A consortium of global journalists recently made the shocking claim that Pegasus – spyware developed by the Israeli cyber surveillance firm the NSO Group- is being used by national governments to covertly spy on thousands of unsuspecting mobile phone users across the globe.
According to multiple reports, a “massive data leak” initially provided to Paris-based media nonprofit Forbidden Stories and Amnesty International revealed more than 50,000 phone numbers believed to be potential targets for cyber-surveillance by clients of NSO Group since 2016. The list was shared with more than 80 journalists from 17 media organizations in 10 countries, calling themselves The Pegasus Project.
Investigation of the target list reportedly showed Pegasus had potentially been used to spy on tens-of-thousands of people in more than 50 countries, including journalists, human rights activists, religious figures, academics, union officials, business executives, attornies, members of several royal families, politicians and government officials – including cabinet ministers, presidents, and prime ministers.
The Guardian, which participated in The Pegasus Project, said more than 180 journalists had been discovered as possible targets for surveillance, including reporters and editors from the Wall Street Journal, CNN, the New York Times, Al Jazeera, Associated Press, Reuters, Voice of America, Le Monde, El Pais, among many other world press outlets.
On Sunday, July 18, The Guardian said, “its media partners will be revealing the identities of people whose number appeared on the list in the coming days.”
In a public statement issued on its website, NRO Group gave a full-throated rebuke of the allegations, calling the reports “full of wrong assumptions and uncorroborated theories.”
The spyware in question, Pegasus, can be covertly installed on both iOS or Android mobile devices. Once infected, Pegasus reportedly allows keystroke monitoring of all communications, such as texts, emails, or web searches, along with location tracking of a device and phone calls. The spyware additionally grants covert access to a phone’s microphone and camera, turning it into a persistent surveillance device.
According to Amnesty International, in-depth forensic analysis of Pegasus shows the spyware can successfully perform “zero-click” attacks on a mobile phone, including the latest versions of Android and iOS 14.6 operating systems. Unlike most malware attacks, which require an unsuspecting target to click on a link, “zero-click” attacks require no interaction from a user for malicious software to infect a device.
In a public release, NSO Group, headquartered in Herzliya, Israel, said the company only “sells it [sic] technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts.”
Israel classifies Pegasus as a weapon, and the export of it must be approved by the Israeli government.
Human rights and privacy advocacy groups have long disputed NSO’s claims that Pegasus is only used for combating terrorism and crime, citing numerous examples of the spyware being used by authoritarian governments to monitor journalists, activists, and political rivals.
In 2019, Facebook sued NSO, claiming Pegasus was being used in India to surveil WhatsApp communications of users, including activists, journalists, and other bureaucrats.
The Pegasus Project says they identified over 1,000 Indian phone numbers among the list of 50,000 potential targets in this latest leak. India’s main opposition Congress party accused Indian Prime Minister Narendra Modi of “treason and an inexcusable dismantling of national security” over the suspected use of spyware against reporters, government critics, and cabinet ministers.
In 2018, Montreal-based Saudi dissident Omar Abdulaziz filed a lawsuit against NSO, claiming the company allowed Saudi Arabia to use Pegasus to spy on his communications with journalist Jamal Khashoggi. A staunch critic of the Saudi government living in self-imposed exile in the U.S., in 2018, Khashoggi was killed and dismembered inside the Saudi consulate in Istanbul when he attempted to obtain documents related to his planned marriage.
In February 2021, the U.S. Office of Director of National Intelligence published a report saying the American Intelligence Community had concluded Saudi Crown Prince Muhammad bin Salman had approved the operation to have Khashoggi murdered.
For its part, NSO Group denies Pegasus was associated with any surveillance of Khashoggi leading up to his murder. “We can confirm that our technology was not used to listen, monitor, track, or collect information regarding him or his family members,” a statement by NSO reads.
Challenging NSO’s claim that their sophisticated spyware is only sold to “vetted governments for the sole purpose of saving lives through preventing crime and terror acts,” a previous investigative series by Forbidden Stories, The Cartel Project, reported that corrupt Mexican state and federal officials were helping drug cartels gain access to Pegasus to target journalists and criminal rivals.
The Guardian reports that freelance Mexican reporter Cecilio Pineda Birto’s phone number was one of at least 25 Mexican journalists selected as candidates for Pegasus surveillance through 2016-2017. Pineda, a critic of state police and local politicians, accusing them of working with a violent Mexican crime boss known as “El Tequilero,” was shot and killed at a carwash in Ciudad Altamirano, Mexico, in March 2017.
NSO reportedly told The Guardian “that even if Pineda’s phone had been targeted, it did not mean data collected from his phone contributed in any way to his death, stressing governments could have discovered his location by other means.”
Media members of The Pegasus Project caution that just because a phone number appears on the leaked list of NSO targets does not automatically mean that an associated device was infected with Pegasus or subject to an attempted hack.
A previously leaked NSO brochure on Pegasus claims the spyware “leaves no traces whatsoever.” However, a forensic analysis by Amnesty International on a small number of mobile phones whose numbers appeared on the list of NSO surveillance candidates found that more than half showed traces of Pegasus spyware. An independent peer review by Citizen Lab confirmed Amnesty International’s findings.
An open-source “Mobile Verification Toolkit,” which works on iOS and Android devices, allows one to look for any “indicators of compromise” known to be used by NSO to deliver Pegasus spyware. Amnesty International has published detailed technical notes on how they used the toolkit to find traces of Pegasus, along with making available known indicators of compromise on its GitHub page.
NSO Group says they “firmly deny the false allegations” made in recent reports about their software and claim the company is considering a defamation lawsuit.
NSO says they have “good reason” to believe that the claimed list of possible Pegasus targets was based on a misleading interpretation of publicly available home location registers (HLR) or central databases that contain details of each mobile phone subscriber connected to the global mobile network.
“The claims that the data was leaked from our servers is a complete lie and ridiculous, since such data never existed on any of our servers,” reads the statement by NSO.
Major nations, such as the United States, Russia, or China, typically only employ their own in-house developed tools for electronic surveillance. However, the rise of private intelligence and cyberarms companies has given smaller governments, private corporations, or frankly anyone with enough money, the ability to have similarly sophisticated spy tools at their disposal.
“It’s an industry that’s largely undocumented and has very flexible ethical norms,” former anti-corruption prosecutor, Aaron Sayne, told Financial Times about the world of private intelligence.
“The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists, and crush dissent, placing countless lives in peril,” said Agnès Callamard, Secretary General of Amnesty International.
“Clearly, their actions pose larger questions about the wholesale lack of regulation that has created a wild west of rampant abusive targeting of activists and journalists. Until this company and the industry as a whole can show it is capable of respecting human rights, there must be an immediate moratorium on the export, sale, transfer, and use of surveillance technology.”
Follow and connect with author Tim McMillan on Twitter: @LtTimMcMillan or encrypted email: LtTimMcMillan@protonmail.com