CatalanGate del The New Yorker (II/III)


On Monday, at crisis meetings with WhatsApp’s top executive, Will Cathcart, and Facebook’s head of security, the company told its engineers around the world that they had forty-eight hours to investigate the problem. “What would the scale of the victims be?” Cathcart recalled worrying. “I mean, how many people were hit by this?” The company’s leadership decided not to notify law enforcement immediately, fearing that U.S. officials might tip off the hackers. “There’s a risk of—you might go to someone who’s a customer,” he told me. (Their concerns were valid: weeks later, the Times has reported, the F.B.I. hosted NSO engineers at a facility in New Jersey, where the agency tested the Pegasus software it had purchased.) Cathcart alerted Mark Zuckerberg, who considered the problem “horrific,” Cathcart recalled, and pressed the team to work quickly. For Gheorghe, “it was a terrifying Monday. I woke up at like 6 A.M., and then I worked until I couldn’t stay awake anymore.”

NSO’s headquarters are in a glass-and-steel office building in Herzliya, a suburb outside Tel Aviv. The area is home to a cluster of technology firms from Israel’s thriving startup sector. The beach is a twenty-minute walk away. The world’s most notorious commercial hacking enterprise is remarkably unprotected: at times, a single security guard waved me through.

On the building’s fourteenth floor, programmers wearing hoodies gather in a cafeteria outfitted with an espresso machine and an orange juicer, or sit on a terrace with views of the Mediterranean. A poster reads “Life was much easier when Apple and BlackBerry were just fruits.” Stairs descend to the various programming groups, each of which has its own recreational space, with couches and PlayStation 5s. The Pegasus team likes to play Electronic Arts’ football game, fifa.

Employees told me that the ­company keeps its technology covert through an information-security department with several dozen experts. “There is a very large department in the company which is in charge of whitewashing, I would say, all connection, all network connection between the client back to NSO,” a former employee said. “They are purchasing servers, V.P.N. servers around the world. They have, like, this whole infrastructure set up so none of the communication can be traced.”

Despite these precautions, WhatsApp engineers managed to trace data from the hack to I.P. addresses tied to properties and Web services used by NSO. “We now knew that one of the biggest threat actors in the world has a live exploit against WhatsApp,” Gheorghe recalled. “I mean, it was exciting, because it’s very rare to catch some of these things. But, at the same time, it was also extremely scary.” A picture of the victims began to emerge. “Likely there are journalists human rights activists and others on the list,” Labunets, the security engineer, wrote on the company’s messaging system. (Eventually, the team identified some fourteen hundred WhatsApp users who had been targeted.)

By midweek, about thirty people were working on the problem, operating in a twenty-four-hour relay, with one group going to sleep as another came online. Facebook extended the team’s deadline, and they began to reverse engineer the malicious code. “To be honest, it’s brilliant. I mean, when you look at it, it feels like magic,” Gheorghe said. “These people are very smart,” he added. “I don’t agree with what they do, but, man, that is a very complicated thing they built.” The exploit triggered two video calls in close succession, one joining the other, with the malicious code hidden in their settings. The process took only a few seconds, and deleted any notifications immediately afterward. The code used a technique known as a “buffer overflow,” in which an area of memory on a device is overloaded with more data than it can accommodate. “It’s like you’re writing on a piece of paper and you go beyond the bounds,” Gheorghe explained. “You start writing on whatever the surface is, right? You start writing on the desk.” The overflow allows the software to overwrite surrounding sections of memory freely. “You can make it do whatever you want.”

I spoke with a vice-president for product development at NSO, whom the firm requested I identify only by his first name, Omer—citing, without apparent irony, privacy concerns. “You find the nooks and crannies enabling you to do something that the product designer didn’t intend,” Omer told me. Once in control, the exploit loaded more software, allowing the attacker to extract data or activate a camera or a microphone. The entire process was “zero click,” requiring no action from the phone’s owner.

