By the time Forbidden Stories published its “Pegasus Project” in 2021, NSO was already knee deep in what was probably the worst PR disaster ever suffered by a cybersecurity company - and then, in November 2021, came the fateful blow: the US Dept. of Commerce added NSO to its “Entity List.” Is NSO to blame for its troubles? Could the company have acted differently to prevent its downfall?
The Malicious Life Podcast by Cybereason examines the human and technical factors behind the scenes that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution, with host Ran Levi interviewing hackers and other security industry experts about hacking culture and the cyber attacks that define today’s threat landscape. The show has a monthly audience of over 200,000 and growing.
Born in Israel in 1975, Malicious Life Podcast host Ran Levi studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several high-tech companies in Israel.
In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.
On January 19, 2010, at about 4 pm, Mahmoud Al-Mabhouh checked into the five-star Al Bustan Rotana Hotel in Dubai, the United Arab Emirates’ most populous city. He didn’t notice the two individuals, dressed in tennis attire, who were following him.
When Al-Mabhouh traveled away from Syria, where he was residing, he was usually accompanied by several bodyguards – and for a good reason: Mabhouh was the chief of logistics and weapon procurement for Hamas, the Palestinian terrorist organization. He was also responsible for the kidnapping and murder of two Israeli soldiers in 1989.
But that afternoon in Dubai, Al-Mabhouh was alone because according to news reports, for some mysterious reason his bodyguards could not get tickets for the same flight, and were scheduled to join him the next day.
A short time after checking into the hotel, Al-Mabhouh left to do some shopping in the city. While he was away, someone reprogrammed his room’s electronic door lock. A short time later, four men stepped out of the elevator at the hotel’s second floor.
Al-Mabhouh came back to his room at around 8:30 pm. The following morning, a hotel maid who tried to open his door found that it was locked from the inside. When Al-Mabhouh’s room was finally opened, his body was discovered on the bed, with a small bottle of medicine placed on the drawer next to it. It took ten long days for the Emirati police to come to the conclusion that the senior Hamas operative did not take his own life, but was in fact assassinated by the Israeli Mossad.
Mohammed bin Zayed, the UAE’s president, was furious at Israel and ordered all the clandestine security ties between the two countries to be severed. It wasn’t the assassination itself that made him angry – the UAE wasn’t particularly fond of the Palestinian terrorist organization – but the fact that it was carried out on Emirati soil.
Israel, for its part, wished to pacify the fuming monarch: the UAE was an important ally in its fight against Iran, the two countries’ common enemy. The Israeli government was looking for an olive branch. Mohammed bin Zayed, the Israelis knew, was keen on eavesdropping on the phone calls of some of the area’s prominent political figures, including the Emir of Qatar and Saudi Arabia’s Crown Prince, leaders of two of the UAE’s neighboring countries. And so an $18 million deal was struck, and in 2013 Bin Zayed got his own copy of Pegasus.
Predictably, it didn’t take long for the UAE to follow the same route that Mexico took.
Ahmed Mansoor is a journalist and a blogger who is an internationally recognized human rights activist. Mansoor, who won several prestigious awards for his fight for reforms and human rights within the United Arab Emirates, was a long-time nemesis of the regime. He spent eight months in prison in 2011 for supporting a pro-democracy petition, and was constantly harassed even after his release: his passport was confiscated, $140,000 was stolen from his bank account and he was fired from his job.
On August 10, 2016, Mansoor received an SMS message with a link to a website that promised to reveal new secrets about detainees tortured in UAE prisons. He got a similar message the next day as well.
But whoever sent these spear phishing messages made a grave mistake, because by 2016 Ahmed Mansoor was an old hand at that particular game. Every year since his arrest in 2011, Mansoor has been targeted by phishing campaigns trying to install spyware on his devices, so he became extra careful when opening messages from unknown senders. Instead of clicking the suspicious links, he forwarded the messages to Citizen Lab – an interdisciplinary organization, based at the University of Toronto, which specializes in researching cyber threats to journalists and human rights activists such as himself.
Citizen Lab’s researchers immediately recognized the domain names present in the links: they were part of a network of domains the investigators already suspected belonged to NSO. Up until then, all the links the investigators received from other victims had been deactivated by the attackers by the time they got to Citizen Lab – that is, none produced an infection when tested – but with Mansoor, they struck gold: the links were still active, and when clicked, Pegasus was installed on the honeypot device.
