Omer Benjakob
A Haaretz investigation reveals that Israeli cyber companies developed technology that exploits the advertising system at the heart of the online economy to monitor civilians, hack into their phones and computers, and spy on them. This terrifying capability, against which no defense currently exists, has already been sold to a nondemocratic country.
We’re being monitored. It’s a universally acknowledged truth about this digital age. Technology firms and advertisers know almost everything about us: where we are, what we buy, which apps we download and how we use them, our search histories and past purchases, even our sexual orientation and what fetishes we’re into. There’s only one thing that advertisers don’t or aren’t supposed to have access to: our identity. The world of ads and the data behind them is meant to be anonymous.
We’ve all been there. We read the post of a friend who just got back from vacation, and a few hours later an ad for a hotel pops up on our screen, and similar ones hound us for days, following us across websites and social media – but few of us have any idea how or why this happens.
Whenever we open an application or a website on our phone, without our noticing, a rapid process of mass negotiation takes place, and a complex and aggressive market embodying the whole economy of the internet plays out: In a split second – a fraction of the moment that elapses until the page we want opens – an automatic bidding process occurs between hundreds of thousands of different advertisers. They are fighting to advertise exactly to us at this exact moment in time. The more accurate the information the advertisers have about us, the more segmented and targeted the data, the greater the chances that we’ll actually click – and thus the price of the ad increases.
But some have the ability to take advantage of that fraction of a second to perform a much more malicious mission: to send people a distinctive, seemingly innocent, ad that contains advanced spyware. Though the ad looks completely standard, it is in fact a cyberweapon that is capable of infiltrating our phone or computer.
In the past, it was believed that only state intelligence organizations had this capacity. It exploits the world of digital advertising, which is supposed to be completely anonymous, to bypass the security mechanisms of Apple, Google and Microsoft and install advanced spyware on our devices.
“These capabilities can turn any ad into a kind of digital bullet,” says a source familiar with the technology.
The new technology has also begun to trickle out into the commercial defense market. An investigation by Haaretz Magazine and the paper’s National Security & Cyber digital investigation desk has discovered that in the shadow of the coronavirus pandemic – when certain tools were developed and deployed to track the spread of the virus – a new and disturbing cyber and espionage industry has come into being in Israel. A number of Israeli firms have developed technologies that are capable of exploiting advertising to collect data and monitor citizens. Hundreds of thousands – if not millions – of people can be monitored in this way.
The investigation, which is based on interviews with over 15 sources from Israel’s offensive cyber, security systems and defense industries, further reveals that a small group of elite companies have taken things a step further: They have created technology that uses ads for offensive purposes and for injecting spyware. As millions of ads compete for the right to penetrate our screens, Israeli firms are clandestinely selling technology that transforms these ads into tools of surveillance – or even into weapons that are capable of penetrating our computers or phones.
One of these companies is Insanet, whose existence is being made public here for the first time. As its name suggests, it possesses insane capabilities, according to sources in the industry. Founded by a number of well-known entrepreneurs in the fields of offensive cyber and digital intelligence, the company is owned by former ranking members of the defense establishment, including a past head of the National Security Council, Dani Arditi. The investigation reveals that the company has developed technology that exploits ads both for tracking and for infection. It’s not by chance that the company has named their product Sherlock.
The company’s personnel also succeeded in obtaining authorization from the Defense Ministry to sell their technology globally. Insanet has already sold the capability to one country that is not a democracy.
According to the findings of the investigation, this is the first case in the world where a system of this sort is being sold as technology, as opposed to a service. Another Israeli firm, Rayzone, has developed a similar product and this year received approval in principle to sell it to its clients in Western countries, though in practice this has not happened yet.
What’s most disturbing is that currently there are no defenses against these technologies, and it’s not clear whether they can be blocked at all. Over the years, tech firms like Apple and Google have blocked hundreds of breaches through which spyware like Pegasus was able to infiltrate devices. Just this week, Apple’s digital wallet was exploited to send a message to users’ iPhones containing an image with malicious code. That security breach was blocked. But even the smartest and most advanced defenses of Apple, Google and Microsoft currently lack the capacity to block this sort of infection. Until today, their advertising systems, which have countless defense mechanisms in place, were considered completely safe.
