Human rights activists, journalists, and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak, the Guardian reported.
The consortium’s analysis of the leaked data identified at least 10 governments believed to be NSO customers who were entering numbers into a system: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates (UAE).
Rwanda, Morocco, India, and Hungary denied having used Pegasus to hack the phones of the individuals. The governments of Azerbaijan, Bahrain, Kazakhstan, Saudi Arabia, Mexico, and the UAE did not respond to invitations to comment.
The disclosures begin on Sunday, with the revelation that the numbers of more than 180 journalists are listed in the data, including reporters, editors, and executives at the Financial Times, CNN, the New York Times, France 24, The Economist, Associated Press, and Reuters.
Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives, and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners.
The Post reported that the numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and Prime Ministers also appeared on the list.
In India, the numbers of phones belonging to hundreds of journalists, activists, opposition politicians, government officials, and business executives were on the snooping list. The list includes three major Opposition figures, one constitutional authority, two serving ministers in the Narendra Modi government, current and former heads and officials of security organizations, and scores of businesspersons, The Wire reported.
Among the numbers in the Pegasus Project database is one that was registered in the name of a sitting Supreme Court judge. However, The Wire has not been able to confirm whether the number, which the judge gave up before it was added to the list, was still being used by him for WhatsApp and other encrypted messaging apps when the number was selected. “Until such time as we are able to establish the number’s actual user during the period in question, we are withholding the name of the judge,” it said.
The Wire’s analysis of the data shows that most of the above-mentioned Indian names were targeted between 2018 and 2019 – in the run-up to the 2019 Lok Sabha general elections.
While some journalists appear to have been added to the list at more or less the same time, suggesting official interest in the group, others figure as standalone entries, perhaps for the stories they were working on at the time. And these stories are not always the obvious ones.
The investigation suggests the Hungarian government of Viktor Orban appears to have deployed NSO’s technology as part of his so-called war on the media, targeting investigative journalists in the country as well as the close circle of one of Hungary’s few independent media executives.
The investigation by the Guardian and 16 other media organizations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.
Pegasus is malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos, and emails, record calls and secretly activate microphones.
Forbidden Stories, a Paris-based media nonprofit organization, and Amnesty International initially had access to the leaked list and shared access with media partners as part of the Pegasus Project, a reporting consortium.
The Guardian said the presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.
Forensic analysis of a small number of phones whose numbers appeared on the leaked list also showed more than half had traces of the Pegasus spyware.
The Guardian and its media partners will be revealing the identities of people whose numbers appeared on the list in the coming days.
Analysis of the data suggests the NSO client country that selected the most numbers – more than 15,000 – was Mexico, where multiple different government agencies are known to have bought Pegasus. Both Morocco and the UAE selected more than 10,000 numbers, the analysis suggested.