The surveillance company NSO Group offered to give representatives of an American mobile-security firm “bags of cash” in exchange for access to global cellular networks, according to a whistleblower who has described the encounter in confidential disclosures to the Justice Department that have been reviewed by The Washington Post.
The mobile-phone security expert Gary Miller alleges that the offer came during a conference call in August 2017 between NSO Group officials and representatives of his employer at the time, Mobileum, a California-based company that provides security services to cellular companies worldwide. The NSO officials specifically were seeking access to what is called the SS7 network, which helps cellular companies route calls and services as their users roam the world, according to Miller.
Surveillance companies try to access cellular communication networks to geolocate targets and provide other spying services. Cellular companies seek to prevent such intrusions by restricting access to the SS7 network and using firewalls to block computer queries that seek personal information on their customers.
Miller’s allegations are becoming public at a time when the Justice Department is conducting a criminal investigation into NSO over allegations that its clients have illegally hacked phones and misused computer networks with the company’s technology, according to four people familiar with the probe who described elements of it on the condition of anonymity to discuss matters not authorized for public disclosure. These people did not know what role, if any, Miller’s allegation is playing in that investigation or whether charges ultimately will be filed against NSO, which is based in Israel.
In a statement, NSO said that it had “never done any business with” Mobileum, and that it “does not do business using cash as a form of payment” and is not “aware of any DOJ investigation.”
In Miller’s disclosures to the Justice Department and in an interview with The Post and other members of a global journalism consortium that has been investigating the use of NSO software, he said NSO officials made clear in the call that they wanted access to SS7 so NOS’s clients could conduct surveillance of cellphone users to investigate crimes.
Miller is a former Mobileum vice president who left the company in 2020 and now works as a mobile-security researcher for Citizen Lab, a leading critic of NSO and its surveillance operations.
“The NSO Group was specifically interested in the mobile networks,” Miller said. “They stated explicitly that their product was designed for surveillance and it was designed to surveil not the good guys but the bad guys.”
In Miller’s account to the Justice Department, when one of Mobileum’s representatives pointed out that security companies do not ordinarily offer services to surveillance companies and asked how such an arrangement would work, NSO co-founder Omri Lavie allegedly said, “We drop bags of cash at your office.”
In a statement through a spokesperson, Lavie said he did not believe he had made the remark. “No business was undertaken with Mobileum,” the statement said. “Mr Lavie has no recollection of using the phrase ‘bags of cash’, and believes he did not do so. However if those words were used they will have been entirely in jest.”
Mobileum chief executive Bobby Srinivasan issued a statement saying, “Mobileum does not have — and has never had — any business relationship with NSO Group.”
Miller said in an interview that he first provided an account of the conversation to an online FBI tip portal in 2017, several months after the call with NSO Group, but did not receive any response. He said he made more detailed disclosures to the Justice Department last year and provided copies to the Federal Communications Commission and the Securities and Exchange Commission.
Separately, Miller last year shared his account with U.S. Rep. Ted Lieu, D-Calif., who has a long-standing interest in cellular security and on Dec. 27 sent a criminal referral to the Justice Department. He shared redacted copies of Miller’s disclosures with Paris-based journalism nonprofit organization Forbidden Stories, which shared them with The Post and other members of the Pegasus Project, a global journalism consortium investigating NSO.
“Having such access,” Lieu said in his referral to the Justice Department, “would allow the NSO to spy on vast numbers of cellphones in the United States and foreign countries.”
In an interview, Lieu said the proposed manner of payment — the alleged “bags of cash” — convinced him that a criminal act might have been contemplated, even if the account shared by Miller included no direct evidence of illegality.
“I’m a former prosecutor, and you would do cash transactions because you want to hide it,” Lieu said. “When you have telecom companies and you have software companies, normally they don’t engage in cash transactions.”
He added, “It just looks really fishy, and it doesn’t smell right, and that’s why I want the Department of Justice to investigate.”