This is a story about technology that bypasses the security and privacy restrictions of Apple and Google, and infiltrates phones through a sophisticated use of advertising information. It’s an investigation into how advertisements turned into tools of war on the digital battlefield. A story about the dangerous connection between the world of espionage and the private market, and a perfect example of what is referred to as “surveillance capitalism”: how information collected for commercial ends is exploited by states for intelligence purposes and morphs, with a little help from Israeli high-tech entrepreneurs, into a security product, where it is liable to become a weapon against private citizens.
In the beginning there was the banner. In 1994, AT&T bought the first ad on the internet from the website HotWired. “Have you ever clicked your mouse right HERE?” the clever come-on for the company’s services asked, and answered its own question with an assertive “You will.” The copy did the trick. According to the information the site collected for its new advertisers, almost half of those who saw the ad rendered the prophecy self-fulfilling.
Thirty years down the line, we’re still clicking – but the world of digital advertising has changed completely. Today, ads we see on our smartphone are anything but random: They know a great deal about us and can, for instance, geolocate us down to street level – if not to within a few meters – and crossmatch the information with our search history.
Digital advertising has become a behemoth economy of hundreds of millions of dollars, thousands of companies, and tens of thousands of types of services for collecting, analyzing, segmenting and optimizing data for targeting. Referred to collectively as “AdTech,” a vast secondary economy has also sprung up around digital advertising for mobile devices and the applications that run on them, in which advertisers compete for our screen time in complex and automatic bidding processes fed and informed by our data.
As has been noted countless times: If it’s free, we’re the product. And the ad exchanges (called DSPs, or demand-side platforms) and the ad data markets behind them are the place where the product that is us is sold as a commodity.
But all this data doesn’t serve only advertisers. A few years ago, people discovered that data collected for advertising and commercial needs could also be used for other ends, and that these exchanges can also be used for geotracking, that is, surveillance of our location. This is the little-known field of AdInt (ad intelligence). Its aim is to convert data and information collected for advertising purposes into intelligence.
“In a certain sense, Google and Apple created an espionage market,” explains a person in the AdInt industry, referring to the two companies whose operating systems power most smartphones. “They just hoped that people wouldn’t understand that the information that advertisers collect can also be intelligence gold. Another way to think of it is that Apple and Google are themselves a type of espionage firm. There are simply some who know how to exploit that.”
In light of its potential sensitivity, advertising information, especially information related to our smartphones, is supposed to be anonymous. Every smartphone has a unique advertising ID number, which ostensibly is impossible to crossmatch with our phone number or our name. The aim is clear: to prevent ad data from being used to spy on people, and not allow advertisers to exploit our private information. The European Union’s digital privacy law, known as GDPR (General Data Protection Regulation), prohibits this explicitly.
But even anonymous information that is compliant with such privacy laws can be extremely valuable from an intelligence perspective. For example, with the aid of advertising technology, it’s possible to digitally mark all the cellphones belonging to people who passed through a particular airport at a specific time. This simple advertising tool can be used, for example, to conduct contact tracing and monitor infection chains during a pandemic. First, all the ad-IDs of devices that were in the airport are collected. That’s a simple operation: Each time we pick up our phone and open an app that displays ads, the phone transmits where we are to the advertisers in order to improve the effectiveness of the ads they send us. Mapping these identifiers creates a list of people who were in the airport at a certain time. The advertisers may not know the names of these people, but they can be profiled as part of a target audience – which can be continuously targeted. They are bombarded with ads, and through these ads, their dispersal across the world can be tracked.
