‘We’re on the U.S. blacklist because of you:’ The dirty clash between Israeli cyberarms makers

One day in November, after the announcement that the U.S. Department of Commerce had put Israeli cyberhacking firms NSO and Candiru on its blacklist of companies harming U.S. national interests, NSO CEO Shalev Hulio contacted Candiru CEO Eitan Achlow to discuss their mutual problems.

The two hadn’t spoken in over two years, and their previous conversation ended unpleasantly. Hulio was angry at the time that Candiru had started developing tools to hack smartphones, NSO’s territory, and he had something to say to Achlow on the subject. Achlow, for his part, told Hulio that if he was really demanding that Candiru stop competing with him, that could violate Israel’s antitrust law. The two cut ties and only recently renewed contact.

In a conversation between the two about two weeks ago, Hulio barely had time to ask Achlow how he was doing before the Candiru CEO came at him with an accusation. “Because of you,” said Achlow, apparently struggling to find the words. Candiru’s team believes Hulio is responsible for the media reports about the company, which set off a chain reaction: A joint report by CitizenLab and Microsoft alleging that Candiru’s tools were used for systematic human rights violations, and Candiru joining NSO on the U.S. Department of Commerce’s blacklist.

The Department of Commerce move came as a surprise and without explanation. The companies don’t receive a warning, and they don’t have a right to a hearing before the announcement. The announcement was accompanied by a vague comment stating that the companies had harmed U.S. national interests, or that there was concern they could do so in the future, because their programs were used by foreign regimes to spy on “administration members, journalists, businessmen, social activists, embassy employees and academics.”

Should it wish to, NSO has enough evidence to prove the involvement of several key individuals in approving and promoting its sales as part of diplomatic processes, including former Prime Minister Benjamin Netanyahu, former Mossad chief Yossi Cohen and several senior U.S. officials. The company’s misfortune is that they have all lost their political power. “If [former U.S. President] Donald Trump and Netanyahu were still in power, there’s no chance any of this would have happened,” says a former senior Israeli intelligence official.

Candiru’s offices in Shalom Tower, Tel Aviv, in 2018. Ofer Vaknin

While NSO has a long record of reports alleging its products have been used to hack the phones of civilians, journalists or diplomats, there is less of a public record regarding Candiru. There’s only one such report, the CitizenLab-Microsoft one. CitizenLab, the Canadian research institute responsible for many of the revelations about NSO, reported in July that Candiru’s hacking software targets included the computers of some 100 journalists and human rights activists in the Middle East and elsewhere.

Candiru spent its early years at an office in the Shalom Tower in Tel Aviv, and in recent years moved to Ha’arba’ah Street in the center of the city. During its short life, Candiru has sold its services to more than 10 customers thus far. The company’s customer list, which is being reported here for the first time – even if only partially – is to a great extent a mirror image of the target list exposed by CitizenLab and Microsoft. According to the report, the targets attacked by Candiru’s products were located in the Palestinian Authority, Lebanon, Turkey, Iran, Yemen, Britain, Catalonia, Armenia and Singapore. The list of customers includes Israel’s Shin Bet security service, Saudi Arabia, UAE, Spain (the immediate suspect concerning the targets in Catalonia), Germany and Singapore.

These accusations are serious, but several other Israeli companies that were found to have had a part in equally serious injustices were not included on the blacklist. A prominent example is Cellebrite of Petah Tikva, whose product enables the company’s customers to hack phones in their possession. Over the past year, the company was reported to have helped countries including Russia, Hong Kong, Turkey and Belarus to search devices belonging to civilians, some of them dissidents. It was not included on the U.S. Department of Commerce blacklist.

One assumption that is now common in the cyber industry – and Candiru doesn’t reject it either – is that Candiru was added to the list due to persistent rumors that Hulio is a secret partner in the company, despite it being NSO’s competitor. TheMarker, Haaretz’s business imprint, has learned that Hulio himself started the rumors about his connection to Candiru.

NSO CEO Shalev Hulio, in 2016.

The owner of NSO, who is known to have a well-developed sense of humor and penchant for pushing boundaries, was said to have developed an amusing habit: In meetings with customers – surveillance bodies all over the world – he maintained that Candiru is actually part of NSO, and therefore there was no point in considering its product, too. At some point, Candiru found out from customers about Hulio’s comments. According to one account, Hulio would say that Candiru’s cellular product is actually an NSO white label – in other words, a repackaging of Pegasus, NSO’s hacking program, under a new brand name.

“Such things have happened,” confirms a source who attended several of the presentations with Hulio. “Hulio would say that he’s a board member at Candiru, or that Candiru is an NSO subsidiary, or that NSO was about to close a deal to acquire Candiru. The purpose was to convey to the customer that there was no point in wasting time examining Candiru’s product after considering NSO.”

