(W5)
From: Wells Jr., Willard B. (Bond)
Sent: Thursday, January 15, 2015 8:56 AM
To: (W5)
Cc:
Subject: Request for Review/Comment
Attachments: New NSDR function v2.docx

Bill: NS will strive to continue to work with forward. A good example wa-slide at the TWG that showed vendors ST has worked with - the very first one - Westbridge - is a company that approached the Intelligence Division and that NS then set up the meeting where Westbridge came to ST and conducted a demonstration of their technology/product. I look forward to working this through,

Thanks,
Bond
W. Bond Wells, Jr.
Deputy Assistant Administrator
Director, Office of Special Intelligence

(bile)
Sent: Wednesday, September 28, 2016 5:46 PM
To: lame)
Subject: Fwd: Article
Attachments: Everything We Know About NSO Group_ The Professional Spies Who Hacked iPhones With A Single

Remember these guys? Interesting article.

Respectfully,

Begin forwarded message:
Fromim?a) 28 2016111411746 AM EDT (We)
Subject: FW: Article

Really interesting read from Forbes. You will recognize Omri from our Westbridge Meeting with NS and ST.

Forbes
Everything We Know About NSO Group: The Professional Spies Who Hacked iPhones With A Single Text

NSO Group employees' lives must seem no different from others in the Israeli tech scene. They turn up every morning at their office in Herzliya, in Tel Aviv's northern district, take the lift in the plain looking complex - all grey and sandy exteriors - through smart card-lock doors and into their similarly spartan offices. On the way they give a nod to their neighbours, fraud analysts from EMC-owned RSA, whose job it is to trawl the dark web for cybercriminals' latest escapades. They might even have time for a brief confab with staffers at their sister company, a secure designer. Then they settle down to code.
But for the last six years, their everyday routine has been nothing less than extraordinary: create the world's most invasive mobile spy kit without ever exposing their work. Now, though, they've been busted exploiting iPhones in some of the most astonishing attacks yet seen in the world of private espionage. The company, according to analyses from Citizen Lab and Lookout Mobile Security, discovered three previously-unknown and unpatched vulnerabilities (known as zero-days) were exploited by the firm, with just one click of a link in a text required to silently jailbreak the phone. This allowed its malware, codenamed Pegasus, to install on the phone, hoovering up all communications and locations of the targeted iPhones. That includes iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram and Skype communications, amongst other data. It can collect Wi-Fi passwords too.

Apple has now patched the flaws and released an update for A spokesperson said: "We were made aware of this vulnerability and immediately W935 We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits."

Who are NSO Group?

NSO Group has been able to keep its surreptitious work under wraps until now. Previous articles only recorded their move into America and limited information on contracts: one allegedly for the former Ricardo Martinelli and another form mm whose father is dating Martinelli's sister. Like Martinelli, armada is facing a corruption probe in Panama, but over alleged discrepancies with the WhatsApp rival, Criptext, he provided to the government)- Lab and Lookout, it's almost certain NSO also supplies to the United Arab Emirates (UAE). Ahmed Mansoor, an internationally-recognized human rights defender, alerted Citizen Lab researchers Bill Marczak and John Scott-Railton that his iPhone 6 was targeted on 10 August.
They subsequently investigated the malware (full technical details of which can be found here and here), and within 10 days of being informed Apple issued the The researchers later discovered Mexican journalist Rafael Cabrera had been targeted too. And looking at the domains registered by NSO, they determined Pegasus could have been used across Turkey, Israel, Thailand, Qatar, Kenya, Uzbekistan, Mozambique, Morocco, Yemen, Hungary, Saudi Arabia, Nigeria, and Bahrain, though there was no clear evidence.

I've been following NSO for the last two years. But founder Omri Lavie keeps a remarkably tight ship. He never speaks to press, recently emailing me: "I do not give interviews." That was despite an introduction through a friend in Tel-Aviv and requests spanning over two years. In another exchange, he asked me to stop contacting current and former employees. Today, despite the furore, Lavie simply said: "I'm not interested. Thank you." Co-founder Shalev Hulio had not responded to messages. Both are believed to be alumni of WW many of the country's security entrepreneurs

Former workers are also too afraid to speak, one telling me in June last year: "I know a lot about their products and how it works but I'm not allowed to publish I have a lot to lose and nothing to gain if I share all my knowledge about them."

Though it doesn't have a website and has almost eradicated its online presence since founding, FORBES understands that in 2015, as the company expanded, NSO moved in the same office building as the anti-fraud unit of RSA. I mm: 2013, before NSO arrived. The company's most recently-known owner is private equity firm Francisco Partners Management LLC which purchased NSO for $120 million in 2014.
reported in 2015 it was seeking a sale that would have valued the firm at nearly $1 billion. It was said to be earning $75 million a year at the time.

On his LinkedIn profile, Lavie says he's out in Washington DC, working with NSO's American sales arm WestBridge Technologies, the website for which he set up in 2013. It also does not have a working website, just the domain westbridge.us. Using the same Gmail, he registered the sites Iavieequityoom and lavieequityoom, as well as NSOGroup.com in 2010.

