Season 01: Episode 10

Shoot the Messenger: Espionage, Murder and Pegasus Spyware concludes its first season with its tenth episode.

Up until now, this show has focused on the use of Pegasus in foreign countries. But while we were in the middle of releasing the episodes of this season, a pair of New York Times journalists published a bombshell report that showed that the US government is making monthly payments to the NSO Group despite the official blacklisting of the company.

Last month, Mark Mazzetti and Ronen Bergman published an article in the New York Times describing the secret deal that occurred between the US government and the NSO Group.

Guests: New York Times Reporters Ronen Bergman and Mark Mazzetti

We’d like to extend a special thanks to the Committee to Protect Journalists for their special collaboration on the first season of Shoot the Messenger. For more information on the status of journalists and freedom of the press – visit at cpj.org.

Shoot the Messenger is hosted by Rose Reid and Nando Vila and is a production of Exile Content Studio.

Listen here:

Share:

NANDO VILA: In November of 2021 – several months after media outlets around the world published their biggest findings on Pegasus – the American State Department issued a new rule: an American company is now required to obtain a license to sell any “intrusion software” to other countries.1

This was seen as an effort by the Biden Administration to discourage the sale of surveillance tools to regimes like Saudi Arabia and the UAE.

Two weeks later the Biden Administration pushed the envelope further: it blacklisted the NSO Group.2

At the time, the NSO Group was considering an initial public offering at a $2 billion valuation.3

And an American-based company, L3 Harris, was in serious negotiations to purchase the NSO Group.4

Both deals fell through.

The blacklist sent a signal to potential investors: stay away. The Department of Commerce said that the NSO Group’s practices “threaten the rules-based international order”.5

However, The New York Times recently reported that a US Government agency has bought NSO products – despite the blacklisting and the executive order – and it is using front companies to do it. One of those front companies is called Riva Networks:6

MARK MAZZETTI: If you go to Google, Riva Networks has a website, they have a listed address and a phone number. So I tried calling several times. I tried reaching out to several people in the company. There was no response.

I’m Mark Mazzetti. I’m a Washington correspondent for The New York Times. I’ve been covering national security issues for the last 20 years.

ROSE REID: Mark Mazzetti has been covering the NSO Group for the past several years.

When Mark didn’t get a response from Riva Networks – he went to check it out in person:

MARK: I happened to be up in New York City in February and decided, well, it would be easy enough while I’m up there to go pay a visit to Riva Networks. So I rented a car, drove down the New Jersey Turnpike, and about an hour from New York City is an address in a suburban location, the one listed in public databases. And it’s actually a house in a suburban neighborhood.

ROSE: Mark took a picture of the house – which appears nearly abandoned, and there was a small wooden sign in front that says “Riva Networks” in the kind of white font you would expect from an Etsy jeweler, not a sleek storefront for spyware.

MARK: And, you know, drove in the driveway and came upon a house with a very, very loud dog and knocked on the door. And there was no answer. And there was the sign, it said Riva House, and I decided to take a picture of that because it was a actually a connection to Riva Networks. And I wasn’t able to get more than that during that trip other than the photo.

I recently wrote an article with my colleague Ronen Bergman, called “A Front Company and a Fake Identity: How the US came to use spyware it was trying to kill”.7

RONEN BERGMAN: My name is Ronen Bergman. I’m a staff writer for The New York Times. Based in north Tel Aviv. Writing about national security and terrorism and the Middle East. And one of the topics I cover is cyber and the Israeli offensive cyber industry.

NANDO: Ronen and Mark have been covering the NSO Group together for the past several years – in early April, they collaborated on an article that uncovered the ties among the US Government, Riva Networks and the NSO Group.

RONEN: My colleague and friend, Mark Mazzetti from the D.C. bureau and others, we have devoted, I don’t know, numerous hours and days and weeks on – I don’t know how many – 30, 40, 50 stories on NSO and other Israeli offensive cyber companies.

