Thirty-seven smartphones of journalists, human rights activists, business executives and two women related to the murdered Saudi journalist Jamal Khashoggi were targeted by ‘military-grade spyware’ Pegasus, licensed by an Israeli company to various governments, according to a Research by a consortium of media organizations, including The Washington Post, published Sunday.
The Washington Post reported Sunday that the phones were “on a list of more than 50,000 numbers that are concentrated in countries known to monitor their citizens” and are known to be clients of the company, NSO Group, whose spyware apparently is licensed to track down terrorists and major criminals.
The newspaper reported that through the investigation, which was also carried out with the help of Amnesty International and Forbidden Stories, a non-profit journalistic organization based in Paris, the media “were able to identify more than 1,000 people in more from 50 countries through investigations and interviews on four continents: various members of the Arab royal family, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials, including cabinet ministers, diplomats and military and security officials. The numbers of various heads of state and prime ministers also appeared on the list.”
The phone numbers of reporters working abroad for Citizen Free Press, Globe Live Media, Voice of America, The New York Times, The Wall Street Journal, Bloomberg News, France’s Le Monde, the UK’s Financial Times and Qatar’s Al Jazeera are among the numbers on the list, which dates back to 2016, according to The Washington Post.
The newspaper did not name the reporters in its article. The newspaper reported that “the list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or monitored”.
Citizen Free Press has not independently verified the findings of the Pegasus Project investigation, which was hosted by Forbidden Stories.
In a lengthy statement to Citizen Free Press on Sunday, the NSO Group flatly denied the investigation’s findings, saying in part that it sells its “technologies solely to vetted government intelligence and law enforcement agencies for the sole purpose of saving lives by preventing crime and terrorist acts”.
“NSO does not operate the system and has no visibility into the data,” the company said, saying it will continue to investigate “all credible claims of misuse and take appropriate action based on the results” of such investigations.
NSO also said its systems “are used every day to crack down on pedophile, sexual and drug trafficking networks, locate missing and abducted children, locate survivors trapped under collapsed buildings, and protect airspace from disruptive penetration by dangerous drones”.
The Washington Post reported that while many of the phone numbers on the list were from the Middle East, including Qatar and the United Arab Emirates, “the highest number was in Mexico, where more than 15,000 numbers, including those for politicians, union representatives, journalists and other critics of the government were on the list.”
Other countries, including India, Pakistan, Azerbaijan, Kazakhstan, France and Hungary, are also represented on the list, according to the newspaper.
The investigation found that “the numbers of about a dozen Americans working abroad were discovered on the list, in all but one case while using phones registered on foreign cellular networks,” the newspaper said. “The consortium was unable to perform forensic analysis on most of these phones.”
The newspaper noted that NSO “has said for years that its product cannot be used to monitor US phones” and added that the investigation “found no evidence of successful penetration of spyware on phones with the US country code”.
The spyware, which was developed a decade ago with the help of former Israeli cyber spies, is designed to easily circumvent typical smartphone privacy measures, “like strong passwords and encryption,” according to The Washington Post, which said it can “attack phones without any warning to users” and “read anything on a device that a user can, while also stealing photos, recordings, location logs, communications, passwords, call logs, and social media posts.”
The newspaper further noted that “spyware can also activate cameras and microphones for real-time surveillance.”
Pegasus spyware can initiate the attack in several different ways, the newspaper said, including through “a malicious link in an SMS text message or an iMessage.”
Some spyware companies use “zero click” attacks, according to the newspaper, that deliver spyware simply by sending a message to the user’s phone that produces no notification. Users don’t even need to touch their phones for infections to start.
In the Khashoggi case, the newspaper said spyware had targeted the two women closest to the late Washington Post journalist, who was murdered in October 2018.
“His fiancée Hatice Cengiz’s phone was infected with success in the days after his murder and (his) wife, Hanan Elatr, whose phone was attacked by someone using Pegasus in the months leading up to his murder. Amnesty could not determine if the attack was successful,” said the daily.
NSO denied in its statement that its technology was used in connection with Khashoggi’s murder, saying that “our technology was not used to eavesdrop, monitor, track or collect information about him or his family members named in the investigation”.
Travis M. Andrews is a features writer for The Washington Post. He joined The Post in 2016 as a reporter for Morning Mix. He was previously a travel and culture editor for Southern Living magazine, a contributing pop culture reporter for Mashable and the Week, and a contributing editor for the Syfy blog Dvice. He also has freelanced for magazines, including Esquire, GQ and Time. He is the author of the coming book “Because He’s Jeff Goldblum,” a semi-rumination and semi-ridiculous look at the career of the enigmatic actor and an exploration of the shifting nature of fame in the 21st century, to be published in November by Plume.