On March 2, 2017, Mexican journalist Cecilio Pineda took out his mobile phone and in a Facebook live broadcast spoke about alleged collusion between state and local police and the leader of a drug cartel. Two hours later, he was dead – shot at least six times by two men on a motorcycle, Anadolu Agency reported.
It was a few weeks later that Forbidden Stories – a global network of journalists engaged in investigations – confirmed that not just Pineda, but also the state prosecutor who investigated the case, Xavier Olea Pelaez, were the targets of Israel's Pegasus spyware in the weeks and months before his murder.
Pineda's phone was also never found, as it had disappeared from the crime scene by the time the authorities had arrived.
Two weeks after Washington Post columnist Jamal Khashoggi was killed in the Saudi Consulate in Istanbul, Turkey in October 2018, the digital rights organization Citizen Lab reported that a close friend of Khashoggi, Omar Abdulaziz, had been targeted with Pegasus software developed by NSO Group Technologies — an Israeli technology firm.
New revelations from Forbidden Stories and its partners have found that Pegasus spyware was successfully installed on the mobile phone of Khashoggi's fiancée, Hatice Cengiz, just four days after his murder. The phone of Khashoggi's son, Abdullah, was selected as a target of an NSO client based on the consortium's analysis of the leaked data.
Overall, the phones of 180 journalists around the world are claimed to have been selected as targets by clients of NSO Group Technologies. Its spyware Pegasus enables the remote surveillance of smartphones.
Forbidden Stories, which conducted investigations along with Amnesty International's Security Lab, found that the phones of many politicians, civil society activists and even judges were being monitored in many countries, breaching privacy laws.
According to Forbidden Stories, they had access to a leak of more than 50,000 records of phone numbers belonging to journalists, politicians, officials, activists and even judges that NSO clients had selected for surveillance.
The forensic analyses of their phones – conducted by Amnesty International's Security Lab and peer-reviewed by the Canadian organization Citizen Lab – were able to confirm infection or attempted infection with NSO Group's spyware in 85% of cases.
"The numbers vividly show the abuse is widespread, placing journalists' lives, those of their families and associates in danger, undermining freedom of the press and shutting down critical media," said Agnes Callamard, secretary-general of Amnesty International.
NSO Group, in a written response to Forbidden Stories, said the consortium's reporting was based on "wrong assumptions" and "uncorroborated theories" and reiterated that the company was on a "life-saving mission".
"The alleged amount of leaked data of more than 50,000 phone numbers cannot be a list of numbers targeted by governments using Pegasus," it added.
NSO Group maintains that its technology is used exclusively by intelligence agencies to track criminals and terrorists. According to NSO Group's Transparency and Responsibility report released in June this year, the company has 60 clients in 40 countries around the world.
Pegasus "is not a mass surveillance technology and only collects data from the mobile devices of specific individuals suspected to be involved in serious crime and terror," NSO Group wrote in the report.
In India, the phone of Paranjoy Guha Thakurta, an investigative journalist and author of several books, was hacked in 2018.
Quoting Thakurta, Forbidden Stories said he was targeted when he was working on an investigation into the finances of the famous Ambani business group.
"The purpose of getting into my phone and looking at who are the people I'm speaking to would be to find out who are the individuals who have been providing information to me and my colleagues," he said.
Thakurta is one of at least 40 Indian journalists selected as targets of an NSO client in India, based on the consortium's analysis of the leaked data.
The phones of two of the three cofounders of the independent online news outlet The Wire – Siddharth Varadarajan and MK Venu – were both infected by Pegasus, with Venu's phone hacked as recently as July.
Top journalists targeted
Several other journalists who work for or have contributed to the independent news outlet The Wire– including columnist Prem Shankar Jha, investigative reporter Rohini Singh, diplomatic editor Devirupa Mitra and contributor Swati Chaturvedi – were all selected as targets, according to the records accessed by Forbidden Stories and its partners.
"It was alarming to see so many names of people linked to The Wire, but then there are lots of people not linked to the Wire," said Varadarajan, whose phone was compromised in 2018.
Addressing parliament on Monday, Information Technology Minister Ashwini Vaishnaw said there is "no substance behind this sensational" claim and that "with checks and balances in place, illegal surveillance [is] not possible."
"A highly sensational story was published by a web portal last night. Many over-the-top allegations [were] made around this story. The press reports appeared a day before [the] monsoon session of parliament. This can't be a coincidence," he said.
He described these revelations as an attempt to malign Indian democracy.
The Committee to Protect Journalists (CPJ) had previously documented 38 cases of spyware – developed by software companies in four countries – used against journalists in nine countries since 2011.
How does Pegasus work?
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), was one of the first security researchers to identify and document cyber-attacks against journalists and human rights defenders in Mexico, Vietnam and elsewhere in the early 2010s.
"Back in 2011, you would receive an email, and the email would go to your computer, and the malware would be designed to install itself on your computer," she said.
But the installation of Pegasus spyware on smartphones has become subtler. Instead of the target having to click on a link to install the spyware, so-called "zero-click" exploits allow the client to take control of the phone without any engagement on the part of the target.
Once successfully installed on the phone, Pegasus spyware gives NSO clients complete device access and thereby the ability to bypass even encrypted messaging apps like Signal, WhatsApp and Telegram. Pegasus can be activated at will until the device is shut off. As soon as it's powered back on, the phone can be reinfected.
According to Galperin Pegasus operators can remotely record audio and video, extract data from messaging apps, use the GPS for location tracking and recover passwords and authentication keys, among other things.
Spying governments have moved in recent years toward a more "hit and run" strategy to avoid detection, she said, infecting phones, exfiltrating the data and quickly exiting the device.
Over the years, governments the world over have moved to gather intelligence using technology instead of humans. In the past, they developed spyware tools in-house until private spyware companies like NSO Group, FinFisher and Hacking Team stepped in to sell their products to governments, according to Galperin.
In June 2021, French spyware company Amesys was charged with "complicity in acts of torture" for selling its spyware to Libya from 2007-2011. According to plaintiffs, in that case, information gleaned through digital surveillance was used to identify and hunt down opponents of deposed dictator Muammar Gaddafi, who were later tortured in prison.
The revelations stemming from this international collaborative investigation have thrown into question the safeguards put in place to prevent misuse of cyber weapons like Pegasus and, more specifically, NSO Group's commitment to creating "a better, safer world."