By Jeph Ajobaju, Chief Copy Editor
Tel Aviv has raised a team to investigate allegations about Pegasus developed by NSO Group, an Israeli firm whose software is licensed by governments in more than 50 countries to spy on some 50,000 telephone numbers used by critics and activists.
Those targeted include journalists, politicians, and business executives. Phone numbers used by two Dubai princesses have also been found on the list.
Several journalists from 17 news outlets worked together to expose evidence of industrial-scale spying on people, including Princess Latifa, the daughter of the ruler of Dubai, and Princess Haya Bint al-Hussain, his former wife.
The BBC reports that in February, its Panorama programme broadcast a secret video from Latifa in which she said she was being held as a hostage and feared for her life. Haya meanwhile fled Dubai in 2019 saying she feared for her life.
The UAE has denied the allegations of both women.
Their numbers are apparently on a list of phone numbers of people believed to be of interest to clients of NSO Group, according to the BBC.
The list was leaked to major news outlets.
Dubai princesses as possible targets
The discovery of the princesses’ phone numbers on the list – and those of some acquaintances – has raised questions about whether they could have been the possible target of a government client of the group.
Amnesty International has issued a statement alleging that the find implicates NSO Group “in the catalogue of human rights violations” inflicted on the two women.
It calls for regulation to rein in “an unchecked surveillance industry”.
NSO has denied any wrongdoing.
It says Pegasus is intended for use against criminals and terrorists, and is made available only to military, law enforcement and intelligence agencies with good human rights records.
The original investigation which led to the reports – by Paris-based NGO Forbidden Stories and Amnesty International – was “full of wrong assumptions and uncorroborated theories”, NSO said.
The reports are part of a series of news articles suggesting thousands of prominent people have been targeted.
A senior Israeli official confirmed to the BBC that the Israeli government had set up a team to examine allegations about the Pegasus software.
A tip of the iceberg
CNN reports that the revelations are only just beginning.
The consortium began to publish its findings on July 18. The stories indicate that numerous members of the media were “possible candidates for surveillance,” as The Guardian (UK) put it.
Forensic tests affirmed the presence of spyware on some phones. More will be coming out in the days ahead.
The participating news outlets are dubbing this the “Pegasus Project,” teeing off the name of the spyware, Pegasus, which licensed by NSO Group to track terrorists and major criminals.
How has the spyware been used? Has it been abused? Those are two of the key questions, says CNN.
First things first…
How did this investigation begin? Washington Post executive editor Sally Buzbee explained it in a letter from the editor on July 18.
“The project was conceived by Forbidden Stories, a Paris-based journalism nonprofit, which, along with Amnesty International, a human rights group, had access to records that formed the basis of our reporting: a list of more than 50,000 cellphone numbers concentrated in countries known to surveil their citizens and also known to have been clients of NSO Group,” Buzbee wrote.
“Although the purpose of the list could not be conclusively determined, it is a fascinating document.”
Amnesty’s Security Lab was able to examine 67 smartphones.
“Of those, 23 were successfully infected and 14 showed signs of attempted penetration,” WaPo reported. “For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced.”
WaPo interviewed some of the affected individuals, including Siddharth Varadarajan, co-founder of The Wire, a nonprofit news outlet in India.
“This is an incredible intrusion, and journalists should not have to deal with this,” he said after learning that his phone was infected. “Nobody should have to deal with this.”
WaPo reports that “Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.”
There’s a whole lot of uncertainty associated with this, as Devan Cole noted in a story for CNN.com. But Amnesty’s secretary-general, Agnes Callamard, came out swinging.
“The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling public narrative, resisting scrutiny, and suppressing any dissenting voice,” Callamard said.
WaPo adds that “After the investigation began, several reporters in the consortium learned that they or their family members had been successfully attacked with Pegasus spyware.”
Out in the open…
CNN says it has not independently verified the findings of the Pegasus Project probe.
The 17 participating outlets are Forbidden Stories, The Washington Post, Le Monde, Süddeutsche Zeitung, Die Zeit, The Guardian, Daraj, Direkt36, Le Soir, Knack, Radio France, The Wire, Proceso, Aristegui Noticias, the Organized Crime and Corruption Reporting Project, Haaretz and PBS “Frontline.”
For an overview of the findings thus far, “Frontline” is running a live blog linking to major stories from the other partners.
Here’s the key quote from Dana Priest, one of the bylines on the WaPo report, who is also featured in a “Frontline” report.
“For the first time,” Priest said, “we’ve been able to give readers a sense of just how enormous the private and unregulated spying business has become.
“It’s been a unique, and actually thrilling, experience to work with so many foreign journalists to pool our sources and resources to bring this difficult story out in the open, where it should be.”
Response from NSO Group
Quoting from Devan Cole’s story: “In a lengthy statement to CNN [on July 18], NSO Group strongly denied the investigation’s findings, saying in part that it sells its ‘technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts.'”
NSO Group said it “does not operate the system and has no visibility to the data” and will continue to investigate “all credible claims of misuse and take appropriate action based on the results” of such investigations.
It also said its systems “are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.”
Hacking journalists and activists around the world
The Washing Post reports that 17 smartphones owned by journalists, human rights activists, business executives and two women connected to the slain Saudi journalist Jamal Khashoggi were targeted by Pegagus, a “military-grade spyware”.
Through the investigation, the outlets “were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials – including cabinet ministers, diplomats, and military and security officers.
“The numbers of several heads of state and prime ministers also appeared on the list …. The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled.”
While many of the numbers on the list were in the Middle East, including Qatar and the UAE, “the greatest number was in Mexico, where more than 15,000 numbers, including those belonging to politicians, union representatives, journalists and other government critics, were on the list.”
Other countries, including India, Pakistan, Azerbaijan, Kazakhstan, France and Hungary, are also represented on the list, according to the newspaper.
The investigation found that the “numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks.
“The consortium could not perform forensic analysis on most of these phones.”
The Washington Post noted that NSO “has said for years that its product cannot be used to surveil American phones” and added that the probe “did not find evidence of successful spyware penetration on phones with the US country code.”
Pegasus attacks without warning
The spyware, developed a decade ago with the help of Israeli ex-cyberspies, easily circumvents typical smartphone privacy measures, “like strong passwords and encryption.”
It can “attack phones without any warning to users” and “read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts.
“Spyware also can activate cameras and microphones for real-time surveillance.”
Pegasus can initiate the attack in a number of different ways, the newspaper said, including through “a malicious link in an SMS text message or an iMessage.”
Some spyware companies use “zero-click” attacks which deliver spyware simply by sending a message to a user’s phone that produces no notification.” “Users ” of such attacks “do not even need to touch their phones for infections to begin.”
In the case of Khashoggi, the newspaper said the spyware had targeted the two women closest to the late Washington Post journalist, who was killed in October 2018.
“The phone of his fiancée, Hatice Cengiz, was successfully infected during the days after his murder … and (his) wife, Hanan Elatr, whose phone was targeted by someone using Pegasus in the months before his killing.
“Amnesty was unable to determine whether the hack was successful,” the Post said.
NSO denied in its statement that its technology was used in connection with Khashoggi’s murder, saying “our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in the inquiry.”