Together with researchers from Lookout Security, a data protection company, the investigators discovered that Pegasus used a chain of zero-day exploits to jailbreak the victim’s iPhone. Once installed, Pegasus could eavesdrop on the user using the phone’s camera and microphone, record his WhatsApp calls and messages, and track his movements in real time. Citizen Lab shared its findings with Apple, which promptly pushed out an update to its users that patched the vulnerabilities.
Mansoor’s story and Apple’s reaction made headlines around the world, but although NSO certainly didn’t enjoy being in the limelight, it seems this newfound attention didn’t upset its business too much. Its Pegasus system was the centerpiece of a $2 billion arms deal between Israel and India in 2017 that strengthened the ties between the two states: Narendra Modi, India’s Prime Minister, visited Israel – the first Indian Prime Minister to do so – and two years later, India voted in support of Israel at the UN’s Economic and Social Council – again, a first for the nation. Also in 2017, Israel approved the sale of Pegasus to Saudi Arabia for some $55 million. Its booming business raised NSO’s value to more than $1 billion, up from $130 million only three years earlier.
On October 2nd, 2018, Jamal Khashoggi – a Saudi journalist and a vocal critic of the Saudi government and royal family – arrived at the Saudi consulate in Istanbul, Turkey. He was accompanied by his fiancee: the goal of his visit to the consulate was to obtain a permit that would allow them to marry. A security camera recorded Khashoggi entering the building at around 1 pm.
Unbeknownst to Khashoggi, a group of 15 men arrived at the consulate from Riyadh the night before. They were waiting for him inside.
As the hours went by, Khashoggi’s fiancee, who was waiting for him outside the consulate, began to worry: Jamal himself had speculated that the Saudis might try to seize the opportunity to kidnap him and send him back to Saudi Arabia. At 4 pm, half an hour after the end of the consulate’s working hours and with Jamal nowhere in sight, she phoned one of his friends, an adviser to the Turkish president.
The Turkish police got involved. The Saudis claimed that Khashoggi had left the consulate via a back entrance, but that lie was quickly refuted after an examination of footage taken by another security camera facing the building’s rear entrance. A few days later, the grim and gruesome truth came to light: Khashoggi was murdered, and his body dismembered with a bonesaw – possibly, according to one anonymous source, while he was still alive. Another anonymous source claimed that the killers brought Khashoggi’s fingers to Mohammed bin Salman, the Saudi Crown Prince, as proof of the journalist’s assassination.
As expected, public reactions around the world ranged from disgust and horror, to rage against the Saudi royal family. France, Germany and the UK issued a joint statement expressing shock and condemning the killing. The UN’s Secretary-General called the murder ‘deeply troubling’, and four major human rights groups joined forces to demand an independent UN investigation into Khashoggi’s assassination.
By pure chance, just one day before Khashoggi’s fateful visit to the Saudi consulate, Citizen Lab – a research organization dedicated to helping journalists and human rights activists facing cyber threats – published a report detailing how Saudi Arabia used Pegasus to spy on Omar Abdulaziz, a Saudi human rights activist who lives in Canada – and one of Jamal Khashoggi’s closest friends and confidants. There’s little doubt that the Saudis used the information they siphoned off Omar’s phone to track Khashoggi’s activities and plan his demise.
This ill-timed revelation placed NSO, Pegasus’s maker, in a tough spot. News reports on how the Mexican government used Pegasus to target anti-corruption activists and journalists already tarnished its reputation, and its involvement in Khashoggi’s death greatly amplified the public’s perception of the company as a sort of modern day mercenary in the service of shady and corrupt regimes.
Although the spyware’s sale to Saudi Arabia was approved and maybe even initiated by the Israeli government as part of its diplomatic dealings with the Middle Eastern kingdom, a lot of people – including in the cybersecurity community itself – were appalled by the company’s involvement in the brutal murder. Did NSO know about the planned assassination, but do nothing to stop it? Could it be that NSO actively assisted the Saudis in their plans to murder Khashoggi?
In the days following Khashoggi’s murder, NSO denied that its product was involved in any way in the affair, and claimed that a post-mortem analysis of Pegasus’s logs showed no use of the technology against Khashoggi (although nothing was said about its use against Khashoggi’s inner circle of friends, as Citizen Lab claimed in its report.) Still, NSO’s internal ethics committee advised the company to shut down the Pegasus system in Saudi Arabia, which NSO did.
