“Private Israeli Spyware Used to Hack Cellphones of Journalists, Activists Worldwide”

From a Washington Post story by Dana Priest, Craig Timberg, and Souad Mekhennet headlined “Private Israeli spyware used to hack cellphones of journalists, activists worldwide”:

Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners.

The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of the Israeli firm, NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry….

The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.

Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group, had access to the list and shared it with the news organizations, which did further research and analysis. Amnesty’s Security Lab did the forensic analyses on the smartphones.

The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.

Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.

The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.

The media consortium, titled the Pegasus Project, analyzed the list through interviews and forensic analysis of the phones, and by comparing details with previously reported information about NSO. Amnesty’s Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.

For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

Amnesty shared backup copies of data on four iPhones with Citizen Lab, which confirmed that they showed signs of Pegasus infection. Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus, also conducted a peer review of Amnesty’s forensic methods and found them to be sound.

In lengthy responses before publication, NSO called the investigation’s findings exaggerated and baseless. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.

After publication, NSO chief executive Shalev Hulio expressed concern in a phone interview with The Post about some of the details he had read in Pegasus Project stories Sunday, while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.

“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”

He said that in the past 12 months NSO had terminated two contracts over allegations of human rights abuses, but he declined to name the countries involved….

Forbidden Stories organized the media consortium’s investigation, and Amnesty provided analysis and technical support but had no editorial input. Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked. After the investigation began, several reporters in the consortium learned that they or their family members had been successfully attacked with Pegasus spyware.

More than 50,000 smartphone numbers appear on a list of phones concentrated in countries known to engage in surveillance on their citizens and also known to have been clients of NSO Group, an Israeli firm that is a worldwide leader in cybersurveillance. The numbers span more than 50 countries around the globe.

The greatest number was in Mexico, where more than 15,000 numbers, including those belonging to politicians, union representatives, journalists and other government critics, were on the list.

A large share of numbers were in the Middle East, including in Qatar, the UAE, Bahrain and Yemen. The UAE, Saudi Arabia and Bahrain are reported to be among NSO clients.

In India, the numbers of phones belonging to hundreds of journalists, activists, opposition politicians, government officials and business executives were on the list, as were numbers in several other countries in the region, including Azerbaijan, Kazakhstan and Pakistan.

More than 1,000 French numbers were on the list. In Hungary, numbers associated with at least two media magnates were among hundreds on the list, and the phones of two working journalists were targeted and infected, forensic analysis showed.

Beyond the personal intrusions made possible by smartphone surveillance, the widespread use of spyware has emerged as a leading threat to democracies worldwide, critics say. Journalists under surveillance cannot safely gather sensitive news without endangering themselves and their sources….

“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”

NSO said in a statement that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” NSO said. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”…

Thomas Clare, a libel attorney hired by NSO, said that the consortium had “apparently misinterpreted and mischaracterized crucial source data on which it relied” and that its reporting contained flawed assumptions and factual errors.

“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes,” Clare wrote.

In response to follow-up questions, NSO called the 50,000 number “exaggerated” and said it was far too large to represent numbers targeted by its clients. Based on the questions it was being asked, NSO said, it had reason to believe that the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies.”…

Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills. The Israeli Defense Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.

“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defense establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”

The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.

“We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said. “It is technologically impossible and reaffirms the fact your sources’ claims have no merit.”

Apple and other smartphone manufacturers are years into a cat-and-mouse game with NSO and other spyware makers.

“Apple unequivocally condemns cyberattacks against journalists, human rights activists and others seeking to make the world a better place,” said Ivan Krstić, head of Apple Security Engineering and Architecture….

Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO’s ability to adapt to countermeasures.

Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.

“There is just nothing from an encryption standpoint to protect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.

That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. “Primarily I’m here just to keep the death count,” he said.

The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call “zero-click” attacks, which deliver spyware simply by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.

Many countries have laws pertaining to traditional wiretapping and interception of communications, but few have effective safeguards against deeper intrusions made possible by hacking into smartphones. “This is more devious in a sense because it really is no longer about intercepting communications and overhearing conversation. … This covers all of them and goes way beyond that,” Guarnieri said. “It has raised a lot of questions from not only human rights, but even national constitutional laws as to is this even legal?”

Clare, NSO’s attorney, attacked the forensic examinations as “a compilation of speculative and baseless assumptions” built on assumptions based on earlier reports. He also said, “NSO does not have insight into the specific intelligence activities of its customers.”

The Pegasus Project’s findings are similar to previous discoveries by Amnesty, Citizen Lab and news organizations worldwide, but the new reporting offers a detailed view of the personal consequences and scale of surveillance and its abuses….

Some expressed outrage even at the suggestion of spying on journalists.

A reporter for the French daily Le Monde working on the Pegasus Project recently posed such a question to Hungarian Justice Minister Judit Varga during an interview about the legal requirements for eavesdropping:

“If someone asked you to tape a journalist or an opponent, you wouldn’t accept this?”

