An in-depth investigation by 17 major international news organizations claims that the embattled Israeli cyber firm NSO Group has sold cellphone malware used to target journalists, activists and politicians in dozens of countries.
The use of the software, called Pegasus and developed by Israel’s NSO group, was reported on by The Washington Post, Le Monde, Die Zeit, the Guardian, Haaretz, PBS Frontline and many other news outlets who collaborated on an investigation into a data leak, alongside French journalism nonprofit Forbidden Stories and Amnesty International.
The global investigation is titled the Pegasus Project.
The reporting focused on Pegasus, a spyware tool sold by NSO that it says is being used by dozens of governmental clients. The analysis carried out on the leaked list of phone numbers found that the list included people targeted by the governments of Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates.
According to the Guardian, several opponents of authoritarian Hungarian Prime Minister Viktor Orban were targeted using Pegasus.
The software works by baiting users into clicking a link, whereupon it installs itself and gives the hacker complete access to the entire contents of the phone, as well as the ability to use its cameras and microphone undetected.
Rwanda, Morocco, India and Hungary denied having used the software to hack individuals, while other countries did not respond to the Pegasus Project’s requests for comment.
According to the reporting, more than 1,000 people across over 50 countries were traced to numbers on the list, including heads of state, and prime ministers, Arab royal family members, business executives, human rights activists, journalists, politicians and government officials.
The Washington Post reported that journalists who appeared on the list worked for news outlets including CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde, the Financial Times, and Al Jazeera.
The Project conducted forensic analysis on 37 smartphones from numbers included on the list, finding that they were infected by the spyware, with a correlation between timestamps that appeared on the list and the time the phones were hit with the malware.
Among the numbers found on the list were two belonging to women close to Saudi-born journalist Jamal Khashoggi, who was murdered by a Saudi hit squad in 2018.
The list also included the number of a Mexican freelance journalist who was later murdered at a carwash. His phone was never found and it was not clear if it had been hacked.
The Guardian wrote that the investigation suggests “widespread and continuing abuse” of Pegasus, which NSO says is intended for use against criminals and terrorists.
NSO refuses to reveal which countries have purchased the software, and it denied the majority of the claims made in the Pegasus Project reporting. NSO “firmly denies false claims made in your report which many of them are uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story,” the organization said.
NSO, a leader in the growing and largely unregulated private spyware industry, has previously pledged to police for abuses of its software.
The Guardian claimed that Israeli Defense Minister Benny Gantz “closely regulates NSO” and approves each individual export license before the surveillance software is sold to a new country. In its response, NSO stated that “you falsely claim that the Israeli government monitors the use of our customers’ systems, which is the type of conspiracy theory that our critics peddle,” adding: “Regarding export licenses, NSO is subject to various export control regimes including the Israeli MoD, similar to existing regulations in other democratic countries.”
On Khashoggi, NSO said that “our technology was not associated in any way with the heinous murder of Jamal Khashoggi. This includes listening, monitoring, tracking, or collecting information. We previously investigated this claim, immediately after the heinous murder, which again, is being made without validation.”
The full list of 50,000 people are not believed to have all been targeted by Pegasus, according to The Guardian, but reporters believe the list is “indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.” The news outlets said they would release the names of further individuals who were hacked by Pegasus in the coming days.
NSO Group has repeatedly been accused of violating human rights and selling its software to repressive governments who use it to surveil and target civilians and dissidents. It has been the target of multiple ongoing lawsuits.
WhatsApp is suing NSO Group in US court, accusing it of using the Facebook-owned messaging service to conduct cyber-espionage on journalists, human rights activists, and others. Amnesty International has sued the company in an Israeli court in an attempt to prevent it from selling its technology abroad, especially to repressive regimes.
In 2018, Amnesty claimed one of its employees was targeted by NSO’s malware, saying a hacker tried to break into the staffer’s smartphone using a WhatsApp message about a protest in front of the Saudi Embassy in Washington as bait.
Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, NSO Group is based in Herzliya, near Tel Aviv. It says it employs 600 people in Israel and around the world.