By Frank Bajak and Joseph Krauss
Jerusalem: Security researchers have disclosed that spyware from the notorious Israeli hacker-for-hire company NSO Group was detected on the cellphones of six Palestinian human rights activists, half affiliated with groups that Israel’s defence minister controversially claimed were involved in terrorism. The revelation made on Monday marks the first known instance of Palestinian activists being targeted by the military-grade Pegasus spyware.
A successful Pegasus infection surreptitiously gives intruders access to everything a person stores and does on their phone, including real-time communications.
It’s not clear who placed the NSO spyware on the activists’ phones, said the researcher who first detected it, Mohammed al-Maskati of the nonprofit Frontline Defenders. The hacking began in July 2020, according to researchers.
Shortly after the first two intrusions were identified in mid-October, Israeli Defence Minister Benny Gantz declared six Palestinian civil society groups to be terrorist organisations.
Israel has provided little evidence publicly to support the terrorism designation, which the Palestinian groups say aims to dry up their funding and muzzle opposition to Israeli military rule. Three of the hacked Palestinians work for the civil society groups. The others do not, and wish to remain anonymous, Frontline Defenders says.
The forensic findings were independently confirmed by security researchers from Amnesty International and the University of Toronto’s Citizen Lab in a joint technical report.
Asked about the allegations its software was used against the Palestinian activists, NSO Group said in a statement that it does not identify its customers for contractual and national security reasons, is not privy to whom they hack and sells only to government agencies for use against “serious crime and terror.”
Speaking on condition of anonymity, an Israeli defence official said in a brief statement that the designation of the six organisations was based on solid evidence and that any claim it is related to the use of NSO software is unfounded.
It’s not known precisely when or how the phones were violated, the security researchers said. But four of the six hacked iPhones exclusively used SIM cards issued by Israeli telecom companies with Israeli +972 area code numbers, said the Citizen Lab and Amnesty researchers. That led them to question claims by NSO Group that exported versions of Pegasus cannot be used to hack Israeli phone numbers. NSO Group has also said it doesn’t target US numbers.
Among those hacked was Ubai Aboudi, a 37-year-old economist and US citizen. He runs the seven-person Bisan Center for Research and Development in Ramallah, in the Israeli-occupied West Bank, one of the six groups Gantz slapped with terrorist designations on October 22.
The other two hacked Palestinians who agreed to be named are researcher Ghassan Halaika of the Al-Haq rights group and attorney Salah Hammouri of Addameer, also a human rights organisation. The other three designated groups are Defence for Children International-Palestine, the Union of Palestinian Women’s Committees and the Union of Agricultural Work Committees.
Aboudi said he lost “any sense of safety” through the “dehumanising” hack of a phone that is at his side day and night and holds photos of his three children. He said his wife, the first three nights after learning of the hack, “didn’t sleep from the idea of having such deep intrusions into our privacy.”
The researchers’ examination of Aboudi’s phone determined it was infected by Pegasus in February.
Aboudi served a 12-month sentence last year after being convicted of charges of involvement in the PFLP but denies ever belonging to the group.
The executive director of Frontline Defenders, Andrew Anderson, said the NSO Group cannot be trusted to ensure its spyware is not used illegally by its customers, and said Israel should face international reproach if it does not bring the company to heel.
Al-Maskati, the researcher who discovered the hacks, said he was first alerted on October 16 by Halaika, whose phone was determined to have been hacked in July 2020. Al-Haq engages in sensitive communications with the International Criminal Court, among others, involving alleged human rights abuses.
“As human rights defenders living under occupation, we expect it was the (Israeli) occupation,” Halaika said when asked who he believed was behind the hack.
The phone of the third named hacking victim, Hammouri, was apparently compromised in April, the researchers said. A dual French national living in Jerusalem, Hammouri previously served a seven-year sentence for security offenses, and Israel considers him a PFLP operative, allegations he denies.
After Halaika alerted him, Al-Maskati said he scanned 75 phones of Palestinian activists, finding the six infections. He could not determine how the phones were hacked, he said, though the timeline of evidence encountered indicated the use of a so-called “iMessage zero-click” exploit NSO Group used on iPhones. The exploit is highly effective because it requires no user intervention, unlike phishing attempts, which typically do.
A snowballing of new revelations about the hacking of public figures – including Hungarian investigative journalists, the fiancee of slain Saudi journalist Jamal Khashoggi and an ex-wife of the ruler of Dubai – has occurred since a consortium of international news organisations reported in July on a list of possible NSO Group surveillance targets.
NSO Group denied ever maintaining such a list.