But then, only three months after the Khashoggi affair blew up, another big story hit the headlines: the Saudis, it seemed, had broken into the phone of none other than Amazon’s Jeff Bezos. What got the ball rolling, in this case, was a piece in the National Enquirer tabloid about a secret love affair that the famed CEO was having. Bezos hired a security specialist to investigate how the tabloid obtained this information, and the inquiry concluded that Amazon’s CEO’s phone was hacked by a malicious video file sent to him via WhatsApp by none other than Mohammed Bin Salman, the Saudi Crown Prince himself. The Saudis denied, of course, having anything to do with the hack, but UN officials suggested that the hack might have been “an effort to influence, if not silence, the Washington Post’s reporting on Saudi Arabia,” as Jeff Bezos is the Washington Post’s owner.
Although there wasn’t any proof that Bezos’ phone was hacked using Pegasus – the malware’s operators deleted it from the device well before the investigation was underway – it’s a no brainer to assume that it was, which everyone did.
Then in October 2019, a year after Khashoggi’s murder, Meta filed a lawsuit against the Israeli company in a California court, claiming that Pegasus was used to target some 1,400 of its users in India, Mexico, the UAE and several other countries. The list of victims included the by-now familiar types of human rights activists: journalists, lawyers and opposition leaders. Will Cathcart, CEO of WhatsApp – which is owned by Meta – wrote a scathing op-ed, which he published in Bezos’s Washington Post:
“This should serve as a wake-up call for technology companies, governments and all Internet users. Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk. […] Companies simply should not launch cyberattacks against other companies. Responsible actors report vulnerabilities when they are found; they do not use their technology to exploit those vulnerabilities.”
And Meta, it turned out, had a very significant “smoking gun” in its hands.
As part of NSO’s arms export license, Israel’s Ministry of Defense required the company to design Pegasus so that the malware was incapable of targeting phone numbers on US soil. This was, no doubt, so that NSO’s customers could not spy on American targets. But according to a New York Times report, one of the 1,400 phone numbers listed in Meta’s lawsuit had a Washington area code. This meant that NSO was wading into very dangerous waters, since vendors of hacking tools can be prosecuted in the US under the Computer Fraud and Abuse Act.
By the time Forbidden Stories published its “Pegasus Project” – the international investigation I mentioned at the beginning of the first part of this episode – in 2021, NSO was already knee deep in what was probably the worst PR disaster ever suffered by a cybersecurity company. Amazon terminated its cloud accounts. Apple filed a lawsuit against it for hacking into its users’ phones. Sales of Pegasus came to a halt. Mr. X, NSO’s former executive, says that the company was shunned by many in the Israeli cybersecurity community.
“[X] I know some of my friends, my colleagues, executives in the cybersecurity domain who are talking about, we never will, we are never working and we will never work for a company like NSO. We don’t want to share knowledge or even to be mentioned near some people who are working for NSO, etc.”
And it was not only the company’s bottom line that felt the heat: its own employees were suffering as well.
Mr. X, at that point, was no longer working for NSO: he was one of the employees who were laid off due to the company’s financial struggles. But one day, a few months after he left NSO…
“[X] I tried to log in my Instagram and my Facebook and I didn’t succeed to log in. The message was that “user is unknown.” Not password, incorrect password or something else. The user is not exist, that doesn’t exist. […] I tried to write a letter to Instagram and Facebook support team to ask guys what is going on with my account. A few letters and zero answers. So even no explanation, nothing. Fully ignored, I was fully ignored.”
It turns out that X wasn’t the only one whose Meta accounts were mysteriously deleted. In an unprecedented move, right after it filed the lawsuit against NSO, Meta decided to delete the personal Facebook and Instagram accounts of many of the company’s employees. One such employee vented his rage in a Linkedin post:
“Yesterday, both of my personal Facebook and Instagram profiles were intentionally disabled by the world’s greatest privacy violator in the history of mankind, AKA Facebook. […] Are you serious, Facebook? Are you personally ‘punishing’ past and current company employees? You’re acting like a cyberbully […]. Would you like the US government to take personal actions against your employees for your violations?”
