A Saudi dissident living in Canada was likely spied on by Israeli phone-hacking technology, according to a Monday report.
The Herzliya-based NSO Group uses its controversial Pegasus spyware program to turn smartphones into listening devices. It has been accused of selling the technology to countries, including Saudi Arabia, who use it to spy on dissidents, journalists, and others.
The Citizen Lab, a group of academics from Toronto University, said it has “high confidence” that the Israeli technology was used to spy on 27-year-old Omar Abdulaziz, an outspoken Saudi dissident who sought asylum in Canada.
The hacking came at the same time as an escalating spat between Canada and Saudi Arabia after Ottawa criticized Riyadh’s human rights record. In response Saudi Arabia expelled Canada’s ambassador.
According to Citizen Lab, Abdulaziz, a frequent critic of Saudi Arabia human rights abuses who fled to Canada and now studies in Quebec, had his phone infected after clicking on a link masquerading as a tracker for a package he ordered, but was actually a Pegasus exploit link.
“Pegasus would have allowed the operators to copy Abdulaziz’s contacts, private family photos, text messages, and live voice calls from popular mobile messaging apps. The operators could have even activated his phone’s camera and microphone to capture activity, such as conversations, taking place in his home,” the group said in its report.
Pegasus infects individuals by sending them text messages tempting them to click an attached link.
When an unwitting target clicks the link, Pegasus is downloaded onto the device and infects it. The software can track calls and contacts, collect passwords, read text messages and emails, record calls, and trace the whereabouts of the user.
The NSO Group has insisted in the past that it sells its software to clients on the condition that it be used only against crime and terrorism, and has shirked responsibility in cases where it was allegedly used for civil rights abuses.
The identification of Abdulaziz came after Citizen Lab said it had identified 45 countries where individuals were targeted by the Pegasus spyware by at least 33 suspected NSO customers.
It also noted a “significant expansion of Pegasus usage” in Gulf states, including UAE, Bahrain, and Saudi Arabia.
Shalev Hulio, one of the founders of NSO, told Citizen Lab, “Our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws.”
According to the researchers, the operator thought to have infected Abdulaziz’s phone, named KINGDOM, was the same who had targeted Saudi dissident Yahya Assiri and an Amnesty International researcher.
“In addition to suspected infections in Saudi Arabia, KINGDOM appeared to be actively monitoring targets in Bahrain, Canada, Egypt, France, Iraq, Jordan, Lebanon, Morocco, Qatar, Turkey, and the UK,” Citizen Lab said. It said the operator was thought to be linked to the Saudi government.
Last month, Amnesty International accused Saudi Arabia of targeting its workers with WhatsApp messages containing links to malicious sites used to infect phones with the Pegasus software.
This was “a digital attack on our staff member’s privacy rights and on our role as a human rights organization. While secret surveillance may have legitimate uses by states in some contexts – this attack against us is not one,” Amnesty International wrote in a blog post.
“Even more disturbing is the fact that we identified over 600 domains that represent potential threats to human rights defenders and civil society actors in countless other countries around the world,” the group added.
In 2016, Israel’s Yedioth Ahronoth daily first reported that the Defense Ministry had given the NSO Group permission to sell the software to an Arab company, which went on to target a prominent UAE rights activist. But the scope of the government’s involvement had not been known.
Mike Murray, a researcher with Lookout, a San Francisco-based smartphone security company, called Pegasus at the time “one of the most sophisticated pieces of cyberespionage software we’ve ever seen.”
Mexico was scandalized last year by claims that opposition politicians, journalists, and human rights defenders in the country had been targeted by the government using the software.
The NSO Group has said in the past that its mission is to provide “authorized governments with technology that helps them combat terror and crime.”
“The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner,” the statement read. “Specifically, the products may only be used for the prevention and investigation of crimes.”
The company said that it “does not operate the software for its clients, it just develops it.”
Israeli companies have been criticized in the past for selling software to monitor internet and phone communication to regimes with poor human rights records, including in Uzbekistan and Kazakhstan, as well as Colombia, Trinidad and Tobago, Uganda, Panama, and Mexico, according to the NGO Privacy International.