"A Front Company and a Fake Identity: How the U.S. Came to Use Spyware It Was Trying to Kill" 2 April 2023

The secret contract — which The New York Times is disclosing for the first time — violates the Biden administration’s public policy, and still appears to be active. The contract, reviewed by The Times, stated that the “United States government” would be the ultimate user of the [NSO group] tool, although it is unclear which government agency authorized the deal and might be using the spyware. It specifically allowed the government to test, evaluate, and even deploy the spyware against targets of its choice in Mexico...

...Even as the Biden administration has showcased its efforts to drive NSO out of business, it was clear even before the revelation of the latest contract that some agencies have been drawn to the power of these cyberweapons...

...A subsequent Times investigation has found:

• The secret November 2021 contract used the same American company — designated as “Cleopatra Holdings” but actually a small New Jersey-based government contractor called Riva Networks — that the F.B.I. used two years earlier to purchase Pegasus. Riva’s chief executive used a fake name in signing the 2021 contract and at least one contract Riva executed on behalf of the F.B.I.
• The 2021 contract was for the same NSO geolocation tool once used by an adviser to Saudi Arabia’s Crown Prince Mohammed bin Salman as part of a brutal campaign against perceived threats to the kingdom.
• The deal unfolded as the European private equity fund [Novalpina Capital] that owns NSO pursued a plan to get U.S. government business by establishing a holding company, Gideon Cyber Systems. The private equity fund’s ultimate goal was to find an American buyer for the company.
• A potential deal last year with L3Harris, the American defense giant, to buy NSO’s hacking tools and take on the bulk of its work force was far more advanced than previously known. Despite NSO being on the Commerce Department blacklist, L3Harris executives had discussions with Commerce Department officials about the potential deal, according to internal department records, and there was a draft agreement in place to finalize it before the White House publicly objected and L3Harris dropped its plans.

...On Nov. 3, 2021, the Biden administration publicly announced its decision to put NSO on the Commerce Department blacklist, in effect trying to put it out of business and putting the United States on record as seeking to rein in the proliferation of commercial spyware.

Days later came a well-disguised step in the other direction: Gideon, the U.S. affiliate of NSO, entered into the contract with “Cleopatra Holdings” — Riva Networks — specifying that the U.S. government would get access to NSO’s premier geolocation tool, what the company calls Landmark.

Landmark turns phones into a kind of homing beacon that allows government operatives to track their targets. In 2017, a senior adviser to Saudi Arabia’s crown prince, the same person accused of orchestrating the killing of Mr. Khashoggi, used Landmark to track Saudi dissidents...

...Under this contract, according to two people, there have been thousands of queries in at least one country, Mexico. The contract also allows for Landmark to be used against mobile numbers in the United States, although there is no evidence that has happened...

...Four people familiar with the situation said L3Harris received cautious indications of support for pursuing an acquisition from officials inside several American and law enforcement agencies. L3 Harris did not respond to messages seeking comment...

...Cleopatra Holdings still makes monthly payments to Gideon Cyber Solutions for continued access to Landmark.