In early August, Omar Abdulaziz got a phone call from someone with an alarming message: Your phone might be hacked by spyware.
The prominent Saudi dissident now living in exile near Montreal had been harassed by agents of the Saudi government before, and they'd even arrested his two brothers earlier in the summer. But having his phone hacked was something new, and Abdulaziz wanted to learn more.
A few days later, he sat down with the man who was on the other end of that phone call: Bill Marczak, a researcher specializing in spyware.
Marczak had discovered that somebody in Saudi Arabia, likely somebody working for the Saudi government, had infected the phone of someone in Canada with Israeli-made surveillance software, and he wanted to know who the target was. So Marczak asked Abdulaziz a strangely personal question: Where do you go every day between 5 p.m. and 8 p.m.?
Abdulaziz said he generally worked out at his university’s gym during those hours. His movements fit the profile of the spyware’s target — somebody who switched their Wi-Fi network between 5 and 8 p.m. And after searching through Abdulaziz’s iPhone, Marczak found a text message with an innocuous message that he believes infected the Saudi dissident’s device.
Two months later, Citizen Lab, a digital rights group where Marczak is a research fellow, told the world in a report that Abdulaziz’s phone had been hacked by the spyware known as “Pegasus,” created by the Israeli company NSO Group.
“Pegasus” is one of the most sophisticated surveillance products in the world that can crack both iPhones and Androids. Once it infects a device, the spyware captures its target’s personal contacts, pictures, and text messages, and it can listen in on conversations.
“I wasn’t surprised,” said Abdulaziz, who spends his days tweeting and making YouTube videos against Saudi government policies. In May, the Kingdom’s agents had flown to Quebec to lure him back to Saudi Arabia, telling him he had two choices: come home and get paid for his silence, or get picked up at an airport and go to prison, according to recordings of those conversations that the Washington Post reviewed.
Abdulaziz was also worried that his friends, family, and fellow critics of Saudi policy could be in danger.
In recent weeks, Abdulaziz had another sinking feeling — that his conversations with slain Saudi journalist Jamal Khashoggi could have been monitored by the Saudi government.
“I didn’t want anyone to be harmed because of it,” Abdulaziz told VICE News. “The guilt is killing me. Maybe they were listening to me and Jamal.”
Abdulaziz is one of a growing number of dissidents from powerful Middle Eastern countries to be targeted by Israeli-made spyware.
Experienced in the dark arts of spying and surveillance that have been tested on Palestinians for decades, some Israeli veterans are now selling their skills to the highest bidder. Israeli spy technology has become the most sought-after tool for repressive regimes waging war on dissent, including Saudi Arabia, Bahrain and the United Arab Emirates, despite the fact that these governments lack official diplomatic relations with Israel.
“The guilt is killing me. Maybe they were listening to me and Jamal.”
Privacy advocates warn that this new marketplace between private Israeli firms and powerful government agencies is creating an environment where repressive regimes can purchase powerful spyware and turn it loose on anyone, anywhere they want, threatening free speech and dissent around the world.
“These are technologies that are developed in one of the world’s most advanced cyberpowers with some of the most extensive surveillance capabilities, and has a [Palestinian] population to practice these capabilities on,” said Edin Omanovic, who leads the state surveillance program for Privacy International, a watchdog group. “They then send these tools to countries that lack rule of law. It’s essentially being used purposefully to target human rights defenders and dissidents.”
“The Wild West”
From August 2016 to August 2018, Marczak and fellow researchers scanned the Internet for servers around the world associated with a specific kind of Israeli-made spyware. In July, he discovered that one of these server operators in Saudi Arabia had infected the phone of someone in Canada with Israeli-made surveillance software. Because this type of spyware is only sold to governments, he determined they were likely working for the Saudi government. In August, Amnesty International reported that one of its researchers, in addition to a Saudi activist, was targeted by the same spyware.
It wouldn’t be the first time researchers have caught Israeli spyware being administered by a repressive regime.
Israel’s surveillance industry is unrivaled. The country, no bigger than the state of New Jersey, has the most surveillance companies per capita in the world, according to a 2016 report by Privacy International, and its products are used in dozens of countries, from the United States to Colombia, from South Sudan to Azerbaijan.
“We are considered to be the best,” said Eran Lerman, a retired colonel who served in senior positions in Israeli military intelligence for over 20 years.
“It’s essentially being used purposefully to target human rights defenders and dissidents.”
This is no accident. It’s the result of the synergy between the Israeli military and private industry, and Israel’s decades of experience building up surveillance capabilities to keep a close watch on the Palestinians it occupies and neighboring hostile states.
The best-known incubator of Israeli high-tech is Unit 8200, the Israeli equivalent of the National Security Agency and the largest Israeli military intelligence unit. Israel’s most elite students are recruited for service into Unit 8200, where they learn how to hack and spy on everyone from Iranian agents to Palestinian teenagers. When they leave their army service, most Unit 8200 veterans go to work in Israel’s booming technology sector. Some Unit 8200 veterans in private industry go back to doing work for the army, but they get paid much more because their private company landed a lucrative contract with the Israeli army.
