The financial problems of iPhone spyware maker NSO were so bad by the end of last year that it struggled to make payroll – after the company failed to make a single sale over a period of several months.
The company, which sells software to remotely carry out zero-click hacks of both iPhones and Android smartphones, has been in deep trouble ever since it was blacklisted by the US government. However, its plan to overcome its woes could make Pegasus an even nastier threat …
iPhone spyware maker NSO
NSO Group makes spyware called Pegasus, which is sold to government and law enforcement agencies. The company purchases so-called zero-day vulnerabilities (ones that are unknown to Apple) from hackers, and its software is said to be capable of mounting zero-click exploits – where no user interaction is required by the target.
In particular, it’s reported that simply receiving a particular iMessage – without opening it or interacting with it in any way – can allow an iPhone to be compromised, with almost all personal data exposed.
Prime ministers, US State Department officials, senior EU officials, journalists, lawyers, and human rights activists are among those whose iPhones have been hacked by Pegasus.
The US government banned the import and use of Pegasus, depriving the company of its most lucrative customer base: US law enforcement agencies. Apple added to the pressure, suing the company, and alerting owners of infected iPhones.
CEO wants to sell to red-flagged countries
The company was running out of cash by the end of last year, and the Financial Times reports that things were so desperate that it was struggling to meet payroll.
A loan resolved the immediate crisis, but the only future the company’s CEO could see was to tear up its already-dubious rules against selling to governments with poor human rights records.
Faced with an imminent cash crunch so severe that Israel’s NSO Group, manufacturer of the cyberweapon Pegasus, could miss its November 2021 payroll, Shale Hulio had a startling suggestion.
The foul-mouthed CEO told a team representing the company’s majority owners in New York that month: why not start selling again to risky clients? […]
To his audience, the suggestion was alarming. They were managers at Berkeley Research Group, which had been brought in recently by investors in a billioneuro private equity fund run by London-based Novalpina Capital, which owned a majority stake in NSO but had then fallen a apart in a partners’ feud.
BRG’s job was to wrap up the Novalpina fund. Now they were being asked to get involved in decisions about whether or not Pegasus should be sold to countries that even NSO’s own staff may have red-flagged.
Lawyers for BRG understandably said absolutely not, but Hulio had a plan B: spin out a new company, with a new name, and transfer the code and engineers to that.
The new entity would not be affected by the NSO blacklist, and would begin selling again. To guard against the obvious likelihood of NSO MkII being immediately blacklisted, Hulio apparently indicated that the new owner of the company could be “a top US defense contractor.”
The plan seems rather farfetched, as it’s unlikely a US defense company would buy a product on the Commerce Department’s Entity List.
However, there are many in US law enforcement agencies that would still like to use Pegasus, so the possibility cannot be ruled out.
Either way, it shows just how far the Android and iPhone spyware maker is prepared to go, and how hollow its claims are to behave ethically.