The software was designed by NSO’s Core Research Group, made up of several dozen software developers. “You’re looking for a silver bullet, a simple exploit that can cover as much mobile devices around the world,” Omer told me. Gheorghe said, “A lot of people, you know, would think about the hackers as being, like, just one person in a dark room, like, typing on a keyboard, right? That’s not the reality—these people are just, like, another tech company.” It is common for tech companies to hire people with backgrounds in hacking, and to offer bounties to outside programmers who identify vulnerabilities in their systems. Facebook’s headquarters have the vanity address 1 Hacker Way. At both NSO and WhatsApp, the engineers closest to the coding are often described by colleagues as quirky introverts, resembling the hacker archetypes of fiction. “They are special people. Not all of them can communicate clearly with other human beings,” Omer said, of the programmers who work on Pegasus. “Some of them don’t sleep for two days. They get crazy when they don’t sleep.”

Late in the week, Facebook’s security team devised an act of subterfuge: they would simulate an infected device, to get NSO’s servers to send them a copy of the code. “But their software was smart enough to basically not be tricked by this,” Gheorghe said. “We never really were able to get our hands on that.”

Omer told me, “It’s a cat-and-mouse game.” Although NSO says that its customers control the use of Pegasus, it does not dispute its direct role in these exchanges. “Every day, things are being patched,” Hulio said. “This is the routine work here.”

At times, WhatsApp users received repeated missed calls, but the malware wasn’t successfully installed. Once the engineers learned about these incidents, they were able to study what it looked like when Pegasus failed. Toward the end of the week, Gheorghe told me, “we said, O.K., we don’t have a full understanding at this point, but I think we captured enough.” On Friday morning, Facebook notified the Department of Justice, which is developing a case against NSO. Then the company updated its servers to block the malicious code. “Ready to roll,” Gheorghe wrote on the internal messaging service that afternoon. The fix was constructed to look like routine server maintenance, so that NSO might continue to attempt attacks, providing Facebook with more data.

The next day, WhatsApp engineers said, NSO began to send what looked like decoy data packets, which they speculated were a way to determine whether NSO’s activities were being watched. “In one of the malicious packets, they actually sent a YouTube link,” Gheorghe told me. “We were all laughing like crazy when we saw what it was.” The link was to the music video for the Rick Astley song “Never Gonna Give You Up,” from 1987. Ambushing people with a link to the song is a popular trolling tactic known as Rickrolling. Otto Ebeling recalled, “Rickrolling is, I don’t know, something my colleague might do to me, not some sort of semi-state-sponsored people.” Cathcart told me, “There was a message in it. They were saying, We know what you did, we see you.” (Hulio and other NSO employees said they could not recall Rickrolling WhatsApp.)

In the months that followed, WhatsApp began notifying users who had been targeted. The list included numerous government officials, including at least one French ambassador and the Djiboutian Prime Minister. “There wasn’t, you know, overlap between this list and, like, legitimate law-enforcement outreach,” Cathcart said. “You could see, wow, there’s a lot of countries all around the world. This isn’t just one agency or organization in one country targeting people.” WhatsApp also began working with the Citizen Lab, which warned victims of the risk that they might be hacked again, and helped them secure their devices. John Scott-­Railton said, “It really was interesting how many people were upset and saddened, but in a deep way not surprised, almost relieved, as if they were getting a diagnosis for a mystery ailment they had suffered for many years.”

Five people in the initial group identified by WhatsApp were Catalans, including elected lawmakers and an activist. Campo, the Catalan security researcher, realized that the cases “were probably just the tip of the iceberg.” He added, “That’s when I found ­myself in the intersection of tech­nology—­a product that I contributed to building—and my home country.”

WhatsApp continued sharing information with the Department of Justice, and, that fall, the company sued NSO in federal court. NSO Group “breached our systems, damaged us,” Cathcart told me. “I mean, do you just do nothing about that? No. There have to be consequences.”

Hulio said, “I just remember that one day the lawsuit happened, and they shut down the Facebook account of our employees, which was a very bully move for them to do.” He added, referring to scandals about Facebook’s role in society, “I think it’s a big hypocrisy.” NSO has pushed for the suit to be dismissed, arguing that the company’s work on behalf of governments should grant it the same immunity from lawsuits that those governments have. So far, the U.S. courts have rejected this argument.

WhatsApp’s aggressive posture was unusual among big technology companies, which are often reluctant to call attention to instances in which their systems have been compromised. The lawsuit signalled a shift. The tech companies were now openly aligned against the spyware venders. Gheorghe described it as “the moment the whole thing just exploded.”