This is how, in the shadow of the coronavirus crisis, a new industry of mass AdInt came into being. A company founded by Eric Banoun, one of the pioneers of offensive cyber in Israel, offered the Shin Bet security service an ad-based surveillance and monitoring service. As Gur Megiddo reported in TheMarker, the idea was to reverse-engineer information about users in large ad networks for intelligence purposes. In this case, the aim was to engage in mass monitoring to track the spread of the pandemic.
The firm is called Intelos and its product is called AdHoc. It’s marketed to law enforcement agencies and business clients alike. The company’s products are not considered to be security-related and are therefore not regulated. There’s a whole industry of similar companies.
Overall, anonymous geo-surveillance via ads is not currently under Defense Ministry supervision since it’s based solely on proprietary information that can be acquired commercially. However, these technologies can also be used for security aims, such as for surveilling suspected targets, even without knowing personal information about them. One can imagine, for example, an advertising campaign that is geared toward an audience of nuclear scientists of Iranian origin between the ages of 35 and 65 who passed through the airport in Tehran over the past year. After these individuals are profiled and receive the first ads, they can continue to be targeted over time; the technology can pinpoint where they traveled and when.
Indeed, what started as mass contact tracing expanded rapidly into additional areas of homeland security. For example, according to documents obtained by Haaretz, the Israeli firm Cobwebs, which specializes in open source intelligence, offers civilian technology that can locate a mobile device. The company illustrates this capability through a potential target in Iran, where one can see how the program tracks the target’s movements in the street.
The example of Iran underscores the unique intelligence value AdInt possesses: Whereas most types of digital intel and offensive cyber are based on direct access to information, networks and infrastructures – data that only a state supposedly possesses – AdInt is based on information that is considered open and that can be located from sources that are considered commercial. In this case, they are just fused together for intelligence needs.
The information can be acquired from different proprietary databases – for example those linked to advertisers or DSPs – or by more creative methods. In order to find someone’s location, for instance, you don’t need anything more than the information that’s accessible through the cellular ad exchange.
According to sources in the industry, the name of the game in AdInt is fusion, or crossmatching of a large number of sources of information. Even the very act of participating in the bidding process can provide geographical information to an advertiser – be it a genuine advertiser or one used by intel firms.
“In order to have real AdInt, a huge advertising infrastructure is required,” says an industry source. “You need to be connected somehow to the various ad systems in order to do what Apple and Google absolutely don’t want you to be capable of doing: to track people or use advertising profiles for infections.”
For this reason, companies in this field are generally connected to ad firms. In some cases they actually operate an ad firm of their own or work with one, which provides both a cover for their intelligence activity and access to the information they need.
The investigation shows that there are a number of Israeli firms that are offering intel of this sort to many different kinds of clients. One such company is Rayzone, which is considered a pioneer in the field and actually coined the term AdInt. Its product, called Echo, is not under state supervision because it too makes use of information that is considered open. It’s sold to private bodies, but an official Israeli body also showed interest in purchasing it for the purpose of attempting to surveil Palestinians in Israel.
Other companies offer less advanced products. One of them, Bsightful, markets its capabilities to those in the private advertising world. According to sources in this field, the company’s activity is based on cross-matching browsing data and other sources of commercially available information that can be purchased, mined or otherwise extracted from the web. The company was acquired by another cyber firm, Cognyte, which offers similar capabilities – but to states and armed forces. In other words, the same information and the same technologies, only with different uses: one commercial, the other for intel.
But some companies don’t make use of ads only for surveillance. They go a step further, creating tools that use ads to penetrate phones and computers.
How does this work? An advertising profile for the target audience is compiled. After that, an ad campaign tailored to the audience is created, and it is bombarded with ads, thus allowing mass geo-surveillance. Next, the spyware or malware is placed into a campaign.
With the aid of an advertiser or an ad infrastructure, the infected ad is uploaded into the ad exchange and the bidding begins – until the target receives the ad and the malicious code infiltrates the device.
Sources in the industry say it was clear to them from the outset that the technology would quickly become a slippery slope. “AdInt is a legitimate field, as long as it remains within the realms of general tracking,” one such source says. “Those who turn it into a weapon are playing with fire. All that’s needed is one snafu, one case of abuse, for the entire capability to be burned.”
