Activists, journalists and politicians around the world have been spied on using cellphone malware developed by a private Israeli firm, it...
Activists, journalists and politicians around the world have been spied on using cellphone malware developed by a private Israeli firm, it emerged Sunday, igniting fears of widespread privacy and rights abuses.
The use of the software, called Pegasus and developed by Israel's NSO group, was exposed in a data leak containing 50,000 phone numbers that belong to people targeted by NSO's clients since 2016.
Among those clients are some of the world's most-repressive government regimes, including Hungary, Saudi Arabia, and Morocco.
One of those targeted was Hanan Elatr, the wife of Saudi-born Washington Post journalist Jamal Khashoggi, who was murdered by a Saudi hit squad in 2018.
Her phone - as well as that of a second female associate - was allegedly targeted before his death. The leak appeared to confirm Saudi involvement in the murder.
Another key figure on the list was Roula Khalaf, who became the Financial Times' first female editor last year, and according to The Guardian was selected as a potential target throughout 2018.
Analysis of the data suggests Khalaf's phone was selected as a possible target by the United Arab Emirates (UAE) while she was deputy editor at the Financial Times.
One of those targeted was Hanan Elatr, the wife of Saudi-born Washington Post journalist Jamal Khashoggi (pictured together before Khashoggi was assassinated inside the Saudi consulate in Istanbul on October 2, 2018)
Roula Khalaf (pictured), who became the Financial Times' first female editor last year, was selected as a potential target throughout 2018. Analysis of the data suggests Khalaf's phone was selected as a possible target by the United Arab Emirates (UAE) while she was deputy editor at the Financial Times
The data was initially leaked to human rights group Amnesty and not-for-profit group Forbidden Stories, which helps promote the work of persecuted reporters.
It was then shared with a consortium of other newspapers, including the likes of the Washington Post whose journalists were targeted.
If a number appears on the leaked list, then it means that phone was targeted for hacking - though it cannot be conclusively proved whether the hack was successful.
However, Amnesty did confirm that at least 15 people on the list were successfully hacked after they handed over their phones to the group to be examined.
Among those confirmed cases were Siddharth Varadarajan and Paranjoy Guha Thakurta, of Indian news site Wire, who have worked on stories about the Indian government spreading disinformation online.
Omar Radi, a Moroccan journalist who has published repeated exposes of government corruption, was also among those successfully hacked.
The data also shows that the phone of Mexican freelance journalist Cecilio Pineda Birto was also selected a month before he was murdered by gun-wielding attackers at a car wash. His phone was never found and it was not clear if it had been hacked.
Another was award-winning Azerbaijani investigative journalist Khadija Ismayilova, who was confirmed to have been hacked in 2019.
For years, she has reported on a network of corruption surrounding president Ilham Aliyev who has ruled since 2003.
As a result of her work, she has long been the target of a harassment and intimidation which has included a hidden camera being installed in her home and a 2014 arrest on alleged tax evasion and 'illegal business' offences.
'I feel guilty for the sources who sent me [information], thinking that some encrypted messaging ways are secure. They did it and they didn't know my phone was infected,' Ismayilova told The Guardian.
'My family members are also victimised, people I've been working with. People who told me their private secrets are victimised. It's not just me.'
Devices that are successfully hacked by Pegasus are effectively turned into 24-hour monitoring devices, allowing whoever sent the virus to keep constant tabs on them.
Hackers are given full access to all the phone's data, including previous text messages and contact lists, along with stored audio, video and photo files.
They are able to take over the phone's camera to record video, turn on the microphone to record audio, and can record any new calls made or received.
Hackers can even access the phone's location data to see where the owner has been and potentially who they met with. \
The revelations also appeared to confirm Saudi Arabia's involvement in the murder of Khashoggi, who until his killing in 2018 was a Saudi Arabian journalist, author, columnist for The Washington Post and critic of the Saudi regime, an NSO client.
