NSO Group Closes Cyprus Office of Spy Firm

NSO recently closed the Cyprus office of phone network exploitation company Circles and fired a number of staff, according to two former NSO employees.

by Joseph Cox
August 21, 2020

Controversial phone hacking company NSO Group has closed the Cyprus office of Circles, a surveillance firm that previously merged with NSO, and fired a number of staff, according to two former NSO employees.

Cyprus is a hotbed for surveillance companies that sometimes set up shop in the country and then sell their technology from the region.

“They fired all the Cyprus office,” one of the former NSO employees told Motherboard.

“All Cyprus site was closed recently; all of the people fired,” the second former employee added. Motherboard granted the sources anonymity as they weren’t authorized to speak to the press about internal company issues, and to avoid retaliation from NSO.

Do you work at NSO Group or Circles? Did you used to? We’d love to hear from you. Using a non-work computer or phone, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Circles focuses on geolocating devices and intercepting communications via access to SS7, a network and related protocol that is particularly used by phones when roaming. Circles created its own phone company to gain this access for surveillance purposes.

Other surveillance companies have bought their way into the SS7 network for as little as $22 an hour. The main underlying issue with SS7 is that the network does not authenticate who sent a request, so if someone gains access, SS7 will treat their requests to reroute communications as legitimate, letting spies listen in on texts, calls, or locate the device too.

Read also:
Suicidal empire

An NSO spokesperson told Motherboard in an emailed statement that “In order to ensure that we are operating as efficiently as possible, we have recently restructured the development of one of our tactical search and rescue products, and shifted resources to other existing group locations. These changes will further our mission to prevent terrorism and serious crime.” Circles has another base in Bulgaria, the two former employees said.

NSO merged with Circles in 2014 after American private equity firm Francisco Partners bought Circles for $130 million. While Circles focuses on network exploitation, NSO develops malware for targeting cellphones themselves. Its main product, dubbed Pegasus, is capable of infecting Android and iPhone phones, and can siphon photos, messages from encrypted messaging programs, turn on a device’s microphone, and much more. Together, the two suites of tools could form a powerful surveillance capability; SS7 attacks can also be used to deliver malware to target devices.

“They exaggerated their system’s abilities.”

But months before the Cyprus office closure, one of the former employees described to Motherboard how Circles’ product didn’t necessarily match well with NSO’s.

“The idea was that the sum will be greater than its parts. That they will increase the attack vector, but in reality there were few successes in integration. They exaggerated their system’s abilities,” the former NSO employee said of Circles.

The source said NSO had “awful integration with Circles.” The second former employee said the integration “wasn’t great.”

But one of the sources added that the SS7 geolocation system itself worked “very well” in Mexico. Mexico is one of NSO’s largest clients, with journalists and researchers uncovering extensive use of NSO products in the country. NSO malware was used to target lawyers, journalists, and politicians in Mexico.

Read also:
‘Listen to us now’: Putin unveils new Russian nuclear arsenal

According to a lawsuit filed in 2014 in Israel and Cyprus and mentioned by Haaretz, an official from the United Arab Emirates’ Supreme Council for National Security emailed Eric Banoun, a Circles executive, and asked them to intercept the communications of the editor of the Al Arab newspaper even though this was not included in the client’s license. Shortly after, Ahmad Ali al-Habsi, the official, received an email with the recordings.

Motherboard previously reported how NSO pitched a product codenamed Landmark to the Los Angeles Police Department. A former NSO employee previously said that Landmark is an SS7-based geolocation capability.

Cyprus has attracted multiple surveillance firms in recent years.

“While Cyprus is working to shake its reputation as a haven for Russian criminal cash, I can’t imagine that the country is thrilled to see that a growing number of shady surveillance vendors are setting up shop,” John Scott-Railton, senior researcher from Citizen Lab, based in the Munk School of Global Affairs at the University of Toronto, which has extensively followed NSO’s work, told Motherboard.

“There is historic jurisdictional affinity between arms dealers and money launderers. Both prefer to disguise who they do business with, and how they move their money. I read the preference for places like Cyprus as yet another indication that spyware vendors have more in common with arms traders than software startups,” he added.

Last year, Cyprus authorities arrested employees of surveillance firm WiSpear after the company demonstrated its so-called spy van to Forbes in the country. The CEO of WiSpear Tal Dilian is an original co-owner of Circles.

Read also:
Cyprus police arrest three in Israeli-owned ‘spy van’ investigation

In a March 2019 letter addressed to various human rights groups including Amnesty International, Stephen Peel, founding partner at European private equity firm Novalpina Capital wrote that some of NSO’s products are exported from Cyprus. Novalpina bought a majority stake in NSO in February 2019.

In May 2019, activist group Access Now wrote to authorities in Bulgaria and Cyprus, asking them to further scrutinize NSO exports due to abuses of NSO’s technology.

Published at https://www.vice.com/en_us/article/ep48kp/nso-group-cyprus-circles-bulgaria-ss7