State players and tech giants have long been engaged in a game of cat-and-mouse. Fifteen years ago, when we all switched to mobile phones, intelligence bodies lost the ability to eavesdrop on people via landlines. The mobile devices became smarter and – more importantly – more encrypted.
Even though Apple, Google and Meta usually cooperate with security bodies’ legal requests for information, especially in the United States and the European Union, they do not allow them full access to our calls or our devices. There is both a technical and political reason for this: Technically, end-to-end encryption works; it can’t be breached. Politically, big tech companies don’t want to allow states to use our phones for surveillance, even if it’s legal, mainly in light of cases where surveillance was abused to target journalists, critics of the government and human rights activists.
But the world’s intelligence bodies nonetheless crave access to our devices, and the offensive cyber industry has long offered an array of solutions precisely for countries that aren’t capable of developing these capabilities on their own. It started a little more than a decade ago with hacking and surveillance via cellular networks, continued in the form of breaches via wireless internet (WiFi), and progressed to browsers, smartphone apps and malware-infested text messages.
The most advanced capabilities, which have been reported in recent years and have drawn severe criticism, are those that were developed by Israeli firms such as NSO and Candiru. With the aid of their spyware, of which the best known is NSO’s Pegasus, devices like iPhones can be breached via zero-click exploits – in other words, a person’s device is infected without them knowing about it or even taking any action.
Spyware like Pegasus hacks smartphones by exploiting security vulnerabilities in the iPhone operating system. But we’re talking about something different here. This isn’t an attempt to breach a device via the backdoor, but to allow something to enter it cleverly through a front window, a window that is wide open thanks to the world of advertising that sustains the entire internet economy.
De facto, this technology creates a new “vector” into the device for those who are capable of developing spyware by themselves, or for existing clients of companies such as NSO. If, as some say, Pegasus is the nuclear bomb of the digital age, these new capabilities can be likened to the guided missile on which the digital nuclear warhead is delivered.
It’s with good reason that a number of Israeli cyber companies have tried in recent years to develop the offensive technology that exploits ads not only for surveillance but also for spyware infection. Indeed, the past five years have seen an arms race in the cyber industry, in which companies such as Candiru, Paragon, Nemesis, Quadream and NSO itself have taken part.
According to sources, NSO also created an offensive product, called Truman, that utilized ads. However, like most of these firms, NSO was unable to obtain a permit to sell the software. Only Insanet has been able to sell its product.
Insanet was founded in 2019 by two groups of entrepreneurs. The first, composed of veteran cyber entrepreneurs, among them Ariel Eisen, Roy Lemkin and Dani Arditi, came up with the necessary investment. The three, who are known as marketers of companies such as NSO (in the past) and Paragon (currently) in Western Europe and in Asia, enjoy stellar ties with intelligence and security bodies in Israel as well as in those parts of the world.
The second group consisted of young entrepreneurs, some of them with a background in Israel’s military cyber units, who supplied the idea. Before Insanet, they founded an ad-tech company, which they sold several years ago.
Drawing on the experience the latter group had acquired both in the Israeli defense establishment and in the advertising industry, they developed Sherlock, a tool that exploits the ad system to hack computers and cellular devices.
To market the product, the company examined possible cooperation with other offensive cyber firms. A Candiru marketing document from 2019, which was revealed in 2020 by Amitai Ziv in TheMarker, offered Sherlock to a potential client along with the company’s PC spyware.
The document showed that this was a very expensive capability: The use of Sherlock for an infection would cost the client an extra 6 million euros ($6.7 million).
The document also revealed that Sherlock could breach Windows-based computers as well as iPhones and Androids. Until now, different companies have specialized in breaching different devices. Candiru focused on PCs, NSO could hack iPhones, and its competitors specialized in Androids. But with this system, as the documents show, every device could effectively be breached.
