Infamous Israeli NSO Group looks to bolster its image by scoring customers

WASHINGTON — When Shmuel Sunray accepted the job in the fall of 2019 as chief legal counsel for NSO Group, an Israeli spyware company accused of selling malware used against journalists and dissidents, he knew it would be a challenge.

Founded in 2009 by ex-military and intelligence officers, the company created a hacking tool called Pegasus that promised cops and spies access to criminals’ and terrorists’ private text messages, photos, cameras and microphones.

But NSO’s customers don’t always just go after child pornographers and drug traffickers. In 2018, human rights group Amnesty International accused NSO in court of helping the Saudi government spy on a close associate of Washington Post columnist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul. Then Facebook sued NSO just a day after Sunray started work, alleging the company had helped hack over 1,400 of its customers.

Novalpina Capital, the London-based private equity firm that acquired NSO in February 2019, was already under fire from activists demanding answers about how the firm would address the company’s alleged abuses and advocating for stricter regulation of the spyware industry.

NSO co-founder Shalev Hulio has publicly denied helping the Saudis monitor Khashoggi, and several other attacks linked back to its spyware, but the company recognized it had a potential problem and turned to Sunray. “We need more structure, we need more experience,” Sunray recalled NSO’s executives telling him when they brought him on.

The company’s future might depend on it. NSO is reportedly considering going public with an estimated valuation of up to $2 billion (Sunray declined to comment on those plans). Novalpina, which knows that bad publicity could affect NSO Group’s ability to raise capital, has promised to strengthen oversight of the firm’s activities and increase transparency.

In a series of interviews with Yahoo News over the last several months, Sunray explained some of the details of NSO’s internal processes, which include an elaborate system for scoring countries that wish to buy the company’s products. NSO says it has permanently cut ties with four clients so far, giving up $200 million in sales opportunities, though it won’t say which ones. Sunray wouldn’t speak about the details of any sales or customers.

For experts who have followed NSO’s work, like Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, these promises ring hollow.

“A human-rights-respecting framework that is entirely opaque, cannot be checked by anyone, and that security researcher reports indicate concludes selling to Saudi Arabia is just fine is a framework that might as well not exist at all,” Galperin said.

But NSO argues it’s a leader in the shadowy spyware industry, taking on both risk and reward by opening up to the world — at least a little.

“We’re not naive,” Sunray said, acknowledging the impact the company’s software can have on those people targeted by it. “We understand that these tools are very intrusive.”

NSO announced its new human rights policy in September 2019, and Sunray said this policy is always evolving, taking lessons from international bodies and other industries’ compliance regimes. The program is, according to NSO, the “first in the sector” of similar surveillance companies.
