An Israeli surveillance firm’s spyware has been used by oppressive regimes to carry out human rights violations on a global scale, according to a widespread investigation into the spyware’s use against journalists, activists and political opponents.
The investigation, called the Pegasus Project, specifically looks into NSO Group’s Pegasus spyware. The firm has been accused in the past of selling the cyberweapon to authoritarian countries, which then use it to surveil dissidents. The probe relied on interviews and digital forensic analysis of a leaked list of more than 50,000 phones belonging to those who are believed to have been of interest to NSO clients since 2016.
The global investigation is being published throughout this week, and was conducted by 17 media organizations coordinated by Forbidden Stories, a Paris-based journalism nonprofit. Amnesty International provided technical support for the investigation by carrying out forensic tests on the phones to identify evidence of the spyware.
For Pegasus to successfully allow governments to spy on people, the targets receive what’s known as a trap link on their smartphones, persuading them to tap and activate it. The spyware then captures and copies the phone’s most basic functions, recording from the cameras and microphone and collecting location data, call logs, messages and contacts. The infection secretly reports the information to an operative, who can use it to map out sensitive details of the target’s life.
The company only sells to military, law enforcement and intelligence agencies in 40 unnamed countries and claims to vet its clients’ human rights records before letting them use its spyware. The firm is regulated by the Israeli defense minister, who grants individual export licenses before the surveillance technology can be sold to a new country.
From the leaked data and subsequent investigations, Forbidden Stories and the affiliated media partners found potential NSO clients in almost a dozen countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo and the United Arab Emirates. Analysis of the data suggested that the NSO client country that selected the most numbers ― over 15,000 ― was Mexico, according to The Guardian, one of the affiliated news organizations. Both Morocco and the UAE selected more than 10,000 numbers.
Those involved in the Pegasus Project said that a phone number’s presence in the data leak does not automatically mean its owner was a target of a surveillance attack. However, a vast number of them belonged to people who appear to have no connection to criminality ― suggesting that some NSO clients are using the Pegasus spyware to surveil human rights activists and journalists investigating corruption, as well as political opponents and dissidents.
Amnesty International conducted a forensic analysis on the phones of a small sample of activists, journalists and lawyers whose numbers were on the leaked list. The analysis found traces of Pegasus spyware activity on more than half of the 67 iPhones examined. More than 180 journalists are listed in the data, from publications including the Financial Times, CNN, The New York Times, France 24, The Economist, The Associated Press and Reuters.
The list also includes the phone numbers of close family members of one country’s leader, suggesting that said leader may have instructed their intelligence agencies to explore the potential of surveilling their own relatives, according to The Guardian.
The probe found that the Pegasus spyware was used to target family members of The Washington Post’s Jamal Khashoggi, a Saudi journalist who was murdered in Istanbul almost three years ago by Saudi operatives. Amnesty International’s Security Lab concluded that the spyware was successfully installed on the phones of the two women closest to Khashoggi: his wife and his fiancee.
Khashoggi’s wife, Hanan Elatr, was targeted by a Pegasus user six months before her husband’s murder, although the investigation could not determine whether the attack on her Android phone was successful, according to The Post. The spyware successfully infected the iPhone of his fiancee, Hatice Cengiz, just days after the journalist’s death.
The surveillance firm has not taken adequate action to stop its spyware from being used to target political dissidents despite potentially knowing it was happening, according to Amnesty International.
“They paint a picture of legitimacy, while profiting from widespread human rights violations. Clearly, their actions pose larger questions about the wholesale lack of regulation that has created a wild west of rampant abusive targeting of activists and journalists,” said Agnes Callamard, secretary general of Amnesty International. Callamard is also the former United Nations rapporteur who investigated Khashoggi’s murder.
“Until this company and the industry as a whole can show it is capable of respecting human rights, there must be an immediate moratorium on the export, sale, transfer and use of surveillance technology,” Callamard continued.
NSO responded to media organizations involved in the Pegasus Project by saying it “firmly denies” the claims, adding that “many of them are uncorroborated theories which raise serious doubts about the reliability of your sources, as well as the basis of your story.” The firm allegedly did not confirm or deny which governments are its clients, but said it “will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations.”
In 2019, WhatsApp sued NSO, accusing it of helping government spies break into the phones of about 1,400 users that included diplomats, political dissidents, journalists and senior government officials. The app said the attack exploited WhatsApp’s video calling system in order to send malware to the phones, allowing NSO’s clients to spy on the owner, according to Reuters. NSO denied the allegations.
On Sunday, Amnesty International released the full technical details of its Security Lab’s forensic investigations as part of the Pegasus Project. The lab’s methodology report includes the evolution of Pegasus spyware attacks since 2018, with details on the cyberweapon’s infrastructure that includes more than 700 Pegasus-related domains.
“NSO claims its spyware is undetectable and only used for legitimate criminal investigations,” said Etienne Maynier, one of the lab’s technologists. “We have now provided irrefutable evidence of this ludicrous falsehood. … Our hope is the damning evidence published over the next week will lead governments to overhaul a surveillance industry that is out of control.”