“This is a very dangerous new development,” explains Donncha Ó Cearbhaill, who heads the Amnesty Tech Security Lab, the human rights group’s technological unit. “The described capability could allow attackers to target individuals based on demographic and behavioral characteristics collected by ad networks [and thus] target people from a specific ethnic group or retarget individuals who have visited an independent media website critical of the government.”
Despite concerns, Insanet’s product was sold legally, with the authorization of the State of Israel. The company initially received a relatively wide go-ahead from the Defense Ministry, at least in terms of sensitive cyberarms. With that approval, Insanet was able to complete at least one major deal.
Subsequently, however, the permit was significantly reduced. Sources in the industry say that the change in policy was connected to three genuine fears: fear that the capabilities would leak, fear of American anger, and fear of the fury of the tech giants, who are in any case on the warpath against the Israeli cyber industry (Facebook and Apple, for example, are suing NSO).
Insanet’s authorization was curtailed, but Sherlock can now be sold as an offensive military product – albeit under highly restrictive conditions and only to Western states. Even to present it to a potential client in the West, a specific permit must be obtained from the Defense Ministry, and it’s not always given.
The case of Insanet and the spillover of this technology into the public defense market is a classic Israeli story: a cutting-edge technological spirit of entrepreneurship that challenges – not to say exploits – obsolete oversight mechanisms that can’t keep pace with the world’s inexhaustible appetite for advanced digital espionage technologies. People in the industry are worried that the ability to restrain the use of these potentially dangerous technologies is rapidly diminishing. Some of them are convinced that the industry is already out of control.
For some years, entrepreneurs in the field have tested those who are in charge of supervising them in the Defense Ministry. There is a debate raging around the question of whether AdInt, much of which relies on open sources of information, is a civilian or military technology.
To date, companies that identified themselves as operating solely on a basis of open sources, for civilian clients, were not subject to any state supervision. In contrast, cyber companies were tightly supervised by the Defense Ministry.
However, the boundaries aren’t always clear and the restrictions didn’t always work. For example, after NSO was denied authorization to export its product in this field and the company’s personnel were forbidden from even telling potential clients about its existence, the firm examined the possibility of embedding the technology within Pegasus. Other companies may have made similar attempts.
The limitations placed on the permit granted to Insanet did not stop the company or its competitors. In the months after its activity was restricted, the company held talks with offensive cyber firms that had been denied authorization. One idea that was discussed was to join forces and overcome the regulatory hurdle: If Israel wouldn’t allow a product of this kind to be sold as a standalone system, maybe it would permit the capabilities to be bundled with spyware that had already been approved for export. Talks in this vein were held with Paragon, Nemesis and Candiru, and a concrete request was submitted to the Defense Ministry involving an integrated product. That’s the background to Sherlock’s appearance in Candiru’s marketing document. However, these moves also failed to obtain the state’s approval.
Yet over time, the defense establishment increasingly realized that it was no longer possible to keep the cat in the bag. The state, which had permitted the increasingly advanced AdInt industry to operate based solely on open proprietary data, had all but lost the capacity to restrain the offensive market that tried to hitch a ride on its back.
Accordingly, once the writ was given to Insanet, to avoid allegations of favoritism, the Defense Ministry decided this year to also grant Rayzone authorization to sell an active hacking product.
The case of Rayzone illustrates the aggressiveness of the arms race that was underway in this field. For years Rayzone refrained from creating any offensive product and limited itself to intel based on geo-tracking through the cellular network and to monitoring of unencrypted communication. In other words, even if it’s impossible to track someone and maybe even listen to a conversation or see messages, it is possible to see who’s speaking with whom, from where and when. Those are capabilities that are subject to supervision and are based on the collection of data that is considered sensitive and not open.
However, in response to the emergence of the market and the demand by clients hungry for the new capabilities, the company developed, in addition to its geo-surveillance product Echo, an offensive tool that enables ad-based spyware infection. Even though it was one of the first to submit a request, it was only this year that the Defense Ministry granted authorization in principle to sell the product.
