Human rights and press freedom activists are up in arms about a new report on NSO Group, the notorious Israeli hacker-for-hire company. The report, by a global media consortium, expands public knowledge of the target list used in NSO’s military-grade spyware. According to the report, that now not only includes journalists, rights activists and opposition political figures, but also people close to them.
The groups decried on Monday the virtual absence of regulation of commercial surveillance tools. If the allegations of widespread targeting by NSO’s Pegasus spyware are even partly true, U.N. High Commissioner for Human Rights Michelle Bachelet said in a statement, a “red line has been crossed again and again with total impunity.”
NSO Group has been long accused of unethical hacking. What’s new
The new investigation, based on leaked data of unspecified origin, builds significantly on previous efforts. Paris-based journalism non-profit Forbidden Stories and the human rights group Amnesty International obtained the data they say indicate potential targets for surveillance by NSO’s clients.
Journalists from the consortium combed through a list of more than 50,000 cellphone numbers, identifying more than 1,000 individuals in 50 countries. They include 189 journalists, 85 human rights activists and several heads of state. Among the journalists were employees of The Associated Press, Reuters, CNN, The Wall Street Journal, Le Monde and The Financial Times.
Amnesty was able to examine the smartphones of 67 people on the list, and found attempted or successful Pegasus infections on 37. It found that the phone of Washington Post journalist Jamal Khashoggi’s fiancee, Hatice Cengiz, was infected just four days after he was killed in the Saudi Consulate in Istanbul in 2018. Amnesty also found Pegasus on the phones of the co-founders of the Indian independent online outlet The Wire and repeat infections on the phones of two Hungarian investigative journalists with the outlet Direkt36.
The list of potential targets included Roula Khalaf, the editor of the Financial Times.
Fifty people close to Mexico’s president, Andres Manuel Lopez Obrador, were also on the potential target list. They include his wife, children, aides and cardiologist. Lopez Obrador was in opposition at the time. A Mexican reporter whose phone number was added to the list in that time period, Cecilio Pineda, was assassinated in 2017.
After Mexico, the largest share of potential targets were in the Middle East, where Saudi Arabia is reported to be among NSO clients. Also on the list were numbers in France, Azerbaijan, Kazakhstan and Pakistan, Morocco and Rwanda.
According to the The Committee to Protect Journalists, few effective barriers exist to prevent autocratic governments from using sophisticated surveillance technology to attempt cowing or silencing a free press.
What does NSO say?
NSO denies ever maintaining a list of “potential, past or existing targets.” It claims to sell only to “vetted government agencies” for use against terrorists and major criminals, and denies any association with Khashoggi’s murder. The company does not disclose its clients and claims it has ”no visibility” into the data. Security researchers contest that claim, saying the company directly manages the high-tech spying.
There is no doubt NSO’s software deployment creates various logs and other data that the company can access, said John Scott-Railton, a researcher with Citizen Lab, the University of Toronto-based watchdog that has been tracking Pegasus abuses since 2016.
Amnesty has not identified the source of the leak or how the data was authenticated to protect the safety of its source. Citizen Lab vetted Amnesty’s methodology for confirming Pegasus’ infections and deemed it sound. Scott-Railton said he had no doubt the leaked data “contains intent to target.”
A phone number’s presence in the data does not necessarily mean an attempt was made to hack a device, said Amnesty, which found Pegasus infection traces on the cellphones of 15 journalists on the list.
Amnesty says the malware is so effective that it can hack even the latest models of Apple’s iPhone operating system, going undetected as it vacuums up personal and location data and seizes control of device microphones and cameras. In a statement, Apple head of security engineering Ivan Krstić did not directly address Amnesty’s claim, instead emphasizing the rarity of such targeted attacks and the company’s dedication to the security of its users.
Does Israel condone this activity?
Asked about its approvals of NSO’s exports, Israel’s Defense Ministry said in a statement that it “approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counter terrorism.” It said national security and strategic considerations are taken into account.
Last year, an Israeli court dismissed an Amnesty lawsuit seeking to strip NSO of its export license, citing insufficient evidence.
Citizen Lab and Amnesty have since 2016 primarily documented NSO targeting of rights activists, dissidents and journalists including dozens of Al-Jazeera employees. But the new list significantly widens the scope of potential targets to include members of Arab royal families, diplomats and business executives, according to the consortium, which includes The Washington Post, The Guardian, Le Monde and Sueddeutsche Zeitung.
Can anyone be targeted? How can infection be thwarted?
No one not involved in sensitive information-gathering outside the U.S. needs to worry much. Customers of NSO Group’s malware and other commercial surveillance tools typically focus on high-profile targets.
But those in NSO’s crosshairs may not be able to avoid infection. Its methods of infection often don’t require user interaction, such as clicking on a link in a text message.
One such “zero-click” option exploited a flaw in WhatsApp, the popular encrypted mobile-messaging service. WhatsApp and its parent company Facebook sued NSO in San Francisco federal court in 2019.
The WhatsApp suit accuses NSO Group of targeting some 1,400 WhatsApp users. Until this week, that was the largest number of potential targets of the Israeli company’s spyware amassed in one place.