“Hulio is a brilliant salesman,” says another industry source. “He’s charismatic, makes you identify with him and inspires trust, but it’s not clear that his boundaries are in the right place. He has super creative ways of competing. He knows how to ruin business for his competitors, and regarding the stories about the connection with Candiru, he really screwed them royally.”

Isaac Zack at a cyber forum in Tel Aviv in 2017. Ofer Vaknin

The companies that became rivals

Even assuming that the claims about Hulio’s Candiru holdings are a complete fiction, the companies’ owners have significant financial ties. To a great extent, Candiru grew out of NSO. The company was started in 2014 by Eran Shorer and Yaakov Weizman, graduates of IDF Military Intelligence Unit 8200, who came from NSO. Weizman was a vulnerability assessor for the company; Shorer was involved in quality control.

Soon after Candiru was founded, Isaac Zack became an investor in the company. He was a former NSO board member, and he became Candiru’s largest shareholder and chairman of the board. Zack had served on NSO’s board back in the days when Hulio and his partner Omri Lavie were going to investors and trying to raise initial capital for the company. Zack was a friend of Lavie’s father, who had worked for the Evergreen Venture Partners fund, and was also involved in one of Hulio and Lavie’s previous startups, MediAnd, a firm that did not survive. Lavie and Hulio gave Zack a share of the company, as is common for board members of early-stage startups, to show they had someone with proven professional experience at the new company.

At that time, Zack was not necessarily focused on cybersecurity. Much more of his attention was turned to produce. Zack and several partners had founded Basta Online, a startup that sought to offer home deliveries from Tel Aviv’s Carmel Market. Zack’s greengrocer businesses never took off, but he was not left penniless. When the private equity firm Francisco Partners bought control of NSO in 2014 at a reported market valuation of $170 million, Zack received a few million dollars and continued on to his next stop: Candiru.

Zack invested an unknown sum in Candiru and became the company’s largest and most prominent shareholder. At first, the company founded by three former NSO employees intended to create a product similar to that of their previous employer, for computers rather than smartphones. Shorer was the CEO for the first few years.

Candiru developed a product – or in other words an attack tool – that broke into computers and extracted their data. Similar to NSO, the product was designed for intelligence and investigative bodies. Sales were reasonable until 2017. At the beginning, and as long as Candiru did not compete with NSO, Hulio – who by then was well connected in the intelligence world – even helped Candiru make sales. He introduced Candiru’s representatives to security middlemen who took them to meetings with intelligence services all over the world. One was David Meidan, a former senior Mossad official, who is known During this period, sales totaled a few tens of millions of shekels a year, and like NSO, Candiru overcame geopolitical obstacles that only a few years earlier seemed unimaginable, selling services to Saudi Arabia and the United Arab Emirates.

Meanwhile, Zack, Hulio and Lavie founded an investment fund named the Founders Group, which participated in early round investments in startups including Vroom, a platform for selling used cars, which had its Nasdaq IPO last year; and medical equipment company Art Medical. Zack and Lavie, who is no longer involved in NSO, founded a defensive cybersecurity company in 2017 named the Orchestra Group. Zack is the company’s chief operating officer.

The year 2017 was very bad for Candiru. New orders approached zero, and the company fell into a crisis that led it to hire a new CEO in 2018: Eitan Achlow, an Israel Air Force veteran and a former Comverse executive. The vice president of sales, Sefi Goren-Gertz, who didn’t get along with Achlow, was quickly fired, and later got into a legal battle with the company – which became the basis for many of the reports on Candiru. During this period, the company made the strategic decision to enter the cellular sector and compete with NSO while continuing to sell its computer hacking tools.

Saudi Crown Prince Mohammed bin Salman. SAUDI ROYAL COURT/ REUTERS

The tensions between Hulio and Zack and Candiru ignited when Hulio heard about Candiru’s decision to compete with NSO. His anger was driven in part by the fact that he heard about it for the first time not from Zack, his friend and business partner, but from Eran Gorev, the manager of Francisco Partners’ Israeli operations and NSO’s chairman. After that came the angry conversations between Hulio, Zack and Achlow, and then the falling out and the media reports.

Candiru’s very existence was revealed by Amitai Ziv in TheMarker in January 2019. After that came a few more reports in TheMarker and Calcalist, and from there it snowballed into articles in the international media, and then the worst nightmare for all cyber security companies: a CitizenLab report. As the stream of coverage intensified, the break between the former friends grew even deeper. When Zack sat shiva for his father last week, Hulio did not even visit to offer his condolences.

