An investigation by a Paris-based non-profit and Amnesty International uncovered military-grade spyware licensed by an Israeli tech firm that was used to tap cell phones of journalists, human rights defenders, national leaders, and even kings across the world.
The software, called Pegasus, created by Israel’s NSO Group, was uncovered by Forbidden Stories, a French investigative journalist team who found more than 50,000 global phone numbers across 50 countries had been targeted by the spyware as it quietly observed every conversation and user action on its victims’ devices since at least 2016.
The investigation, dubbed the Pegasus Project, found the spyware has been using multiple high-level zero-day exploits to install itself on devices with neither the user’s knowledge nor consent. “Once installed, it allows clients to take complete control of the device, including accessing messages from encrypted messaging apps like WhatsApp and Signal, and turning on the microphone and camera,” reads the report.
The Project notes that while NSO Group claims the spyware is licensed only to government clients for the express purposes of collecting data “from the mobile devices of specific individuals, suspected to be involved in serious crime and terror,” devices belonging to people from many high-level walks of life, such as journalists, doctors, lawyers, academics, and union leaders, were infected and being actively observed by NSO Group’s clients.
A journalistic silencer
The Project found some of its own colleagues and journalists it had collaborated with on previous projects were on the list, along with hundreds of other investigative reporters around the world. Project Pegasus summed up the concern succinctly: “For NSO Group’s government clients, Pegasus is the perfect weapon to ‘kill the story’. Invasive surveillance of journalists and activists is not simply an attack on those individuals – it is a way to deprive millions of citizens of independent information about their own governments.”
“When they hack a journalist’s phone, they are able to extract the most sensitive information that it holds. What was that journalist working on? Who are their sources? Where are they stashing their documents? Who are their loved ones? What private information could be used to blackmail and defame them?”
The Project met with many of the victims found in the leak and analyzed their devices in conjunction with Amnesty International’s Security Lab. The findings were peer reviewed by Canada’s Citizen Lab and uncovered an ever-evolving array of methodologies used to install the spyware on a target’s device, even on the newest and most highly patched iPhones.
Khadija Ismayilova, an Azerbaijani investigative reporter who was tracked by Pegasus for more than three years, told Forbidden Stories, “We’ve been recommending each other this tool or that tool, how to keep [our phones] more and more secure from the eyes of the government.”
“And yesterday I realized that there is no way. Unless you lock yourself in [an] iron tent, there is no way that they will not interfere into your communications.”
“I feel guilty for the messages I’ve sent. I feel guilty for the sources who sent me [information] thinking that some encrypted messaging ways are secure and they didn’t know that my phone is infected,” said Ismayilova.
Israeli state-sanctioned spycraft
The Project commented on the nature of the entities licensing NSO’s Pegasus: “The project shines a harsh light on the business of NSO Group, which, despite claiming it vets its clients based on their human rights track records, decided to sell its product to authoritarian regimes such as Azerbaijan, the United Arab Emirates and Saudi Arabia.”
“Insiders disclosed the important role played by the Israeli Ministry of Defense when it came to picking NSO Group’s clients. Multiple sources corroborated the fact that Israeli authorities pushed for Saudi Arabia to be added to the list of customers despite NSO Group’s hesitations.”
NSO Group vehemently denied any wrongdoing.
On July 20, The Washington Post found multiple Presidents, Prime Ministers, and former Prime Ministers were among the 50,000 numbers surveilled by Pegasus’s licensees.
The list is comprised of six sitting Presidents and Prime Ministers:
- France’s Emmanuel Macron
- Iraq’s Barham Salih
- South Africa’s Cyril Ramaphosa
- Pakistan’s Imran Khan
- Egypt’s Mostafa Madbouly
- Morocco’s Saad-Eddine El Othmani.
Seven former Prime Ministers, who were infected while they were still in power:
- Yemen’s Ahmed Obeid bin Daghr
- Lebanon’s Saad Hariri
- Uganda’s Ruhakana Rugunda
- France’s Édouard Philippe
- Kazakhstan’s Bakytzhan Sagintayev
- Algeria’s Noureddine Bedoui
- Belgium’s Charles Michel.
And even a King:
- Morocco’s Mohammed VI.
The Post explained how it ascertained the veracity of the list: “The Post and its partner news organizations in 10 countries confirmed the ownership of these numbers and others cited in this article through public records, journalists’ contact books and queries to government officials or other close associates of the potential targets — though in some cases it was not possible to determine whether the phone numbers were active ones or former ones. The Post confirmed five of the numbers itself. The rest were confirmed by its partners.”
On July 19, The Guardian found more than 15,000 judges, politicians, activists, and teachers in Mexico, a North American distribution hub for Chinese-made fentanyl whose notoriously violent cartels are now closely linked with the Chinese Communist Party’s Triad mafia, were also infected with the surveillance tool.
The report states the Mexican government was NSO Group’s first client. Mexican targets are the number one group in the Project Pegasus dataset.
More than governments
On July 22, The Guardian found the Dalai Lama’s inner circle was compromised. The outlet said the culprit was India, rather than the Chinese Communist Party, relying on comments from an unnamed “former staffer with the Tibetan administration” who said, “India wants to make sure that Tibetans don’t strike a deal with the Chinese that involves the Dalai Lama going back to Tibet.”
“The Dalai Lama himself has said several times that he maintains connections to the Chinese leadership through ‘old friends’…India is very aware of this and they want to make sure that no deals are made without their knowing or involvement.”
The Washington Post also found a phone number confirmed to belong to a former staffer of World Health Organization leader Tedros Adhanom, while on July 21, in a separate article, The Guardian found Telegram founder Pavel Durov, a Russian billionaire, included in the database.
In both cases, NSO Group denied the figures were targets of entities licensing Pegasus while vigorously attacking the credibility of both Forbidden Stories’ and Amnesty’s findings and forensic methodologies.
On July 22, Amnesty International published a statement affirming the veracity of its forensic analysis and its database: “Amnesty International categorically stands by the findings of the Pegasus Project, and that the data is irrefutably linked to potential targets of NSO Group’s Pegasus spyware.”
“The false rumours being pushed on social media are intended to distract from the widespread unlawful targeting of journalists, activists and others that the Pegasus Project has revealed.”