Governments around the world have been found to have used spyware called Pegasus – made by Israel’s NSO Group – to spy on civilians including journalists and human rights activists, according to reports under The Pegasus Project launched on Monday, July 19.
The Pegasus Project is a collaborative investigative report by a consortium of 17 international media outlets led by journalism nonprofit Forbidden Stories, with technical assistance from Amnesty International’s Security Lab.
The ongoing reports stem from a leak obtained by Forbidden Stories and Amnesty International that contains 50,000 records of phone numbers linked to individuals targeted by governments in countries known be clients of NSO Group. Where possible, Security Lab’s performs forensics on a device suspected to be infected with the spyware to confirm the listing.
Among the 50,000, 180 journalists were tagged in the leaks working at prestigious media companies, including the Wall Street Journal, CNN, the New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El País, Associated Press, Le Monde, Bloomberg, Agence France-Presse, the Economist, Reuters and Voice of America.
Azerbaijan had about 48 journalists in the list, said to be critics of repression and corruption. India and Morocco had 38 journalists each while the United Arab Emirates had 12.
When the device of a target is successfully infected through app vulnerabilities or malicious links, the Pegasus spyware is able to exfiltrate all data on the device. This allows governments to read confidential messages, discover a reporter’s sources, listen to calls, see their photos, track their movements, and record conversations by activating the microphone.
“Knowing that a country can so easily penetrate your phone, it inevitably means that you have to always be thinking about your phone as a potential surveillance device,” American investigative journalist Bradley Hope, then of the Wall Street Journal at the time of his inclusion in the government surveillance list, told The Guardian. “It will just remind me that at any time I could be carrying around a vulnerability with me.”
In a separate report, PBS’ Frontline honed in on another surveillance victim: Hatice Cengiz, the fiancée of murdered Saudi journalist Jamal Khashoggi.
In the short video report, Frontline, through Security Labs’ assistance, verified Cengiz’s phone had been infected with Pegasus, with traces of activity around the time that Khashoggi was murdered on October 2, 2018.
Analyzing Cengiz’s two devices, one old and one new, a tech expert at Security Lab said, “The new one seems clean to me. The old one however has some traces that seem consistent with what we’ve seen.”
“So on the 6th of October 2018, [that day] seems to have been [when the device was] first compromised, with some additional traces on the 9th and then the 12th – which as you know, obviously, is pretty timely within the context [of the Khashoggi murder] obviously.”
The NSO Group has denied the claims against its government clients, including any association with the Khashoggi murder, and said that in the past it had shut off client access to Pegasus in the event of violative acts, and would continue to investigate claims of misuse.
“The NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” said the company.