Shalev Hulio, 39, is the CEO and cofounder of NSO Group, one of Israel’s most successful cybersurveillance companies valued at over $1 billion, and the man ultimately responsible for smartphone hacks of high-profile journalists and world leaders, according to allegations made this week.
Though he’s coming out of the shadows to deal with those allegations, as well as some apparent contradictions in NSO’s own response, in a rare interview with Forbes, Hulio was in good spirits as he attacked the research that underpinned the so-called Pegasus Project, a coalition of nonprofit and media organizations trying to shine a light on NSO’s operations. The project’s reporting follows years of stories alleging that NSO’s tools were used to infect the iPhones of civil rights defenders, reporters and lawyers.
NSO itself claims that it works with governments to help catch the most serious and dangerous criminals – terrorists, gangsters, and pedophiles – with spyware tools that can silently capture all the data from even the latest generation of iPhones. And business is good with NSO boasting of EBITA earnings of $120 million on $250 million of sales for 2020. Hulio, who served as a major in the Israel Defense Forces search and rescue unit, aggressively denied that NSO was involved in attempts to hack French officials, including president Emmanuel Macron, and people close to murdered journalist Jamal Khashoggi. “It’s definitely not related to NSO, it’s definitely not related to Pegasus. This is what I can confirm.”
At the same time, he said NSO couldn’t be held responsible for any abuse of its tools. “We are selling our products to government. We have no way to monitor what those governments do… But if those governments misuse the system, we have a way to investigate. We will shut them down. We have done it before and we will continue to do so… But we cannot be blamed on the misuse that the government did.”
As for the average person, they’ve no need to fear NSO Group, he insists, as his company is only going to flex its technical muscle and break into the Apple and Google phones of serious criminals. “The people that are not criminals, that are not the bin Ladens of the world, there’s nothing to be afraid of, they can absolutely trust on the security and privacy of their Google and Apple devices.”
Such claims do little to cool critics like NSA leaker Ed Snowden, who would like to see a blanket ban on smartphone surveillance tools like NSO’s. “I won’t comment to Edward Snowden,” Hulio says, adding that software like Pegasus is entirely necessary to “save lives” and “keep the safety of the people.”
The 50,000 list question
The release of the Pegasus has sent political shockwaves around the world with one alleged target, Macron, opening an investigation into the case, and the Indian and Mexican governments facing fierce criticism for the alleged use of the tool to monitor opposition politicians, journalists and activists. But, frustratingly for NSO’s detractors, the Pegasus Project left some wiggle room for Hulio in referencing a list of what was alleged to be a list of 50,000 “potential” targets of NSO clients. Believed to have first been obtained by French non-profit Forbidden Stories, the list remains something of a mystery: neither Forbidden Stories nor its media partners have explained where the list came from, what it is or how it’s linked to NSO. Reports subsequently landed with couched language: the data doesn’t confirm targets, only “suggests” them, and in many cases it couldn’t be confirmed if Pegasus actually attempted to infect a phone, or if it had any success in snooping on devices at all.
With the door open for plausible deniability, Hulio reiterates the list has nothing to do with NSO, saying there is no one server containing a list of all its clients’ possible targets and, he adds, that the 50,000 number is “insane.” The average number of targets per NSO customer is at around 100 and the company only sells to between 40 and 45 countries, he adds.
He believes the data has come from what’s known as a Home Location Register (HLR) lookup. The HLR is essentially a kind of database controlled by telecoms companies and shows whether or not a specific mobile number is registered and the phone’s rough location. Telecoms businesses will query the database for mundane tasks like sending SMS text messages, but could, according to telecoms security company AdaptiveMobile, be used as a starting point for cyberattacks. A surveillance company could recruit an HLR lookup provider – easily findable on the web – and ask it to continually check whether a target device was registered and able to receive text messages. Previously, NSO hacks have reportedly launched via links sent via text.