“What a question!” Varga responded. “This is a provocation in itself!” A day later, her office requested that this question and her answer to it “be erased” from the interview.

In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first “Transparency and Responsibility Report” last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.

“Terror organizations, drug cartels, human traffickers, pedophile rings and other criminal syndicates today exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications.

“These technologies provide criminals and their networks a safe haven, allowing them to ‘go dark’ and avoid detection, communicating through impenetrable mobile messaging systems. Law enforcement and counterterrorism state agencies around the world have struggled to keep up.”…

A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters noted that in the last year alone NSO had terminated contracts with Saudi Arabia and Dubai in the United Arab Emirates over human rights concerns.

“Pegasus is very useful for fighting organized crime,” said Guillermo Valdes Castellanos, head of Mexico’s domestic intelligence agency CISEN from 2006 to 2011. “But the total lack of checks and balances [in Mexican agencies] means it easily ends up in private hands and is used for political and personal gain.”…

Today’s thriving international spyware industry dates back decades but got a boost after the unprecedented 2013 disclosure of highly classified National Security Agency documents by contractor Edward Snowden. They revealed that the NSA could obtain the electronic communications of almost anyone because it had secret access to the transnational cables carrying Internet traffic worldwide and data from Internet companies such as Google and giant telecommunications companies such as AT&T.

Even U.S. allies in Europe were shocked by the comprehensive scale of the American digital spying, and many national intelligence agencies set out to improve their own surveillance abilities. For-profit firms staffed with midcareer retirees from intelligence agencies saw a lucrative market-in-waiting free from the government regulations and oversight imposed on other industries.

The dramatic expansion of end-to-end encryption by Google, Microsoft, Facebook, Apple and other major technology firms also prompted law enforcement and intelligence officials to complain they had lost access to the communications of legitimate criminal targets. That in turn sparked more investment in technologies, such as Pegasus, that worked by targeting individual devices.

“When you build a building, you want to make sure the building holds up, so we follow certain protocols,” said Ido Sivan-Sevilla, an expert on cyber governance at the University of Maryland. By promoting the sale of unregulated private surveillance tools, “we encourage building buildings that can be broken into. We are building a monster. We need an international norms treaty that says certain things are not okay.”

Without international standards and rules, there are secret deals between companies like NSO and the countries they service.

The unfettered use of a military-grade spyware such as Pegasus can help governments to suppress civic activism at a time when authoritarianism is on the rise worldwide. It also gives countries without the technical sophistication of such leading nations as the United States, Israel and China the ability to conduct far deeper digital cyberespionage than ever before….

The fear of widespread surveillance impedes the already difficult mechanics of civic activism.

“Sometimes, that fear is the point,” said John Scott-Railton, a senior researcher at Citizen Lab, who has researched Pegasus extensively. “The psychological hardship and the self-censorship it causes are key tools of modern-day dictators and authoritarians.”

When Siddharth Varadarajan, co-founder of the Wire, an independent online outlet in India, learned that Security Lab’s analysis showed that his phone had been targeted and penetrated by Pegasus, his mind immediately ran through his sensitive sources. He thought about a minister in Prime Minister Narendra Modi’s government who had displayed an unusual concern about surveillance when they.

The minister first moved the meeting from one location to another at the last moment, then switched off his phone and told Varadarajan to do the same.

Then “the two phones were put in a room and music was put on in that room … and I thought: ‘Boy, this guy is really paranoid. But maybe he was being sensible,’” Varadarajan said in a recent interview.

When forensics showed his phone had been penetrated, he knew the feeling himself. “You feel violated, there’s no doubt about it,” he said. “This is an incredible intrusion, and journalists should not have to deal with this. Nobody should have to deal with this.”

About this project

Priest reported from Ankara, Istanbul and Washington, Timberg from Washington and Mekhennet from Berlin. Michael Birnbaum in Budapest, Mary Beth Sheridan in Mexico City, Joanna Slater in New Delhi, Drew Harwell and Julie Tate in Washington, and Miranda Patrucic from the Organized Crime and Corruption Reporting Project in Sarajevo contributed to this report.

Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International had access to a list of phone numbers concentrated in countries known to surveil their citizens and also known to have been clients of NSO Group. The two nonprofits shared the information with The Washington Post and 15 other news organizations worldwide that have worked collaboratively to conduct further analysis and reporting over several months. Forbidden Stories oversaw the Pegasus Project, and Amnesty International provided forensic analysis but had no editorial input.

More than 80 journalists from Forbidden Stories, The Washington Post, Le Monde, Süddeutsche Zeitung, Die Zeit, the Guardian, Daraj, Direkt36, Le Soir, Knack, Radio France, the Wire, Proceso, Aristegui Noticias, the Organized Crime and Corruption Reporting Project, Haaretz and PBS Frontline joined the effort.


