Often, the best way to get something is to simply ask for it. That’s probably what the Israeli government thought when it sent an email to several American researchers and firms who make so-called zero-days, tools that take advantage of vulnerabilities in software that are unknown to the company that makes the software.
Motherboard has obtained a copy of the letter, which more than half a dozen sources described as unsolicited and unusual in how blunt and direct it was. Motherboard confirmed that at least five American firms received the letter, and multiple sources told us it was sent to many more. The letter provides a rare peek into how governments approach researchers who find, develop, and sell zero-day exploits, which are sensitive and often expensive hacking tools that are used to break into smartphones, computers, and internet browsers.
“The Government of Israel Ministry of Defense (GOI-MOD) is interested in advanced
Vulnerabilities R&D and zero-day exploits for use by its law enforcement and security agencies for a wide variety of target platforms and technologies,” reads the letter, which was sent by an employee of the Israeli mission to the US in New York City in February 2015.
”I don’t know what the mission was given how bizarre it was.”
While the language in the letter is standard government-speak for requesting information from potential contractors, the fact that it was sent to multiple firms that apparently had no prior contact with the Israeli government made it unusual.
“There wasn’t a single thing about this that was normal,” said one person who received the letter, who spoke of condition of anonymity because they work in a sensitive industry. “I don’t know what the mission was given how bizarre it was.”
Another source, who also spoke on condition of anonymity, said this was “very irregular” given that he had never spoken with the sender or anyone from the Israeli government before. However, another source who received the letter didn’t think the approach was strange, and instead saw the letter as an easy, albeit blunt way to get an idea of the cost of capabilities from a variety of vendors. Essentially, it could have been market research.
“This is standard contractual [Request for Information]," another security researcher told Motherboard, after reviewing the letter and referring to the language used in it. This researcher, who used to work as a US government contractor, did not originally receive the letter. "I've seen plenty of RFIs just like this from US government agencies."
Got a tip? You can contact Lorenzo Franceschi-Bicchierai securely on Signal on +1 917 257 1382 and Joseph Cox on Signal on +44 20 8133 5190. Details on our SecureDrop, a system to anonymously submit documents or information, can be found here.
Israel is one of the leading countries when it comes to the lawful intercept and hacking businesses. But as an Israeli source pointed out, ultimately, the country is still small with a limited number of researchers, so it “only makes sense” for the government to reach out to providers overseas.
A spokesperson for the Israeli consulate in New York told Motherboard to contact a spokesperson for the Ministry of Defense in Israel. That spokesperson referred back to the spokesperson in New York City. None of the spokespeople replied to our questions about the letter.
The former consulate employee who sent the email with the letter attached also did not respond to multiple requests for comment.
The email with the attached letter was sent by a person who at the time used to work for the Israeli Ministry of Defense Mission to the US, according to his LinkedIn account. According to WHOIS data, the email domain he used—goimod.com—has been registered to the government of Israel since 2001, and it is still registered as being owned by the government. The domain was used by the Ministry of Defense until late 2015, when they migrated it to mission-ny.mod.gov.il.
It’s no secret that governments around the world use hacking tools to go after criminals, terrorists, and child predators. Sometimes, governments themselves, through highly specialized teams inside their intelligence agencies, develop those hacking tools. Other times they purchase them from companies that are part of one of the least known and understood parts of the cybersecurity industry: zero-day exploit developers.
As encryption makes it harder to track criminals via more traditional surveillance techniques, such as wiretaps carried out by telecom or internet providers, governments have had to turn to hacking to access data in the course of criminal investigations and intelligence operations. In turn, this has created a niche, albeit growing, corner of the cybersecurity industry. One that Israel was clearly eager to tap into.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.