If Forbidden Stories was leaked data from an HLR lookup service provider, according to AdaptiveMobile chief technology officer Cathal McDaid, it would explain how the information came from a single source, counter to Hulio’s suggestion that no one data store existed. “The operators or companies doing those lookups – querying the HLRs in all the different operators – that could indeed be one company. Or it could be a few companies. There are many of these companies, and size isn’t a limiting factor. If they were HLR lookups, then 50,000 is a very small number, as billions are sent globally every day.” Even so, NSO still denies the data is linked to its operations. Amnesty International, one of the partners in the Pegasus Project, told Forbes it couldn’t comment on the nature of the information in order to protect sources, but stood by its claim that it was linked to NSO.
Regardless of the recent reports, there’s a history going back to at least 2016 of NSO’s spyware tools being used to target journalists and activists. In December 2020, for instance, as many as 36 Al Jazeera journalists’ phones were infected with NSO’s iPhone malware. NSO’s response at the time mirrored its handling of the Pegasus Project revelations, saying it couldn’t comment on specific customer use cases and went on the offensive against Canadian surveillance tracking nonprofit Citizen Lab, which investigated the Al Jazeera incident, saying it “regularly publishes reports based on inaccurate assumptions and without a full command of the facts.”
Hulio insists that if NSO has good reason to suspect misuse of Pegasus, which can reportedly infect the latest iPhones without the user needing to click a thing, the company can investigate and cut off a customer with its “kill switch.” A source familiar with the company claimed in one case, Qatar offered hundreds of millions of dollars to NSO for its spyware, but it declined due to concerns over the human rights record of the country. (A spokesperson at the Qatar embassy in London said such claims were “absurd and entirely without merit or fact.”)
Hulio also sought to explain an apparent contradiction in its response to the Pegasus Project reports: NSO claimed, on the one hand, to have no access or data on customer uses of its product, but, on the other, could say definitively when it was or wasn’t used on certain phones.
While NSO isn’t actively monitoring what customers do with its technology, the company can get access to log files from customers when it has cause to investigate, allowing the company’s auditors to check what numbers were selected for surveillance, Hulio says. When it was handed information from Pegasus Project partners on attempted or successful hacks of 37 specific devices, the company carried out an investigation and claimed that none of the phones had been targeted by its software. That’s why, Hulio adds, he is able to say that French politicians and Khashoggi’s wife were not targets. But, he adds, the company is continuing to investigate.
NSO was founded in 2010, a startup born out of Hulio’s previous business, CommuniTake, set up with friend and business partner, Omri Lavie. It had a tool that allowed telecoms companies to get remote access to a users’ smartphone so they could help with any technical issues. When law enforcement working with a telecoms customer told Hulio and Lavie their tool would be useful to help carry out surveillance on criminals, they had an idea to pivot the business to a phone interception provider. That idea didn’t take at CommuniTake, so Hulio and Lavie left to set up their second business, NSO. In a matter of years, it was courted by private equity company Francisco Partners, which took a controlling stake in 2014, only to be sold to U.K.-based Novalpina Capital and NSO management in 2019. Hulio says Novalpina has a roughly 70% stake, compared to his and Lavie’s sub-10% holdings and the remaining 10% to 20% owned by employees.
Today, Hulio claims that thanks to NSO tools more than 15 terror attacks have been prevented, more than 100 pedophiles across Europe have been arrested, and major cybercriminals have been identified. But, because he says he can’t talk about specific clients, he can’t provide detail or proof. And over the years, Hulio says he has been forced to act over misuse of Pegasus, cutting off customers, though he won’t reveal which countries.
Hulio is happy to boast of those wins but is also willing to distance himself from a client government that uses his tools in ethically questionable ways. He compares NSO to a car manufacturer: if a drunk driver hits someone, they’re to blame, not the car maker. Such arguments may not wash with those who see NSO as less of a car maker than a digital arms manufacturer not doing enough to vet its customers before putting dangerous products in their hands.