An Israeli firm accused of supplying spyware to governments has been linked to a list of tens of thousands of smartphone numbers, including those of activists, journalists, business executives and politicians around the world, according to reports.
The NSO Group and its Pegasus malware – capable of switching on a phone’s camera or microphone, and harvesting its data – have been in the headlines since 2016, when researchers accused it of helping spy on a dissident in the United Arab Emirates.
Sunday’s revelations – part of a collaborative investigation by The Washington Post, The Guardian, Le Monde and other media outlets – raise privacy concerns and reveal the far-reaching extent to which the private firm’s software could be misused.
France said Monday it was outraged over allegations that Morocco's intelligence services used Israeli malware to spy on dozens of French journalists, calling revelations in the media "extremely shocking".
The investigation showed Morocco among a dozen countries that used the software Pegasus, with Rabat allegedly spying on critics of the kingdom both in Morocco and in former colonial power France.
"These are extremely shocking acts and, if proven, are extremely serious," government spokesman Gabriel Attal told French public radio.
“We are extremely attached to freedom of the press, so it’s very serious if there were manipulations aiming to undermine the freedom of journalists, their freedom to investigate, to inform,” he said.
Among those targeted was the French investigative news site Mediapart and the satirical weekly Le Canard enchaîné, both of which have reported on rights abuses in Morocco.
They announced on Monday that they planned to file criminal complaints over the alleged intrusions.
"The spying on my phone and that of my colleague @LenaBred leads directly to the Moroccan intelligence services, as part of the crackdown on independent journalism and social movements," Mediapart's founder Edwy Plenel tweeted.
Attal said France was "extremely attached to press freedom" and that any attempt to curtain journalists' freedom to report the news was "very serious".
"There will of course be investigations and explanations will be requested," he said.
Earlier this week, the Indian government – which in 2019 denied using the malware to spy on its citizens, following a lawsuit – reiterated that “allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever.”
The Post said a forensic analysis of 37 of the smartphones on the list showed there had been “attempted and successful” hacks of the devices, including those of two women close to Saudi journalist Jamal Khashoggi, who was murdered in 2018 by a Saudi hit squad.
Among the numbers on the list are those of journalists for Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, El Pais, the Associated Press, Le Monde, Bloomberg, The Economist, and Reuters, The Guardian said.
The use of the Pegasus software to hack the phones of Al Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research center at the University of Toronto, and Amnesty International.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty originally shared the leak with the newspapers.
The Post said the numbers on the list were unattributed, but other media outlets participating in the project were able to identify more than 1,000 people in more than 50 countries.
They included several members of Arab royal families, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials–including heads of state, prime ministers and cabinet ministers.
Many numbers on the list were clustered in 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
Pegasus is a highly invasive tool that can switch on a target’s phone camera and microphone, as well as access data on the device, effectively turning a phone into a pocket spy. In some cases, it can be installed without the need to trick a user into initiating a download.
NSO issued a denial on Sunday that focused on the report by Forbidden Stories, calling it “full of wrong assumptions and uncorroborated theories,” and threatening a defamation lawsuit.
“We firmly deny the false allegations made in their report,” NSO said.
It said it was “not associated in any way” with the Khashoggi murder, adding that it sells “solely to law enforcement and intelligence agencies of vetted governments”.
Roughly three dozen journalists at Qatar’s Al-Jazeera network had their phones targeted by Pegasus malware, Citizen Lab reported in December, while Amnesty said in June the software was used by Moroccan authorities on the cellphone of Omar Radi, a journalist convicted over a social media post.
Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, NSO Group is based in the Israeli hi-tech hub of Herzliya, near Tel Aviv.
(FRANCE 24 with AFP)