Media Consortium Reveals Extent of Pegasus Spyware Reach

A consortium of media outlets dubbed the Pegasus Project found that Israeli surveillance firm NSO Group licensed its military-grade spyware Pegasus to governments that used it to hack 37 smartphones of business executives, human rights activists and journalists. Two women close to murdered Saudi journalist Jamal Khasghoggi were also reportedly targeted. Amnesty International and journalism non-profit Forbidden Stories shared a list of 50,000 phone numbers that dates to 2016 and included the 37 targets. New evidence also suggests that thousands of iPhones worldwide may have been compromised. 

The Washington Post, a Pegasus Project participant, reports that, “Amnesty’s Security Lab did the forensic analyses on the smartphones … [and] reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials.”

It adds that, “several heads of state and prime ministers also appeared on the list.” Journalists on the list included those working for “CNN, the Associated Press, Voice of America, The New York Times, The Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.”

According to Amnesty International, new evidence “has revealed a massive wave of attacks by cyber surveillance company NSO Group’s customers on iPhones, potentially affecting thousands of Apple users worldwide.”

“Apple prides itself on its security and privacy features, but NSO Group has ripped these apart,” explained Danna Ingleton, deputy director of Amnesty Tech. “Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised.”

“These attacks have exposed activists, journalists and politicians all over the world to the risk of having their whereabouts monitored, and their personal information and used against them,” she added. “This is a global concern — anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.”

NSO’s own licensing agreement states that Pegasus is “intended only for use in surveilling terrorists and major criminals … [calling] into question pledges by the Israeli company to police its clients for human rights abuses.”

Amnesty’s Security Lab also scrutinized 67 smartphones which were suspected of having been hacked. Twenty-three were “successfully infected and 14 showed signs of attempted penetration.” Tests were inconclusive for the remaining 30 phones; of them 15 were Android devices, “none of which showed evidence of successful infection … [but] unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work.”

NSO “called the investigation’s findings exaggerated and baseless … [and] said it does not operate the spyware licensed to its clients,” but company chief executive Shalev Hulio “expressed concern … about some of the details he had read in Pegasus Project stories … while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.”

Hulio added that, in the past year, NSO “had terminated two contracts over allegations of human rights abuses.” “Every allegation about misuse of the system is concerning [to] me,” he said. “It violates the trust that we give customers.”

NSO said its customers are “60 intelligence, military and law enforcement agencies in 40 countries.” The Pegasus Project found “many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.” Citizen Lab senior research fellow Bill Marczak “found evidence that all 10 have been clients of NSO.”

Pegasus can overcome iPhone and Android defenses and “familiar privacy measures like strong passwords and encryption offer little help.” It can steal “photos, recordings, location records, communications, passwords, call logs and social media posts [and] activate cameras and microphones for real-time surveillance.”

“There is just nothing from an encryption standpoint to protect against this,” said Amnesty Security Lab’s researcher Claudio Guarnieri.

Related:
See How 17 News Outlets Are Coming Together to Expose Pegasus Spyware (Video), CNN, 7/19/21
Israeli Spyware Maker Is in Spotlight Amid Reports of Wide Abuses, The New York Times, 7/19/21
Massive Data Leak Reveals Israeli NSO Group’s Spyware Used to Target Activists, Journalists, and Political Leaders Globally, Amnesty International, 7/18/21
Amazon Web Services Bans Accounts Linked with Pegasus Spyware, The Verge, 7/19/21
Despite the Hype, iPhone Security No Match for NSO Spyware, The Washington Post, 7/19/21
What Is Pegasus Spyware and How Does It Hack Phones?, The Guardian, 7/18/21
This Tool Tells You if NSO’s Pegasus Spyware Targeted Your Phone, TechCrunch, 7/19/21