Private Israeli spyware used to hack cellphones of journalists, activists worldwide

• NSO Group’s Pegasus spyware, licensed to governments around the globe, can infect phones without a click

Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners.

The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of the Israeli firm, NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.

The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled.

But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.

Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group, had access to the list and shared it with the news organizations, which did further research and analysis.

Amnesty’s Security Lab did the forensic analyses on the smartphones.

The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers.

The numbers of several heads of state and prime ministers also appeared on the list.

Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.

The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals.

The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.

The media consortium, titled the Pegasus Project, analyzed the list through interviews and forensic analysis of the phones, and by comparing details with previously reported information about NSO.

Amnesty’s Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.

For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced.

Fifteen of the phones were Android devices, none of which showed evidence of successful infection.

However, unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

Amnesty shared backup copies of data on four iPhones with Citizen Lab, which confirmed that they showed signs of Pegasus infection. Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus, also conducted a peer review of Amnesty’s forensic methods and found them to be sound.

In lengthy responses before publication, NSO called the investigation’s findings exaggerated and baseless.

It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.

After publication, NSO chief executive Shalev Hulio expressed concern in a phone interview with The Post about some of the details he had read in Pegasus Project stories Sunday, while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.

“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”

He said that in the past 12 months NSO had terminated two contracts over allegations of human rights abuses, but he declined to name the countries involved.

“Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation.”

NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations.

The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.

Forbidden Stories organized the media consortium’s investigation, and Amnesty provided analysis and technical support but had no editorial input. Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked.

After the investigation began, several reporters in the consortium learned that they or their family members had been successfully attacked with Pegasus spyware.

More than 50,000 smartphone numbers appear on a list of phones concentrated in countries known to engage in surveillance on their citizens and also known to have been clients of NSO Group, an Israeli firm that is a worldwide leader in cybersurveillance. The numbers span more than 50 countries around the globe.

The greatest number was in Mexico, where more than 15,000 numbers, including those belonging to politicians, union representatives, journalists and other government critics, were on the list.

A large share of numbers were in the Middle East, including in Qatar, the UAE, Bahrain and Yemen. The UAE, Saudi Arabia and Bahrain are reported to be among NSO clients.

In India, the numbers of phones belonging to hundreds of journalists, activists, opposition politicians, government officials and business executives were on the list, as were numbers in several other countries in the region, including Azerbaijan, Kazakhstan and Pakistan.

More than 1,000 French numbers were on the list. In Hungary, numbers associated with at least two media magnates were among hundreds on the list, and the phones of two working journalists were targeted and infected, forensic analysis showed.

Beyond the personal intrusions made possible by smartphone surveillance, the widespread use of spyware has emerged as a leading threat to democracies worldwide, critics say. Journalists under surveillance cannot safely gather sensitive news without endangering themselves and their sources. Opposition politicians cannot plot their campaign strategies without those in power anticipating their moves.

Human rights workers cannot work with vulnerable people — some of whom are victims of their own governments — without exposing them to renewed abuse.

▪︎Read key takeaways from the Pegasus Project

For example, Amnesty’s forensics found evidence that Pegasus was targeted at the two women closest to Saudi columnist Khashoggi, who wrote for The Post’s Opinions section. The phone of his fiancee, Hatice Cengiz, was successfully infected during the days after his murder in Turkey on Oct. 2, 2018, according to a forensic analysis by Amnesty’s Security Lab.

Also on the list were the numbers of two Turkish officials involved in investigating his dismemberment by a Saudi hit team. Khashoggi also had a wife, Hanan Elatr, whose phone was targeted by someone using Pegasus in the months before his killing. Amnesty was unable to determine whether the hack was successful.

“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. …

There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”

In response to detailed questions from the consortium before publication, NSO said in a statement that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children.

“Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” NSO said. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”

The company denied that its technology was used against Khashoggi, or his relatives or associates.

