Human rights activists, journalists, and lawyers from around the world have been targeted by phone malware sold to authoritarian governments by an Israeli surveillance company, according to media reports.
They are on a list of some 50,000 phone numbers believed to be of interest to the company’s clients, which was leaked to major news organizations.
It is not clear where the list came from, nor how many of the calls were actually hacked.
NSO denies wrongdoing
It said the software was intended for use against criminals and terrorists and was only available to the armed forces, law enforcement agencies, and intelligence services of countries with good human rights records.
He said the original investigation that led to the reports, conducted by Paris-based NGO Forbidden Stories and human rights group Amnesty International, was “full of false assumptions and unfounded theories”.
But it added that it would “continue to investigate all credible allegations of abuse and take appropriate action”.
The Washington Post, The Guardian, Le Monde and 14 other media outlets around the world published allegations on Sunday about the use of the software, known as Pegasus.
Pegasus infected iPhone and Android devices, allowing operators to extract messages, photos, and emails, record phone conversations, and secretly activate microphones and cameras.
What do we know about the target?
Media working on the investigation say they have identified more than 1,000 people from more than 50 countries whose numbers are listed.
They include politicians and heads of state, business leaders, activists, and several members of the Arab royal family. Also on the list are more than 180 journalists from organizations such as CNN, the New York Times, and Al Jazeera.
Many of them are concentrated in 10 countries. Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates, the reports said.
When contacted by media involved in the investigation, spokespeople for these countries denied using the Pegasus system or abusing their surveillance powers.
It is unclear how many of the devices on the list were actually attacked, but forensic analysis of 37 of the phones showed hacking “attempts and successes”, according to the Washington Post.
They include people close to Saudi journalist Jamal Khashoggi, who was murdered and his body mutilated in October 2018 while visiting the Saudi consulate in Istanbul, Turkey.
The investigation found that spyware was installed on his fiancée’s phone days after his murder, and that his wife’s phone was targeted by spyware between September 2017 and April 2018.
The NSO group claimed that its technology “has no connection to this heinous murder”.
The investigation found that Mexican journalist Cecilio Pineda Birto’s phone was also listed twice, including the month before his murder.
His mobile phone was missing from the scene and therefore could not be examined by forensics, but the ONS said that even if his phone had been targeted, this did not mean that the data collected was linked to his murder.
The mobile phones of two Hungarian investigative journalists, Andras Szabo and Szabolcs Panyi, were found to be infected with spyware.
Mr Panyi told Forbidden Tales that learning of the hack was “devastating”.
“Some people in this country consider an ordinary journalist as dangerous as a suspected terrorist,” he said.
A spokesperson for the Hungarian government told The Guardian that they were “not aware of any alleged data collection”.
In India, more than 40 journalists, three opposition leaders and two ministers from Prime Minister Narendra Modi’s government are reportedly on the list.
More details about who was targeted are expected to be released in the coming days.
WhatsApp sued NSO in 2019, claiming the company was behind a cyber attack that affected 1,400 Pegasus phones. At the time, NSO denied any wrongdoing, but the company was banned from using WhatsApp.
The accusations are not new, but what is new is the scale of the incidents allegedly targeting innocent people. The list includes the phone numbers of nearly 200 journalists from 21 countries, and more names are expected to be revealed.
There are many unknowns surrounding these allegations, including where the list came from and how many of the phone numbers were actively spied on. NSO Group has come out again and denied all allegations, but this is a blow to a company that is actively trying to improve its reputation.
Only a fortnight ago they published their first “transparency report” detailing their human rights policies and commitments. Amnesty International treated the 32-page document as a “sales brochure”.
While the latest allegations will further damage the company’s image, they will not hurt it financially. Few private companies can produce the kind of intrusive spying tools NSO sells, and it is clear that this largely unregulated software market is booming.