WASHINGTON DC, USA: Activists, politicians and journalists from around the world were targeted in a surveillance operation using software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak by The Guardian, the Washington Post and 15 other media outlets.
The reports released on Sunday said “authoritarian governments” abused the Pegasus software, “hacking 37 smartphones,” according to a report by the Washington Post.
According to the Guardian, the leak contains a list of more than 50,000 numbers believed to have been of interest to clients of NSO since 2016.
However, the mention of phone numbers in the leaked data does not necessarily mean that those devices were hacked, it said.
The Washington Post reported numbers on the list also belonged to heads of state and prime ministers, members of Arab royal families, diplomats and politicians, as well as activists and business executives.
The list also included journalists for media organisations around the world including Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El País, the Associated Press, Le Monde, Bloomberg, the Economist, Reuters and Voice of America, the Guardian said.
According to forensic analysis by Amnesty’s Security Lab, two women close to slain Saudi columnist Jamal Khashoggi were targeted with Pegasus spyware, according to the Washington Post newspaper. The phone of Khashoggi’s fiancée, Hatice Cengiz, was infected with the malware days after his murder in the Saudi consulate in Istanbul in October 2018, the paper, for whom Khashoggi wrote, reported.
Pegasus, a sophisticated surveillance tool developed by the Israeli company, infects the user’s smartphone and steals all the phone’s information, including every contact name and phone number, text message, email, Facebook message, everything from Skype, WhatsApp, Viber, WeChat and Telegram.
“The scale is staggering compared with anything we have seen before,” Bill Marczak, a research fellow at cyberspace research group Citizen Lab, said. He noted that a previous expose had uncovered the hacking of about 1,400 numbers.
The latest list did not identify the clients but the reports said many were clustered in 10 countries – Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
“The surveillance industry works under a cloud of darkness – its products are designed to deceive and skirt culpability,” Natalia Krapiva, Tech Legal Counsel at Access Now, said.
“Yet we ask ourselves, ‘how could something like this happen?’ Spyware companies simply cannot be trusted to hold themselves accountable. This story, along with the recent revelations of abuses by Cellebrite and Candiru, is another example of why we urgently need to hold these surveillance companies and the governments that use them up to the light.
“The industry has shown that it is incapable of policing itself and governments are hiding behind national security to excuse these surveillance abuses. We need regulation, transparency, and accountability and we need them now,” she said.
Amnesty International and Forbidden Stories, a Paris-based media non-profit organisation, initially had access to the leak, which they then shared with media organisations from around the world.
The military-grade spyware was reportedly licensed by the Israeli spyware firm NSO Group. The investigation discovered that the hacked phones were on a list of more than 50,000 numbers based in countries known to surveil people.
The list of numbers were shared with the Post and other media organizations by Paris-based journalism non-profit Hidden Stories and human rights group Amnesty International.
NSO Group denied the findings of the report in several statements, arguing that investigation includes “uncorroborated theories” based on “misleading interpretation of leaked data from accessible and overt basic information.”
NSO Group also said it would continue to investigate all credible claims of misuse and take appropriate action.
NSO Group’s Pegasus spyware is licensed to governments around the world and can hack a mobile phone’s data and activate the microphone, according to the report. NSO said the spyware is only used to surveil terrorists and other criminals.