Research by Amnesty International and an international consortium of news organizations indicates that software made by NSO Group, an Israeli spy software maker catering to governments around the world, was used to surveil human rights activists, journalists, and government officials despite claims it’s only used for legitimate criminal investigations, the organizations say.
The spyware, dubbed Pegasus, can install itself with administrative privileges on target smartphones, enabling it to monitor calls, siphon off data, and even surreptitiously activate cameras and microphones. It accomplishes this through two means: zero-day exploits, or vulnerabilities that haven’t been publicly disclosed or fixed by software makers, and zero-click attacks, which require no interaction from the user. The reports say the spyware can be used on both Android phones and iPhones, and Amnesty researchers say it’s usually difficult for targets to know that the spyware is installed.
“The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists, and crush dissent, placing countless lives in peril,” said Agnès Callamard, Secretary General of Amnesty International, in a statement, using the group’s name for the research and reporting project.
NSO Group has strenuously denied the claims, reported in internationally respected newspapers including The Washington Post, The Guardian, Le Monde, and the Süddeutsche Zeitung. The company said in a statement that its tools are only sold to “vetted” governments for use in “saving lives through preventing crime and terror acts.” Amnesty researchers said they did find phone numbers of suspected criminals among potential targets.
But the researchers, equipped with a leak of data including phone numbers of more than 50,000 potential targets, say they also found evidence that the phones of journalists based in Mexico, Azerbaijan, India, and other countries had been infected with the Pegasus spyware. Details of the leak weren’t revealed, and it’s unclear which governments were using the spyware.
Among the apparent targets were associates of Jamal Khashoggi, the Saudi dissident journalist killed in the Saudi consulate in Istanbul in 2018. The Guardian, one of the media organizations involved in the investigation, reported that the researchers found evidence that Hanan Elatr, Khashoggi’s wife, was sent malicious text messages with apparent links to Pegasus in the months before his death. Khashoggi’s fiancee, Hatice Cengiz, was also reportedly targeted and had her phone apparently infected with Pegasus spyware days after Khashoggi’s death, according to the Guardian report.
Evidence was also found that Khadija Ismayilova, an Ajerbaijani journalist who has for years been targeted, harassed, even jailed by that country’s authoritarian regime, had the software installed on her phone, The Washington Post reports. Siddharth Varadarajan, the founder of the independent Indian media outlet The Wire, also had his phone compromised by the spyware, the Post reports.
Phone operating system makers Apple and Google both told the Post they take steps to keep users safe from spyware like Pegasus, but even late-model iPhones have apparently been infected with the spyware. Activists, including Amnesty International and former National Security Agency contractor and whistleblower Edward Snowden, have called for a ban on international trade in spyware.
“Clearly, their actions pose larger questions about the wholesale lack of regulation that has created a wild west of rampant abusive targeting of activists and journalists,” Callamard said in her statement. “Until this company and the industry as a whole can show it is capable of respecting human rights, there must be an immediate moratorium on the export, sale, transfer, and use of surveillance technology.”
The media organizations have indicated that they’ll continue to report on how the software was used by governments to surveil high-profile targets.
In its statement, NSO said it’s considering a defamation suit over the reporting. The company has for years denied in media appearances and advertisements that its software is used in human rights abuses.
“Our technologies are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones,” the company said. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”