It’s been a rough few years for the NSO Group. The spyware vendor, once a shadowy, little-known hawker of technically sophisticated cyber weapons, has suffered a seemingly endless string of highly visible controversies over the past few years. Revelations that it sells to authoritarian regimes, that its products have been used to surveil journalists, activists, politicians, and even potentially world leaders, have marred its reputation—potentially beyond repair.
Now, beset by ongoing lawsuits, declining sales, scurrying investors, and unendingly negative press coverage, the company has entered a sort of financial spiral and seems so strapped that it’s struggling to pay its own employees.
But Shalev Hulio, the CEO of the notorious cyberweapons distributor, apparently has a new plan to rebound from the company’s ongoing legal and fiscal tailspin: start re-selling its noxious spyware to the very governments that got it into trouble in the first place. This means selling its products to countries that have been deemed “elevated-risk” clients, reports the Financial Times. Such clients had apparently been categorized as risky during a due diligence review by a now defunct internal committee. While we can’t say for certain which countries those are, you can probably assume they wouldn’t be places where civil liberties and democratic norms are a huge thing.
According to the FT report, Hulio recently pitched this idea to a roomful of suits tasked with representing the company’s largest financial investors. Those suits—a bunch of executives from the global consulting firm Berkeley Research Group—had been sent to the meeting to help “wrap up” a private equity fund that had originally been formed to support NSO but which imploded last year due to infighting and legal disputes. Amidst those discussions, Hulio started trying to sell them on this whole “risky” clients strategy. For whatever reason, this was reportedly viewed by Hulio as a profitable strategy. BRG folks promptly rejected the idea.
FT reports that, after the meeting, Hulio told NSO creditors that BRG’s decision had impacted the company financially and BRG apparently found itself on the defensive. An email sent by BRG attorneys to NSO creditors shows them affirming their decision not to allow sales to risky clients:
“You are demanding that (BRG) blindly sanctions the sale of . . . Pegasus . . . to elevated risk customers without a thorough governance review,” BRG attorneys apparently wrote in December. “Please note that in no circumstance is (BRG) prepared to do so.”
Are we to assume that NSO is having trouble being profitable without selling its services to some of the worst governments on the planet? Some might look at that situation and consider changing their business strategy to one that doesn’t require scandal-prone buyers as their prime clientele.
Why NSO Group is So Strapped Right Now
It’s not just lawsuits and controversy causing NSO trouble, however. The spyware vendor has faced increased financial difficulties ever since it was effectively blacklisted by the U.S. government last fall.
In November, the U.S. Commerce Department added NSO to its Export Administration Regulation “Entity List.” The EAR list is basically a long tally of foreign companies whose activities have been deemed as “contrary to U.S. national security and/or foreign policy interests.” Getting put on this list means that any U.S.-based business that wants to provides goods or services to a blacklisted company has to acquire a special license from the U.S. government before it can do so. For obvious reasons, this can greatly hobble a company that relies on American tech companies, of which NSO is one. The blacklisting took place not long after the November meeting between BRG and NSO, FT reports.
Ironically, NSO’s blacklisting took place after the U.S. government reportedly spent several years deciding whether it should become one of the spyware merchant’s clients. In January, the New York Times Magazine reported that the FBI had spent the better part of two years mulling a potential acquisition of a surveillance system called “Phantom,” which could reputedly hack any mobile phone in the U.S. The bureau ultimately decided against the acquisition.
Gizmodo reached out to the Berkeley Research Group, which referred us to an external communications firm, which did not respond to us by press time. We also reached out to the NSO Group for comment on this story and will update it if they respond.