pwshub.com

Spyware vendors thwart restrictions with new names and locations

Some of the most criticized names in the secretive business of selling high-end surveillance tools to government spies have continued to thrive despite international efforts to regulate the market, fresh research shows.

The people behind some companies that have come under fire for enabling repressive governments to spy on human rights advocates, opposition leaders and journalists have renamed those companies, started new ones or shifted from one country’s legal jurisdiction to another — and sometimes done all three, according to a study by the Atlantic Council’s Cyber Statecraft Initiative and researchers at American University.

Current export regulations and other policies “are reliant on self-reporting,” said Trey Herr, senior director of the initiative. “We have got to get the policy side cooperating internationally, or this market is going to expand out of control.”

In its work, shared with The Washington Post ahead of its publication Wednesday, the group tracked the evolution of the high-priced hacking tools most often targeted by government and private lawsuits. Those include Pegasus, the powerful and often misused spyware sold by Israel-based NSO Group, and Predator, a spying tool developed by the Intellexa Consortium. Both NSO and Intellexa have been barred from U.S. dealings by the government.

The Post and others in a media consortium reported in October that Vietnamese government agents tried to install Predator on the phones of members of Congress and others in Washington. The Post reported in December that Pegasus was found on the phone of an Indian journalist who had sent questions to a powerful ally of Prime Minister Narendra Modi.

The Atlantic Council researchers also charted the path of hundreds of more obscure companies, investors and suppliers, and said they presume others escaped detection while selling similar software for infecting phones and computers.

The hacking tools have proved to be nefarious and effective weapons against advocates of free speech and political participation around the globe. Often undetectable, they have been used by state agencies to spy on Thai activists, Mexican journalists and relatives of Saudi exile Jamal Khashoggi before his murder. While many makers say they sell only to non-sanctioned governments for use against terrorists and major criminals, in practice their tools have been wielded by authoritarian regimes — as well as ostensibly democratic ones — to spy on their critics and political foes.

Google researchers reported last week that unpublished hacking techniques devised by NSO and other spyware vendors have been used in the last year by Russian intelligence. Russia might have bought the tools from those companies or their affiliates, from a reseller, or from another government, Google expert Billy Leonard said, adding that it could also have hacked any of those entities.

NSO declined to comment on how its exploits could have reached the Kremlin, except to say that it does not sell to the Russian bloc and that sometimes other companies’ tools are mistaken for NSO’s.

“NSO does not sell its products to Russia or its close allies,” Vice President Gil Lainer told The Post. “Our technology is exclusively provided to vetted U.S. and Israel-allied intelligence and law enforcement agencies. Pegasus continues to play a crucial role in thwarting terrorist activities, breaking up criminal rings, and saving thousands of lives.”

Last year President Joe Biden issued an executive order with procedures to ensure “that the United States Government does not contribute, directly or indirectly, to the proliferation of commercial spyware that has been misused by foreign governments or facilitate such misuse.”

National Security Council spokesman Sean Savett said: “Our actions to date — unprecedented financial sanctions, export controls, and visa restrictions — have imposed tangible costs on commercial spyware vendors that have enabled misuse.” An administration official added that some companies “are struggling to move their money around,” while spyware executives are worried about getting banned from travel to the United States.

A State Department official, speaking on condition of anonymity to describe ongoing policy deliberations, pointed to a 2023 joint declaration in which what are now 17 countries pledged to share information about spyware, to prevent exports for malicious use by others, and to use it only “consistent with respect for universal human rights, the rule of law, and civil rights and civil liberties.”

“What we have done is focus on the malign actors, the vendors who don’t care to whom they’re selling or how their products are being used, or they are well aware and are completely fine with it,” the official said, with the aim of “making it less likely that these technologies fall into the hands of those who would misuse it.”

But the new study points to limited success, years after an investigative journalism initiative’s exposure of rampant Pegasus misuse.

The U.S. government added NSO in 2021 to a list of entities barred from doing business in the United States, and Meta’s WhatsApp is suing it for allegedly hacking its servers to reach victims. But other corporations in the industry, some with connections to NSO, are not facing dire consequences, the Atlantic Council said. One of them, QuaDream, a spyware company founded by an NSO veteran, only shut down after it was exposed by researchers at Microsoft and the nonprofit Citizen Lab. Its former chief executive did not respond to requests for comment.

Predator’s vendor Intellexa and NSO affiliate Circles were both founded by Tal Dilian, who formerly commanded a technology unit of the Israeli military. When he was put under U.S. sanctions in March along with his partner and five entities of the Intellexa Consortium, the Treasury Department called Dilian “the architect behind its spyware tools.”

Yet while Intellexa’s online profile has since vanished, some affiliates were not punished by the United States, the report said, making the impact of sanctions hard to evaluate. Treasury characterized the consortium as “a complex international web of decentralized companies controlled either fully or partially by Dilian.”

India, like Israel, is a hotspot for surveillance vendors, the report said, noting that neither country requires past corporate names or top executives to be named in corporate filings, as do some other nations.

Other complications that arise in the effort to impose control over spyware are laid out in two interactive maps of the industry, one by the Atlantic Council team and one released in August by SurveillanceWatch.io, a consortium of privacy advocates.

Both maps show that some countries that advocate for more controls over spyware vendors are also home to some of their key investors or subsidiaries. European countries have also been big buyers of spyware, including 14 European Union members that bought from NSO.

Even among close allies such as the Five Eyes network — comprising Australia, Canada, New Zealand, the United Kingdom and the United States — agencies often fail to compare notes that might help them stop vendors from selling to unscrupulous users.

“None of these states has a clear understanding that ‘I am buying from X and they also sell to Y,’” Herr said. The Atlantic Council team recommended that regulators focus on key people instead of their companies and require more information from companies seeking export licenses.

The United Kingdom and France are leading a broad effort at discussion and consensus that has included more than two dozen countries, plus technology companies and civil society. Half a year after that started, there is little reason to think anything concrete will emerge, some participants told The Post.

In a sign of growing frustration, a group of nonprofits on Tuesday called on the European Union to impose a moratorium on all spyware use until a framework for authorized use can be established.

Source: washingtonpost.com
