Investigation finds NSO Group spyware sold to governments used against activists, politicians & journalists; company denies allegations
In July 2021 the Pegasus project, a reporting consortium of 17 media partners, began publishing an investigation into a trove of data linked to the surveillance technology company NSO Group. The data was initially accessed by Paris-based nonprofit media organisation Forbidden Stories and Amnesty International, and contains more than 50,000 phone numbers that are believed to have been identified as those of people of interest by clients of NSO since 2016. It suggests extensive abuse by governments of Pegasus, NSO's hacking software that can surveil a phone's entire activity, to target figures including human rights activists, journalists, and lawyers. The company insists that Pegasus is only intended for use against criminals and terrorists.
Among those whose numbers are contained in the data are hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers. More than 180 journalists are listed, including reporters, editors and executives at the Financial Times, CNN, the New York Times, France 24, the Economist, Associated Press and Reuters.
While the presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack, the reporting consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts. Its analysis identified at least 11 governments believed to be NSO customers who were entering numbers into a system: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, Togo, and the United Arab Emirates.
Amnesty International's Security Lab conducted forensic analysis of 67 smartphones where attacks were suspected, of which it found 23 were successfully infected and 14 showed signs of attempted penetration. These included the phones of family members of murdered Saudi journalist Jamal Khashoggi.
In response to the disclosures, Amazon Web Services shut down its infrastructure and accounts linked to NSO Group. Apple, whose iPhone smartphones were penetrated by Pegasus according to Amnesty's analysis, has condemned the cyber-attacks and defended its security standards, but faces pressure to do more to track and anticipate threats.
The Pegasus project revelations come just days after new research by the Citizen Lab finds another secretive surveillance technology company, Candiru, has developed tools used to target civil society, and reporting by the Committee to Protect Journalists finds further evidence the police in Botswana have been using Cellebrite's surveillance tools to target journalists. Civil society organisations have condemned the widespread abuse of surveillance technology, with Access Now calling for urgent action to hold the surveillance industry and governments accountable, and Reporters Without Borders announcing its intention to pursue legal action against those responsible.