“As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi. This includes listening, monitoring, tracking, or collecting information. We previously investigated this claim, immediately after the heinous murder, which again, is being made without validation.”

Thomas Clare, a libel attorney hired by NSO, said that the consortium had “apparently misinterpreted and mischaracterized crucial source data on which it relied” and that its reporting contained flawed assumptions and factual errors.

“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes,” Clare wrote.

In response to follow-up questions, NSO called the 50,000 number “exaggerated” and said it was far too large to represent numbers targeted by its clients. Based on the questions it was being asked, NSO said, it had reason to believe that the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies.”

The term HLR, or Home Location Register, refers to a database that is essential to operating cellular phone networks. Such registers keep records on the networks of cellphone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. HLR lookup services operate on the SS7 system that cellular carriers use to communicate with each other. The services can be used as a step toward spying on targets.

Telecommunications security expert Karsten Nohl, chief scientist for Security Research Labs in Berlin, said that he does not have direct knowledge of NSO’s systems but that HLR lookups and other SS7 queries are widely and inexpensively used by the surveillance industry — often for just tens of thousands of dollars a year.

“It’s not difficult to get that access. Given the resources of NSO, it’d be crazy to assume that they don’t have SS7 access from at least a dozen countries,” Nohl said.

“From a dozen countries, you can spy on the rest of the world.”

Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills.

The Israeli Defence Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.

“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defence establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”

The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.

“We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said in its statement. “It is technologically impossible and reaffirms the fact your sources’ claims have no merit.”

▪︎How Pegasus works

Target: Someone sends what’s known as a trap link to a smartphone that persuades the victim to tap and activate — or activates itself without any input, as in the most sophisticated “zero-click” hacks.

Infect: The spyware captures and copies the phone’s most basic functions, NSO marketing materials show, recording from the cameras and microphone and collecting location data, call logs and contacts.

Track: The implant secretly reports that information to an operative who can use it to map out sensitive details of the victim’s life.
Read more about why it’s hard to protect yourself from hacks.

Apple and other smartphone manufacturers are years into a cat-and-mouse game with NSO and other spyware makers.

“Apple unequivocally condemns cyberattacks against journalists, human rights activists and others seeking to make the world a better place,” said Ivan Krstić, head of Apple Security Engineering and Architecture. “For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market.

Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO’s ability to adapt to countermeasures.

Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts.

Spyware also can activate cameras and microphones for real-time surveillance.

“There is just nothing from an encryption standpoint to protect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.

That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. “Primarily I’m here just to keep the death count,” he said.

The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call “zero-click” attacks, which deliver spyware simply by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.

Many countries have laws pertaining to traditional wiretapping and interception of communications, but few have effective safeguards against deeper intrusions made possible by hacking into smartphones. “This is more devious in a sense because it really is no longer about intercepting communications and overhearing conversation. …

This covers all of them and goes way beyond that,” Guarnieri said. “It has raised a lot of questions from not only human rights, but even national constitutional laws as to is this even legal?”

Clare, NSO’s attorney, attacked the forensic examinations as “a compilation of speculative and baseless assumptions” built on assumptions based on earlier reports. He also said, “NSO does not have insight into the specific intelligence activities of its customers.”

The Pegasus Project’s findings are similar to previous discoveries by Amnesty, Citizen Lab and news organizations worldwide, but the new reporting offers a detailed view of the personal consequences and scale of surveillance and its abuses.

The consortium analyzed the list and found clusters of numbers with similar country codes and geographical focus that align with previous reporting and additional research about NSO clients overseas. For example, Mexico has been previously identified in published reports and documents as an NSO client, and entries on the list are clustered by Mexican country code, area code and geography. In several cases, clusters also contained numbers from other countries.

In response to questions from reporters,
spokespeople for the countries with clusters either denied Pegasus was used or denied that their country had abused their powers of surveillance.

Hungarian Prime Minister Viktor Orban’s office said any surveillance carried out by that nation is done in accordance with the law. (The Washington Post)