MARK: The article tells the story of how NSO and the private equity fund that owned it broke into the U.S. market, the U.S. government market specifically, and how there was really this, on one hand, appetite for spyware among various U.S. government agencies, but also an effort to mask the U.S. government’s use of these tools. And for this reason, there were certain company cutouts that were used to purchase the tools and in some cases, even fake names established for those companies on contracts to purchase the tools. It was sort of this tale – which is who controls these weapons and the sort of jockeying among nations for controlling.8

LAURENT RICHARD: A scoop like that is happening once in your life as a journalist. And for me and for Sandrine, it was the beginning of the largest and the most complex investigation.

SANDRINE RIGAUD: You realize that your worst nightmare is there in a list. Hundreds of other journalists and on such a massive scale, yeah, it was frightening.

ROSE: This is Shoot the Messenger, a biweekly investigative reporting podcast from EXILE Content Studio.

Every season, we investigate one international news story. You may have heard the headlines; this is the deep dive. I’m Rose Reid.

NANDO: And I’m Nando Vila. When Rose and I started reporting on this project we had one question: what is the biggest threat to journalists today?

When we put up a bulletin board and stuck a pin for every journalist threatened or assassinated in the past 5 years, we found one repeating link over and over. From Mexico, to DC, to the United Arab Emirates: Pegasus.

Over the course of ten episodes, we’re doing a special partnership with the Committee to Protect Journalists for our first season, “Espionage, Murder, and Pegasus Spyware.”

We started this podcast because we have this belief that journalism is fundamental to a free society. That you cannot have a democracy if there isn’t reliable information about how the world works. And without journalists digging that information up, and publishing it to a wider public, well then democratic control is corroded and the powerful can act with total impunity.

The threat of sophisticated spyware like Pegasus is that it essentially makes the work of doing journalism impossible. If powerful actors have access to your digital information, it is essentially impossible to report on them in a way that would ever make them feel threatened.

Up until now, this show has focused on the use of Pegasus in foreign countries. But while we were in the middle of releasing the episodes of this season, a pair of New York Times journalists published a bombshell report that showed that the US government is making monthly payments to a front company of the NSO GROUP despite the official blacklisting of the company.

This is Episode 10: A blacklist, an executive order, and front the companies to circumvent it all…

MARK: A year ago, we reported that the FBI had purchased a license to use Pegasus back in 2019, and we found out that it was testing Pegasus in this New Jersey facility.9

NANDO: Mark wanted to know if the FBI was still using Pegasus.

MARK: We pushed the FBI about the status of their Pegasus license. And in this recent story we did, they said on the record that the contract was canceled or not renewed. And the Pegasus system that – to our understanding – is still sitting in this New Jersey facility, is not active. Because one of the questions we had was, well okay, if you canceled the contract, is there still this spy tool that is in private hands sitting in a facility in New Jersey? And they said it’s been deactivated. So they are on record saying they are no longer using Pegasus even for testing.

RONEN: It’s not just the FBI. It’s also the CIA. That purchased the Pegasus for the Djiboutian10 intelligence services. It was network of front companies, cover names, fake identities that was created to create a gap between the American intelligence community and NSO. So they have some kind of a plausible denial. And it was not just NSO, there are other companies who are selling to the American administration, like Paragon.

MARK: In December, we reported that the DEA has been using a different Israeli firm called Paragon to buy spyware for its operations.11 And others have come forward to sort of give us more information about other U.S. government use of various spyware tools.

NANDO: The FBI, the CIA, and the DEA. The deeper that Mark Mazzetti and Ronen Bergman dive into the murky connections between US government agencies and the NSO Group, the more intricate the web of deception becomes.

Names that have been vague clues when first discovered have become links to transactions and deals between front companies used by US agencies and shell companies set up by the NSO group. The articles that emerge from their research read like something out of a Bourne Identity movie —

RONEN: There are cases where we say we have a document or we review the document. In our last story, Mark and I indicated on a 2018 letter from the American Department of Justice – to the Israeli Ministry of Defense – that is the agency that needs to authorize any sale of any Pegasus to any specific agency and does that only in return of that agency giving a written end user certificate that it would use it only against terrorism and serious crime.