“Like my mother said: The Unit is the biggest high-tech company in Israel,” one Unit 8200 veteran, who requested anonymity to talk freely about their army service, told VICE News.
Many of Israel’s famous surveillance companies have ties to Unit 8200. Cellebrite, the company known for cracking password-protected iPhones, a capability it reportedly markets to law enforcement agencies, recruits heavily from the unit. MER Group, which sells surveillance products to countries around the world, is run by Nir Lempert, the chairman of the Unit 8200 alumni association. Comverse, another surveillance company, was “directly influenced by 8200 technology,” retired Israeli general Hanan Gefen, a consultant for tech companies, told Forbes. And Unit 8200 veterans are easy to find at NSO Group, which was started by Israeli army veterans. (It’s unclear which particular army unit NSO’s founders served in.)
The NSO Group is today the most notorious among Israel’s surveillance giants. The company counts Francisco Partners, a private equity firm with ties to Blackstone and Goldman Sachs, as its majority stakeholder. NSO Group charges government customers $650,000 for the ability to hack 10 Apple or Android phones, in addition to a $500,000 installation fee, according to NSO Group materials reviewed by The New York Times.
The company has repeatedly said its products are only sold to governments, and that they are used to go after terrorists and criminals. It also says that it has an ethics committee to ensure its products are only used for legitimate purposes. “NSO Group develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company,” the company told Amnesty International.
But Citizen Lab and Amnesty International have exposed how “Pegasus” has been used by NSO's clients to target dissidents and journalists around the world, turning their phones into mobile spy devices.
In 2016, Citizen Lab discovered that “Pegasus” infected the phone of Ahmed Mansoor, a democracy advocate in the United Arab Emirates. (Mansoor is currently serving a 10-year sentence because he posted criticism of Emirati authorities on social media.)
“Like my mother said: The Unit is the biggest high-tech company in Israel.”
That wasn’t the only time the NSO Group reportedly sold its software to the United Arab Emirates, a country that doesn’t tolerate any dissent. An NSO Group affiliate, Circles Technologies, assisted an Emirati security agent in hacking the phone of Abdulaziz Alkhamis, a journalist who frequently writes about Gulf politics, according to emails published in a lawsuit against NSO Group that VICE News reviewed. (The New York Times first reported on the emails.)
Citizen Lab has also found two operators who appear to be using NSO's software in the UAE, one in Bahrain and one in Saudi Arabia.
In addition to targeting Abdulaziz, the Saudi operator of “Pegasus” went after a staffer at Amnesty International who advocated for Saudi women locked up over their activism, and Saudi rights advocate Yahya Assiri, according to Citizen Lab.
“[NSO] has become the go-to company for all the regimes that violate human rights,” said Mazen Masri, who's part of a legal team that sued NSO Group in Israel and Cyprus (where an NSO affiliate is registered) over alleged privacy violations. “If these regimes are willing to pay the price, they can get the system and they can spy on almost anybody with a smartphone.”
But NSO Group isn't alone in pushing its products to Gulf Arab states.
Bahrain appears to have used Cellebrite software’s mobile phone cracking technology. The Intercept reported that software was used to get into the phone of Bahraini activist Mohammed al-Singace, who was tortured in prison and locked up on charges of opposition politics, partly based on evidence obtained from his hacked phone.
“When you sell them to countries like Bahrain and Saudi Arabia, which define serious crime as posting criticism on Twitter, regardless of which company it is — NSO or Cellebrite —you’re going to wind up with these companies’ products being used in human rights violations by these governments,” said Citizen Lab’s Marczak.
“The implications are indeed dire. It quiets civil society and threatens the privacy rights of us all.”
Verint Systems, another Israeli company, also sold surveillance technology to Bahrain, the small Gulf state whose Sunni leaders rule its majority-Shi’a population with an iron first, according to Haaretz. The Israeli paper reported that Verint sold Bahrain systems “typically used by monitoring centers” and “another system used for collecting information from social networks.” Israelis have traveled to the country to train Bahraini security agents in how to use the surveillance system, Haaretz reported.
Israel’s Ministry of Defense, which licenses the export of surveillance tools, did not return requests for comment from VICE News. Neither did the U.S embassies of Bahrain, Saudi Arabia and the United Arab Emirates. NSO Group, Verint Systems and Cellebrite also did not return requests for comment.
The sophisticated nature of this technology, and the secret sales between private companies and foreign governments, make it next to impossible for researchers to definitively pin the use of this spyware on a specific state, but the impact is clear. Human rights defenders warn that these surveillance companies have created a world where authoritarian leaders can reach far beyond their borders to track and terrorize dissidents.
“It’s the Wild West,” said Danna Ingleton, research and policy adviser at Amnesty International. “The opaque nature of the industry denies targets access to law and justice. The implications are indeed dire. It quiets civil society and threatens the privacy rights of us all.”
Cover: A man takes a photo as the sun rises over the city skyline from a balcony on the 42nd floor of a hotel on a foggy day in Dubai, United Arab Emirates, Saturday, Dec. 31, 2016.