White or Black Hats?

2023: Mexico’s former public security chief convicted in U.S. drug case

https://www.pbs.org/newshour/world/mexicos-former-public-security-chief-convicted-in-u-s-drug-case

I present here extracts from the Pegasus book to introduce the software/malware birth story:

Yet building the case, proving both the use of NSO's Pegasus and the bribery by cartels to locate their opponents using the malware, took decades…

First of all, these particulars were very hard to check in 2019. The head of Felipe Calderón’s war on the cartels was just then being publicly accused of taking bribes from the drug lords he claimed he was trying to eradicate, so the former Mexican president wasn’t picking up his phone to talk to reporters. NSO employees were effectively muzzled. No European police official was willing to go on the record admitting that they licensed and operated Pegasus spyware. Then, too, Shalev’s recounting of the NSO story was filigreed with fine little narrative gems—and they were exclusive! Which meant that while the stories were often too good to be true, they were also too good to leave entirely untold, or to leave for another writer to tell instead. So even really good and well-informed reporters such as Bergman and a few others would just put them in quotes and add a clause or two of their own to serve as the written equivalent of an arched eyebrow. The already harried NSO press team did have to occasionally do some cleanup in the aftermath of a Shalev interview. The boss was not well versed in the technical specs of the Pegasus system, or the intricacies of high finance, or the fine points of the laws and regulations that governed the cybersurveillance industry in Israel and abroad. But he did exhibit a genius for controlling the narrative. Shalev Hulio, it must be admitted, tells a very good story. His story of the origins of NSO may be his best. It starts out as a kind of buddy movie: starring him and his best pal, Omri Lavie. They were both born around 1980, into the false hopes that followed the Camp David Accords and the Israel-Egypt Peace Treaty, and raised with the whiff of peril always in the air. (Between 1993 and 1995 alone, there were fourteen separate suicide bombings in Israel, leaving eighty-six dead.) They were similar boys. Smart enough but undisciplined. 
Shalev and Omri met in the mid-1990s while both were studying arts and theater at a high school in Haifa (after Shalev washed out of a program for gifted students because of congenital misbehavior)…

Shalev and Omri, founders of NSO… by the spring of 2011, Shalev and Omri had a product to take to market. They called it Pegasus, Shalev says, “because what we built was actually a Trojan horse we sent flying through the air to devices.” … Claudio Guarnieri … internet security researcher trying to identify new cybersurveillance tools and to call out their purveyors… “I think NSO was the first company that was solely focused on one thing and one thing only, which was mobile,” says Claudio, looking back a decade later. “At the time that was a bit premature. But I think that they were seeing that that’s where the market really was going to be…” If a start-up spyware company wished to go bowling for dollars in 2011, there was no better place than Mexico. The lights in the alley were on twenty-four hours a day, and there were plenty of open lanes, because President Felipe Calderón was already five years into a ferocious battle with the Mexican drug cartels.

‘Pegasus’, Laurent Richard, Sandrine Rigaud

The Pegasus book goes on to describe the timing of Calderón's acquisition of the Pegasus malware:

…in December 2006. The new president of Mexico sent 6,500 troops into the fight and quickly expanded the combatants to include more than 20,000 soldiers and federal police. Calderón did not waver, even as the death toll mounted—almost 7,000 Mexicans were killed in 2008 alone. That was the same year the United States decided to join its neighbor’s fight, sending military and law enforcement agents to Mexico to help coordinate. Better than that, the Americans poured money over the border and into the newly minted “Merida Initiative.”

The US Congress appropriated $1.5 billion to aid Calderón and his fighters over the next three years, which meant that even after the Mexican military and police forces upgraded their weaponry and hardware, there was plenty left over for the latest in digital technology: malware capable of monitoring and tracking the cartels and their abettors. Procurement officers from Mexican military, law enforcement, and intelligence agencies had real money to spend on cutting-edge spyware tools. NSO was a little late to the first frame of the contest. A handful of Israeli tech companies had already closed deals for spyware in Mexico, as had Gamma Group, based in the UK or Germany or the British Virgin Islands (it was hard to tell). Hacking Team, the presumed world leader in this blossoming field of cybermercenaries, headquartered in Claudio’s hometown of Milan, Italy, also had its sights on this spectacular, and spectacularly complicated, market. For a new and uninitiated private cybersurveillance vendor like NSO, simply deciphering the tangle of Mexican government acronyms could be head spinning.

Book, Laurent Richard, Sandrine Rigaud

Then the link to the vital middleman:

The NSO team was fortunate to find just the right guide through the maze of la Plaza del Mercado Vigilancia Cibernética: a man known as “Mr. Lambo” (he favored expensive Italian roadsters) or “El Chino” (he was of Japanese descent, but close)—Jose Susumo Azano Matsura… Azano saw the potential of NSO, this new entrant into the “Intrusion as a Service” industry, right away. STDi reportedly paid NSO $500,000 for the exclusive right to resell its Pegasus technology, and Shalev armed Azano and his team with a set of talking points to take to potential customers in the Mexican government. That document is a perfect little snapshot of the promise of NSO’s earliest technology, which was ambitious right from the start. The Pegasus system, according to this document from 2011, provided a “tactical active approach” for breaking through the wall of encryption built into the most common mobile phones on the market, BlackBerrys and Androids.