MARK: For some time, Ronan and I had heard about this mysterious company called Cleopatra Holdings. And we, through the Freedom of Information Act, got some documents from the government – many were redacted – And it was through that process and further reporting that we came across this name, Cleopatra Holdings.

RONEN: And when the FBI wanted to buy a Pegasus, they didn’t want to have the name of the FBI written on the contract. So they said to the Israeli government, we have something called Cleopatra, which is a front company. Cleopatra will purchase that. It works for the FBI. Now, the Israelis, wanted to have a formal authorization from the American administration that they are not selling to a private company but to the US government. And so this letter says the Department of Justice authorized Cleopatra holding to purchase NSO products for the U.S. government.

MARK: Well, Cleopatra Holdings, in essence, is a fiction. It’s a company that is made up for the purpose of the U.S. government purchasing various NSO products. And it was some time before we kind of figured out that Cleopatra is actually the front name of an actual real company in the United States, a government contractor called Riva Networks. So we had figured out that there was this company behind Cleopatra that had been involved in the U.S. government purchase of NSO tools for several years.

So even though we had heard about Cleopatra some time ago, we weren’t able to put all the pieces together until a lot more recently, where we then were able to review a contract that mentions Cleopatra. It mentions the other side of the contract, which is this NSO, U.S. affiliate called Gideon Cyber Systems. That was in effect a holding company that Novalpina had set up for U.S. business of NSO. And so it’s really this sort of network of shell companies that were set up that were meant to get business in different places.12

The interesting thing that we found out about this contract that was signed between Cleopatra Holdings and Gideon Cyber Systems was that it was signed five days after the Biden administration puts NSO on the blacklist.

MEDIA CLIP: The commerce department has blacklisted NSO Group, a tech company based in Israel…13
MEDIA CLIP: Israel’s NSO Group has been blacklisted by the United States…14

MARK: I need to be clear that, we don’t necessarily believe that this contract itself is in violation of the blacklisting. There’s a matter of interpretation of exactly what the blacklisting prohibits. It certainly seems to violate the spirit of the policies that the Biden administration has put in place, not only with the blacklisting, but with a more recent executive order that the Biden administration issued, which prohibits the federal government agency from doing business with NSO. Now, the question is, what does it mean? I’ve also been covering the U.S. government for two decades now, and I would never rule out the possibility of just one hand not knowing what the other’s doing and that the timing, while suspicious, is to some degree coincidence.

RONEN: Following a FOIA Lawsuit The New York Times submitted against the FBI,15 they had to give us a lot of documents which showed us that the FBI was very, very close, on the brink of deploying something called Phantom.

ROSE: Phantom is a special adaptation of Pegasus. The NSO Group has unequivocally denied that Pegasus can target US numbers – or numbers with +1. But Phantom can.16

RONEN: And in the very last moment, they backed off. And we were able to review hundreds, if not more documents, some of them obtained through FOIA, and some of them were obtained through other means.

NANDO: The FBI purchased and evaluated Phantom – and was on the verge of deploying it.

This revelation sparked a Congressional Committee to question the FBI Director Christopher Wray on March 8th, 2022. Mark watched those hearings closely –

MARK: We knew that the FBI had purchased the license. Now, after our story came out, the FBI director, Christopher Wray, testified to Congress and was peppered with questions by members of Congress about, well, did you ever use this tool, Pegasus?17

MEDIA CLIP: Director, according to some open source reporting the FBI purchased NSO’s spyware Pegasus in 2019 and evaluated the program under a name called Phantom. Can you confirm if that’s true or not?18

MARK: And Wray said, “No, we didn’t. And actually, we really only, for the most part, purchased it for counterintelligence purposes, to test it, kind of reverse engineer it and see how bad guys, you know, enemies of the FBI, people the FBI is trying to track might use it.”And there’s internal FBI documents that show just how close they came and how they might be able to potentially use the fruits of Pegasus in investigations in court to try to send people to jail. Now, it’s true, they never deployed it, there’s no evidence that they did, but they came a lot closer than they let on.

ROSE: Why would the FBI want to “test” a tool like Pegasus? What does it mean when a US Government “tests” Pegasus for the sake of “national security?”

