The U.S. Federal Bureau of Investigation has admitted it has used software by iPhone hacking tool maker NSO Group, after an investigation discovered it was unwittingly doing so.
In April, a report from the New York Times determined that a contractor had bought and used a spying tool produced by NSO Group, specifically for use by the U.S. government. At the time, the White House claimed it didn't know of a contract, and tasked the FBI to find out who was using it.
It turns out the FBI's answer after the investigation was itself.
Contractor Riva Networks signed a deal in November 2021, reported The New York Times on Monday, days after the White House placed NSO Group on the Commerce Department blacklist. The tools from the Israeli security firm were effectively blocked from purchase by US businesses at that point.
However, the FBI contracted Riva networks, which in turn led to the use of an NSO tool as part of an investigation, which the FBI said occurred unwittingly.
FBI director Christopher Wray terminated the contract with the contractor in April after the discovery was made.
Contractor to blame
The FBI hasn't explained why this situation occurred, but the tool in use was not the infamous Pegasus, but one called "Landmark." Rather than hacking phones directly, Landmark instead is able to narrow down and track the location of a device.
In 2021, a senior FBI official provided numbers based in Mexico for Riva to search for, under a fugitive apprehension program. The FBI allegedly thought that Riva was using an in-house geolocation tool, rather than NSO software.
A later investigation found that Riva started using Landmark in 2021 without telling the FBI, and withheld the detail in its November 2021 contract renewal. This despite the FBI telling Riva and other contractors in 2021 that NSO products were off-limits.
In a statement, the FBI says it is tasked with locating fugitives around the world who are charged in U.S. courts, and that the FBI regularly contracts with companies for technological assistance in these matters.
"The F.B.I. has not employed foreign commercial spyware in these or any other operational endeavor," the FBI adds. "This geolocation tool did not provide the F.B.I. access to an actual device, phone or computer."
The FBI says it will "continue to lawfully utilize authorized tools to protect Americans and bring criminals to justice."
While the dealings with Riva concerned Landmark, the FBI and Riva's relationship did extend to Pegasus at one point. In 2019 to 2021, the FBI used Riva to pay for Pegasus and to test it out.
After considerable internal debate and owning Pegasus hardware at a Riva facility in New Jersey, it decided in 2021 to not use any NSO Group spyware. The FBI deems Pegasus as inactive, as it declined to renew a license for the tool.
This may not even be the last of reports relating to Riva and NSO's tools. Riva Networks has a number of government agency contracts beyond the FBI, including the Defense Department, the Drug Enforcement Administration, and the Air Force Research Laboratory.