Some in Israel are now considering the possibility of placing the whole field of open-source, ad-based intel under Defense Ministry supervision. In recent months, talks have been underway about revising the regulations governing this field.
Another reason for the potential change of policy in this specific sphere stems from the response to a more sweeping change by the Defense Ministry. After years of the industry being promoted as part of Prime Minister Benjamin Netanyahu’s so-called cyber diplomacy, it is now at odds with the state.
A little less than two years ago, Israel decided to accede to U.S. pressure to rein in the offensive cyber industry. From a list of more than 100 potential client countries, export of cyberarms was now permitted to slightly less than 40, most of them in the West. As a result, a number of Israeli companies whose livelihood derived from clients in other, less democratic parts of the globe shut down.
The move partially succeeded in cooling off the field, but had problematic implications for the local cyber arms industry: Firms shut down and dozens of Israelis were incentivized to relocate to Europe and the U.S. – where a thriving offensive cyber industry started to come into being at Israel’s expense, as headhunters tried to poach the best Israeli hackers – but also to Asia, far from Israeli regulators. One such firm is Defense Prime, which is based in the United States but is owned by Israelis. The company recruited Israeli cyber personnel this year, including from the defense establishment itself.
Another unintended effect of the regulatory crunch on cyber is that other firms started to change their business model and switched to trading not in spyware, but in “exploits” (the actual ploys employed to hack devices) and vulnerabilities. They have banks of various breaches ready for sale to firms like NSO and others, which the spyware needs in order to go on infecting devices, even after earlier breaches are blocked by Apple or Google. A number of companies offer such wares and operate from Singapore, Italy, Spain and the U.S., and employ top Israelis in senior positions in this field.
The defense establishment is genuinely worried that these technological abilities will also be sold by foreign firms that are not subject to supervision at all. Accordingly, in the hope of keeping the new field in Israel, and under supervision, it was decided this year to try to regulate the industry, also with the aim of trying to appease local cyber firms angry at the crunch their lucrative field has experienced over the past 20 months.
It’s long been known that states have surveillance capabilities and that they can use them against their own citizens, even in the age of encrypted smartphones. In recent years, the public has learned that non-Western countries – in Africa, Asia, Central America and the Arab world – also possess these abilities, not because they were able to develop them independently, but because they acquired them in the private international digital arms market.
These capabilities, created in no small part by Israeli firms and originally intended to prevent terrorism and serious crime, are also being abused, notably by illiberal, undemocratic countries that have little experience with such advanced technologies. As with arms, alongside the regulated, legal market, darker and less supervised markets also form, through which technologies – be it arms or digital arms – are sold to dubious countries to which even Israel prohibits selling, and perhaps even to private bodies. Sources in the industry warn that this time, too, as occurred with offensive cyber, there are liable to be similar consequences.
Haaretz received the following responses from the companies described in this article, all of which were asked for comments:
Insanet stated: “Insanet is an Israeli company, which operates with full and absolute obligation to Israeli law and to its strict regulatory directives.”
Rayzone stated: “In recent years the bulk of Rayzone’s activity has been focused on two central realms, namely: big data analysis and broad solutions in the sphere of cyber defense for a range of clients in Israel and internationally, among them governments and commercial clients. As a private company, Rayzone Group is committed to secrecy and does not make reference to its products or its clients individually.”
Cobwebs stated: “The company is proud to support our law enforcement clients who are coping day and night to protect us from a wide range of worldwide threats: terrorism funding, cyberattacks, exploitation of children, violent crimes, arms smuggling and human trafficking. These threats make use of local and international communications methods that undermine the ability to identify and deal with them, and require advanced technology to cope with issues such as open intelligence and big data analysis. Cobwebs does not comment on commercial ties with clients. From the aspect of privacy, we wish to note that we operate only according to the law and are meticulous about [abiding by] strict regulations such as the GDPR in the European Union.”
The Defense Ministry, NSO, Candiru, Paragon, AdHoc, Bsightful and Cognyte chose not to respond to this investigative report.