MARK: I’ll put it in the U.S. context, the concern about U.S. government agencies purchasing off the shelf commercial spyware is: you don’t know what backdoors are inside of the system. So if, for instance, the National Security Agency or the CIA builds these tools in house and they do build these tools in-house, I should, you know, point that out, then, you know, the U.S. government has sort of full visibility into all the code that goes into these tools. Well, if they’re buying them off the shelf, especially from a foreign entity, they don’t have that visibility. So if you’re talking about NSO, the concern has been that if, you know, Pegasus is unleashed in U.S. government networks for use by U.S. government agencies, who knows what kind of Trojan horses or backdoors exist for the Israeli government to penetrate and gather intelligence on U.S. government servers. So that is in a nutshell, one big counterintelligence concern here.

ROSE: Mark and Ronen uncovered a deal for a third NSO product that the FBI purchased called Landmark. The name “Riva Networks” came up again –

MARK: Then we found out more recently about another contract that Riva Networks had entered into with an affiliate of NSO. And on the contract it says the US government is the end user. We still don’t know which government agency is using this tool, but we’re still trying to figure that out. This is a geolocation tool. It acts as a kind of homing beacon. So with this tool, which the company calls “Landmark”, the user of the tool can punch in a cell phone number and it can tell you where specifically that cell phone number is at any given time. So this is another tool that, you know, NSO offers. And we found out that this contract was entered into in November of 2021 with this mysterious US government agency as the end user.19

The only other time I had come across a Landmark was in a story that I had written some years ago with my colleagues where we had found out that Landmark had been used by Saad al-Qahtani, who is a adviser to Saudi Crown Prince Mohammed bin Salman. And your listeners will perhaps know of Qahtani as one of the people believed to be the mastermind of the Khashoggi killing. In reporting we had done some years ago, we found that Qahtani had used a number of NSO tools, including Landmark.

NANDO: Landmark is a geolocation tool – type in any phone number, and you’ll be able to see that phone’s user appear on a map – and just like Pegasus, NSO’s business model requires their customers to pay-per-number – so clients are limited in their “queries” per month.

Although the contract allows for Landmark to be used against mobile numbers in the United States, Mark and Ronen have not found evidence that that has happened.

However – they do have evidence that Gideon (the US front company for the NSO Group) courted major American intelligence agencies… And even pitched Christopher Inglis, just before he became the White House national cyber director:

MARK: This happens in May of 2021 where a group of people affiliated with NSO meet with Christopher Inglis, who’s about to take over as the newly created White House cyber director. And this is the quote he gave, he said: “I told them, you are inheriting more than this exquisite technology. You are inheriting the history of how it’s been used.”

NANDO: It’s reported that Christopher Inglis did not meet with them again – and it was around this time, Gideon gave a presentation to C.I.A. officials.

Cleopatra Holdings still makes monthly payments to Gideon Cyber Solutions for access to Landmark.

Although Mark and Ronen have not discovered which American agency is using Landmark, they’re determined to keep digging:

MARK: What interests me about this story, is that it still feels like we’re really at the early days of this class of weapons and how they’re going to be used. We still are, I believe, still in the dawn of this era where this stuff is going to proliferate so much and unless we all come to some agreement on how it can or should be used, it’s going to wreak a lot of havoc and do a lot of damage.

I think it’s hard to imagine a future where this isn’t just commercialized. You know, we may look back in the period we are now where it’s still in the hands of governments. You know, NSO could go out of business tomorrow and the technology would continue to proliferate. Tools that were once in the hands of a small number of very rich and powerful governments are now in a lot of governments hands. Well, in the future, they could be the hands of criminal networks and corporations and rich people. And it’s hard to see that not happening unless there really is some concerted effort among governments to rein in the proliferation of this technology.

ROSE: So – how did we get – here? Where the demand for Pegasus is so high – it outweighs the risk of it being misused… Threatening the order and functionality of a modern democracy?

That’s after the break.

MIDROLL

ROSE: On this series, we’ve looked at how Pegasus works, how it is used or abused, the company that makes it, and the industry booming around it – and we are left with a few questions –

Like – what circumstances in recent history created the need for a product like Pegasus?

