The secret Uganda deal that has brought NSO to the brink of collapse
In February 2019, an Israeli woman sat across from the son
of Uganda’s president, and made an audacious pitch — would he want to secretly
hack any phone in the world?
Lt General Muhoozi Kainerugaba, in charge of his father’s
security and a long-whispered successor to Yoweri Museveni, was keen, said two
people familiar with the sales pitch.
After all, the woman, who had ties to Israeli intelligence,
was pitching him Pegasus, a piece of spyware so powerful that Middle East
dictators and autocratic regimes had been paying tens of millions for it for
years.
But for NSO, the Israeli company that created Pegasus, this
dalliance into east Africa would prove to be the moment it crossed a red line,
infuriating US diplomats and triggering a chain of events that would see it
blacklisted by the commerce department, pursued by Apple, and driven to the
verge of defaulting on its loans, according to interviews with US and Israeli
officials, industry insiders and NSO employees.
A few months after the initial approach, NSO’s chief
executive, Shalev Hulio, landed in Uganda to seal the deal, according to two
people familiar with NSO’s east Africa business. Hulio, who flew the world with
the permission of the Israeli government to sell Pegasus, liked to demonstrate
in real time how it could hack a brand new, boxed, iPhone.
The eventual business was small for NSO. A person familiar
with the transaction said it brought in between $10m and $20m, a fraction of
the $243m that Moody’s estimated the privately owned NSO made in revenues in
2020.
But about two years after the sales pitch, someone deployed
Pegasus to try to hack the phones of 11 American diplomats and employees of the
US embassy in Uganda, according to two US officials, who spoke after
notifications were sent out by Apple when the iPhone maker discovered and
closed a flaw in its operating system in November.
It is not clear who tried to hack the US citizens. Uganda’s
neighbour, Rwanda, had also been using Pegasus to hack phones inside Uganda,
but the revelation shocked the US. NSO has always told its customers that US
phone numbers are off-limits. In this case, all 11 targets were using Ugandan
numbers, but had Apple logins using their state department emails, according to
the two US officials.
NSO said it shut down the hacking systems for “customers
relevant to this case” and is investigating the issue. The presidential press
secretary for Museveni and the minister of information for the Ugandan
government did not reply to a request for comment. A person close to Museveni
said they “were not authorised to speak on the subject”.
Israeli and US officials declined to confirm that the
Ugandan hack directly triggered a decision to blacklist NSO. But one US
official who discussed the issue with Israel’s defence ministry said: “Look at
the entire sequence of events here — this is careful, not by chance.” He added
that putting NSO, one of the jewels of Israel’s tech community, on a US
blacklist was designed to “punish and isolate” the company.
The blacklisting, which came in November, means that NSO
cannot buy any equipment, service or intellectual property from US-based
companies without approval, crippling a company whose terminals ran on servers
from Dell and Intel, routers from Cisco, and whose desktop computers run on
Windows operating systems, according to a spec sheet from a sale to Ghana, in
West Africa.
In recent weeks, for instance, Intel asked all its employees
to cease any ongoing business relationships with NSO, one person familiar with
the matter said. Intel said in a statement that it “complies with all
applicable US laws, including US export control regulations”.
A new CEO, Itzik Benbenisti, hired from Partner
Communications, one of Israel’s largest telecom providers, quit two weeks into
his new job after the blacklisting. And while the company tried to cheer up its
employees with a Hannukah party in the beach resort of Eilat, Hulio — who
retook the reins after Benbenisti stepped down — was less sanguine in a recent
phone call with an old business associate.
“We always knew this thing had an expiration date,” he told
the friend, complaining that some clients had asked to shift their contracts to
lesser-known rivals, according to a person familiar with the conversation.
After spending a decade in the favour of the Israeli
government, NSO now finds itself as an irritant in relations between Israel and
the US, using up vital foreign “policy bandwidth we need to talk about Iran”,
said a foreign ministry official who asked for anonymity.
That is a reversal for NSO, which former prime minister
Benjamin Netanyahu used as a diplomatic calling card with several countries,
including the UAE, Morocco, Bahrain and Saudi Arabia, which did not have
official relations with Israel.
The reputational damage has also made it difficult to keep
hiring the most promising graduates of Israel’s elite signals intelligence units,
who have the skills to repeatedly outwit the defences of both Android phones
and iPhones.
For example, when Google reverse-engineered the hack used
against American diplomats in Uganda, they found an elegant, tiny piece of code
that adapted software from 1990s Xerox machines to fit a so-called Turing
machine — essentially a complete computer — into a single GIF file.
“Pretty incredible, and at the same time, pretty
terrifying,” said Google’s engineers. “Wow. Just wow,” tweeted Yaniv Erlich, an
Israeli professor of computer science at Columbia University.
“You can count on one hand the number of teams in the world
that could create something like that,” said John Scott-Railton, a senior
researcher at the University of Toronto’s Citizen Lab, which found the malware
and brought it to Apple’s attention.
NSO said it had hired 30 new employees in recent weeks.
“There is an understanding among our employees that there is a wide gap between
media reports and the reality,” a spokesperson said.
Meanwhile, NSO has also fallen into the crosshairs of
Silicon Valley, after angering Apple and Meta by hacking into iPhones and
WhatsApp.
Apple’s two-pronged approach — it has notified many of the
targets of NSO’s hacks, while suing the company in US courts — sent a “shockwave”
through the industry, said a person familiar with the matter.
Apple and Citizen Lab have also shared NSO’s technical
secrets, worrying rival companies enough to ask their clients to dial down the
use of other spyware, scared of getting caught in Apple’s dragnet, said a
former senior executive at an Israeli tech group.
“There is a sense that this is a full-on war against the
entire industry,” he said, adding that high-level Israeli employees of NSO and
other similar firms are “staying put” in Israel to avoid being pulled in for
questioning in the US and its allies.
For now, the US pressure has left NSO with few options, said
company insiders. Moody’s has downgraded NSO’s debt as the company’s free cash
flow turned negative in 2020 and is expected to remain negative this year.
“There’s a high risk NSO might not be in compliance” with a covenant on the
$500m in loans it took in 2019 to go private at a $1bn valuation, said Moody’s.
It has hired Moelis & Co, a NY-based investment bank, to
see if it can sell off parts of the company to raise cash, even offering to
change Pegasus into a “defensive” product if that makes it more palatable to US
investors.
Last Wednesday, that window also narrowed — 18 US senators
wrote to secretary of state Antony Blinken and Treasury secretary Janet Yellen
asking them to sanction NSO under the Magnitsky Act, alongside a handful of other cyber
surveillance firms.
If the US acts upon that request, NSO would be cut off from
the US banking system and its employees would be barred from travelling to the
US.