Date: 2022-12-09

The Biden administration took a public stand last year against the abuse of spyware to target human rights activists, dissidents and journalists: It blacklisted the most notorious maker of the hacking tools, Israeli firm NSO Group.

But the global industry for commercial spyware — which allows governments to invade mobile phones and vacuum up data — continues to boom. Even the U.S. government is using it.

The Drug Enforcement Administration is secretly deploying spyware from a different Israeli firm, according to five people familiar with the agency’s operations, in the first confirmed use of commercial spyware by the federal government.

At the same time, the use of spyware continues to proliferate around the world, with new firms — which employ former Israeli cyberintelligence veterans, some of whom worked for NSO — stepping in to fill the void left by the blacklisting. With this next generation of firms, technology that once was in the hands of a small number of nations is now ubiquitous — transforming the landscape of government spying.

One firm, selling a hacking tool called Predator and run by a former Israeli general from offices in Greece, is at the center of a political scandal in Athens over the spyware’s use against politicians and journalists.

After questions from The New York Times, the Greek government admitted that it gave the company, Intellexa, licenses to sell Predator to at least one country with a history of repression: Madagascar. The Times has also obtained a business proposal that Intellexa made to sell its products to Ukraine, which turned down the sales pitch.

Predator was found to have been used in a dozen more countries since 2021, illustrating the continued demand among governments and the lack of robust international efforts to limit the use of such tools.

The Times investigation is based on an examination of thousands of pages of documents — including sealed court documents in Cyprus, classified parliamentary testimonies in Greece and a secret Israeli military police investigation — as well as interviews with more than two dozen government and judicial officials, law enforcement agents, business executives and hacking victims in five countries.

The most sophisticated spyware tools — like NSO’s Pegasus — have “zero-click” technology, meaning they can stealthily and remotely extract everything from a target’s mobile phone without the user having to click on a malicious link to give Pegasus remote access. They can also turn the mobile phone into a tracking and secret recording device, allowing the phone to spy on its owner. But hacking tools without zero-click capability, which are considerably cheaper, also have a significant market.

Commercial spyware has been used by intelligence services and police forces to hack phones used by drug networks and terrorist groups. But it has also been abused by numerous authoritarian regimes and democracies to spy on political opponents and journalists. This has led governments to a sometimes tortured rationale for their use — including an emerging White House position that the justification for using these powerful weapons depends in part on who is using them and against whom.

The Biden administration is trying to impose some degree of order to the global chaos, but in this environment, the United States has played both arsonist and firefighter. Besides the DEA’s use of spyware — in this case, a tool called Graphite, made by Israeli firm Paragon — the CIA during the Trump administration purchased Pegasus for the government of Djibouti, which used the hacking tool for at least a year. And FBI officials made a push in late 2020 and the first half of 2021 to deploy Pegasus in their own criminal investigations before the bureau ultimately abandoned the idea.

In a statement to the Times, the DEA said that “the men and women of the DEA are using every lawful investigative tool available to pursue the foreign-based cartels and individuals operating around the world responsible for the drug-poisoning deaths of 107,622 Americans last year.”

For more than a decade, NSO sold Pegasus to spy services and law enforcement agencies around the world. The Israeli government required the company to secure licenses before exporting its spyware to a particular law enforcement or intelligence agency.

This allowed the Israeli government to gain diplomatic leverage over countries eager to purchase Pegasus, such as Mexico, India and Saudi Arabia. But a mountain of evidence about the abuse of Pegasus piled up.

The Biden administration took action. A year ago, it placed NSO and another Israeli firm, Candiru, on a Commerce Department blacklist — banning U.S. companies from doing business with the hacking firms. The administration is coordinating an investigation into what countries have used Pegasus or any other spyware tools against U.S. officials overseas.

Congress is working on a bipartisan bill requiring the director of national intelligence to produce an assessment of the counterintelligence risks to the United States posed by foreign commercial spyware. The bill would also give the director of national intelligence the authority to ban the use of spyware by any intelligence agency. The White House is working on an executive order with other restrictions on the use of spyware.

