Cyber defense

Analysis
Is Israeli spyware a dying sector?

The closure of QuaDream is further evidence of the shrinking of the world-leading Israeli cyber espionage industry. Most of the Israeli companies that were active in the field have closed or left the sector in the last year, also due to the restriction of export permits by the Ministry of Defense

The situation at QuaDream has not been good for several months. The Israeli developer of spy software was among the significant players in the field, in Israel and in general, and according to sources did business mainly with Arab and African countries. Its spyware had penetration and information extraction capabilities similar to those of NSO's Pegasus, but unlike NSO it managed to stay relatively under the radar, operating without the international exposure and frequent criticism that have accompanied NSO in recent years.
Everything changed after NSO and Candiru were blacklisted by the U.S. Department of Commerce in November 2021. The inclusion of two Israeli spyware developers on the list, which prohibits American companies from doing business with them without special permission, was effectively a harsh indictment of the two companies, and indirectly of the entire Israeli offensive cyber industry. The Defense Export Control Agency (DECA) in the Ministry of Defense panicked: where marketing and export licenses had previously been handed out generously, often in the service of Israel's political interests, that generosity turned into real stinginess.
[Image: Cyber defense. Protection against a cyber attack can save organizations enormous financial damage. Photo: Adobe Stock]
Asian countries? No. Africa? No way. And what about the Gulf countries, for whom the sale of spyware helped to grease relations and promote the signing of the Abraham Accords? Not so relevant anymore. Only requests for export to established Western democracies, mainly in Europe, were approved. The list of approved export destinations shrank from more than 100 countries to fewer than 40.
For QuaDream, which did its business outside of Europe, it was a death sentence. "They were based on the more problematic market," a senior source in the Israeli spyware industry told Calcalist. "The problem was with new export permits. They didn't get them, business dried up and they felt they ran out of air."
In the months before the closure, QuaDream suffered a slow and steady death. Headcount fell gradually from about 70 employees at the peak to 35 on the eve of the closure, and the remaining employees were also working at reduced capacity.
Then came a joint report by Microsoft and Citizen Lab at the University of Toronto, which exposed QuaDream’s activities and the use of its spyware against civil society activists, journalists and politicians in Latin America, Asia, Europe and the Middle East. A week later, QuaDream ceased operations, leaving its offices with only two employees to guard the computers and hardware. "This report was the death knell," said an industry source. "Everyone realized they were being disgraced, and they decided it was an excellent reason to shut down before the company was blacklisted."

