On July 18, Forbidden Stories, a Paris-based nonprofit organization, and the London-based human rights group Amnesty International collaborated with more than 80 journalists from 17 media houses to unveil the Pegasus Project, which exposed “the potential hacking and infestation of some 50,000 mobile phones belonging to journalists, opposition leaders, human rights activists and lawyers.”
Pegasus refers to Pegasus spyware created by the Israeli developer NSO Group. The firm has marketed its software to authoritarian regimes and other governments as the “best-in-class technology to help government agencies detect and prevent terrorism and crime.”
The spyware has the ability to obtain “complete access to the (mobile phone) device’s messages, emails, media, microphone, camera, calls and contacts.”
Amnesty International’s Security Lab developed software that reportedly can find traces of a Pegasus attack on Apple and Android phones. The lab found traces on 37 out of 67 phones whose numbers were on the larger list of 50,000 leaked to Forbidden Stories.
The consortium reported that targeted phones included French President Emmanuel Macron, Pakistani Prime Minister Imran Khan, and murdered Saudi journalist Jamal Khashoggi’s wife, Hanan Elatr. A phone belonging to Khashoggi’s fiance, Hatice Cengiz, was penetrated, according to The Washington Post, which collaborated on the Pegasus project.
The NSO group denied the findings from the Pegasus Project and released an initial statement that addressed Khashoggi:
“We can confirm that our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in your inquiry.”
This statement is unsubstantiated, as the NSO Group did not provide direct evidence refuting the claim about Khashoggi’s wife and fiance beyond saying it “was made without validation.”
Khashoggi was a prominent Saudi journalist and columnist for the Post, and a critic of Saudi Crown Prince Mohammed bin Salman. He died in October 2018 after entering the Saudi consulate in Istanbul to obtain divorce documents so he could marry Cengiz.
After a six-month investigation, the United Nations human rights special rapporteur concluded that Saudi Arabia was responsible Khashoggi’s murder. In February, U.S. intelligence officials said they believed bin Salman approved the killing and named 18 participants.
Bin Salman has denied ordering the killing. The Saudis eventually sentenced five people to death for the murder, but last year a court commuted the sentences to 20 years in prison.
As part of the Pegasus Project, the Guardian said Amnesty International’s Security Lab had established that Pegasus spyware was successfully installed on the phone of Cengiz just four days after his murder.
According to the Pegasus reports, Cengiz’s phone was constantly targeted between September 2017 and April 2018, along with phones belonging to Khashoggi’s son Abdullah and Elatr.
The Pegasus Project listed the Saudis among 11 NSO Group clients, including Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Togo and the United Arab Emirates.
The governments of most of the listed countries have come under harsh criticism and have issued statements denying any misuse of the software to spy on their citizens.
On July 21, the NSO group issued a second statement denying claims made in the Pegasus Project report. “The list [of 50,000 numbers] is not a list of targets or potential targets of Pegasus. The numbers in the list are not related to the NSO group. Any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false,” the statement read.
“NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.”
Compare that to The Washington Post’s Pegasus reporting:
“Thirty-seven targeted smartphones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found. The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 phones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance attempts, in some cases as brief as a few seconds.”
“The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats and military and security officers, as well as 10 prime ministers, three presidents and one king. The purpose of the list could not be conclusively determined.”
The NSO Group’s CEO, Shalev Hulio, told the Post the company would stop doing business with any country that used its product improperly.
“We are checking every allegation, and if some of the allegations are true, we will take stern action, and we will terminate contracts like we did in the past,” he said. “If anybody did any kind of surveillance on journalists, even if it’s not by Pegasus, it’s disturbing.”
In its July 21 statement, however, the company said it would no longer respond to media inquiries about the controversy.