But there are exceptions. The White House is allowing the DEA to continue its use of Graphite, the hacking tool made by Israel-based Paragon, for its operations against drug cartels.

Similar to Pegasus, the NSO tool, Graphite spyware can invade the mobile phone of its target and extract its contents. But unlike Pegasus, which collects data stored inside the phone itself, Graphite primarily collects data from the cloud after data is backed up from the phone. This can make it more difficult to discover the hack and theft of information, according to cybersecurity experts.

DEA officials met in 2014 with NSO about purchasing Pegasus for its operations, a meeting reported earlier by Vice News, but the agency decided against purchasing the spyware.

Paragon’s sales are regulated by the Israeli government, which approved the sale of Graphite to the United States, according to an official aware of Israel’s defense export licensing agreements.

Even as the U.S. government purchases and deploys Israeli-made spyware with one hand, the Biden administration’s move to rein in the commercial spyware industry with the other has frayed relations with Israel.

Predator Emerges

Tal Dilian, a former general in Israeli military intelligence, was forced to retire from the Israel Defense Forces in 2003 after an internal investigation raised suspicions that he had been involved in funds mismanagement, according to three people who were senior officers in military intelligence. He eventually moved to Cyprus, a European Union island nation that has become a favored destination in recent years for surveillance firms and cyberintelligence experts.

In 2008 in Cyprus, Dilian co-founded Circles, a company that used an Israeli-perfected snooping technology known as Signaling System 7. He sold it off and went on to set up other companies selling surveillance products. He prided himself on recruiting the best hackers, including former spyware experts from the Israeli military’s most elite cyberintelligence unit.

Dilian did not respond to requests for an interview or to written questions submitted to him directly and through his lawyers.

For several years after the sale of Circles, Cyprus was good to Dilian. Then, in 2019, he gave an interview to Forbes from a surveillance van driving through the Cypriot city of Larnaca. He gave a mock demonstration of the van’s ability to hack any nearby phone and steal WhatsApp and text messages from unsuspecting targets.

Cypriot authorities soon issued a request for his arrest through Interpol, the global police agency, for illegal surveillance. His lawyer ultimately succeeded in settling the episode with a 1 million euro ($1 million) fine paid through Dilian’s company, but he was no longer welcome to do business in Cyprus, several Cypriot officials involved in the case said.

Dilian decamped to Athens and set up Intellexa there in 2020, which is when he began to aggressively market his new spyware product, Predator.

Predator requires the targeted user to click on a link to infect the user’s phone, whereas Pegasus infects the phone without any action from the target.

Intellexa also looked out for opportunities that used to be in NSO’s domain. Ukraine had previously tried to acquire Pegasus, but the effort failed after the Israeli government blocked NSO from selling to Ukraine out of concern that doing so would harm Israel’s relationship with Russia.

Intellexa swooped in. The Times obtained a copy of a nine-page Intellexa pitch for Predator to a Ukrainian intelligence agency last year, the first full such commercial spyware proposal to be made public.

For 13.6 million euros for the first year, Intellexa offered Ukraine a basic package of 20 simultaneous infections with Predator and a “magazine” of 400 hacks of domestic numbers, as well as training and a round-the-clock help center. If Ukraine wanted to use Predator on non-Ukrainian numbers, the price would increase by an extra 3.5 million euros.

Ukraine rejected the pitch, a person familiar with the matter said. Ukraine’s reasons for passing on Predator are unclear, but that did not appear to dissuade Intellexa or Dilian. Freed from the strictures of Israeli government regulation and running with virtually no oversight in Athens, the company expanded its clientele.

Meta, as well as the University of Toronto’s Citizen Lab, a cybersecurity watchdog organization, detected Predator in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, Serbia, Colombia, Ivory Coast, Vietnam, the Philippines and Germany. These locations were determined through internet scans for servers known to be associated with the spyware.