The case of QuaDream is not unusual. It may be the last and biggest company to close for now, but it is by no means the only one. The Israeli spyware industry, considered the world leader not only in the quality of its products and their hacking capabilities but also in the number and scale of companies operating here, has shrunk at an accelerated pace over the past year. In fact, most of the players that existed on the eve of the blacklisting of NSO and Candiru no longer exist, or have changed their business focus. According to the source, 18 companies submitted applications to DECA to market abroad in 2021; in 2022 there were only six.
The secrecy that characterizes the field - most of the companies operate under complex organizational structures, through shell companies and intermediaries and using multiple names, and of course without media coverage - makes it difficult to form a complete picture of the status of the companies that have closed and those that remain.
However, industry sources and previous reports indicate that before QuaDream there were other companies that closed, some of them smaller, such as Nemesis, Insight, which closed in early 2022, and Ace Labs (part of Cognyte, formerly Verint's security division), which closed last June and laid off dozens of employees.
Other companies did not close, but changed their business focus. KELA moved from cyber espionage to defensive cyber intelligence and works mainly with banks on threat detection on the Dark Web. Cyberbit, formerly controlled by Elbit, has stopped its offensive cyber activities and is focusing mainly on cyber defense.
As far as is known, only three significant players remain today in the field of spyware development and marketing: NSO, which made a significant round of cuts in August; Candiru, which has suffered a continuous crisis since its addition to the blacklist and has lost 12 of its 30 researchers, most of them to companies abroad; and Paragon, which according to sources is not in trouble because it primarily approached clients in Europe. Wintego is also still active, but is considered relatively small and is also in difficulties.
Two more players can be added to this list. They do not develop spyware but operate in adjacent fields that also require DECA's export approval: Cellebrite, which produces hardware that extracts data from a phone through a physical connection (as opposed to spyware that can be implanted remotely); and Blue Ocean, which according to an industry source does not develop spyware but identifies security vulnerabilities and also gives clients, mainly the Singapore secret service, access to its vulnerability researchers.
"Companies that went for the easy money, in the neighboring countries or other dictatorships that are ready to pay a lot of money and quickly, have closed," an industry source told Calcalist. "They experienced a lot of difficulties in light of the tightening of export procedures. QuaDream is the most significant one that was closed, but smaller companies were closed before it." However, the source warns against placing all the blame on DECA’s change of procedures. "QuaDream's closure is a significant event, it's the first one that was a big success before their market dried up. As for the other companies, you can't just blame the export approvals. They didn't have great success, and there were internal conflicts."
Not everyone in the industry agrees. Another senior source says that DECA's severe export restrictions were a significant factor in the closure of companies. "I was at the Ministry of Defense meetings. Everyone was very annoyed, they said 'without permits we cannot survive'. Everyone was talking about moving abroad," he said.
The first source also admits that for companies that were not previously active in Western democracies, entering that market is now more complex than before. "It's a more difficult market (compared to countries in Africa or the Middle East). The regulation is more complex in these countries, and it has gotten a lot worse in the last two years."
There is an overwhelming consensus in the industry that the change in DECA policy was made in response to pressure from President Biden's administration, which marked the global spyware industry, and the Israeli one in particular, as a target against the backdrop of a series of reports in recent years on the misuse of this software, mainly by countries in the Middle East and Africa, but in some cases also in Eastern and even Western Europe. The administration's public activity began with the blacklisting of NSO, Candiru and several other foreign companies, and culminated in a presidential order published in March that prohibits government entities from using commercial spyware "that poses a security risk to the U.S. government." Less publicly, Israel was pressured to change its permissive export policy in the field, with the implicit threat of sanctions, including personal sanctions, in the background.
But there is disagreement in the industry as to the motives of the Biden administration and the extent to which the Ministry of Defense has buckled under the pressure. "There is a deliberate move here by the Biden administration, which recognized that Israel behaved as an irresponsible regulator and demands that it be responsible," said a senior official. "The problem is that the Israeli regulator was not responsible, and reacted with hysteria after the Biden administration tightened the screws; partly by protecting companies like NSO that worked according to its regulation. DECA was simply a horrible regulator. The American determination to put things in order is welcome, and simply met the companies in a bad situation. The market is changing for the better. Selling to dictatorships is not right, and on the other hand, democracies need these tools. This is a tremendous opportunity for Israel, which is one of the few places in the world that knows how to build this technology."
On the other hand, there are sources who believe that the Biden administration has ulterior motives. According to them, the pressure exerted on Israel does not stem from a desire to protect human rights but from a desire to clear the playing field in favor of American companies. According to sources in the field, dozens of new offensive cyber companies were established in the U.S. in the last year, while existing companies expanded into the field at the same time. Names on the list include Raytheon, Leidos, Eqlipse Technologies, Boldend, Siege Technologies, Kyrus Technologies, Oceans Edge and ManTech. At the same time, the U.S. Department of Defense's Cyber Command requested an $89.4 million budget just this week for the development of an offensive cyber platform.
Many parties fear that the damage to the industry in Israel means a significant leakage of knowledge in this field to other countries. There are already companies founded by Israelis, staffed mainly by Israeli vulnerability researchers, that have set up their operations outside Israel. Cyprus and Greece are particularly popular, partly because of their geographical proximity. These companies enjoy all the advantages of access to Israeli vulnerability researchers, without the limitations of DECA. One of the most prominent of them is Tal Dilian's Intellexa.
In the cases of the local companies that closed, it is also possible that some of them simply transferred their activity to another country. And even if not, there is a very good chance that their employees went to work for companies abroad. According to sources, the annual salary of a vulnerability researcher abroad can reach a million dollars, an amount that local players fighting for their existence simply cannot afford. This brain drain means, first of all, that dangerous technologies previously under the supervision of the Ministry of Defense, however problematic that supervision was, move to countries where oversight is much looser or non-existent, so their misuse can be more widespread. In addition, the Israeli spy tech sold to countries abroad is built so that it cannot be used to attack targets in Israel and the U.S.
The Ministry of Defense said in response: "The Defense Export Control Agency has recently carried out extensive work, together with the Ministry of Defense, the Ministry of Foreign Affairs and the National Security Council, in order to improve the supervision of the export of controlled cyber products, with the aim of producing more precise instructions for controlled cyber exporters, while reducing the risk of improper use of these systems and providing effective tools to ensure compliance with the terms of the license on the part of the purchaser."
First published: 15:17, 20.04.23