“The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling public narrative, resisting scrutiny, and suppressing any dissenting voice,” Amnesty quoted its secretary-general, Agnes Callamard, as saying.
The consortium’s findings build on extensive work by cybersecurity researchers, primarily from the University of Toronto-based watchdog Citizen Lab. NSO targets identified by researchers beginning in 2016 include dozens of Al-Jazeera journalists and executives, New York Times Beirut bureau chief Ben Hubbard, Moroccan journalist and activist Omar Radi and prominent Mexican anti-corruption reporter Carmen Aristegui. Her phone number was on the list, the Post reported.
Among more than two dozen previously documented Mexican targets are proponents of a soda tax, opposition politicians, human rights activists investigating a mass disappearance and the widow of a slain journalist. In the Middle East, the victims have mostly been journalists and dissidents, allegedly targeted by the Saudi and United Arab Emirates governments.
The consortium’s “Pegasus Project” reporting bolsters accusations that not just autocratic regimes but democratic governments, including India and Mexico, have used NSO Group’s Pegasus spyware for political ends. Its members, who include Le Monde and Sueddeutsche Zeitung of Germany, are promising a series of stories based on the leak.
Pegasus infiltrates phones to vacuum up personal and location data and surreptitiously control the smartphone’s microphones and cameras. In the case of journalists, that lets hackers spy on reporters’ communications with sources.
The program is designed to bypass detection and mask its activity. NSO Group’s methods to infect its victims have grown so sophisticated that researchers say it can now do so without any user interaction, the so-called “zero-click’ option.
In 2019, WhatsApp and its parent company Facebook sued NSO Group in US federal court in San Francisco, accusing it of exploiting a flaw in the popular encrypted messaging service to target – with missed calls alone – some 1400 users. NSO Group denies the accusations.
The Israeli company was sued the previous year in Israel and Cyprus, both countries from which it exports products. The plaintiffs include Al-Jazeera journalists, as well as other Qatari, Mexican and Saudi journalists and activists who say the company’s spyware was used to hack them.
Several of the suits draw heavily on leaked material provided to Abdullah Al-Athbah, editor of the Qatari newspaper Al-Arab and one of the alleged victims. The material appears to show officials in the United Arab Emirates discussing whether to hack into the phones of senior figures in Saudi Arabia and Qatar, including members of the Qatari royal family.
NSO Group does not disclose its clients and says it sells its technology to Israeli-approved governments to help them target terrorists and break up paedophile rings and sex- and drug-trafficking rings. It says its spyware is neither designed nor licensed for use against human rights activists or journalists. It says it has helped save thousands of lives in recent years. It denies its technology was in any way associated with Khashoggi’s murder.
NSO Group also denies involvement in elaborate undercover operations uncovered by The AP in 2019 in which shadowy operatives targeted NSO critics including a Citizen Lab researcher to try to discredit them.
Last year, an Israeli court dismissed an Amnesty International lawsuit seeking to strip NSO of its export license, citing insufficient evidence.
Amnesty spokesman Gil Naveh said of the company: “They are the most dangerous cyber weapon that we know of, and they’re not being properly overseen.”
NSO Group is far from the only merchant of commercial spyware. But its behaviour has drawn the most attention, and critics say that is with good reason.
Last month, it published its first transparency report, in which it says it has rejected “more than $US300 million in sales opportunities as a result of its human rights review processes.” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a strident critic, tweeted: “If this report was printed, it would not be worth the paper it was printed on.”
A new, interactive online data platform created by the group Forensic Architecture with support from Citizen Lab and Amnesty International catalogs NSO Group’s activities by country and target. The group partnered with filmmaker Laura Poitras, best known for her 2014 documentary Citzenfour about NSA whistleblower Edward Snowden, who offers video narrations.
Since 2019, the UK private equity firm Novalpina Capital has controlled a majority stake in NSO Group. Earlier this year, Israeli media reported the company was considering an initial public offering, most likely on the Tel Aviv Stock Exchange.