An in-depth investigation by 17 major international news organizations published Sunday claims that the embattled Israeli cyber firm NSO Group has sold cellphone malware used to target journalists, activists and politicians in dozens of countries.
The use of the software, called Pegasus and developed by Israel’s NSO group, was reported on by The Washington Post, Le Monde, Die Zeit, the Guardian, Haaretz, PBS Frontline and many other news outlets who collaborated on an investigation into a data leak, alongside French journalism nonprofit Forbidden Stories and Amnesty International.
The global investigation is titled the Pegasus Project.
The reporting focused on Pegasus, a spyware tool sold by NSO that it says is being used by dozens of governmental clients. The analysis carried out on a leaked list of 50,000 phone numbers found that the list included people targeted by the governments of Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates.
According to the Guardian, several opponents of authoritarian Hungarian Prime Minister Viktor Orban were targeted using Pegasus.
The software installs itself on a phone without requiring users to click a link, and gives the hacker complete access to the entire contents of the phone, as well as the ability to use its cameras and microphone undetected.
Rwanda, Morocco, India and Hungary denied having used the software to hack individuals, while other countries did not respond to the Pegasus Project’s requests for comment.
According to the reporting, more than 1,000 people across over 50 countries were traced to numbers on the list, including several heads of state, and prime ministers, Arab royal family members, business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials.
The Washington Post reported that journalists who appeared on the list worked for news outlets including CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde, the Financial Times, and Al Jazeera.
The Project conducted forensic analysis on 37 smartphones from numbers included on the list, finding that they were infected by the spyware, with a correlation between timestamps that appeared on the list and the time the phones were hit with the malware.
Amnesty also reported that its forensic researchers had determined that NSO Group’s flagship Pegasus spyware was successfully installed on the phone of Post journalist Jamal Khashoggi’s fiancee, Hatice Cengiz, just four days after he was killed in the Saudi Consulate in Istanbul in 2018. The company had previously been implicated in other spying on Khashoggi.
The list also included the number of a Mexican freelance journalist who was later murdered at a carwash. His phone was never found and it was not clear if it had been hacked.
The most numbers on the list, 15,000, were for Mexican phones, with a large share in the Middle East. NSO Group’s spyware has been implicated in targeted surveillance chiefly in the Middle East and Mexico. Saudi Arabia is reported to be among NSO clients. Also on the lists were phones in countries including France, Hungary, India, Azerbaijan, Kazakhstan and Pakistan.
Among more than two dozen previously documented Mexican targets are proponents of a soda tax, opposition politicians, human rights activists investigating a mass disappearance and the widow of a slain journalist. In the Middle East, the victims have mostly been journalists and dissidents, allegedly targeted by the Saudi and United Arab Emirates governments.
The Guardian wrote that the investigation suggests “widespread and continuing abuse” of Pegasus, which NSO says is intended for use against criminals and terrorists.
NSO refuses to reveal which countries have purchased the software, and it denied the majority of the claims made in the Pegasus Project reporting. NSO “firmly denies false claims made in your report which many of them are uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story,” the organization said.
NSO, a leader in the growing and largely unregulated private spyware industry, has previously pledged to police for abuses of its software.
NSO Group denied in an emailed statement that the data on which the report was based was leaked from its servers “since such data never existed on any of our servers.” It called the Forbidden Stories report “full of wrong assumptions and uncorroborated theories.”
The Guardian claimed that Israeli Defense Minister Benny Gantz “closely regulates NSO” and approves each individual export license before the surveillance software is sold to a new country. In its response, NSO stated that “you falsely claim that the Israeli government monitors the use of our customers’ systems, which is the type of conspiracy theory that our critics peddle,” adding: “Regarding export licenses, NSO is subject to various export control regimes including the Israeli MoD, similar to existing regulations in other democratic countries.”
On Khashoggi, NSO said that “our technology was not associated in any way with the heinous murder of Jamal Khashoggi. This includes listening, monitoring, tracking, or collecting information. We previously investigated this claim, immediately after the heinous murder, which again, is being made without validation.”
The full list of 50,000 people are not believed to have all been targeted by Pegasus, according to The Guardian, but reporters believe the list is “indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.” The news outlets said they would release the names of further individuals who were hacked by Pegasus in the coming days.
NSO Group has repeatedly been accused of violating human rights and selling its software to repressive governments who use it to surveil and target civilians and dissidents. It has been the target of multiple ongoing lawsuits.
WhatsApp is suing NSO Group in US court, accusing it of using the Facebook-owned messaging service to conduct cyber-espionage on journalists, human rights activists, and others. Amnesty International has sued the company in an Israeli court in an attempt to prevent it from selling its technology abroad, especially to repressive regimes.
In 2018, Amnesty claimed one of its employees was targeted by NSO’s malware, saying a hacker tried to break into the staffer’s smartphone using a WhatsApp message about a protest in front of the Saudi Embassy in Washington as bait.
Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, NSO Group is based in Herzliya, near Tel Aviv. It says it employs 600 people in Israel and around the world.