The battle with Washington

Similar to NSO, Candiru is also preparing for the battle with Washington in an attempt to remove its harsh decree, but many at the two companies think they have reached the end of the road. Candiru is expected to present its explanations to the Americans: The journalistic targets in Lebanon work for Hezbollah’s Al-Manar TV station. The activists in Catalonia were spied on by the Spanish government, whose operations are subject to court orders. As for Iran, there is almost no need to explain at all. And regarding the Palestinian Authority – can you blame an Israeli company for aiding the nation’s security forces in doing their duties?

Candiru can also tell the United States that it was in negotiations to sell its products to Ghana in 2020, but called off the deal, according to a person involved, because of concrete information about the intent to use Candiru’s tools for spying on the regime’s political rivals just before the elections.

Shortly after the negotiations with Ghana were canceled, the country’s Daily Post newspaper reported that 14 cyber experts from Candiru’s competitor, offensive cyber firm Quadream – which we will discuss more later – and from publicly traded Verint, which has its own similar cyber products, landed in Ghana at the invitation of the ruling party to aid in political operations against the government’s opponents.

Eitan Achlow of Candiru in 2010. Ofer Vaknin

Even with all these explanations, the company expects nothing to change. Even if Candiru can prove to the Americans that it has done nothing wrong – and most of all it has nothing to do with Hulio – its cash flow is far from ideal, and it is hard to bring in new customers when Washington has stamped the Mark of Cain onto your forehead. Not to mention that employees, who are offensive cyber companies’ most important resource, are already looking elsewhere for new jobs where the future seems much more promising.

The situation at NSO is even worse than at Candiru. NSO has been the focus of innumerable reports of human rights violations in recent years. According to the reports, the company’s Pegasus spyware was used to hack the mobile phones of journalists and dissidents in Morocco, Mexico, India, the UAE and Saudi Arabia, among others. The company gained international notoriety after the murder of Saudi journalist and dissident Jamal Khashoggi in 2018; according to CitizenLab, the Saudis used Pegasus to spy on his close associates. NSO denied any connection to the surveillance of Khashoggi. That didn’t stop the flood of reports, which peaked in July with the international “Pegasus Project.”

A consortium of journalists, coordinated by a French NGO called Forbidden Stories, got its hands on a list of 50,000 numbers that presumably served as potential Pegasus hacking targets. They used the word “potential” because the consortium, which included Amitai Ziv, then a journalist at TheMarker, had no proof that all the phones were actually infected with Pegasus.

Evidence of actual hacking was found on several dozen of the phones on the list that were checked. The project made waves to the point of causing a diplomatic incident between Israel and France, due to a report that President Emmanuel Macron was on the list.

In addition to Macron’s phone, another 1,000 targets were identified based on the numbers on the list. These included two more presidents (in Iraq and South Africa), a series of incumbent and former prime ministers (including in Yemen, Lebanon, Uganda, Kazakhstan, Algeria and Belgium) and one king – the King of Morocco. Some 190 journalists were identified as well. NSO denied that the list is connected to it in any way.

Candiru’s logo, as seen in its offices in Shalom Tower, Tel Aviv, in 2018. Ofer Vaknin

All this bad PR is accompanied by huge lawsuits against the company by Facebook and Apple in the United States for hacking their products and devices; a debt of $500 million hanging over the company’s investors; and Moody’s credit rating agency’s downgrade of the company by two levels to Caa2, putting its bonds in junk territory.

Last week, a report came out that seems to be the final nail in NSO’s coffin. Considering how many nails there are, maybe it should be called the last nail at the moment. Reuters reported that Pegasus was used to hack the phones of nine U.S. diplomats in Uganda. Uganda and Rwanda, both NSO clients, are the immediate suspects.

In the past, NSO’s line of defense focused on denying the accusations. In 2019, the company announced that it was adopting a code of ethics and establishing an internal ethics committee that presumably examines every contract for potential human rights violations. This committee – how surprising – did not block the company from continuing to work with Saudi Arabia after Khashoggi’s murder, as well as with a long list of other toxic regimes.

The line of defense the company is expected to use in an attempt to reverse the U.S. decision will likely be completely different: “The State of Israel sent us.” You don’t need a source in NSO’s negotiating rooms to know that many of the dubious regimes among NSO’s clients are those that warmed relations with Israel in recent years as part of the Abraham Accords and the anti-Iran alliance.

NSO’s offices in 2014. Ofer Vaknin

NSO had operations in the UAE, Morocco and Bahrain – Israel’s partners in the Abraham Accords – and even in Uganda, where then-Prime Minister Benjamin Netanyahu and Sudan’s top general Abdel Fattah al-Burhan met for the first time in public in February 2020. That October, Sudan signed a historic normalization agreement with Israel.

