Military-grade spyware leased by an Israeli firm – NSO Group – may have been used by authoritarian governments across the world to hack the cell phones of journalists, lawyers, activists and politicians, new leaked data suggests.
An investigation led by the Paris-based nonprofit Forbidden Stories and Amnesty International, who shared the data with several media partners, has identified 50,000 “people of interest” who may have been targeted with NSO spyware known as Pegasus, which the company says is supposed to be used against criminals and terrorists.
Forbidden Stories called this a “new global weapon to silence journalists” and claims that “at least 180 journalists around the world have been selected as targets by clients of the cyber surveillance company NSO Group”. These include reporters, editors and executives at the Financial Times, CNN, The New York Times, France 24, The Economist, the Associated Press and Reuters.
Among the list were also two women who were close to the murdered Saudi journalist Jamal Khashoggi, the investigations revealed.
And the consortium’s analysis of the leaked data identified at least 10 governments believed to be NSO customers who were entering numbers into a system: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and the United Arab Emirates (UAE).
NSO Group denied that the 50,000 were targeted with Pegasus spyware and said that the investigation published late on Sunday was “full of wrong assumptions and uncorroborated theories”. It did not deny that some of the data was genuine, but said the numbers may have been used by its clients for other purposes.
Pegasus infects iPhones and Android devices without the user knowing that the spyware has been installed – it can be installed without a click – and helps secretly activate the phone’s microphone, extracts messages, photos, emails and call log details.
A specific number’s presence on the list of 50,000 does not necessarily reveal “whether a device was infected with Pegasus or subject to an attempted hack”, noted the Guardian, one of the media partners given access to the leaked list. However, it added, “the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts”.
The consortium sought to verify the list by contacting a number of those involved and running forensic checks on their phones. Amnesty International Security Lab’s forensic analyses found results that were “consistent with past analyses of journalists targeted through NSO’s spyware, including the dozens of journalists allegedly hacked in the UAE and Saudi Arabia and identified by Citizen Lab in December of last year”.
Claudio Guarnieri, director of Amnesty International’s Security Lab, said: “There are a bunch of different pieces, essentially, and they all fit together very well. There’s no doubt in my mind that what we’re looking at is Pegasus because the characteristics are very distinct and all of the traces that we see confirm each other.”
In India, the investigation revealed that at least 40 Indian journalists as well as opposition leaders, two serving government ministers and a sitting Supreme Court justice were selected as targets of an NSO client “that appears to be the Indian government,” according to the analysis of the leaked data.
The Indian government issued a lengthy statement on Sunday in which it neither confirmed nor denied being a client of NSO Group, but rejected the suggestion that it had ever illegally intercepted data and called the right to privacy “a fundamental right”. “The allegations regarding government surveillance on specific people have no concrete basis or truth associated with it whatsoever,” it said.
According to NSO Group’s Transparency and Responsibility report, released in June 2021, the company has 60 clients in 40 countries around the world. And the company maintains that Pegasus is “not a mass surveillance technology, and only collects data from the mobile devices of specific individuals, suspected to be involved in serious crime and terror”.
The consortium said it would publish more details of the identities of individuals whose numbers were included on the leaked list in the coming days.