Based on leaked data and forensic analysis of phones, media outlets have found new evidence that the shows the company's spyware was use in an attempt to monitor people close to the journalist before and after his death.
In one instance, a person close to Khashoggi was hacked four hays after his murder, according to forensic analysis of her device confirmed by multiple organisations.
The investigation suggests Saudi Arabia and its close ally the UAE attempted to use NSO's technology to after Khashoggi's death to monitor both his known associates and the Turkish investigation into his murder.
The phone of Istanbul's chief prosecutor was even selected for possible surveillance.
Intelligence agencies in the US have already confirmed that Saudi crown prince, Mohammed bin Salman was responsible for ordering the murder of Khashoggi.
Among the numbers on the list are journalists for media organisations around the world including Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El PaÃs, the Associated Press, Le Monde, Bloomberg, the Economist, Reuters and Voice of America.
The use of the software to hack the phones of Al-Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research centre at the University of Toronto, and Amnesty International.
The Washington Post said numbers on the list also belonged to heads of state and prime ministers, members of Arab royal families, diplomats and politicians, as well as activists and business executives.
The list did not identify which clients had entered the numbers on it. But the reports said many were clustered in 10 countries - Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
The Guardian wrote that the investigation suggests 'widespread and continuing abuse' of Pegasus, which NSO says is intended for use against criminals and terrorists.
A successful Pegasus hack would given NSO customers full access to all data stored on the targeted device.
By hacking a journalist's phone, for example, the customer could view their confidential sources, their address book, listen to their calls, track their movements precisely and even record their conversation by remotely activating the microphone.
Varadarajan, who was hacked in 2018 while he was investigating how the Hindu nationalist government of Narendra Modi was using Facebook to spread disinformation among Indian citizens, told The Guardian he felt 'violated'.
The phone number of Indian Journalist Siddharth Varadarajan, pictured in 2020, was among those on the Pegasus list. Varadarajan and Paranjoy Guha Thakurta, of Indian news site Wire, have worked on stories about the Indian government spreading disinformation online
Azerbaijani investigative journalist Khadija Ismayilova was confirmed to have been hacked in 2019. She has reported on a network of corruption surrounding president Ilham Aliyev who has ruled since 2003
Mexican freelance journalist Cecilio Pineda Birto (pictured) was also selected a month before he was murdered by gun-wielding attackers at a car wash in 2017. His phone was never found and it was not clear if it had been hacked
'This is an incredible intrusion and journalists should not have to deal with this,' he said. 'Nobody should have to deal with this, but in particular journalists and those who are in some way working for the public interest.'
Also included on the leaked records was a UK-based phone number belonging to American investigative journalist Bradley Hope, who at the time of his number being selected was working for the Wall Street Journal.
In 2018, Hope and his colleague Tim Wright contacted parties that would be named in their book about the 1MDB corruption scandal involving theft of $4.5bn from the state of Malaysia.
The released Pegasus records show that around the same time, one of NSO's government clients began selecting Hope's phone as a potential surveillance target, with his number being included on the list until the spring of 2019.
'I think probably the number one thing that anyone targeting my phone would want to know is: who are my sources?' Hope said to The Guardian. 'They would want to know who it is that is providing this insight.'
Since then, Hope said that he regularly changes his mobile device, updates the operating system, and does not take his phone into high-risk countries such as the UAE, believed to be the government that selected him as a target.
Amnesty International and Forbidden Stories, a Paris-based media non-profit organisation, initially had access to the leak, which they then shared with media organisations.
NSO, a leader in the growing and largely unregulated private spyware industry, has previously pledged to police for abuses of its software.
It called the allegations exaggerated and baseless, according to The Washington Post, and would not confirm its clients' identities.
Citizen Lab reported in December that dozens of journalists at Qatar's Al-Jazeera network had their mobile communications intercepted by sophisticated electronic surveillance.
Amnesty International reported in June of last year that Moroccan authorities used NSO's Pegasus software to insert spyware onto the cellphone of Omar Radi, a journalist convicted over a social media post.
No comments