These devices, the NSO talking points lamented, had become “a secure and convenient method for communication for all kinds of criminal activities, which is difficult to monitor today.”

Book, Laurent Richard, Sandrine Rigaud

Then the first real deployment of Pegasus:

The Pegasus system offered a soup-to-nuts solution. The first step was injection: finding a vulnerability in the phone’s operating system that opened the door for Pegasus users to surreptitiously plant the spyware on the phone. Step two was configuring the software so it could successfully monitor, collect, and prepare all data for retrieval. This data included all contacts and calendar entries, all email, voicemail, and instant messages, all system files, as well as current and past geolocation. The earliest Pegasus system, according to the talking points anyway, had the ability to remotely turn on the microphone to monitor “environmental voice interception”—which is to say any live conversation within earshot of the phone. It could also remotely activate the mobile phone’s camera for capturing snapshots. Step three was data retrieval, wherein Pegasus would exfiltrate the contents of the phone and place them in one of the end user’s servers, ready for archiving, mining, and analysis. The Pegasus system, as offered, included NSO-provided hardware, software, maintenance, and training for the various sorts of operators needed across the platform. There was an array of “infection vectors” to choose from, each tailored to a target’s device and operating system; “front-end consoles,” where government-paid operatives executed the initial infection and configured the Trojan horse malware for monitoring and the exfiltration; “anonymizers” to hide the end user’s real IP address and “camouflage” its activities on the internet; firewalls and virtual private networks (VPN) for added security and convenience; and “rackable servers” for storing the growing mass of data retrieved from the targets. As a rule, NSO figured 2 terabytes was a good starting point, enough to monitor four hundred different mobile phones—at 50 megabytes of data retrieved per target per day—for an entire year. 
But NSO also encouraged Azano and his team at STDi to assure potential buyers that “this cluster of servers can grow with the Customer future needs seamlessly.” NSO technicians would do the entirety of the initial setup, maintain the hardware, upgrade the software as needed, monitor the system in real time for any malfunction, and be available to troubleshoot. They would also train the ops who worked on the front-end consoles. For the “attack” and “configuration” agents, NSO recommended local people with degrees in criminology, anthropology, or psychology, an “ability to provide unique insight into target psyche” and to “work under pressure, in non-standard hours.” End users could count on up to six weeks of dedicated time from NSO talent to get the system up and running and the operators properly schooled. NSO looked good to Azano, another sluicing river of income for STDi. Azano, meanwhile, looked good to Shalev and Omri. NSO’s new reseller provided instant intelligence in Mexican commercial traditions. Mr. Lambo, for instance, was schooled in the operative custom of mordida (the bite); knew which officials in the chain had to get a cut of any big sale, what size cut would be deemed acceptable, and how to make sure it was safely and secretly dispersed. Azano also provided connections; he knew the generals who made the final decisions at SEDENA, the admirals at SEMAR, the supervisors at CISEN and the PF, and the top prosecutors at the PGR. Azano’s contacts apparently went all the way to the top, to the Office of the President, to Felipe Calderón himself.

On May 25, 2011, just weeks after Azano signed on to market NSO’s spyware system, Shalev Hulio got an email from one of his NSO operatives: “Mr. Azano notifies me that the demo to the Secretary of Defense and the President will take place next Friday. They called me after confirmation, and they asked me to do my best to be there on Tuesday, since the Secretary of Defense requested a demonstration the day before (Thursday) and for the President on Friday.” Neither Calderón, nor his SecDef, nor Azano himself has confirmed that the scheduled demo actually happened, but six weeks later, in July, STDi closed a deal with SEDENA—the first major sale in the history of NSO. The contract was reportedly worth a little over $15 million, which more or less launched NSO as a viable company. When Shalev finally told the story of that first deal, not long before Forbidden Stories and the Security Lab got access to the leaked data, he didn’t dwell on Azano (who was at the time in a US prison) and STDi. He talked about the general he met in Mexico City, and the assurances the military man gave Shalev and Omri about the way their powerful new cybersurveillance tool would be used and all the good it would do. “The country had decided to establish a separate new body—a branch of the military—to deal with the drug issue,” Shalev remembered, in another of his uncheckable stories. “This body would include spotless individuals with no history of corruption who would undergo a polygraph test. Then we met with the general, the head of that branch. He said: ‘You fit us like a glove. We will base our entire drug-fighting apparatus on your new technology. This is how the biggest situation room—not just in the region but one of the biggest in the world—will fight crime and drugs.’ And to them, we agreed to sell.”

Book, Laurent Richard, Sandrine Rigaud

About borderslynn

Retired, living in the Scottish Borders after living most of my life in cities in England. I can now indulge my interest in all aspects of living close to nature in a wild landscape. I live on what was once the Iapetus Ocean which took millions of years to travel from the Southern Hemisphere to here in the Northern Hemisphere. That set me thinking and questioning and seeking answers. In 1998 I co-wrote Millennium Countdown (US)/ A Business Guide to the Year 2000 (UK) see https://www.abebooks.co.uk/products/isbn/9780749427917