that can penetrate Windows.
Candiru's tools also exploited weaknesses in other common software products, like Google's Chrome browser. The company's "tools" were reportedly found in computers in Iran, Yemen, Turkey, Armenia, Great Britain, Spain and Hungary. It's safe to assume that in the Western countries, all surveillance activities were carried out lawfully and with a warrant, but the damage caused by their exposure had been done.
However, more than half of the offensive tools were found on computers in Gaza. One doesn't need a rich imagination to understand who has an interest in gathering classified information from computers in Gaza, and to whom these computers belonged. An analysis of the affair reveals that defense agencies in Israel don't just rely on their own capabilities, but occasionally need help from civilian companies with expertise in the field.
The paradox is that Microsoft's investigation was carried out by its offices in Herzliya. "It caused Israel significant damage," says the senior defense official who is intimately familiar with the matter. "Now it will be harder to fight terror in Gaza. The missiles that will fly from there could hit Microsoft's offices and its employees."
And this, in a nutshell, is the crux of the argument presented by offensive cyber companies: They are an essential tool for mitigating crime and terror, without which intelligence and law enforcement agencies around the world are helpless. The concern within these Israeli companies is that the current wave will lead to new draconian measures that will limit them. A senior Israeli defense official confirmed that "the matter is indeed being examined in light of the recent reports, and there will likely be changes."
"If the sale of these systems is banned, only bad will come of it," says a senior official at one Israeli cyber company. Isaac Ben-Israel agrees: "If Israel doesn't sell [these tools], others will. A lot of knowledge will be drained from here, because more companies will move their operations abroad, without oversight. The Israeli cyber industry will take a hit, the country's revenue will take a hit, and of course, our security will take a hit. Here and across the globe."