“[X] I personally and some of my colleagues tried to find the pattern of who was affected, because some employees were affected and former employees were affected. For some supposed former or actual employees, the accounts were disabled. We didn’t, till today I didn’t find a way or a pattern how Facebook decided to close the accounts and why actually, what is the base there, the legal explanation coming from Facebook to close or disable my personal account just because of my role or because of the fact that I’m working for such and such company. So I was very surprised, I don’t understand how Facebook can do it. […] It was very strange feeling because you know, you are punished in your personal life for something that you are doing in your business and it’s pure legal business. So we are not talking about selling drugs or you know killing people, and we use Facebook to coordinate our killing process. So come on. ”
And then, in November 2021, came the fateful blow: the US Dept. of Commerce added NSO to its “Entity List”, which meant that NSO was now banned from buying certain technologies from US companies. The reason for the ban was quoted as “[acting] contrary to the national security or foreign policy interests of the United States.”
The blacklisting spelled financial disaster for NSO, which could no longer hope to break into the US market. The company’s CEO resigned a few days later, after only two weeks on the job. Berkeley Research Group, a consultancy that represents NSO’s private equity owners, described the company as “valueless.” A group of NSO creditors said in a letter to its shareholders that NSO was “insolvent.” Shalev Hulio, who temporarily replaced the resigning CEO, was forced to step down as well.
Is NSO to blame for its troubles? Could the company have acted differently to prevent its downfall?
While it’s obvious that Pegasus was indeed used against thousands of innocent victims, whose lives were often destroyed or even lost because of the information found on their phones by some of the company’s more crooked clients – it’s worth noting that the spyware was also put to very good use by numerous intelligence agencies against criminals and terrorists. Ronen Bergman, an Israeli journalist, quoted a “very senior” member of a European intelligence agency, who shared with him a few of the crimes and terror attacks that Pegasus helped prevent:
“He told of pedophiles who groomed children to meet with them, meetings that should have ended in the ruination of their childhood, but for the abusers’ last-minute arrest. And he even talked of a gang of Hell’s Angels who captured a rival gang member and began to cut off one finger after another, but who were most surprised when the local police special forces interrupted the torture party. […]
Carlos claims that NSO’s systems helped, for example, to map ISIS’s method of recruiting volunteers and sending them from Europe to Syria and Iraq. It also helped to later locate those militants who returned to the West, including his own country —a favorite target for Islamic State cells. One of the militants who returned and was under surveillance sent a WhatsApp message to his family one day, telling them he was going to become a shahid (martyr) and blow up an underground train. He was arrested by the counterterrorism unit as he took the first step down into the station. A terrible tragedy had been thwarted.”
These sorts of successes – and especially Pegasus’s contributions to them – are often kept secret so as to not tip off future targets.
Furthermore, it’s not clear how much freedom NSO had in deciding its own future. In fact, it seems that at least to some degree, NSO was nothing more than a pawn in the hands of politicians who wished to use its technology for their own goals.
A good example of this occurred in 2020, when Israel and the United States negotiated a historic peace deal between Israel and several of its neighboring Arab states, an initiative which was later named the Abraham Accords. This peace deal was extremely important for both Benjamin Netanyahu and Donald Trump, each one for his own political reasons: the American president was even willing to overturn past American policy and sell F-35 fighters and Reaper drones – two cutting-edge weapon technologies – to the United Arab Emirates, in order to get Mohammed Bin Zayed’s consent to the deal.
As stated earlier, after the Khashoggi fiasco NSO decided to remove Saudi Arabia from its list of clients. The Saudis insisted that they should be able to continue using Pegasus – and they had significant leverage over Israel and the US. According to the New York Times, the Saudis hinted that without Pegasus they would ban Israeli airplanes from using their airspace, which was an important component of the accords. After a phone call between Prime Minister Netanyahu and the Saudi Crown Prince, NSO was ordered to renew Saudi Arabia’s Pegasus license – a directive that came directly from Netanyahu himself, with the implicit blessing of the Trump administration.
This story also depicts the sort of ‘double standard’ presented by many western governments: condemning NSO for the crimes done using its technology, while simultaneously buying and using this same technology for their own purposes. And no one exemplifies this double standard better than the US government itself.
In February of 2022, only three months after NSO was added to the Dept. of Commerce’s Entity List, the New York Times revealed that the FBI was secretly evaluating Pegasus – marketed in the US under the name “Phantom” – in one of its facilities in Washington, D.C. This evaluation process, claimed a source quoted by the paper, came after a “long process” of negotiations between US officials and NSO, and the software license was acquired using a financial “vehicle” not easily linked to the bureau. Remember that phone number with a Washington area code that Meta claimed was also targeted by Pegasus, thus violating the Computer Fraud and Abuse Act? It turns out that this phone number was the one used by the FBI in its testing of the spyware.
