The groups decried on Monday the virtual absence of regulation of commercial surveillance tools. If the allegations of widespread targeting by NSO’s Pegasus spyware are even partly true, U.N. High Commissioner for Human Rights Michelle Bachelet said in a statement, a “red line has been crossed again and again with total impunity.”
BOSTON (AP) — Human rights and press freedom activists are up in arms about a new report on NSO Group, the notorious Israeli hacker-for-hire company. The report, by a global media consortium, expands public knowledge of the target list used in NSO’s military-grade spyware. According to the report, that now not only includes journalists, rights activists and opposition political figures, but also people close to them.
Here’s what you need to know about this issue.
The new investigation, based on leaked data of unspecified origin, builds significantly on previous efforts. Paris-based journalism nonprofit Forbidden Stories and the human rights group Amnesty International obtained the data they say indicate potential targets for surveillance by NSO’s clients.
Journalists from the consortium combed through a list of more than 50,000 cellphone numbers, identifying more than 1,000 individuals in 50 countries. They include 189 journalists, 85 human rights activists and several heads of state. Among the journalists were employees of The Associated Press, Reuters, CNN, The Wall Street Journal, Le Monde and The Financial Times.
Amnesty was able to examine the smartphones of 67 people on the list, and found attempted or successful Pegasus infections on 37. It found that the phone of Washington Post journalist Jamal Khashoggi’s fiancee, Hatice Cengiz, was infected just four days after he was killed in the Saudi Consulate in Istanbul in 2018. Amnesty also found Pegasus on the phones of the co-founders of the Indian independent online outlet The Wire and repeat infections on the phones of two Hungarian investigative journalists with the outlet Direkt36.
The list of potential targets included Roula Khalaf, the editor of the Financial Times.
Fifty people close to Mexico’s president, Andres Manuel Lopez Obrador, were also on the potential target list. They include his wife, children, aides and cardiologist. Lopez Obrador was in opposition at the time. A Mexican reporter whose phone number was added to the list in that time period, Cecilio Pineda, was assassinated in 2017. After Mexico, the largest share of potential targets were in the Middle East, where Saudi Arabia is reported to be among NSO clients. Also on the list were numbers in France, Azerbaijan, Kazakhstan and Pakistan, Morocco and Rwanda.
¯¯¯ NSO denies ever maintaining a list of “potential, past or existing targets.” It claims to sell only to “vetted government agencies” for use against terrorists and major criminals, and denies any association with Khashoggi’s murder. The company does not disclose its clients and claims it has “no visibility” into the data. Security researchers contest that claim, saying the company directly manages the high-tech spying.
There is no doubt NSO’s software deployment creates various logs and other data that the company can access, said John Scott-Railton, a researcher with Citizen Lab, the University of Toronto-based watchdog that has been tracking Pegasus abuses since 2016. Amnesty has not identified the source of the leak or how the data was authenticated to protect the safety of its source. Citizen Lab vetted Amnesty’s methodology for confirming Pegasus’ infections and deemed it sound. Scott-Railton said he had no doubt the leaked data “contains intent to target.”
A phone number’s presence in the data does not necessarily mean an attempt was made to hack a device, said Amnesty, which found Pegasus infection traces on the cellphones of 15 journalists on the list. Amnesty says the malware is so effective that it can hack even the latest models of Apple’s iPhone operating system, going undetected as it vacuums up personal and location data and seizes control of device microphones and cameras. In a statement, Apple head of security engineering Ivan Krstic did not directly address Amnesty’s claim, instead emphasizing the rarity of such targeted attacks and the company’s dedication to the security of its users.