Toward the end of his tenure, Netanyahu had hoped to take relations with Saudi Arabia out of the closet and finagle an even larger diplomatic achievement. Saudi Arabia is probably the most well-known of NSO’s clients. “Just like the rivalry with Iran is a bargaining chip in the geopolitical game, cybertech, which cannot be exported without government approval, is also a bargaining chip,” said a cybertech industry source.

If until now the theory about Israeli cyber diplomacy was a matter for journalistic analysis and investigation, this theory received a stamp of approval earlier this month from the former head of the Defense Ministry’s Export Control Division, Eli Pincu. At a convention of the Meitar Law Offices, he defended NSO and called on the Israeli government to defend it, as reported by Haaretz journalist Avi Bar-Eli. “If a company that helped the country’s interest in any way enters the U.S. blacklist for that reason … Isn’t the State of Israel obligated to support it, to defend it, to deal with the issue for it?” stated Pincu at a conference.

The inheritors waiting to pounce

If cyber industry predictions that NSO and Candiru have reached their ends are correct, the question remains as to who will inherit them. There are two smaller players left on the playing field in Israel, ready to pounce on the major clients. The first is Quadream, founded by two former NSO employees, Guy Geva and Nimrod Reznik.

The company’s product is similar to NSO’s, but cyber market middlemen say its prices are lower. TheMarker revealed Quadream’s existence in June, also naming two of the company’s client countries: Saudi Arabia and Ghana (where Quadream apparently inherited the business opportunity Candiru passed up). Quadream did not respond to the report in TheMarker.

The newest competitor is also considered the most promising: Paragon, founded in 2019 by Idan Nurick, Igor Bogudlov and Liad Avraham, all graduates of Unit 8200. The company specializes in hacking messaging apps such as Messenger, WhatsApp and Signal. The three founders were able to recruit another founder, a senior member of the intelligence community – the former commander of their unit, Ehud Schneorson – and to guarantee an investment from an equally well-connected investor, former Prime Minister Ehud Barak, who is on the company’s board of directors. Another investor is the Battery Ventures fund.

To date, Paragon has focused on developing its product, and it’s unclear whether it currently has any paying clients. But several industry sources say its competitors – both those that are dying and the one that’s alive – are struggling to compete with Paragon in recruiting talented vulnerability assessors. Paragon is therefore considered likely to succeed.

Paragon’s Ehud Schneorson.

The company’s declarations about preserving human rights go much further than those by NSO over the years. In a Forbes magazine report revealing Paragon’s existence, which the company claims it did not initiate, an anonymous source from Paragon promised, “Authoritarian or undemocratic regimes won’t be clients.”

The company has a closed list of about 40 potential client countries, most of them Western democracies and countries where hacking messaging apps requires court approval. However, TheMarker has discovered that the list includes Singapore. Although it may not have a poor human rights record like Saudi Arabia, Singapore does fit the definition of an “undemocratic regime.” Paragon declined to comment.

Like Candiru, both Paragon and Quadream blame NSO founder Hulio for the fact that their names were even published in the press. In the case of Paragon, it’s clear what likely annoyed Hulio: Eran Gorev, NSO’s former chairman, owned a small portion of Paragon for a few months, until his shares were transferred to an Israeli lawyer to hold in trust. Gorev is now the nemesis of the hotheaded Hulio. Gorev and Francisco Partners parted ways with Hulio when he and Lavie, along with a group of investors they had recruited, bought back control of the company from Francisco Partners in 2019.

It’s wrong to assume that NSO and Candiru are passing the phone hacking market to their two competitors in Israel. There are apparently quite a few players we’ve never heard of on the playing field. Intelligence sources mention companies with ties to the Russian and Chinese governments, which are happy to serve the dictatorships in Africa and the Gulf, and to cut the accompanying diplomatic coupon.

Furthermore, many market players say U.S. weapons manufacturers will try to enter the field in the near future. Should the United States take over the phone hacking industry, this will likely extricate Candiru and NSO from the mess: They can liquidate, selling their platforms to a large American company.

“I want to see anyone in Washington talk about Lockheed Martin the way they’re beating up on Israeli companies,” says an Israeli cybertech source. “Look at the senators’ donor lists, Democrat or Republican, and you’ll understand why they’re allowed [to do what Israel can’t],” he added in such an insulted tone that one might think he’d just discovered that an African dictator had hacked his own telephone.

NSO stated in response: “We hope that the two companies will be dropped from the U.S. blacklist quickly and the truth will emerge regarding why they were put on the list, instead of discussing bizarre accusations and speculations that are detached from reality and don’t merit a response.”

Candiru declined to respond.
