Cyber surveillance weapon used to target journalists, activists
Military-grade spyware, sold by an Israeli firm called NSO Group to governments for tracking terrorists and criminals, has been used to facilitate human rights violations around the world on a massive scale.
This was revealed by a major investigation led by the Paris-based journalism non-profit Forbidden Stories and Amnesty International, which probed an “unprecedented leak” of over than 50 000 phone numbers chosen for surveillance by customers of the NSO Group, along with more than 17 media partners, including The Wire, Le Monde, The Guardian, Washington Post, Die Zeit and Suddeutsche Zeitung.
The investigation suggests ongoing and extensive abuse of the spyware named Pegasus, which NSO insists is only meant to be used against criminals and terrorists.
Pegasus is malware that infects iPhones and Android devices, allowing its operators to gain full control of the device, including extracting messages, photos and e-mails, as well as recording calls and activating microphones without the owner’s knowledge.
Forbidden Stories and Amnesty International shared the list with media partners as part of the Pegasus Project.
“The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril,” says Agnès Callamard, secretary general of Amnesty International.
Those on the list have been identified as people of interest by clients of NSO as far back as 2016, spanning more than 45 countries across four continents.
Forensic analysis of a small percentage of phones whose numbers appeared on the list also revealed that more than half contained traces of the Pegasus spyware.
In the days to come, the media partners say they intend to reveal the identities of individuals whose numbers appeared on the list, which, according to The Guardian, includes hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers.
Also on the list were over 180 journalists from the Financial Times, CNN, The New York Times, France 24, The Economist, Associated Press and Reuters.
In addition, the investigation revealed the hacking tool was used to spy on Hatice Cengiz, the fiancée of murdered Saudi journalist Jamal Khashoggi. A video published by Frontline, an investigative journalism Web site, shows how the tool was found on her phone, and is evidence that it was used to target one of the people closest to Khashoggi around the time of his death.
Without a forensic examination of the mobile devices in question, it cannot be confirmed whether they were successfully hacked.
In statements issued by its legal representatives, the NSO Group insists it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”.
It strongly denied “false claims” made about the activities of its clients, but said it would “continue to investigate all credible claims of misuse and take appropriate action”. It also said the list could not be a list of numbers “targeted by governments using Pegasus”, and called the 50 000 figure “exaggerated”.
Ilia Kolochenko, founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, says attack attribution in the cases reported is incredibly complex and unreliable.
Firstly, legitimate end-customers could have shared the cyber tool with their foreign partners in exchange for valuable data, zero-day exploits or sophisticated spyware, which is a widespread practice.
“Security teams in charge of such data and intelligence sharing are not necessarily experts in human rights protection and may negligently or unknowingly share the software with some grey- or even black-listed jurisdictions,” he adds.
In addition, Kolochenko says individual security analysts, who are employed by the trusted countries, may occasionally break internal rules and unlawfully share the spyware with unauthorised third-parties, as anti-insider security controls have low technical efficiency in such environments.
“Finally, legitimate end-customers could have been hacked and compromised, eventually exposing access to the software to unauthorised threat actors.”
Either way, he says legal action against NSO is more than likely futile, and any media hype around the alleged incident gives the company publicity.