The FBI has acknowledged it was responsible for a widely-reported violation of US federal policy prohibiting the use of spyware tools manufactured by Israeli vendor NSO Group, best known for the Pegasus spyware used to snoop on journalists, human rights activists and other innocent civilians in dozens of countries, the New York Times reported on Monday.
After being ordered by the White House in April to investigate which US federal agency violated its executive orders by doing business with the banned vendor, the agency found it was to blame – or rather its contractor, Riva Networks, was.
A senior FBI official told the Times the agency had merely given Riva a handful of Mexican phone numbers to track, claiming the numbers belonged to wanted fugitives and that the agency believed Riva was using a geolocation tool of its own devising. Riva, several US officials claimed, had the ability to exploit vulnerabilities in Mexican cellular networks in order to covertly track users.
Riva was instead using an NSO spyware tool called Landmark, which tracks the location of individuals based on the cell phone towers their phones are communicating with. Riva had renewed its contract with the Israeli spyware purveyor in 2021 without informing the FBI, the official claimed, explaining the agency had informed all of its contractors that same year that they were forbidden from using NSO products, in keeping with the Biden administration's declaration.
The official claimed the FBI only became aware Riva was using Landmark earlier this year, and that no data from Landmark was ever passed back to the agency – based on Riva’s own reports to the FBI, which would presumably not have included any mention of using an illegal spyware tool.
Despite the FBI’s pleas of ignorance, the agency had authorized Riva to acquire NSO’s most infamous product, Pegasus, just a few years before. Further throwing the agency’s claims into question, the cover name used for Riva in the Pegasus purchase, Cleopatra Holdings, was used again when Riva purchased Landmark from NSO. Riva CEO Robin Gamble even used the same pseudonym, William Malone, to sign both contracts, two people familiar with the deals told the Times.
The FBI is not the only US government agency contracting with Riva; the company has been paid by the Drug Enforcement Agency, the Department of Defense, and several others. The White House did not seem particularly energized to punish the federal contractor for violating its much-hyped crackdown on zero-click spyware, declining to comment when asked by the Times whether any penalties would be forthcoming.
While NSO’s Pegasus was initially prohibited from hacking US numbers, the company later developed a workaround called Phantom, which the FBI eagerly snapped up in 2019 but claims to have never used.