Microsoft, Google, Cisco, and others filed a legal brief in support of WhatsApp’s suit. Goodwin, the Microsoft executive, helped to assemble the coalition of companies. “We could not let NSO Group prevail with an argument that, simply because a government is using your products and services, you get sovereign immunity,” she told me. “The ripple effect of that would have been so dangerous.” Hulio argues that when governments use Pegasus they’re less likely to lean on platform holders for wider “back door” access to users’ data. He expressed exasperation with the lawsuit. “Instead of them, like, actually saying, ‘O.K., thank you,’ ” he told me, “they are going to sue us. Fine, so let’s meet in court.”

Microsoft, too, has a security team that engages in combat with hackers. Although Pegasus is not designed to target users through Microsoft platforms, at least four people in Catalonia running Microsoft Windows on their computers have been attacked by spyware made by Candiru, a startup founded by former NSO employees. (A spokesperson for Candiru said that it requires its products to be used for the “sole purpose of preventing crime and terror.”) In February, 2021, the Citizen Lab identified evidence of an active infection—a rarity for spyware of this calibre—on a laptop belonging to Joan Matamala, an activist closely connected to separatist politicians. Campo called Matamala and instructed him to wrap the laptop in aluminum foil, a makeshift way of blocking the malware from communicating with servers. The Citizen Lab was able to extract a copy of the spyware, which Microsoft dubbed DevilsTongue. Several months later, Microsoft released updates blocking DevilsTongue and preventing future attacks. By then, the list of activists and journalists targeted “made the hairs on the back of our neck stand on end,” Goodwin said. Matamala has been targeted more than sixteen times. “I still have the aluminum paper stored here, in case we ever have a suspicion of having another infection,” he told me.


Last November, after iPhone users were allegedly targeted by NSO, Apple filed its own lawsuit. NSO has filed a motion to dismiss. “Apple is a company that does not believe in theatrical lawsuits,” Ivan Krstić, the engineer, told me. “We have this entire time been waiting for a smoking gun that would let us go file a suit that is winnable.”


“You still have to choose which chef you want to prepare your food.”


Cartoon by Frank Cotham

Apple created a threat-intelligence team nearly four years ago. Two Apple employees involved in the work told me that it was a response to the spread of spyware, exemplified by NSO Group. “NSO is a big pain point,” one of the employees told me. “Even before the stuff that hit the news, we had disrupted NSO a number of times.” In 2020, with the launch of its iOS 14 software, Apple had introduced a system called BlastDoor, which moved the processing of iMessages—including any potentially malicious code—into a chamber connected to the rest of the operating system by only a single, narrow pipeline of data. But Omer, the NSO V.P., told me that “newer features usually have some holes in their armor,” making them “more easy to target.” Krstić conceded that there was “a sort of an eye of a needle of an opening still left.”

In March, 2021, Apple’s security team received a tip that a hacker had successfully threaded that needle. Even cyber warfare has double agents. A person familiar with Apple’s threat-intelligence capabilities said that the company’s team sometimes receives tips from informants connected to spyware enterprises: “We’ve spent a long time and a lot of effort in trying to get to a place where we can actually learn something about what’s going on deeply behind the scenes at some of these companies.” (An Apple spokesperson said that Apple does not “run sources” within spyware companies.) The spyware venders, too, rely on intelligence gathering, such as securing pre-release versions of software, which they use to design their next attacks. “We follow the publications, we follow the beta versions of whatever apps we’re targeting,” Omer told me.

That month, researchers from the Citizen Lab contacted Apple: the phone of a Saudi women’s-rights activist, Loujain al-Hathloul, had been hacked through iMessage. Later, the Citizen Lab was able to send Apple a copy of an exploit, which the researcher Bill Marczak discovered after months of scrutinizing Hathloul’s phone, buried in an image file. The person familiar with Apple’s threat-intelligence ca­pabilities said that receiving the file, through an encrypted digital channel, was “sort of like getting a thing handed to you in a biohazard bag, which says, ‘Do not open except in a Biosafety Level 4 lab.’ ”

Apple’s investigation took a week and involved several dozen engineers based in the United States and Europe. The company concluded that NSO had injected malicious code into files in Adobe’s PDF format. It then tricked a system in iMessage into accepting and processing the PDFs outside BlastDoor. “It’s borderline science fiction,” the person familiar with Apple’s threat-intelligence capabilities said. “When you read the analysis, it’s hard to believe.” Google’s security-­research team, Project Zero, also studied a copy of the exploit, and later wrote in a blog post, “We assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.” In the NSO offices, programmers in the Core Research Group printed a copy of the post and hung it on the wall.

