In the past month or so, there was a front page story on HN about NSO and a journalist, detailing evidence that NSO-controlled servers served up the exploit to the journalist's phone. This suggests that the NSO group has less of an arms-length relationship with their clients than they let on. It seems that at least for some clients, they're running some variant on exploits-as-a-service.
That still doesn't mean they knew about this. How would they even know it were American phones? Its very possible it were some IPhone with a Ugandan sim card. How do you know who's using it - do the Ugandans tell you? It's a very real possibility NSO servers simply show some Ugandan number.
I have no more knowledge on this than anyone here but I don't find it realistic NSO would take this chance.
Mitigating but not exonerating. (Also, unknown and possibly unknowable.) NSO are still selling cyberweapons hitting the United States. If they didn't give a shit about keeping an eye on their kit, that's a negligent gap in oversight by Jerusalem.
It's a good thing we have a talking-not-shooting relationship with Israel. The U.S. would be within its rights to launch a proportional counterattack were that not the case. If Israel doesn't deal with this properly, there's a decent chance we'll see calls for criminal penalties and targeted sanctions.
I didn't say that they knew. I was saying "This wasn't done by NSO knowingly." isn't necessarily true. I think I was pretty clear about the fuzziness of the evidence as it relates to this specific case.
