Outrage grew on Monday in the wake of an in-depth investigation by 17 major international news organizations that claimed Israeli spyware firm NSO Group sold cellphone malware used to target journalists, activists and politicians in dozens of countries.
The Amnesty International human rights group said that the revelations of the probe into use of the Pegasus software showed the need for limits to be placed on the use of the technology.
“The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling public narrative, resisting scrutiny, and suppressing any dissenting voice,” said Amnesty secretary-general Agnes Callamard.
“These revelations must act as a catalyst for change. The surveillance industry must no longer be afforded a laissez-faire approach from governments with a vested interest in using this technology to commit human rights violations,” said Callamard.
The use of Pegasus was reported on Sunday by The Washington Post, Le Monde, Die Zeit, the Guardian, Haaretz, PBS Frontline and other news outlets that collaborated on an investigation into a data leak of more than 50,000 cellphone numbers obtained by the Paris-based journalism nonprofit Forbidden Stories and Amnesty International and shared with 17 news organizations.
From that list, journalists were able to identify more than 1,000 individuals in 50 countries who were allegedly selected by NSO clients for potential surveillance, including people targeted by the governments of Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates.
Opposition lawmakers in Hungary’s parliament on Monday demanded an inquiry, with Janos Stummer from the right-wing party Jobbik saying that the surveillance described by the investigation is “not permissible in a state governed by the rule of law.”
The head of Facebook-owned WhatsApp, the messaging company already suing NSO in a US court, tweeted that the use of the spyware must be stopped.
“NSO’s dangerous spyware is used to commit horrible human rights abuses all around the world and it must be stopped,” tweeted Will Cathcart. “Human rights defenders, tech companies and governments must work together to increase security and hold the abusers of spyware accountable.”
Cathcart concluded by saying the report was “a wake up call for security on the internet.”
“We need more companies, and, critically, governments, to take steps to hold NSO Group accountable. Once again, we urge a global moratorium on the use of unaccountable surveillance technology now. It’s past time,” Cathcart said.
Edward Snowden, the former US intelligence contractor who revealed in 2013 that the US government was spying on its citizens, said “the leak is going to be the story of the year.”
Meanwhile, the former UN Special Rapporteur on freedom of expression called for an end to the sale or transfer of spyware.
“What’s the solution to an out-of-control spyware industry? Start with a global moratorium on sale/transfer,” tweeted David Kaye.
The software installs itself on a phone without requiring users to click a link, and gives the hacker complete access to the entire contents of the phone, as well as the ability to use its cameras and microphone undetected.
Rwanda, Morocco, India and Hungary denied having used the software to hack individuals, while other countries did not respond to the Pegasus Project’s requests for comment.
According to the reporting, people across over 50 countries were traced to numbers on the list, including several heads of state and prime ministers, Arab royal family members, business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials.
The Washington Post reported that journalists who appeared on the list worked for news outlets including CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde, the Financial Times, and Al Jazeera.
AP’s director of media relations, Lauren Easton, said the company is “deeply troubled to learn that two AP journalists, along with journalists from many news organizations” are on the list of potential targets for Pegasus infection. She said the AP was investigating to try to determine if its two staffers’ devices were compromised by the spyware.
The Project conducted forensic analysis on 37 smartphones from numbers included on the list, finding that they were infected by the spyware, with a correlation between timestamps that appeared on the list and the time the phones were hit with the malware.
Amnesty also reported that its forensic researchers had determined that Pegasus spyware was successfully installed on the phone of Post journalist Jamal Khashoggi’s fiancée, Hatice Cengiz, just four days after Khashoggi was killed in the Saudi Consulate in Istanbul in 2018.
The company had previously been implicated in other spying on Khashoggi.
“I am deeply shocked that I have been targeted while I was in such pain waiting to find out what had happened to Jamal. This was the worst time of my life and yet the killers were spying on me. They have no shame. They must be brought to justice,” tweeted Cengiz.
Mexican phones represented the largest group of numbers on the list, 15,000, with another large share in the Middle East. Saudi Arabia is reported to be among NSO clients. Also on the lists were phones in countries including France, Hungary, India, Azerbaijan, Kazakhstan and Pakistan.
Indian investigative news website The Wire reported that 300 cellphone numbers used in India — including those of government ministers, opposition politicians, journalists, scientists and rights activists — were on the list.
The Indian government denied in 2019 that it had used the malware to spy on its citizens.
The Guardian wrote that the investigation suggests “widespread and continuing abuse” of Pegasus, which NSO says is intended for use against criminals and terrorists.
NSO refuses to reveal which countries have purchased the software, and it denied the majority of the claims made in the Pegasus Project reporting. NSO “firmly denies false claims made in your report which many of them are uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story,” the organization said.
NSO, a leader in the growing and largely unregulated private spyware industry, has previously pledged to police for abuses of its software. Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, the Herzliya-based firm employs hundreds of people in Israel and around the world.
NSO Group denied in an emailed statement that the data on which the report was based was leaked from its servers “since such data never existed on any of our servers.” It called the report “full of wrong assumptions and uncorroborated theories.”
New Israel Fund’s executive director in Israel, Mickey Gitzin, said Monday that the Pegasus report was “just the tip of the iceberg,” noting the government’s role in approving export licenses for such spy tech.
“This is the tip of the iceberg regarding the use of Israeli technologies for the benefit of such acts. Many of the technologies need the approval of the Defense Ministry, and the level of regulation in the area in Israel is almost zero,” Gitzin tweeted.
The Guardian claimed that Defense Minister Benny Gantz “closely regulates NSO” and approves each individual export license before the surveillance software is sold to a new country.
NSO denied that the government had any role beyond the Defense Ministry’s export control regime.
On Khashoggi, NSO said that “our technology was not associated in any way with the heinous murder of Jamal Khashoggi. This includes listening, monitoring, tracking, or collecting information. We previously investigated this claim, immediately after the heinous murder, which again, is being made without validation.”
Not all of the 50,000 people on the list are believed to have all been targeted by Pegasus, according to The Guardian, but reporters believe the list is “indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.” The news outlets said they would release the names of further individuals who were hacked by Pegasus in the coming days.
NSO Group has repeatedly been accused of violating human rights and selling its software to repressive governments that use it to surveil and target civilians and dissidents. It has been the target of multiple ongoing lawsuits.
WhatsApp is suing NSO Group in US court, accusing it of using the Facebook-owned messaging service to conduct cyber-espionage on journalists, human rights activists, and others. Amnesty International has sued the company in an Israeli court in an attempt to prevent it from selling its technology abroad, especially to repressive regimes.