Apple shipped updates for its platforms that rendered the exploit useless. Krstić told me that this was “a massive point of pride” for the team. But Omer told me, “We saw it coming. We just counted the days until it happened.” He and others at the company said the next exploit is an inevitability. “There might be some gaps. It could take two weeks to come up with a mitigation on our side, some work-around.”

During interviews in NSO’s offices last month, employees exchanged nervous glances with hovering public-relations staffers as they answered questions about morale in the midst of the scandals, lawsuits, and blacklisting. “To be honest, not every time the mood is actually good,” Omer said. Others claimed loyalty to the company and belief in the power of its tools to catch criminals. “The company has a very strong narrative that it tries to sell internally to the employees,” the former employee told me. “You’re either with them or against them.”

Israel has become the world’s most significant source of private surveillance technology in part because of the quality of talent and expertise produced by its military. “Because of the compulsory service, we can recruit the best of the best,” the former senior intelligence official told me. “The American dream is going from M.I.T. to Google. The Israeli dream is to go to 8200,” the Israeli military-intelligence unit from which spyware venders often recruit. (Hulio, who describes himself as a mediocre student whose upbringing was “nothing fancy,” often emphasizes that he did not serve in Unit 8200.) NSO has historically been regarded as an appealing job prospect for young veterans. But the former NSO employee, who quit after becoming concerned that Pegasus had facilitated Jamal Khashoggi’s murder, told me that others had become disillusioned, too. “Many of my colleagues decided to leave the company at that stage,” the former employee said. “This was one of the major events that I think caused many of the employees to, like, wake up and understand what’s going on.” In the past few years, the departures have been “like a snowball.” Hulio, in response to questions about the company’s problems, said, “What worries me is the vibes of the employees.”

In 2019, NSO was saddled with hundreds of millions of dollars in debt as part of a leveraged-buyout deal in which a London-based private-equity firm, Novalpina, acquired a seventy-per-cent stake. Recently, Moody’s, the financial-services firm, downgraded NSO’s credit rating to “poor,” and Bloomberg described it as a distressed asset, shunned by Wall Street traders. Two top NSO executives have left, and relations between the company and its backers have deteriorated. Infighting among Novalpina’s partners led to the transfer of control of its assets, including NSO, to a consulting firm, Berkeley Research Group, which pledged to increase oversight. But a BRG executive recently claimed that coöperation with Hulio had become “virtually non-existent.” Agence France-Presse has reported that tensions emerged because NSO’s creditors have pressed for continued sales to countries with dubious human-rights records, while BRG has sought to pause them. “We indeed have some disputes with them,” Hulio said, of BRG. “It’s about how to run the business.”

NSO’s troubles have complicated its close alliance with the Israeli state. The former senior intelligence official recalled that, in the past, when his unit turned down European countries seeking intelligence collaboration, “Mossad said, Here’s the next best thing, NSO Group.” Several people familiar with those deals said that Israeli authorities provided little ethical guidance or restraint. The former official added, “Israeli export control was not dealing with ethics. It was dealing with two things. One, Israeli national interest. Two, reputation.” The former NSO employee said that the state “was well aware of the misuse, and even using it as part of its own diplomatic relationships.” (Israel’s Ministry of Defense said in a statement that “each licensing assessment is made in light of various considerations including the security clearance of the product and assessment of the country toward which the product will be marketed. Human rights, policy, and security issues are all taken into consideration.”) After the blacklisting of NSO, Hulio sought to enlist Israeli officials, including Prime Minister Naftali Bennett and Defense Minister Benny Gantz. “I sent a letter,” he told me. “I said that as a regulated company, you know, everything that we have ever asked was with the permission, and with the authority, of the government of Israel.” But a senior Biden Administration official said that the Israelis raised only “pretty mild complaints” about the blacklisting. “They didn’t like it, but we didn’t have a standoff.”