NSO Group, the world’s most notorious hacking company, could soon cease to exist. The Israeli firm, still reeling from US sanctions, has been in talks about a possible acquisition by the American military contractor L3 Harris.
The deal is far from certain—there is considerable opposition from both the White House and US intelligence—but if it goes through, it’s likely to involve the dismantling of NSO Group and the end of an era. The company and its technology would likely be folded into a unit within L3 Harris. The American firm already has its own offensive cyber division, known as Trenchant, which has quietly become one of the most sophisticated and successful such shops in the world, in large part thanks to a strategy of smart international acquisitions.
But no matter what happens with this potential deal, the changes afoot in the global hacking industry are far bigger than any single company.
Cyber abhors a vacuum
The hacking industry looks dramatically different today from the way it did a year ago.
Two major events have changed the landscape. The US sanctioned NSO Group in late 2021 after determining that government customers had used its Pegasus spyware to “maliciously target” journalists, human rights activists, and government officials around the world.
Within days, amid global concern over spyware abuse, the Israeli ministry of defense followed the American sanctions by severely restricting export licenses so that the country’s roaring hacking industry lost the majority of its customers virtually overnight. The number of countries that its hacking firms could sell to fell from over 100 to 37, a group that includes Western European nations, the United States, Canada, the United Kingdom, Australia, Japan, and India.
That’s still a huge and rich market, but it cuts out dozens of nations in Latin America, Africa, Eastern Europe, and Asia, where Israeli cyber firms had been making a killing selling cutting-edge surveillance tools to customers with deep pockets and a willingness to spend. It’s also where NSO Group kept getting in trouble for getting caught selling powerful hacking tools to authoritarian regimes that abused Pegasus. NSO Group executives say they have terminated eight Pegasus contracts due to abuse.
The defense ministry’s licensing restrictions have sounded the death knell for several smaller shops of hackers and researchers. Nemesis, an Israeli cyber firm that had managed to keep a low public profile, shut down in April. Ace Labs, a spinoff of the billion-dollar tech giant Verint, closed up shop and fired all its researchers earlier this month.
The Israelis’ former customers are not standing idle. New players and old rivals are stepping into the vacuum to provide the hacking capability that more and more governments demand.
“The landscape is shifting and, to a certain degree, diversifying,” said Christoph Hebeisen, director of security intelligence research at the mobile security firm Lookout.
Several European firms are stepping into the gap.
Intellexa is an “alliance” of hacking firms, operating out of several locations in Europe and Asia, that have been able to attract and retain business from nations no longer able to buy Israeli hacking tools. The group boasts Israeli and European talent but avoids the new Israeli restrictions that have stung several of its competitors. Mobile spyware from Cytrox, a North Macedonian hacking firm and founding member of the Intellexa alliance, was found on an Egyptian target last year.
RCS Labs is an Italian hacking firm whose spyware was recently spotted in Kazakhstan. Until as late as 2021, Kazakhstan was reportedly a customer of NSO Group, but it is now restricted. Now the mobile security firm Lookout says it sees the country using RCS’s malware to spy on Android phones. Kazakhstan is an authoritarian nation that recently jailed an opposition leader just a few months after the mass killing of protesters. NSO Group hacking tools were reportedly used to spy on activists there last year. When reached for comment, RCS Labs provided an unattributed statement condemning “any abuse or improper use” of its products that are “designed and produced with the intent of supporting the legal system in preventing and combating crime.”
Besides increased global uncertainty and the restrictions on Israeli hacking companies, several industry executives say they see two more shifts in play.
Many more countries are investing in building their own domestic cyber capability. Most countries haven’t had the resources, expertise, or money to date—and firms like NSO Group have made it economically easier to just buy the tools instead. But now countries desire their own domestic hacking capabilities to insulate themselves from global variables like political strife and human rights criticism.
The archetype is the United Arab Emirates, which spent 10 years hiring former Western intelligence officers to build up DarkMatter, a firm that was famously caught spying on journalists and dissidents. DarkMatter has been replaced in the United Arab Emirates by firms like Edge Group.
Now, according to sources from within the Israeli and European hacking industries, governments of states like Saudi Arabia, Bahrain, Qatar, and Singapore are following in the UAE’s footsteps by offering top financial incentives to attract hacking talent from around the world.
Several industry sources who wished to remain anonymous say they see Chinese actors stepping into the void to try to sell surveillance and cyber tools, especially to African and Asian nations, where Beijing has been aggressively expanding its influence in recent years.
Israeli officials are suggesting to the country’s cyber companies that they should prepare for this situation to potentially last until at least two years from now—incidentally, when the next American presidential election will take place. What happens after that is unclear in more ways than one.
American sanctions and Israeli restrictions may conceivably contribute to the end of NSO Group. But what happens next?
The market is bigger and more visible than ever before, encompassing hundreds of companies selling surveillance tech globally. One of the industry’s top trade shows, ISS World, recently held a show in Prague, and it was bigger than ever on both the company and government delegation sides. Calls from every conceivable corner to regulate the industry internationally have largely failed. As a result, there is still little global transparency or accountability for abuse despite increased attention on the problem.
One thing we are learning is that a vacuum can’t last long in a market where demand is so high.