BOSTON — Human rights and press freedom activists are up in arms about a new report on NSO Group, the notorious Israeli hacker-for-hire company. The report, by a global media consortium, expands public knowledge of the target list used in NSO’s military-grade spyware. According to the report, that now not only includes journalists, rights activists and opposition political figures, but also people close to them.
The groups have decried the virtual absence of regulation of commercial surveillance tools. If the allegations of widespread targeting by NSO’s Pegasus malware are even partly true, U.N. High Commissioner for Human Rights Michelle Bachelet said in a statement, a “red line has been crossed again and again with total impunity.”
Here’s what you need to know about this issue.
NSO GROUP HAS LONG BEEN ACCUSED OF UNETHICAL HACKING. WHAT’S NEW?
The new investigation, based on leaked data of unspecified origin, builds significantly on previous efforts. Paris-based journalism nonprofit Forbidden Stories and the human rights group Amnesty International obtained the data and say that it people potential targeted for surveillance by NSO’s clients.
Journalists from the consortium combed through a list of more than 50,000 cellphone numbers, identifying more than 1,000 individuals in 50 countries. They include 189 journalists, 85 human rights activists and several heads of state. Among the journalists were employees of The Associated Press, Reuters, CNN, The Wall Street Journal, Le Monde and The Financial Times.
Amnesty was able to examine the smartphones of 67 individuals on the list, finding evidence of an attempted or successful Pegasus infection on 37. Its investigators found that the phone of Washington Post journalist Jamal Khashoggi’s fiancee, Hatice Cengiz, was infected just four days after he was killed in the Saudi Consulate in Istanbul in 2018. They found Pegasus on the phones of the co-founders of the Indian independent online outlet The Wire and repeat infections on the phones of two Hungarian investigative journalists with the outlet Direkt36.
The list of potential targets included Roula Khalaf, the editor of the Financial Times.
Fifty people close to Mexico’s president, Andres Manuel Lopez Obrador, were also on the potential target list. They include his wife, children, aides and cardiologist. Lopez Obrador was in opposition at the time. A Mexican reporter whose phone number was added to the list in that time period, Cecilio Pineda, was assassinated in 2017.
After Mexico, the largest share of potential targets were in the Middle East, where Saudi Arabia is reported to be among NSO clients. Also on the list were numbers in France, Azerbaijan, Kazakhstan and Pakistan, Morocco and Rwanda.
According to the The Committee to Protect Journalists, there are few effective barriers to prevent autocratic governments from using sophisticated surveillance technology to attempt cowing or silencing a free press.
WHAT DOES NSO SAY?
NSO denies ever maintaining a list of “potential, past or existing targets.” It claims to provide its services only to “vetted government agencies” for use against terrorists and major criminals, and denies any association with Khashoggi’s murder. But the company does not disclose its clients and claims it has ”no visibility” into the data. Security researchers who have studied NSO’s activity contest that claim, saying the company directly manages the high-tech spying.
There is no doubt that the NSO software deployment creates various logs and other data that the company can access, said John Scott-Railton, a researcher with Citizen Lab, the University of Toronto-based watchdog that has been tracking Pegasus abuses since 2016.
Amnesty has not identified the source of the leak or how the data was authenticated to protect the safety of its source. Citizen Lab vetted Amnesty’s methodology for confirming Pegasus’ infections and deemed it sound. Scott-Railton said he had no doubt the leaked data “contains intent to target.”
A phone number’s presence in the data does not necessarily mean an attempt was made to hack a device, said Amnesty, which found Pegasus infection traces on the cellphones of 15 journalists on the list.
Amnesty says the malware is so effective that it can hack even the latest models of Apple’s iPhone operating system, going undetected as it vacuums up personal and location data and seizes control of device microphones and cameras. In a statement, Apple head of security engineering Ivan Krstić did not directly address Amnesty’s claim, instead emphasizing the rarity of such targeted attacks and the company’s dedication to the security of its users.
DOES ISRAEL CONDONE THIS ACTIVITY?
Asked about its approvals of NSO’s exports, Israel’s Defense Ministry said in a statement that it “approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counter terrorism.” It said national security and strategic considerations are taken into account.
Last year, an Israeli court dismissed an Amnesty lawsuit seeking to strip NSO of its export license, citing insufficient evidence.
Citizen Lab and Amnesty have since 2016 primarily documented NSO targeting of rights activists, dissidents and journalists including dozens of Al-Jazeera employees. But the new list significantly widens the scope of potential targets to include members of Arab royal families, diplomats and business executives, according to the consortium, which includes The Washington Post, The Guardian, Le Monde and Sueddeutsche Zeitung.
CAN ANYONE BE TARGETED? HOW CAN INFECTION BE THWARTED?
No one not involved in sensitive information-gathering outside the U.S. needs to worry much. Customers of NSO Group’s malware and other commercial surveillance tools typically focus on high-profile targets.
But those in NSO’s crosshairs may not be able to avoid infection. Its methods of infection often don’t require user interaction, such as clicking on a link in a text message.
One such “zero-click” option exploited a flaw in WhatsApp, the popular encrypted mobile-messaging service. WhatsApp and its parent company Facebook sued NSO in San Francisco federal court in 2019.
The WhatsApp suit accuses NSO Group of targeting some 1,400 WhatsApp users. Until this week, that was the largest number of potential targets of the Israeli company’s spyware amassed in one place.
AP correspondents Josef Federman in Jerusalem and Geir Moulsen in Berlin contributed to this report.