The United States signed a secret contract with Israeli spyware firm NSO group to acquire an infamous phone hacking tool in 2021, shortly after it blacklisted the company, according to a New York Times report on Sunday.
According to The Times, the contract was signed on November 8 between a company called “Cleopatra Holdings” (in reality a US government contractor, Riva Networks) and NSO’s American affiliate, to acquire a geolocation tool that can secretly trail an individual’s mobile phone without their knowledge or consent.
However, the contract explicitly states that the US government would be the user of the software, though it was unclear which government agency would utilize it. The documents state that it was authorized to “test, evaluate, and even deploy the spyware against targets of its choice in Mexico,” The Times wrote.
Only five days before the contract was signed, President Joe Biden’s administration blacklisted the Israeli firm, accusing it of providing spyware software to authoritarian governments which activated the software against journalists and activists.
The report comes a week after Biden signed an executive order pledging to restrict its use of such commercial spyware tools.
White House officials told The Times they had no knowledge of the contract, but said it was “highly concerning.”
The Pegasus software, perhaps the best-known example of spyware from NSO, was used to target more than 1,000 people across 50 countries, according to security researchers and a July 2021 global media investigation, citing a list of more than 50,000 cellphone numbers. The US has already placed export limits on NSO Group, restricting the company’s access to US components and technology.
Officials would not say if US law enforcement and intelligence agencies currently use any commercial spyware. The FBI last year confirmed it had purchased NSO Group’s Pegasus tool “for product testing and evaluation only,” and not for operational purposes.
White House officials said Monday they believe 50 devices used by US government employees, across 10 countries, had been compromised or targeted by commercial spyware.
Despite NSO’s assertions that the program is supposed to be used to counter terrorism and crime, researchers found the numbers of more than 180 journalists, 600 politicians and government officials and 85 human rights activists.
Pegasus use was most commonly linked to Mexico and countries in the Middle East. Amnesty International has alleged Pegasus was installed on the phone of Jamal Khashoggi’s fiancée just four days before the journalist was killed in the Saudi consulate in Istanbul in 2018. NSO has denied the allegation that its software was used in connection with Khashoggi’s murder.
The family of Paul Rusesabagina, credited with saving more than 1,200 lives during the Rwandan genocide, a story depicted in the movie “Hotel Rwanda,” has also alleged it was targeted by spyware. Rusesabagina was lured back to Rwanda under false pretenses and jailed on terrorism charges before his release last week. Rwanda has denied using commercial spyware.