NSO Group, a private Israeli firm that sells surveillance technology to governments worldwide, insists that its Pegasus spyware is used only to “investigate terrorism and crime.” Leaked data, however, reveals that the company’s hacking tool “has been used to facilitate human rights violations around the world on a massive scale.”
That’s according to an investigative report published Sunday by the Pegasus Project, a media consortium of more than 80 journalists from 17 news outlets in 10 countries. The collaborative endeavor was coordinated by Forbidden Stories, a Paris-based media nonprofit, with technical assistance from Amnesty International, which conducted “cutting-edge forensic tests” on smartphones to identify traces of the military-grade spyware.
The Guardian, one of the newspapers involved in the analysis, reported that “Pegasus is a malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls, and secretly activate microphones.” The Washington Post, another partner in the investigation, noted that the tool “can infect phones without a click.”
A massive data leak turned up a list of more than 50,000 phone numbers that, according to the Post, “are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of… NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry.”
More phone numbers were based in Mexico than any other country, with over 15,000 on the list, “including those belonging to politicians, union representatives, journalists, and other government critics,” the Post noted.
As The Guardian reported: “The phone number of a freelance Mexican reporter, Cecilio Pineda Birto, was found in the list, apparently of interest to a Mexican client in the weeks leading up to his murder, when his killers were able to locate him at a carwash. His phone has never been found so no forensic analysis has been possible to establish whether it was infected.”
Other nations that either had large shares of numbers on the list or were deemed to be potential government clients of NSO include: France, Hungary, Turkey, Morocco, Togo, Algeria, Rwanda, Saudi Arabia, the United Arab Emirates (UAE), Dubai, Qatar, Bahrain, Yemen, India, Pakistan, Azerbaijan, and Kazakhstan.
While “the presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack,” The Guardian noted, the consortium believes that “the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.”
Amnesty’s Security Lab analyzed a small sample of phones belonging to activists, journalists, and lawyers whose numbers appeared on the leaked list. Of the 67 phones examined, traces of Pegasus spyware were found on 37 devices, including 23 that had been successfully infected and 14 with signs of attempted hacking.
“NSO claims its spyware is undetectable and only used for legitimate criminal investigations,” Etienne Maynier, a technologist at Amnesty’s Security Lab, said in a statement. “We have now provided irrefutable evidence of this ludicrous falsehood.”
According to the Post:
The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.
The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials—including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.
Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London, and Al Jazeera in Qatar.
The newspaper added that Amnesty found evidence of NSO’s spyware being used by Saudi Arabia and UAE to target the phones of close associates of Post columnist Jamal Khashoggi before and after he was brutally murdered by Saudi operatives in 2018.
“The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists, and crush dissent, placing countless lives in peril,” Agnès Callamard, Secretary General of Amnesty International, said in a statement.
“These revelations,” Callamard continued, “blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology. While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations.”
Callamard emphasized that “[NSO’s] actions pose larger questions about the wholesale lack of regulation that has created a wild west of rampant abusive targeting of activists and journalists.”
“Until this company and the industry as a whole can show it is capable of respecting human rights,” she added, “there must be an immediate moratorium on the export, sale, transfer, and use of surveillance technology.”
NSO, for its part, issued a statement denying “false claims” in the report, including those related to Khashoggi. Attorneys for the company argued that the Pegasus Project’s investigation was based on “wrong assumptions” and “uncorroborated theories.” The company claimed that it is pursuing a “life-saving mission” to stamp out crime.
The Guardian noted that while the consortium “found numbers in the data belonging to suspected criminals… the broad array of numbers in the list belonging to people who seemingly have no connection to criminality suggests some NSO clients are breaching their contracts with the company, spying on pro-democracy activists and journalists investigating corruption, as well as political opponents and government critics.”
According to the Post, “After the investigation began, several reporters in the consortium learned that they or their family members had been successfully attacked with Pegasus spyware.”
In response, Callamard stressed that “the number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling [the] public narrative, resisting scrutiny, and suppressing any dissenting voice.”
“These revelations must act as a catalyst for change,” said Callamard. “The surveillance industry must no longer be afforded a laissez-faire approach from governments with a vested interest in using this technology to commit human rights violations.”
The human rights expert demanded that NSO “immediately shut down clients’ systems where there is credible evidence of misuse.” She added that “the Pegasus Project provides this in abundance.”
NSO stated that it “will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations.”
Timothy Summers, a former cyber security engineer at a U.S. intelligence agency and now director of IT at Arizona State University, told the Post that Pegasus “is nasty software.” One could use the technology, said Summers, to “spy on almost the entire world population.”
The Guardian noted that the Pegasus Project “will be revealing the identities of people whose number appeared on the list in the coming days.”
Amnesty’s Maynier said that “our hope is the damning evidence published over the next week will lead governments to overhaul a surveillance industry that is out of control.”