FBI Reportedly Considered Buying NSO Spyware

An investigation by Ronen Bergman and Mark Mazzetti, both journalist at The New York Times Magazine found that, beginning in 2019, the FBI paid millions to NSO as the bureau considered deploying the Pegasus surveillance tool in the U.S.

"NSO is effectively a tool of the Israeli government, one Israel uses to gain diplomatic leverage. Netanyahu used Pegasus to knit together a new generation of global far-right leaders from Israel, Poland, Hungary, India and elsewhere," Mazzetti tweeted.

NSO Group, which was sanctioned by the U.S. Department of Commerce in November 2021 (see: US Commerce Department Blacklists Israeli Spyware Firms) provided its spyware product to the bureau, which tested the software for years with plans to use it for domestic surveillance until the agency finally decided against deploying the spyware, according to the NYT news report.

A spokesperson for the FBI was not immediately available to comment.

FBI's Involvement

The yearlong investigation by Bergman and Mazzetti also alleges that a group of Israeli computer engineers arrived at a New Jersey building used by the bureau in June 2019 and started testing their equipment. The report alleges that the FBI had bought a version of Pegasus, NSO’s premier spying tool.

"For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else - not a private company, not even a state intelligence service - could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone," says the NYT report.

As part of their training on the tool, bureau employees bought new smartphones, with SIM cards from other countries. This version of Pegasus that the FBI bought was zero click, i.e. it did not require users to click on a malicious attachment or link - so the users in the U.S. monitoring phones could see no evidence of an ongoing breach.

"They couldn’t see the Pegasus computers connecting to a network of servers around the world, hacking the phone, then connecting back to the equipment at the New Jersey facility," the news report says. "What they could see, minutes later, was every piece of data stored on the phone as it unspooled onto the large monitors of the Pegasus computers: every email, every photo, every text thread, every personal contact."

NSO Offered Workaround

The NYT report further states that NSO had offered the FBI a workaround and demonstrated a new system, called Phantom, in a presentation to officials in Washington. The latest system could hack any number in the United States that the FBI decided to target.

The report alleges that Israel granted a special license to NSO, one that permitted its Phantom system to attack U.S. numbers, and a license was allowed for only one type of client: U.S. government agencies. Previously, Pegasus had not been allowed by the Israeli government to target phones in the U.S.

Such moves should not be a surprise says Jake Williams, a former member of the National Security Agency's elite hacking team and a IANS analyst who told Information Security Media Group: "However we feel about NSO as a company, it makes sense for the US federal government to consider purchasing commercial spyware tools for operations. For one, their use may provide plausible deniability since many countries are using the technology. It's likely cheaper to buy and use NSO's technology for risky operations against sophisticated adversaries than to risk FBI's own implants,".

Williams says that the use of third party tools such as NSO's Pegasus make particular sense when FBI is providing assistance to other law enforcement agencies (domestic or foreign) since they don't have to expose their own tools.

"That means we routinely identify, evaluate and test technical solutions and services for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands," the spokeswoman says.