Report reveals which countries are using Circles Technologies’ invasive spyware

Canada’s The Citizen Lab detected the Israeli-founded and NSO linked company’s fingerprints in use by a wide range of rights-violating regimes

Omer Kabir 21:0201.12.20
From a Guatemalan spy agency to the Thai military and all the way to the Supreme Council on National Security of the United Arab Emirates, as well as another two dozen countries and organizations: a new report by the University of Toronto’s The Citizen Lab exposes the international activities of offensive cyber company Circles Technologies, a low profile company founded by Israelis and possessing close business ties to the Israeli NSO Group, and according to multiple reports is even under its control or under that of NSO’s founders.


“We hope that this report enables people to ask more precise questions and perhaps even improve the regulation of the field, which today operates as if it were the wild west,” Dr. Bill Marczak, from the University of California in Berkley and a senior research fellow at The Citizen Lab, who authored the report told Calcalist. The Citizen Lab’s research team also included John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert.


Tal Dilian (left) and Bill Marczak. Photo: Amit Shaal and Orel Cohen Tal Dilian (left) and Bill Marczak. Photo: Amit Shaal and Orel Cohen
Circles Technologies was founded by Tal Dilian, a former commander of the IDF’s Intelligence Corps Technological Units, and developed technology that can “track any phone in six seconds with just its number,” as Dilian told Forbes. Other partners in the company include Eric Banoun, who Calcalist previously exposed as a middleman in sales of NSO’s Pegasus spyware to various countries. According to a report by Forensic News from April, documents from Cyprus, where Circles was registered attest that the company was acquired by NSO in 2014 through a Luxembourg-registered subsidiary.


Unlike NSO’s spyware programs, the most notorious of them being Pegasus, which once installed on a target’s phone collects all the available data on it and can even remotely take control of its camera, microphone, and more, Circles’ system is based on the cellular network and allows the attacker to link into the cellular infrastructure in the target’s proximity or connect to a separate network called Circles Cloud, which is patched into cellular infrastructures all over the world. The connection allows attackers to monitor calls, text messages, and device location, though not to access data that is saved on the device, and even track encoded data (such as messages relayed over Whatsapp) and operate the device remotely. On the other hand, Circles’ technology does not require direct access to the device itself or any actions by the user to install the spyware. It leaves no traces on the phone and can be deployed on a wider scale.


Up until now, all known details about Circles Technologies was based on public documents such as court proceedings, or information relayed by internal sources as part of journalistic investigations. In 2016, for example, the Nigerian newspaper Premium Times reported that several of the country’s regional governors had purchased Circles’ platform and one of them even had it installed in his mansion. Documents that were filed as part of a lawsuit against NSO in Israel, revealed that Circles allegedly has several clients based in the UAE. The Citizen Lab report, however, for the first time provides a technical analysis of Circles’ activities in 25 countries.


The investigation was based on identifying ranges of IP addresses (unique identifiers associated with individual computers or linked servers) that belonged to Circles and which the investigators located via public databases. The researchers fed the addresses into a dedicated search engine called Shodan that scans the web and identifies computers and various other devices based on their IP address. “We wanted to see if there was anything interesting about these ranges of Circles’ IP addresses,” Marczak said. “We found more than a dozen IP addresses that had Check Point firewalls configured on them (a standard defensive product that Check Point markets to companies all over the world. The company has no connections to Circles’ or NSO’s spying activities, O.K.). The firewalls display public information such as the name that the person who set up the firewall gave it as well as the name of the management server that the person who set up the firewall gave it.”.


The firewall’s had the administration server configured with a website called that we were able to attribute to Circles. That domain name was linked to Circles, in part by emails leaked by the company. At that stage, the researchers searched on Shodan and other specialized web crawlers to see if there were other Check Point firewalls in which was included in the management server name. The search revealed 240 different IP addresses, some of which included data that was fed by the organizations or states that operate the firewall. The researchers ended up with a list of organizations that connected to Circles’ domain name, which led them to the conclusion that they use the company’s spyware system.