Legal experts said they know of no law that would make it illegal merely to gain access to SS7 in the United States or pay for a service in cash. But some types of surveillance are illegal in the United States if not explicitly authorized by a legal process, such as a court order, as happens when police get permission to conduct wiretaps. Unauthorized hacking also violates U.S. law, the experts said.
Orrin Kerr, a law professor at the University of California at Berkeley who specializes in computer crimes, said Miller’s account of the conversation does not necessarily describe a crime but suggests the possibility of criminal intentions.
“It’s very suspicious and may be part of an attempted crime,” Kerr said. “But it’s hard to tell without more details.”
Privacy experts long have complained that the SS7 network is rife with security flaws that are easily exploited for surveillance by nations with advanced capabilities and by private vendors that offer similar capabilities to clients worldwide. Companies with access to SS7 can send queries seeking location and other information about anyone with a cellphone. They also can use SS7 to divert calls and eavesdrop on calls.
NSO is best known for its Pegasus spyware, which it leases to intelligence and law enforcement agencies in dozens of countries. Pegasus can turn a targeted smartphone into a potent surveillance tool, allowing operators to track the user’s locations, listen to calls, retrieve pictures and monitor social media activity.
The company long has said that Pegasus is intended for investigating terrorists, pedophiles and other serious criminals and that targeting and other decisions on deploying the system are made by clients, not NSO. It has vowed to investigate misuses.
Some of the company’s clients, however, have used the technology to target the phones of politicians, journalists, human rights workers, academics and others, as reported last year by The Post and other members of the Pegasus Project.
In addition to Lavie, the people whom Miller identified as representing NSO during the 2017 call were Shalev Hulio, a second co-founder who also is the company’s chief executive, and Eran Gorev, who at the time was an operating partner for Francisco Partners, an investment firm that had a controlling interest in the NSO Group.
Hulio did not personally respond to a list of questions from The Post, but Gorev said in an emailed response to questions from The Post that he had no recollection of the call and was not currently involved with the company. “If such a meeting actually took place, I would absolutely never make a comment like this. If someone else made that comment, it would clearly have been made in jest and a colloquial expression / cultural misunderstanding.”
The U.S. Justice Department declined to comment on the NSO Group or Lieu’s criminal referral.
The people familiar with the Justice Department investigation said the probe concerns allegations of unauthorized intrusions into networks and mobile devices in the United States by NSO customers using NSO technology, such as the Pegasus spyware. Reuters in 2020 reported that the NSO Group was under investigation by the Justice Department.
The FBI has interviewed several people about NSO in recent months, including the Mexican journalist Carmen Aristegui, whose phone, independent investigators say, has been hacked by Pegasus, according to people familiar with the inquiry who spoke on the condition of anonymity to discuss sensitive matters.
Additionally, a phone used by Aristegui’s son and having a Mexican phone number received malicious NSO links in 2016 while he was attending school in the United States, although it is not known whether the attempt to infect his phone was successful or if a successful hack occurred while he was in the United States, say investigators for Citizen Lab. NSO has said that phones with U.S. phone numbers or geographically located in the United States cannot be infected by Pegasus.
The FBI also interviewed a U.S. citizen in detail last year about a Pegasus hack, said that person, who spoke on the condition of anonymity to discuss an ongoing investigation. The alleged hack happened while this person was traveling overseas and using a phone with a foreign phone number.
The U.S. Commerce Department blacklisted the NSO Group in November, curbing its access to American technologies, and the activities of the company and its clients have been investigated by officials in numerous other countries, including by Israel’s own attorney general, in response to news reports of abuses in recent years.
Miller’s attorney, John Tye of Whistleblower Aid, said abuses by NSO customers make the company’s efforts to gain access to SS7 particularly worrying, given that the network includes information on every cellular customer in the world.
“Now we know that NSO Group tried to purchase access to our mobile communications,” Tye said. “This should terrify every American. We urge the Department of Justice to investigate whether any laws were broken.”
– – –
The Washington Post’s Ellen Nakashima and Elizabeth Dwoskin, and the Guardian’s Stephanie Kirchgaessner to this report.