Written by Patrick Howell O'Neill

At 3:15 a.m. on Thursday, March 20, masked men rushed into Ahmed Mansoor’s family home and took him into custody.

An internationally-renowned human rights activist from the United Arab Emirates, Mansoor and his family were left without explanation as to why he was being taken away. However, they are accustomed to this type of situation.

Mansoor has been a constant target of government pressure for a decade, including being jailed for eight months in 2011 for “insulting officials.” The pressure often takes the form of an endless stream of cyberattacks and surveillance. The March incident was no different, as police confiscated all of his electronic devices, many of which have been the target of repeated government-sponsored hacking. Mansoor’s unparalleled history of being hacked has led observers to label him the most spied upon man in the world.

“They’re really, really trying to get this guy as much as they can,” Citizen Lab researcher Bill Marczak told CyberScoop, adding that Mansoor had faced an average of two attacks per month over the last five years. “Maybe they failed to spy on him, so they decided to take him in the old-fashioned way and get information out of him that way.”

Three months after Mansoor’s arrest, he remains in custody for “harming national unity and social harmony.”

Six days before the government relied on the “old-fashioned way” of gathering information from Mansoor, the UAE played host to an event featuring companies who handsomely profit off groups looking to spy on targets like Mansoor. The event, formally known as ISS World, has become the marquee show for governments looking for elite tech tools as a way to tamp down on dissent.

The endless hacking of Mansoor has for years been enabled and directly carried out by a who’s who of ISS World exhibitors. FinFisher, which hacked into Mansoor’s emails in 2011, is a German company that sells its wares at ISS World every year. Hacking Team, which targeted Mansoor’s devices in 2012, also participates in the show. NSO Group, the billion-dollar company that tried to hack Mansoor’s iPhone in 2016 on behalf of the UAE, is a premier sponsor of ISS World events.

A Golden Opportunity

For a long time, only the critics called ISS World the “Wiretapper’s Ball.”

It was a name meant with scorn for a hacking and surveillance industry trade show with a global reach. Since it debuted in 2002 with fewer than 50 attendees, the Intelligence Support Systems World Conference has expanded to bring thousands of prominent spies, police, hackers and powerful bureaucrats together to spend money on some of the latest and greatest in retail spying kits. Now event attendees and industry adherents occasionally use the nickname ironically when they describe the multimillion-dollar franchise.

The conference’s stop in the UAE capital of Dubai, ISS World Middle East, took place over three days in early March. The conference — along with the entire surveillance industry — has boomed in profits and influence over the last five years because, according to ISS World founder Jerry Lucas, countries around the world are ever-increasingly worried about homegrown uprisings.

At first, the 2011 Arab Spring seemed to be a disaster for the surveillance and hacking industry.

Driven in large part by the democratization of information and the rapid adoption of social media, upheaval in places like Egypt, Libya and Tunisia uncovered governments’ buying and deploying of spying kits from vendors who regularly exhibit at ISS World events. The information made its way to media, and the mainstream was introduced to the modern spying industry. The spying and hacking companies were painted as villains in lawsuits.

In the end, however, the Arab Spring turned out to be a lightning rod for the spyware market. Fearful of movement politics taking hold in their own countries, regimes around the world now spend billions of dollars every year on surveillance and hacking tools sold at shows like ISS World. In 2013, Lucas said that international fear of the Arab Spring directly led to the industry’s massive boom.

The post-Arab Spring world has been, for the participants in the Wiretappers’ Ball, a much-welcomed return to the massively profitable days of a decade ago. After 9/11, the Bush administration’s spying and security programs drove revenues up by the millions across the board for ISS World attendees who landed a wave of big new contracts from American intelligence agencies suddenly flush with cash. The 2008 recession and anti-Bush political backlash momentarily threatened those profits, but the Arab Spring opened up a rich global market like it never had been before.

High Profits, Low Profile

ISS World is populated and sponsored by a mix of major billion-dollar military contractors as well as many smaller, specialized outfits that deal largely in products like zero-day software vulnerabilities, malware and deep packet inspection. The other part of ISS World’s audience contains an array of governments, armed with increasing budgets, ready to buy offensive hacking and surveillance tools.