The same piece in the New York Times also revealed that the CIA bought and paid for Pegasus to be used by the government of Djibouti, a tiny African country, in its fight against terrorism. Djibouti has a poor human rights record when it comes to, among other things, arresting and prosecuting journalists.
These revelations raise the obvious question: if the US government bought Pegasus for one of its allies and was considering purchasing the system for its own use – why then was NSO added to the Entity List?
One Israeli official told the New York Times they suspect that the blacklisting might have been a “part of something bigger, a plan to neuter Israel’s advantage in cyberweapons.” In June of 2022 it was revealed that L3Harris – a major American defense contractor – was conducting talks on the possibility of acquiring NSO. When the talks were exposed to the public by the press, White House officials publicly condemned the negotiations and L3Harris abandoned the acquisition attempt – but sources in Israel told the Times that there are –
“a handful of American companies, some with close ties to intelligence and law-enforcement agencies, interested in buying the company. Were that to happen, the new owner could potentially bring the company in line with U.S. regulations and start selling its products to the C.I.A., the F.B.I. and other American agencies eager to pay for the power its weapons offer.”
In other words, blacklisting NSO might have been an attempt to pressure Israel to allow the sale of the company to an American defense contractor, thereby giving the US government complete control of its technology – and, maybe more importantly, grant it access to the rare and unique skills of its employees, almost all of whom are veterans of Israel’s military intelligence.
“The State of Israel cannot allow itself to lose control of these types of companies,” a senior Israeli official said, explaining why such a deal was unlikely. “Their manpower, the knowledge they’ve gathered.” Foreign ownership was fine, but Israel had to maintain control; a sale was possible “only under conditions that preserve Israel’s interests and freedom of action.”
“[X] It’s not only about NSO. We see in different armies, in the US Army, in European armies, in Israel armies, some generals and some combat experts and former combat units specialists going to train different special units in different countries. We can see some experts special forces or intelligence units going to consult Boeing, Lockheed, Raytheon, Thales and some other companies. So it’s not different. We use and we understand that we transfer some knowledge to those people and we train them and we use them in the army. But we cannot take this knowledge from their brain. and we cannot forbid them to work and to use this knowledge for their business and for their technological growth.”
As of the airing of this mini-series, NSO’s future is murky. In March 2023 it was reported that Omri Lavie – one of the two co-founders – had regained control of the company after multiple legal fights with other investors. The company’s financial situation remains undisclosed.
If there’s anything to be learned from NSO’s story, it’s that when it comes to global politics – there’s no such thing as pure Good and pure Evil, no complete demarcation between Black and White.
Mr. X frowns at what he considers to be the hypocrisy of NSO’s detractors.
“[X] I compared it with the usage of F-16 developed by Lockheed Martin. If some US Army by mistake ruin a building and hundreds of people are killed, nobody comes to Lockheed Martin and say ‘you developed weapon that is killing people’. And here we’re talking about direct kill. In NSO’s product, we are talking about collecting intelligence, collecting information for law enforcement agencies. […] So here, NSO actually put on the table a way to do the same, to collect the same information, to do the same action, but in a much more secure and safe way, without putting under the risk the team, without putting the agent under the risk, et cetera.”
But if Lockheed Martin, Thales, Raytheon and plenty of other weapons manufacturers all do essentially the same thing that NSO does – why was NSO singled out and ostracized so badly?
One answer might be its unique position in the cyber security industry. As Will Cathcart, CEO of WhatsApp, wrote in his op-ed: “Companies simply should not launch cyberattacks against other companies.” It’s bad enough being an attacker in a community of defenders – but it’s even worse when your targets are the very same companies that your friends and colleagues are working for.
And there’s another possible answer. When an F-16 fighter or Reaper drone drops a bomb from high altitude, its victims are faceless and nameless: merely a number in a brief newspaper report. After all, that’s the nature of modern kinetic warfare.
But NSO’s victims do have names and faces, and they often survive the attacks to tell their tale – which helps us see them as fellow human beings and identify with their suffering. And when we feel the victims’ anguish, it’s only natural to direct our anger at the one we see as responsible for that pain.
And you know what? Maybe that’s a good thing.