Lavie and his co-entrepreneurs also founded Kaymera, a company designed to solve the exact problems NSO created: a super-secure phone for government officials. The CEO of Kaymera is Avi Rosen, former head of Online Threats Managed Services group. One source told FORBES Rosen took some of the RSA team along to Kaymera. FORBES understands Kaymera is based just next door to NSO too. It would be little surprise if they shared resources.

Many partners

NSO has close partnerships with a variety of other Israeli surveillance firms as they seek to spread their spy kit across the world. These include Ability Inc, a mug supplier of an as-yet unproven technology called mm LAW The tool cerium allowing interception of calls and texts, and collection of target location, all with just a phone number, according to the firm. Of NSO, Ability founder and CEO Anatoly Hurgin told me earlier this year: "I think it's one of the best companies in this field." That's something even Scott-Railton agrees with: "Pegasus is really next-level stuff." Hurgin indicated NSO and Ability worked together, Hurgin's team covering the network side and mieavingmalmon devices.

According to two sources, Francisco Partners, which has bases in San Francisco and London, recently brought another Israeli spy team under its wing: Circles.
The company, though it's now based between Cyprus and Bulgaria, was founded by former IDF commander Tal Dilian. Circles does similar work to Ability, was. though it's another secretive company, much like its deal with Francisco Partners. Neither Dilian nor Francisco Partners had responded to requests for comment at the time of publication. But a claimed the deal was done shortly after the NSO purchase in 2014 for a similar price: $130 million. That same report, the company recorded revenue of $40 million.

From the Hacking Team files, it's apparent Circles and the Italian firm meillmhieinma too. It's a mighty incestuous market.

Another Israeli company that (unimd?ahbr) made headlines of late for hacking iPhones, Cellebrite, has also been in communication with NSO, though they operate at different levels of police investigations. Earlier this year, shortly iPhone 5C that belonged to San Bernardino shooter Syed Rizwan Farook Cellebrite's head of forensic strategy Ben Peron told FORBES his employer was in touch with companies like NSO. He didn't discuss their precise relationship. "I would say are more involved in the intelligence world and typically they would want to be following an individual without that individual knowing," he told FORBES, noting Cellebrite would inspect phones after they'd been seized by police, not before like NSO. "They are complementary use cases," Perot: added.

There's been some mover of staff between the firms too. One notable Warned in 2013. NSO also employs ex-staffers from a variety of other notable Israeli intelligence vendors, including Nice Systems and Elbit (the latter last year

Amongst Lavie's LinkedIn contacts is a notable individual: mm. He is the co-founder of two vulnerability research organizations: VUPEN and Zerodium. They make money from buying and selling zero-days. That included a remote jailbreak, for which Zerodium paid $1 million earlier this year.
It may be that the two have worked together, though neither responded to requests for comment. Citizen Lab's Scott-Railton told FORBES he thought NSO was more than capable of doing the vulnerability research on its own. "Given NSO's public statements about their capabilities, and the size of their company, it would not be surprising to learn they'd developed their own exploits," he said.

There are plenty of privacy concerns about NSO's tactics, exploiting devices without informing vendors and therefore leaving every phone vulnerable when they could be fixed. "That the companies whose spyware was used to target democracies speaks volumes about the lack of accountability and effective regulation in the cross-border commercial spyware trade," Citizen Lab concluded in its report.

But one industry source close to the company had a different take. "I think they're much less shady than the hype would make you believe. All technology can be abused, and they of all seem to do legal, upon-continued business."

NSO Group sent a statement to FORBES via email in which it said its mission was to make the world a safer place "by providing authorized governments with technology that helps them combat terror and crime". "The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations. Moreover, the company does NOT operate any of its systems; it is strictly a technology company," the statement continued. "The agreements signed with the company's customers require that the company's products only be used in a lawful manner. Specifically, the products may only be used for the prevention and investigation of crimes. The company has no knowledge of and cannot confirm the specific cases mentioned in your inquiry."

The competition

NSO Group is, then, one of the most valued malware creators amongst governments.
It frequently did battle with another (in)famous outfit, Italy's Hacking Team. In Wail WM 3 now-departed Hacking Team mobile malware specialist, Alberto Pelliccione, told his colleagues that NSO only did mobile exploits. But it was able to sell an iOS 6 exploit kit for up to $18 million. "At that time they were able to exploit iOS 6 remotely and silently if the phone was jailbroken," wrote Pelliccione in 2014. It would appear skills have vastly improved since then.

The email notes NSO was able to hack Google's Android OS as well as BlackBerry. But the company is not known to target PCs, something Hacking Team and rival FinFisher have long been known to exploit.

Other newcomers are trying to to Mum. Cyber-arms dealers are no new phenomenon. As long as police and intelligence need outside help to crack into Apple and Google mobiles, expect more firms to try to take their own slice of the market. Now NSO has lost a critical exploit, it'd be a good time for them to pounce.

Updated on 30 August, 2.45pm to include more confirmation of the Circles acquisition, reportedly in the region of $130 million in 2014.

Tips and comments are welcome at TFox-Brewster@forbes.com or for W. Get me on Twitter @iblametom and doxbrewsterwabberllot?chillmet for Jabber encrypted chat.