Despite unprecedented financial success, the retail spying and hacking industry keeps an extraordinarily low profile. Even within the cybersecurity industry at large, the entities involved stay mum. For the public, which is directly affected by the products and policy the industry drives, these companies are mysteries. Little is known, less is talked about, and not a lot of light gets in. For investors, the firms are a source of sure returns.

What has turned into a global phenomenon originated in Washington, D.C., but has since branched out to all corners of the world. Hundreds of representatives from dozens of countries and private interests attend every event, whether they are based in Europe, Asia, Latin America or elsewhere.

Each event is different and, according to people who have actually attended, the shows in Eastern Europe and the Middle East are by far the most interesting. The companies and governments are more aggressive in sales and purchases, the rule of law bends further than other areas of the world, and the potential for vast misuse of the products sold is closer to a guarantee than a hypothetical scenario.

The UAE has played host to the ISS World Middle East conference since 2009, when a roster full of Western-based companies pitched Middle Eastern governments on their retail spy kits. The show’s makeup is considerably more diverse these days as companies from every continent pitch their wares.

The UAE’s involvement is hardly unique. Countries like Morocco and Ethiopia have used Hacking Team products to spy on and attack reporters, according to researchers at the University of Toronto.

On top of government officials participating, private companies with headquarters in host nations also play a prominent role. DarkMatter, a firm based in Dubai, was the headline sponsor of the 2017 event. The firm considers itself the premier purveyor of surveillance and hacking tools to the local Emirati government, boasting about its ties to the country’s royalty in recruitment efforts obtained by CyberScoop.

A Booming Global Industry

America is big and yet boring for the global spyware industry.

Once the flagship of the ISS World franchise, the annual Washington, D.C., show is now described by attendees as a significant but tame version of the event. The Dubai show is more freewheeling and boisterous, and the rules or public scrutiny take a distant back seat to sales and government-defined security.

ISS World Europe, held annually in Prague, is a headline affair. It’s generally bigger than every other ISS World show. Prague shares the outlandish character of Dubai, according to attendees, but has the advantage that it attracts even more of the best talent in Europe to sell offensive hacking products.

One of those companies, NSO Group, came to prominence in 2016 when the UAE used its products to hack Ahmed Mansoor. In keeping with its almost universal avoidance of public spotlights, NSO Group kept its head down as a global controversy came and went over the summer months. It’s widely regarded as one of the most potent actors in the offense industry.

Under a different name, NSO Group was the top-level diamond sponsor of ISS World Europe 2016, simply going by “Q.”

“Our mission is to provide law enforcement and intelligence agencies the strategic and tactical capabilities needed to ensure the success of their activities, anywhere they operate,” the company’s sales pitch states. “Our technology is target-centric and service provider-independent. It enables governments to identify, locate and gather valuable intelligence from people of interest without engagement and without compromising their identity. Q is the definitive tool for combating terrorism and crime, thus preserving national and personal security.”

The phrase “without compromising their identity” was written before NSO Group and UAE’s latest role in the hacking of human rights activists was outed in global media.

“Combatting terrorism and crime” is, of course, a subjective endeavor depending on who is defining what constitutes a crime. The phrase “lawful intercept,” used in the marketing material of all these firms, really just means that a government is paying the bills, multiple attendees of ISS World have said.

The issue is hardly black and white. Nearly every government has legitimate security challenges to deal with, including those states that deal in oppression or corruption. Many ISS World exhibitors have proven, however, that if free speech or dissent is illegal in a country, perhaps the most important consideration is who is signing the checks.

And those checks tend to be big. If NSO Group’s rumored client list is true, countries from Turkey to Thailand have and will continue to spend money to procure the company’s tools. Even if activists like Mansoor figure out they are being targeted, it may not take much to have companies who take part in ISS World switch up their tech and keep business coming in.

Privately, NSO Group is up for sale at a price around $1 billion. The firm’s technologists have told business associates that Mansoor’s discovery of Pegasus, a find that burned three zero-day vulnerabilities, disrupted operations for only 30 minutes before the next zero-days were put into rotation.

This story is part of ongoing reporting where CyberScoop looks at the companies, countries and individuals that make the private spying and hacking business increasingly profitable and important. If you want to speak with CyberScoop, contact Patrick Howell O’Neill.