RONEN: The need was, Intelligence collection, SIGINT. Intelligence collection, of course, is nothing new. The regular is classic wiretapping. And then after September 11, and the shock that the American intelligence community suffered from, led to mass collection of data. The former chief of the NSA and then the CIA, General Michael Hayden said, “Ronen, you know, so in old times, if we wanted to know when the Kremlin orders to launch the long range ballistic missiles towards the US from the base, the secret base in the Ural Mountains, then we needed to hack into the line, the phone line from Moscow to the mountains. But, after September 11, we realized that if we want to collect information on terrorists, then we need to be in the same mean of communication that the terrorists use, like Gmail. And so the US intelligence started to collect everything. At the same time, the new apps for messaging like Skype or later BBM and later WhatsApp or Telegram or Signal appeared. First, they were free and very much available to anyone. You didn’t need to be Moscow Kremlin Center that has a special phone line.

Even if the cell phone provider is happy to assist the police – then they would have a problem: they could monitor the communication, but it meant nothing, it was encrypted and the problem became much more severe after a person by the name of Edward Snowden showed up in a hotel in Hong Kong and said to the world that the U.S. is spying on everybody, including on American citizens, creating massive uproar in America and worldwide.

MEDIA CLIP: Breaking details on that whistleblower who leaked top secret documents about the government surveillance of Americans.20
MEDIA CLIP: Edward Snowden is a wanted man. He’s already leaked information about the government tracking America’s phone records.21
MEDIA CLIP: The Guardian revealed the National Security Agency is collecting telephone records of millions of Verizon customers under a secret court order issued in April.22

RONEN: Because suddenly it turns out that the NSA is collecting information about all of us, not just suspects. It was a untargeted mass surveillance. The American administration at the time decided to change course.

NANDO: We’ve covered end to end encryption on this series before – the ability for two users to communicate with each other in guaranteed privacy. Because the messages are encrypted from the beginning to the end – even the provider of that messaging platform, like WhatsApp or Signal, cannot see what you are writing. Private communication has been heralded as one of the greatest achievements of the past decade – but it’s this advancement that has sparked the proliferation of spyware.

RONEN: A phrase attributed to President Obama who said privacy is more important than security. People feel that they have privacy to speak about whatever they want. It helps so much with the spread of democracy, the fight for freedom, the encouragement and development of civil societies. But on the other hand, this is also a safe haven for villains, like drug traffickers or pedophiles or organized crime lords, because they also understand that they have a safe haven. And it’s very, very hard to conduct a police investigation or intelligence collection on counterterrorism. The core point of everything discussed about Pegasus. Here is the demand. Here is the need from both democracies and tyrannies. From both police forces who are trying to catch drug lords, and ruthless espionage services who are trying to crack down on dissidents.

ROSE: And another question we have been mulling over – how did the NSO Group become a singular star player in the spyware industry?

RONEN: Israel was one of the first to lead the development of offensive cyber tools, whether for intelligence collection or for causing damage to a targets, enemy country or infrastructure. Because of having been able to do that on behalf of the country before, it led to the development of a very, very advanced – some would say the most advanced – private industry for offensive cyber in the world.

I met the founders of Omri Lavi and Shalev Hulio, back in 2007 in the chicken house, the hen house. It was just renovated. You can still feel the stench of the chicken and the mud. But on my way out, I met those two from Haifa, young people. They were not in the typical background and profile of most of the other people in that chicken house. And a few years later, I learned that that startup that I met back there, the chicken house, developed into something else.

RONEN: They understood that there’s much more potential into doing the same, but for intelligence collection purposes. They realized that law enforcement agencies, intelligence organizations all over the world following the development of technology, the appearance of those apps like Skype or WhatsApp or BlackBerry BBM, they became deaf and blind, and they were trying to fill the gap.

ROSE: Even with a warrant to tap someone’s phone – if a user was using an encrypted messaging service, a cell phone provider or telecom company cannot provide access to a user’s messages – they can provide the raw data – but with end to end encryption – it’s indecipherable.

