When The New York Times reported in April that a contractor had purchased and deployed a spying tool made by NSO, the contentious Israeli hacking firm, for use by the U.S. government, White House officials said they were unaware of the contract and put the F.B.I. in charge of figuring out who might have been using the technology.
After an investigation, the F.B.I. uncovered at least part of the answer: It was the F.B.I.
The deal for the surveillance tool between the contractor, Riva Networks, and NSO was completed in November 2021. Only days before, the Biden administration had put NSO on a Commerce Department blacklist, which effectively banned U.S. firms from doing business with the company. For years, NSO’s spyware had been abused by governments around the world.
This particular tool, known as Landmark, allowed government officials to track people in Mexico without their knowledge or consent.
The F.B.I. now says that it used the tool unwittingly and that Riva Networks misled the bureau. Once the agency discovered in late April that Riva had used the spying tool on its behalf, Christopher A. Wray, the F.B.I. director, terminated the contract, according to U.S. officials.
But many questions remain. Why did the F.B.I. hire this contractor — which the bureau had previously authorized to purchase a different NSO tool under a cover name — for sensitive information-gathering operations outside the United States? And why was there apparently so little oversight?
It is also unclear which, if any, government agencies besides the F.B.I. might have worked with Riva Networks to deploy the spying tool in Mexico. Two people with direct knowledge of the contract said cellphone numbers in Mexico were targeted throughout 2021, 2022 and into this year — far longer than the F.B.I. says the tool was used.
The episode further illustrates how, even as the White House tries to crack down on foreign spyware firms, NSO continued to find ways to make money off its tools.
Riva Networks and its chief executive, Robin Gamble, did not respond to several requests for comment on the F.B.I.’s accusations. When a Times reporter went to an address the company lists in some public records, a person who answered said he had never heard of Mr. Gamble. He refused to provide his name before closing the door.
The F.B.I., according to several U.S. officials, had hired the New Jersey-based Riva Networks to help track suspected drug smugglers and fugitives in Mexico because the company was able to exploit vulnerabilities in the country’s cellphone networks to covertly track mobile phones.
A senior F.B.I. official said that in early 2021, the bureau gave Riva Networks several phone numbers in Mexico to target as part of its fugitive apprehension program. The official, who like others in this article spoke on the condition of anonymity to discuss sensitive details, said that the bureau thought Riva Networks was using an in-house geolocation tool.
In the investigation that the F.B.I. began after The Times article, the bureau found that at some point in 2021 Riva began using Landmark, the NSO tool, without informing the bureau, the official said. Riva renewed its contract with NSO in November 2021 without telling the F.B.I., the official said.
The bureau told its contractors, including Riva, that they could not use NSO products in 2021, the official said, adding that no data from Landmark ever made it back to the F.B.I. — at least based on what Riva Networks told the agency.
“As part of our mission, the F.B.I. is tasked with locating fugitives around the world who are charged in U.S. courts, including for violent crimes and drug trafficking,” the agency said in a statement. “To accomplish this, the F.B.I. regularly contracts with companies who can provide technological assistance to locate these fugitives who are hiding abroad.”
The statement added: “The F.B.I. has not employed foreign commercial spyware in these or any other operational endeavors. This geolocation tool did not provide the F.B.I. access to an actual device, phone or computer. We will continue to lawfully utilize authorized tools to protect Americans and bring criminals to justice.”
A senior White House official told The Times that because Landmark is an NSO product, its use by the government is banned under a new executive order that restricts federal agencies from using spying tools made by some foreign hacking companies. But U.S. officials say that government use of geolocation tools in general does not violate the executive order.
It is not unusual for the F.B.I., as well as other law enforcement agencies, to use contractors that provide technologies for tasks such as breaking into phones after a terrorist attack. The intelligence community also relies on contractors for certain abilities.
The Times has sued the F.B.I. under the Freedom of Information Act for documents related to the bureau’s purchase of NSO tools and has also sought documents about the bureau’s relationship with Riva Networks. In a court filing this week, government lawyers argued that the F.B.I. should not have to turn over information about Riva Networks because “the vendors at issue either already do, or may in the future, offer other products that are or can be used for investigative purposes.”
The Biden administration blacklisted NSO after years of scandal associated with its primary hacking tool, Pegasus, which authoritarian governments and democracies alike have used to spy on journalists, human rights activists and political dissidents.
The White House declined to comment on whether it would push for penalties against Riva Networks.
Government databases show that Riva Networks has had numerous lucrative contracts with government agencies, including the Defense Department, the F.B.I. and the Drug Enforcement Administration. As recently as October, the company was awarded a contract for work with the Air Force Research Laboratory.
Marc DeNofio, a spokesman for the laboratory, said the work had largely been completed, but “Riva is still active as there are still some support hours remaining on their effort.”
The F.B.I.’s relationship with the company also goes back several years. In fact, the bureau used Riva Networks to purchase Pegasus, which penetrates phones and extracts their contents without users’ knowledge. The bureau paid more than $5 million to test the spyware from 2019 to 2021, and officials discussed using it as part of their investigations before ultimately deciding against it.
The testing took place at one of Riva’s facilities in New Jersey, where the Pegasus system remains. The F.B.I. official said Pegasus was inactive because the bureau did not renew a license for its software.
When it purchased Pegasus, the bureau used a cover name for Riva Networks, Cleopatra Holdings, according to two people familiar with the contract. That name was also used in the November 2021 contract between Riva Networks and NSO for the purchase of Landmark, according to a copy reviewed by The Times.
Mr. Gamble, Riva’s chief executive, even signed the contract for Landmark under a pseudonym, William Malone, according to those people.
Unlike Pegasus, Landmark does not penetrate and extract data from cellphones. Instead, it tracks the location of individual people based on which cell tower their phone is communicating with.
Tracking a single person can result in hundreds or thousands of individual Landmark queries, or attempts to determine location at any given time.
In 2017, Saud al-Qahtani, a senior adviser to Saudi Arabia’s crown prince, used Landmark to track dissidents as part of the kingdom’s brutal campaign to crack down on its perceived enemies. Mr. Qahtani has also been identified as the person who orchestrated the killing of the Washington Post columnist Jamal Khashoggi in 2018.
In March, the White House issued an executive order restricting federal agencies from using spyware tools that have been abused by governments. Days later, a group of countries at the Summit for Democracy signed a joint statement of their commitment to reining in the abuses of hacking tools.
Then, weeks ago, the Biden administration blacklisted two companies that are at the center of a political scandal in Athens over the use of spyware against politicians and journalists. Both companies are controlled by an Israeli former general who has promoted them as competitors to NSO.
Despite growing attention by governments in the West to the dangers of commercial spyware, the tools continue to proliferate with new firms — which employ Israeli cyberintelligence veterans, some of whom worked for NSO — stepping in to fill the void from NSO’s blacklisting.
An investigation by Microsoft and Citizen Lab, a research organization based at the University of Toronto, recently linked malware produced by QuaDream, an Israeli firm, to hackings in numerous countries of journalists, political opposition figures and at least one worker for a nongovernmental organization.
QuaDream, like NSO and other commercial spyware firms, “employs complicated and opaque corporate practices that may be designed to evade public scrutiny and accountability,” the investigation found.