The notorious Israeli spyware developed by the NSO Group, Pegasus, is at the centre of an international scandal involving the alleged phone hacking of more than 180 journalists, lawyers, and human rights activists from across the world, targeted for the purpose of snooping by authoritarian regimes including the UAE and Saudi Arabia. The scale of the hacking, however, uncovered from leaked data, is likely to be much higher.
As many as 50,000 phone numbers were said to have been selected for surveillance using the Israeli snooping technology, according to details of the investigation uncovering the hacking by the Pegasus Project, a ground-breaking collaboration by more than 80 journalists from 17 media organisations in ten countries. The group's work was co-ordinated by Forbidden Stories, a Paris-based non-profit media organisation, and Amnesty International.
Amongst the targets were some of the world's top media companies including the Financial Times, the Wall Street Journal, CNN, the New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El País, Associated Press, Le Monde, Bloomberg, Agence France-Presse, the Economist, Reuters and Voice of America. Further details on who was targeted are expected to emerge over the coming days.
NSO Group gained notoriety following the killing of Saudi Journalist Jamal Khashoggi almost three years ago. Members of his inner circle were targeted by the Israeli spyware which has become the weapon of choice for autocrats against critics and opposition figures. A successful Pegasus infection allows access to all data stored on the device. An attack on a journalist for example could expose a reporter's confidential sources as well as allowing NSO's government client to read their messages, harvest their address book, listen to their calls, track their precise movements and even record their conversations by activating the device's microphone and camera.
In the years since the killing of Khashoggi, the dangers of the NSO Group's spyware were highlighted by human rights organisations. They warned that Pegasus was being used to target rights activists, journalists, and government officials in such diverse locations as Mexico, Morocco, and India. An Al Jazeera documentary also revealed that the Israeli firm was secretly selling its spyware to Bangladesh through a criminal gang.
Despite widespread knowledge of the nefarious use of NSO Group's technology, the scale of the hacking has come as a surprise with the potential that as many as 50,000 phone numbers were being subjected to snooping. This figure was found on a potential list of targets in the leaked data and doesn't necessarily mean that every single phone was subjected to a successful hacking operation.
The investigation by Forbidden Stories and Amnesty International identified at least ten governments believed to be NSO customers: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and the United Arab Emirates (UAE). They are considered to be amongst some of the most authoritarian regimes in the world.
The Pegasus Project lays bare how NSO's spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists, and crush dissent, placing countless lives in peril
said Agnès Callamard, secretary-general of Amnesty International.
Callamard previously worked as a UN investigator who led the inquiry into Khashoggi's killing. Her report concluded that there was "credible evidence" that Saudi Crown Prince Mohammed Bin Salman and senior Saudi officials were responsible for killing the journalist, who lived in exile in America.
Dismissing the Israeli firm's claim that the hacking has been exaggerated, Callamard said: "These revelations blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology. While the company claims its spyware is only used for legitimate criminal and terror investigations, it's clear its technology facilitates systemic abuse. They paint a picture of legitimacy while profiting from widespread human rights violations."