Anybody paying close attention to the surveillance industry over the past several years knows that the NSO Group, a notorious spyware maker from Israel, is a major source of ongoing drama. The seller of frighteningly powerful surveillance tools, the firm has—for years—been linked to shady clients (read: despotic regimes), which have frequently used its products to spy on journalists, political activists, and other vulnerable groups.
In November of 2021, after years of ongoing scandals, the Biden administration formally blacklisted the NSO Group, shutting it off from American investment opportunities. But the New York Times now reports that not every part of the government was on the same page about that decision.
Indeed, only five days after the White House blacklisted the spyware firm, an unknown federal agency used a front company to procure one of NSO’s most creepy products—a geolocation tool, known as “Landmark.” We still don’t know which part of the government pushed through that “secret contract,” but what we do know is this: it was acting in clear violation of the White House’s policy.
The “Secret Contract” Was Used to Track Targets in Mexico
The government’s decision to blacklist NSO in 2021 marked the beginning of a broader push by the Biden administration to rein in the excesses of the commercial spyware industry. As a result of that action, NSO was placed on the U.S. Commerce Department’s “Entities List”—an official tally of foreign firms that have been deemed as working contrary to U.S. interests. Getting put on that list means U.S. companies can’t do business with you unless they first acquire a special license from the government. The move was clearly designed to crush NSO financially—cutting it off from vital funding and support supplied by American firms. Since that time, the White House has only continued to go after the spyware industry writ large—passing a slew of regulatory reforms, including another executive order last week, all of which have sought to curb the harmful behavior of the industry’s worst offenders.
The White House’s very public efforts at reform make the revelation that an unknown federal agency procured NSO’s tool all the more bizarre.
While the nitty gritty details of this secret contract haven’t been spelled out, there’s enough information to paint a picture of highly suspicious behavior on the part of...someone. As the Times notes, the tool at the heart of the deal—Landmark—allows NSO clients to quietly track the physical locations of specific mobile users without their knowledge. Previous reporting has shown that the tool takes advantage of SS7, a telecom protocol that is known to have longstanding security deficiencies. The 2021 agreement involving the tool apparently allowed the U.S. government to “test, evaluate, and even deploy the spyware against targets of its choice in Mexico,” and two sources interviewed by the Times also said that the surveillance product was used to make “thousands” of queries related to targets in Mexico. Frighteningly, the parameters of the contract also allowed for the targeting of mobile users within the United States, though there is no evidence that anything like that has taken place, the Times writes.
Why, exactly, was Mexico a target? The answers to that question—like a lot of the details of this arrangement—is unknown.
One thing is for sure: whoever purchased Landmark certainly made a concerted effort to cover their tracks. The Times report that this unknown government agency—whatever it was—entered into an agreement with a front company, dubbed “Cleopatra Holdings,” in order to negotiate a contract with Gideon Cyber Systems—a holding company owned by the private equity firm, Novalpina Capital. Novalpina is the primary owner of NSO, having purchased the spyware vendor back in 2019, in an effort to rehabilitate its image amidst ongoing scandals. The contract was signed by a person named “Bill Malone,” who was said to be the CEO of Cleopatra Holdings. In reality, “Cleopatra” was actually Riva Networks, a secretive government contractor based in New Jersey that has a long history of procuring services for federal agencies, the Times reports. “Malone,” meanwhile, was a pseudonym used by Riva’s CEO, Robin Gamble. The Times states that when its reporters visited the listed address for “Cleopatra Holdings,” they found an odd looking office and were greeted at the door by a person who told them that she’d “never heard of” the company in question.
Riva Networks has sold NSO’s surveillance tools to the U.S. government before. Prior to the Biden administration’s 2021 blacklisting order, the FBI purchased a variant of NSO’s infamous “Pegasus” spyware; Riva was involved with that deal and used the same front identity to help the bureau procure the malware, the Times reports.
White House Calls the Deal “Highly Concerning”
Somewhat comically, the White House seems to be claiming ignorance about the contract: “We are not aware of this contract, and any use of this product would be highly concerning,” an administration official told the Times.
That response begs the question: uh, what happened here? Are you guys lying? Did a federal agency go rogue with this particular purchase? What gives?
The federal government has consistently proven itself to be of two minds about powerful cyber tools like Landmark and Pegasus: the executive branch, on the one hand, has consistently sought to acknowledge the dangers that such products pose...while the national security community has often seemed to be champing at the bit to deploy them—knowing full well how useful they can be.
Indeed, the Biden administration’s very public-facing efforts at industry reform have been flanked by the national security establishment’s ongoing drive to possess the uncanny powers offered by the spyware industry’s top players. The FBI reportedly spent close to two years deciding whether it should procure spyware systems from NSO Group; the products were being considered as a potential domestic surveillance tool, the Times previously reported. At the same time, other U.S. actors have sought to peel the spyware tools away from NSO’s original company and refurbish them as American cyberweapons. Last summer, the American defense giant L3Harris mulled a potential acquisition of the spyware company which, the Times now reports, was “far more advanced than previously known” and involved discussions with the Commerce Department to green light the deal, despite NSO’s blacklisted status.
Caught between a desire to bolster the spyware industry or kill it, the government is clearly at odds with itself. Which of these perspectives is going to win out in the long term? I guess we’ll have to wait to find out.