The findings uncovered by The Citizen Lab reveal that among the countries that make use of the company’s platform are some with a dubious history when it comes to protecting human and civil rights. In Chile, for example, the researchers identified a Circles system used by the country’s premier law enforcement agency, the PDI, which in the past purchased surveillance systems from other companies like Hacking Team. Chile’s law enforcement agencies have a long history of human and civil rights violations and in the past were able to intercept calls and WhatsApp message exchanges of journalists and opposition leaders. It’s important to note that several western democratic countries such as Australia, Belgium, and Denmark have also made use of the system. Those countries apparently use it as part of counter-terrorism or grievous crime investigations and operate under court-sanctioned regulations.


In Guatemala, the system was reportedly used by the DIGICI, Guatemala’s civilian intelligence agency. A local paper reported in 2018 that Israeli weapon dealers sold the agency a variety of spying systems, including those developed by NSO and Circles. According to the report, the agency used these systems to spy on journalists, businessmen and political rivals of the local regime.


Mexico has a long history as one of NSO's most notable clients and in the past, it was reported many times that the government used the company’s systems to spy on journalists, human rights activists, and family members of drug cartel victims. The Citizen Lab researchers uncovered in the country a system developed by Circles that is in use by the Mexican navy.


A report by human rights organization Front Line Defenders revealed in 2018 that Nigeria implemented a mass spying program against citizens via the country’s telecom infrastructure. According to The Citizen Lab, there are currently two Circles systems that are being used in Nigeria, one by the Nigerian Defence Intelligence Agency and another by an unknown source.


Circles’ systems are also in wide use in Thailand, being used by the local army and by the narcotics department in the Thailand police. One of the army units using a Circle’s product, the Royal Thai Army Internal Security Operations Command, was accused in the past of torturing activists. In June of this year, the New York Times reported that at least nine Thai exiles, notable critics of the army and the Thai royal family, were kidnapped from the countries in which they were living.


The UAE, which recently established full diplomatic ties with Israel, has been mentioned several times in the past as a client of NSO and reportedly used the company’s spying software to spy on the Qatar royal family, as well as a Saudi prince and the Prime Minister of Lebanon. Three Circles systems were identified in the country, including one being used by the country’s security council.


Additional countries in which the system was used include Ecuador, El Salvador, Equatorial Guinea, Honduras, Indonesia, and Kenya. The system has also been active in Israel, but that may be the result of the fact the company’s development center is in the country rather than spying activity.


“The publication of this report is the first step on the road to making the company accountable for the use being made of the system,” said Marczak. “As soon as you know what the company does, people can ask more solid questions like, do certain deals need to be investigated or should the company receive an export license. This provides more information for the efforts being made so that this industry takes responsibility for the way their products are being used.


“What is important in this report is that we provide the scientific method to a problem for which most of the available information comes from second-hand rumors. It is important to create accurate information, to be able to attribute the activity to certain companies and governments. This is very valuable information for social rights organizations, decision-makers, and other stakeholders. What I love the most about this job is that we receive very trustworthy and accurate results. This is a challenging industry to research. It is based on secrecy, and the ability to provide credible results is important in the efforts to bring transparency to the tracking industry.”


Aren’t you afraid that exposing this activity will bring the company more attention and help it recruit additional clients?


“If we were only reporting on how effective their spying tool is then maybe it would increase their sales. But if you look at 2016, we exposed an unknown breach that NSO was exploiting and that disrupted the company’s activity. Perhaps there was also an effect of increasing the NSO’s profile, but they could have also done that without us. The disruption caused to the company by our exposure had a positive effect.


“When the founders of NSO bought back the control of their company, there was a report on Bloomberg that its valuation dropped due to the reports of the unlawful use of the company’s products. There is evidence that our work at The Citizen Lab has an effect and informs people of what these systems are being used for and caused them to push the company to take steps that rectify some of them.”


Circles said in response: “NSO and Circles are separate companies within the same corporate family, both of which lead their industries in a commitment to ethical business and adhere to strict laws and regulations in every market in which they operate. As we have previously stated, Circles is involved in search and rescue and tactical geolocation technology.


“We cannot comment on a report we have not seen. Given Citizen Lab’s track record, we imagine this will once again be based on inaccurate assumptions and without a full command of the facts. As ever, we find ourselves being asked to comment on an unpublished report from an organization with a predetermined agenda."