Political dissidents, human rights activists and journalists are being spied on by malware sold to authoritarian regimes, a media investigation has revealed.
The “Pegasus” probe is based on a list of more than 50,000 mobile phone numbers believed to be targeted by the malware from the Israel-based NSO Group. The list was leaked to the Paris-based nonprofit Forbidden Stories and human rights group Amnesty International.
The military-grade malware infects phones, allowing the operator to access messages, photos, emails, and location data as well as surreptitiously control the device’s microphones and cameras.
A consortium of 16 media organisations were able to identify more than 1,000 individuals in 50 countries who were allegedly selected for potential surveillance by NSO clients.
‘A tool to intimidate’
These include more than 600 politicians and officials, dozens of business executives and human rights activists, several heads of state and over 180 journalists, including Cecilio Pineda, a Mexican journalist who extensively covered crime, social issues and corruption. He was shot dead in March 2017.
Journalists working for The Associated Press, Reuters, CNN, The Wall Street Journal, Le Monde and The Financial Times also featured on the list. At least five Hungarian journalists are also believed to have been spied on by the authorities.
People close to Jamal Khashoggi, the Saudi Washington Post columnist brutally murdered at the Saudi embassy in Istanbul in October 2018, are also on the list. They include his fiancée, Hatice Elatr, his son, Abdullah, and wife, Hanan Elatr.
“The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril,” Agnes Callamard, Secretary General of Amnesty International, said in a statement.
“The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling the public narrative, resisting scrutiny, and suppressing any dissenting voice,” she added.
Numbers mostly from Middle East and Mexico
NSO Group denied that it has ever maintained “a list of potential, past or existing targets.” In a separate statement, it called the Forbidden Stories report “full of wrong assumptions and uncorroborated theories.”
The company reiterated its claims that it only sells to “vetted government agencies” for use against terrorists and major criminals and that it has no visibility into its customers’ data. Critics call those claims dishonest — and have provided evidence that NSO directly manages the high-tech spying. They say the repeated abuse of Pegasus spyware highlights the nearly complete lack of regulation of the private global surveillance industry.
The source of the leak — and how it was authenticated — was not disclosed. While a phone number’s presence in the data does not mean an attempt was made to hack a device, the consortium said it believed the data indicated potential targets of NSO’s government clients.
The most numbers on the list, 15,000, were for Mexican phones, with a large share in the Middle East. NSO Group’s spyware has been implicated in targeted surveillance chiefly in the Middle East and Mexico. Saudi Arabia is reported to be among NSO clients. Also on the lists were phones in countries including France, Hungary, India, Azerbaijan, Kazakhstan and Pakistan.
NSO targeted by lawsuits
The consortium’s “Pegasus Project” reporting bolsters accusations that not just autocratic regimes but democratic governments, including India and Mexico, have used NSO Group’s Pegasus spyware for political ends.
In 2019, WhatsApp and its parent company Facebook sued NSO Group in U.S. federal court in San Francisco, accusing it of exploiting a flaw in the popular encrypted messaging service to target — with missed calls alone — some 1,400 users. NSO Group denies the accusations.
The Israeli company was sued the previous year in Israel and Cyprus, both countries from which it exports products. The plaintiffs include Al-Jazeera journalists, as well as other Qatari, Mexican and Saudi journalists and activists who say the company’s spyware was used to hack them.
NSO Group also denies involvement in elaborate undercover operations uncovered by The AP in 2019 in which shadowy operatives targeted NSO critics including a Citizen Lab researcher to try to discredit them.
Last year, an Israeli court dismissed an Amnesty International lawsuit seeking to strip NSO of its export license, citing insufficient evidence.
NSO Group is far from the only merchant of commercial spyware. But its behavior has drawn the most attention, and critics say that is with good reason.