That’s the purpose (or beauty) of Pegasus – it doesn’t break end to end encryption – it bypasses it completely…

RONEN: And it’s always about national security versus democracy. They fail to ask a very simple question, which is “why would many law enforcement agencies and intelligence services in Western Europe are paying, in Germany, are paying so much money, hundreds of millions into the pocket of NSO? Are they hacking dissidents? Are they trying to destroy the German and civil society?” I don’t think so. I think that they believe that there is no way to conduct an investigation against serious crimes without looking into the means of the channels of communication between them.

People say, you know, it’s only thanks to Pegasus that we were able to catch this, the biggest network of pedophile material production in the world. They saved people. They saved children. They saved babies who were victims of those horrible Satan network.

I think that this kind of behavior – that on one hand, the leaders of the country are saying “this is a threat, a threat to national security” – at the same time, the intelligence agencies are buying the so-called, the alleged counter intelligence risk, I think this shows the dilemma. And if you want one sentence to phrase it, I said it in nowadays in the current situation – you cannot do without Pegasus, and you cannot do with Pegasus.

NANDO: Sometimes, it’s worth reminding ourselves just how quickly technology has transformed everything about the way we live. I remember I sent my first text message when I was a senior in high school, in 2003. That was only twenty years ago. Now, living a normal life without access to the communication tools provided by smartphones seems unfathomable. You simply cannot hold a regular job, or keep a family without them.

But by allowing our lives to be dominated by digital communication, we’ve unwittingly given the powerful the perfect tool of control. Now, thanks to things like Pegasus, it’s remarkably easy for anyone to know everything about us.

If they can know literally everything about us, they will know exactly when and how we plan to make changes that would threaten their power. Which essentially gives them a constant leg up. We live in a time when everyone is obsessed with politics. The political fights we see on cable news and social media are a huge source of acrimony. But when you dig into something like Pegasus, and you see that the powerful can essentially monitor all of us at all times, you wonder, what are we even fighting about? This is the real fight. Because without tackling the issue of surveillance, politics and democracy are essentially reduced to a fiction.

ROSE: NSO declined to speak with us for this series after several requests.

Thank you for joining us for this first season of Shoot the Messenger, “Espionage, Murder and Pegasus Spyware.”

Over the next few weeks we’ll share some bonus material with you and feature other shows we love in our feed.

And we’ll be back with our second season on July 11 – which asks “Who Killed the President of Haiti?” This 10 part series launches a few days after the anniversary of President Jovenel Moise’s assassination. Two years later, and we are still searching for answers, and Haiti still has no president. And no elections are on the horizon.

CLAUDE JOSEPH: President Moïse knew he was fighting against big interests that could have consequences on his life and his family’s life.

MEDIA CLIP: MARTINE MOÏSE: The person that killed him shot him from head to toe…23

JACQUI CHARLES: When I got the Haitian police report, what was clear to me was “Oh my God, he was just a sitting duck this entire time and did not know.

ROSE: That’s on Season 2 of Shoot the Messenger.

NANDO: Hosted by me, Nando Vila and Rose Reid. Produced by Rose Reid, with Sabine Jansen, Nora Kipnis, and Ana Isabel Octavio.

Written by Rose Reid. With story editing by Gail Reid.

Production assistance by Stella Emmett and Alvaro Cespedes.

Daniel Batista oversees audio at Exile Content Studio.

Sound design and mixing by Pachi Quinones.

Executive producers are myself, Rose Reid, Carmen Graterol, and Isaac Lee.

We have a lot of people we want to thank on this first season: Isaac Lee, Joel Simon, Ale Uribe, Juan Arenas, Jason Saldana, Julie Shapiro, Ben Riskin, Matt Dysart, Sonic Union

For more information on the status of journalists and freedom of the press – visit The committee to protect journalists at cpj.org.

To learn more about EXILE, our other podcasts and films, visit exilecontent.com.

We want to hear from you – so find us on Twitter and Instagram @exilecontent.

Or, send us a voice memo with your questions about Pegasus to stm@exilecontent.com.