A lot has been written about Pegasus, the mobile phone hacking software sold by the Israeli company NSO Group to all sorts of regimes, good(?) and bad, on the pretext that it can be used to track down terrorists. Of course, if it can track terrorists down, Pegasus can track anyone down. The software seems to have an unlimited ability to turn your phone into a personal spy—on yourself. So it was refreshing (in a weird confirmatory way) to learn that Pegasus is not alone. Of course, there simply have to be many similar spyware systems around, and a case that went before the U.S. Dept. of Justice highlighted one:
Three Former U.S. Intelligence Community and Military Personnel Agree to Pay More Than $1.68 Million to Resolve Criminal Charges Arising from Their Provision of Hacking-Related Services to a Foreign Government
That’s the headline from a DoJ press release from last September (why practically every word starts with a capital letter I don’t know—perhaps they were just chuffed). The press release said:
“According to court documents, the defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., “hacking”) for the benefit of the U.A.E. government between 2016 and 2019. Despite being informed on several occasions that their work for U.A.E. CO, under the International Traffic in Arms Regulations (ITAR), constituted a “defense service” requiring a license from the State Department’s Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license.”
“These services included the provision of support, direction and supervision in the creation of sophisticated “zero-click” computer hacking and intelligence gathering systems – i.e., one that could compromise a device without any action by the target. U.A.E. CO employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.”
“Between January 2016 and November 2019, the defendants and other U.A.E. CO CIO employees expanded the breadth and increased the sophistication of the CNE operations that CIO was providing to the U.A.E. government. For example, over an 18-month period, CIO employees, with defendants’ support, direction and supervision, created two similar “zero-click” computer hacking and intelligence gathering systems that leveraged servers in the United States belonging to a U.S. technology company (U.S. Company Two) to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing a U.S. Company Two-provided operating system. The defendants and other CIO employees colloquially referred to these two systems as “KARMA” and “KARMA 2.”
Perhaps this story didn’t get the coverage it deserved in the mainstream press because the offence these chaps were charged with was more like a white collar crime, such as not getting a license to trade their ‘KARMA.’ There’s no colourful illustration just yet of precisely how it was used (that’s for a further instalment). But there’s more to it, and we might want to ask ourselves why the UAE, which had already bought Pegasus, wanted KARMA too. Did they, in their negotiations for the famous rapprochement with Israel, want something with which they could spy on Israeli diplomats that wouldn’t potentially come with an Israeli cyber ‘backdoor’? In any case, just how many cyber spying software programs are in use by governments? And how many of these spyware outfits reside in the private sector without any significant regulation? The market’s global. The laws are parochial. More later on this one, I suspect.