A leaked list of over 50,000 phone numbers is believed to include targets marked by clients of Israeli surveillance firm NSO Group for hacking. Some of the phones were reportedly infected with its flagship malware, Pegasus.
Among the people presumed to be selected for digital surveillance are “hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers,” The Guardian reported. It also includes “close family members of one country’s ruler, suggesting the ruler may have instructed their intelligence agencies to explore the possibility of monitoring their own relatives.”
The bombshell allegations came on Sunday from members of a collective of 17 media organizations, which includes the British newspaper, based on their investigation of a leak obtained by the French outlet Forbidden Stories and the human rights group Amnesty International.
Amnesty’s Security Lab conducted a forensic analysis of some of the phones on the list, which was peer-reviewed by Citizen Lab, a group at Toronto University that has been tracking suspected cases of Pegasus infections for years. Of the 67 smartphones analyzed, evidence of successful infection was found on 23 and evidence of attempted infiltration on 14.
NSO Group disputed the conclusions of the journalistic consortium, saying that the claims that its clients often used Pegasus to spy on anyone except legitimate targets of counter-terrorism operations and investigations of serious crime, as demanded by contracts, were “false.” It called the 50,000 figure “exaggerated” and said that the accusation was based on a “misleading interpretation of leaked data.”
In particular, the Israeli firm rejected that its malware was in any way implicated in the assassination of Jamal Khashoggi, a self-exiled columnist for the Washington Post, who was killed at a Saudi consulate in Istanbul in October 2018 in what many believe was a government-sponsored murder. Riyadh blamed it on a rogue group of security agents, who were tried and sentenced for the killing. The phone of Khashoggi’s fiancee was penetrated by Pegasus just four days before his death, while the phones of his son, other family members, friends, and coworkers were found on the presumed list of targets, the investigators said.
NSO Group said that its “technology was not associated in any way with the heinous murder” of Khashoggi and was not used to “listen, monitor, track, or collect information regarding him or his family members” mentioned in an inquiry sent to the company.
Pegasus is a software suite designed to remotely take control of phones running on Android and iOS operating systems. It gives access to content on the infected device, including communications made through encrypted messengers, and can secretly turn on the microphone and cameras of the device or monitor GPS data for real-time location tracking.
Far from every number on the list was actually attacked. A source told investigators that the average number of targets per customer was 112 and that the company had 45 customers for its Pegasus spyware, corroborating the NSO Group’s assessment of the 50,000 figure. Some numbers were landlines that could not be infected by Pegasus at all.
There has long been speculation that government clients were using the powerful hacking tool for nefarious purposes, like cracking down on dissenters or harassing investigative journalists. NSO Group says it has guardrails against such abuse, including the strict terms of its contracts, a rigid vetting process that involves export licensing by the Israeli government, and internal investigations of all credible reports of misuse. The investigators say the leaked list and the forensic analysis confirms that “some NSO clients are breaching their contracts with the company.”
The suspected hacking ‘wishlist’ reportedly goes back to 2016 and consists of entries selected by NSO Group clients in 10 countries, including Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates (UAE). Clients in Mexico selected the most numbers – more than 15,000 – followed by Morocco and the UAE, each with more than 10,000 numbers.
The investigators promised a number of publications based on their analysis to be released in the coming weeks. On Sunday, The Guardian also printed a look at journalists on the list, an expose of alleged use of Pegasus by the Hungarian government, and a story about Mexican investigative journalist Cecilio Pineda Birto.
Birto’s March 2017 murder was long alleged to be linked to a Pegasus surveillance operation. His phone number was also among the presumed hacking targets. The software location-tracking features may have helped his killers to find him, investigators suspect.
If you like this story, share it with a friend!