Abuse of the spyware firm NSO Group’s cell phone surveillance technology was exposed as long as five years ago, but the Israeli-based firm was still able to enlist influential officials from both Republican and Democratic administrations and prestigious D.C. law firms as lobbyists and advisers, a SpyTalk review has found.
In an eye-opening story on Monday, “How Washington power brokers gained from NSO’s spyware ambitions,” Washington Post reporter Drew Harwell identified several past and present recipients of NSO Group’s largess, including two former Homeland Security department secretaries, Tom Ridge and Jeh Johnson; Michael Flynn, the disgraced former Trump White House national security adviser; and Ron Rosenstein, Trump’s deputy attorney general from 2017 to 2019, “during which he decried the ‘lawless’ attack on [Saudi exile dissident Jamal] Khashoggi and oversaw the FBI.”
Khashoggi was murdered and his corpse dismembered in the Saudi consulate in Istanbul on Oct. 2, 2018, after which the regime secretly infiltrated the cell phones of at least two people close to him, according to other reports by The Post. Two months earlier, Amnesty International had accused NSO Group of helping Saudi Arabia spy on a member of the organization's staff.
Flynn disclosed on his federal financial forms in 2017 that NSO parent companies paid him roughly $100,000 between 2015 and 2017. He did not disclose his duties on their behalf and has not responded to media requests for comment.
The Post and its 16 reporting partners, led by the Paris-based journalism nonprofit Forbidden Stories, found evidence that such authoritarian governments as Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates had used NRO spyware against journalists, dissidents, officials and even wayward family members.
And the firm found Washington partners to expand its business and/or protect itself. The NSO Group paid the influential D.C. law firm Pillsbury Winthrop Shaw Pittman $75,000 a month, for example, to advise NSO on “potential business partners,” “U.S. government procurement regulations” and “assistance with education of government officials about NSO’s technology,” according to Justice Department filings reviewed by the Post. In 2019 NSO hired another influential law firm, King & Spalding, to defend it when WhatsApp sued it for allegedly helping hack 1,400 of the messaging app’s users.
The same year NSO also engaged Gérard Araud, France’s former ambassador to the United States; and Juliette Kayyem, a Department of Homeland Security official under President Barack Obama, to help smooth its image after a Saudi dissident filed a lawsuit in Israel accusing NSO of helping surveil Khashoggi before his death, The Post reported. (Exposure of the arrangement caused Kayyem, now a CNN national security analyst, to resign as a contributor to The Post’s opinion section, but she said she was still “working to ensure that this technology is used appropriately and that fundamental human rights are protected and respected in the process.” Kayyem could not immediately be reached for comment on whether she is still being paid by the firm.)
Other big names connected to NSO but overlooked by The Post include the Democratic strategy firms SKDK and Beacon Global Strategies, which "provided communications & business strategy advice" to the spyware firm, according to New York Times investigative reporter Kennth P. Vogel. SKDK’s managing partner is Anita Dunn, until recently a senior Biden White House adviser. Beacon was co-founded by Jeremy Bash, a CIA and DOD chief of staff in the Obama administration who is also now a national security analyst for NBC News and MSNBC. SKDK severed its ties with NSO in “late 2019,” and Beacon in “early 2020,” according to Vogel. Dunn managed to leave the White House without ever having to reveal her clients because she kept her salary below the disclosure threshold, according to The Intercept’s Lee Fang. NSO parent company Q Cyber Technologies “has also benefited from the legal services of Dan Jacobson,” named in March as general counsel for the Biden’s White House’s Office of Administration, The Post reported.
All this comes years after the malignant use of NSO’s Pegasus spyware was exposed by Citizen Lab, a digital rights group at the Munk School at the University of Toronto. In August 2016, Citizen Lab revealed it had traced spyware on a UAE human rights defender’s phone to NSO. In November 2017, the Citizen Lab’s John Scott-Railton and Bill Marczak expanded on their findings in a major feature in the business magazine Fast Company, revealing how “infiltration attempts with Pegasus begin with a link sent to a target, in the form of a tweet, an innocuous email, or a taunting text message. Once opened in the phone’s web browser, the link connects to one of those servers, where software determines the type of device and installs a remote exploit for the specific operating system.”
NSO has long insisted its spyware was designed to help government agencies hunt down terrorists and child trackers and that it specifically prohibits its misuse against law-abiding citizens and others. “NSO products are used exclusively by government intelligence and law enforcement agencies to fight crime and terror,” its web site declares. Yet the revelations by The Post, in concert with its 16 media partners, along with previous reports, say otherwise. And that’s not entirely new.
As far back as June 2017, Citizen Lab and the New York Times revealed that “Mexican government officials had used Pegasus to spy on the mobile devices of journalists, human-rights activists, lawyers, and others looking into murders, corruption, and the disappearance of dozens of college students.” Fast Company reported. Emails obtained by the tech site Motherboard in 2017 also revealed NSO’s U.S. affiliate Westbridge Technologies was pitching its spyware to the DEA and major urban police departments. But NSO was also using Westbridge to pitch its wares to “U.S. intelligence and police officials on its hacking tool as early as 2014,” The Post reported this week.
The eavesdropping National Security Agency declined to comment. The CIA did not immediately respond to a request for comment.
Barry Meier, the former Newsday, Wall Street Journal and New York Times investigative reporter and author, most recently, of Spooked: The Trump Dossier, Black Cube and the Rose of the Private Spies, says the issue of NSO and its D.C. enablers demands more transparency, especially from TV networks who engage some as regular national security analysts. He cited MSNBC’s employment of former senior CIA and Defense Department official Jeremy Bash, whose firm had an undisclosed, paid consultancy with NSO, a prime example of the need for transparency. In 2014 the firm, founded in 2010 by three veterans of Israel’s electronic spying Unit 8200, was bought out by a U.S. private equity firm.
“There should be wall-to-wall coverage” of these arrangements, Meier said on the SpyTalk podcast. “I would like to see MSNBC...bring him back on and ask him to tell the public what he knew about this—and for MSNBC to explain to its audience why it never apparently revealed to its viewers every time he was on that he had a commercial relationship with NSO.”
Neither MSNBC or Beacon Global Strategies responded to a request for comment.