Authoritarian governments around the world have targeted human rights activists, journalists and lawyers with spyware sold by the Israeli surveillance company NSO Group.
A massive data leak analyzed by The Guardian and 16 other media organizations points to systematic and sustained abuse of the Pegasus spyware. The company insists that the software is only intended for use against criminals and terrorists.
Pegasus is malicious software that infects iPhones and Android devices, allowing those who control it to extract messages, photos and emails, as well as secretly record calls and activate microphones.
The leak includes a list of more than 50,000 phone numbers. They are believed to belong to people who, since 2016, have been considered of interest by NSO clients.
Amnesty International and the Paris-based non-profit media organization Forbidden Stories were the first to access the leaked list, before sharing it with the media partners in the Pegasus Project, a reporting consortium.
The fact that a phone number appears on the list does not necessarily mean that the device was infected with Pegasus or that an attempt was made to hack it. But the consortium believes the data identifies potential targets chosen by NSO's client governments ahead of possible surveillance attempts.
A forensic analysis of a small number of phones on the leaked list showed that more than half of the devices had traces of Pegasus spyware.
The British newspaper The Guardian and its media partners will reveal in the coming days the identities of the people whose numbers appear on the list. They include hundreds of business executives, religious figures, academics, NGO employees, trade union officials and senior government officials such as ministers, presidents and prime ministers.
The list also includes the phone numbers of close relatives of a country’s ruler, suggesting that he may have instructed his spy agencies to explore the possibility of monitoring his own relatives.
The revelations began this Sunday, with the disclosure that the data includes the phone numbers of more than 180 journalists, including reporters, directors and executives of the Financial Times, CNN, the New York Times, France 24, the Economist, Associated Press and Reuters.
The phone number of a Mexican freelance journalist, Cecilio Pineda Birto, was also on the list. He was apparently of interest to a Mexican client in the weeks leading up to his murder, when his killers managed to locate him at a car wash. His phone was not found, so a forensic analysis to determine whether or not it was infected could not be done.
NSO says that even if Pineda's phone was the target of an attack, that does not mean that the information collected contributed in any way to his death. It also stresses that governments could have ascertained his whereabouts by other means. Pineda was one of 25 Mexican journalists apparently chosen to be spied on over a two-year period.
What the company says
Without a forensic analysis of the mobile devices, it is impossible to know whether the phones were subject to an attempted or successful Pegasus hack.
NSO has always maintained that “it does not operate the systems that it sells to approved government clients, and that it does not have access to the data of its clients’ targets.”
In statements issued through its attorneys, the company has denied “false claims” about its customers’ activities, but said it “will continue to investigate all credible reports of misuse and take appropriate action.” It also considers it impossible that the list corresponds to the “target numbers of the governments that use Pegasus” and describes the figure of 50,000 as “exaggerated”.
The company only sells to military, police and intelligence agencies in 40 countries that it does not identify. It says it rigorously reviews its clients’ human rights records before allowing them to use its spy tools.
The Israeli defense minister strictly regulates NSO, granting individual export licenses before its spy technology is sold to a new country.
In a transparency report NSO released a month ago, the company claimed to lead the industry when it comes to human rights. It also published excerpts from customer contracts stipulating that its products could only be used in criminal and national security investigations.
The results of the analysis
There is nothing to suggest that NSO clients did not also use Pegasus in terrorism and crime investigations. Among the numbers, the research consortium found data belonging to suspected criminals. But the wide range of numbers on the list, including people who apparently have no connection to crime, suggests that some NSO clients are breaking their contracts and spying on pro-democracy activists, journalists investigating corruption cases, opponents and other critics of the government.
This thesis is confirmed by forensic analysis of the phones of a small sample of journalists, human rights activists and lawyers whose numbers appeared on the leaked list. Amnesty's Security Laboratory, a technical partner of the Pegasus Project, found traces of the Pegasus software on 37 of the 67 phones tested.
That analysis also found correlations between the time and date the number was added to the list and the start of Pegasus activity on the device. In some cases, the difference was seconds.
Amnesty International has shared its forensic analysis of four iPhones with Citizen Lab, a research group at the University of Toronto that specializes in the study of Pegasus, which confirmed the traces of infection. Citizen Lab has also reviewed Amnesty International’s forensic methods and found them valid.
From Saudi Arabia to Morocco
Analysis of the leaked data carried out by the consortium has identified at least ten governments, allegedly clients of NSO, that were entering numbers into a system: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and the United Arab Emirates.
Analysis of the data shows that the NSO client country with the most numbers (more than 15,000) is Mexico, where it is known that several public bodies have purchased the Pegasus software. According to the analysis, both Morocco and the United Arab Emirates selected more than 10,000 numbers.
The phone numbers, possibly selected ahead of a surveillance attack, span four continents and more than 45 countries. There are more than 1,000 numbers in European countries that, according to the analysis, were chosen by NSO clients.
The presence of a phone number does not imply that there was an attempt to infect the phone. NSO maintains that there are other possible reasons for numbers to be included in the list.
Rwanda, Morocco, India and Hungary have denied using Pegasus to hack the phones of the people on the list. The governments of Azerbaijan, Bahrain, Kazakhstan, Saudi Arabia, Mexico, the United Arab Emirates and Dubai have not responded to requests for comment.
The Pegasus Project is likely to spark debate about government espionage in several countries suspected of using this technology. According to the investigation, the Government of Hungarian Prime Minister Viktor Orbán appears to have deployed NSO technology in its war against the media, targeting investigative journalists and the inner circle of one of Hungary’s few independent media executives.
The leaked data and forensic analysis also suggest that Saudi Arabia and its close ally, the United Arab Emirates, used the NSO spy tool to attack the phones of people close to Jamal Khashoggi, the murdered Washington Post journalist, in the months after his death. According to the leak, the Turkish prosecutor investigating Khashoggi’s death was also among the candidates for targeting.
Pegasus lets you take control
Claudio Guarnieri, Head of the Security Laboratory at Amnesty International, says that once Pegasus infects a phone, the NSO client can take control of the device, accessing a person’s messages, calls, photos and emails, secretly activating cameras or microphones, and even reading the content of encrypted messaging applications such as WhatsApp, Telegram and Signal.
Because the program also gives access to GPS and sensors in the phone’s hardware, Guarnieri says, NSO customers can even obtain a person’s location history and track their position in real time and with pinpoint accuracy. If the person is traveling in a car, for example, they can know the speed and direction of travel.
The latest advancements in NSO software allow it to penetrate phones with “zero click” attacks. That is, the phone can be infected even if the user does not click on a malicious link.
Guarnieri has evidence that NSO has taken advantage of vulnerabilities associated with iMessage, installed by default on iPhones, and that it is capable of penetrating even iPhones updated with the latest version of iOS. His team discovered infection attempts, as well as successful Pegasus infections, on phones as recently as last month.
Apple says: “Security researchers agree that the iPhone is the most secure consumer mobile device on the market.”
NSO has refused to give details about its clients and the people they target. But a knowledgeable source says that each client has an average of 112 targets per year. The source also says that the company sells its Pegasus spyware to 45 customers.
Translated by Francisco de Zárate.
With input from Michael Safi, Dan Sabbagh, Nina Lakhani, Shaun Walker, Angelique Chrisafis, Martin Hodgson.