The UN has demanded closer regulation of surveillance tech following extensive phone-hacking revelations.
Activists, journalists and politicians around the world have been spied on using cellphone malware developed by a private Israeli firm, it emerged Sunday.
The use of the software, called Pegasus and developed by Israel’s NSO group, was exposed in a data leak containing 50,000 phone numbers that belong to people targeted by NSO’s clients since 2016.
Among those clients are some of the world’s most-repressive government regimes, including Hungary, Saudi Arabia and Morocco.
But Hungary and Morocco have both denied using Pegasus spyware.
UN Rights Chief Michelle Bachelet said in a statement on Monday that the reports about the Pegasus spyware ‘confirm the urgent need to better regulate the sale, transfer and use of surveillance technology and ensure strict oversight and authorisation’.
UN Rights Chief Michelle Bachelet said in a statement on Monday that the reports about the Pegasus spyware ‘confirm the urgent need to better regulate the sale, transfer and use of surveillance technology and ensure strict oversight and authorisation’
Bachelet described the revelations as ‘extremely alarming’, saying they ‘seem to confirm some of the worst fears about the potential misuse of surveillance technology.’
She recalled that the UN had repeatedly flagged the dangers of authorities using surveillance tools to hack phones and computers of legitimate journalists, activists and political opponents in the name of public safety.
‘Use of surveillance software has been linked to arrest, intimidation and even killings of journalists and human rights defenders,’ she added, also warning that broad use of such technologies could lead to self-censorship.
The UN High Commissioner for Human Rights said surveillance measures can only be justified ‘in narrowly defined circumstances, with a legitimate goal’ such as ‘investigations into serious crimes and grave security threats.’
‘If the recent allegations about the use of Pegasus are even partly true, then that red line has been crossed again and again with total impunity.’
Bachelet said companies involved in developing and distributing surveillance technologies should ensure their technologies are not used to violate human rights.
Meanwhile Hungary and Morocco have both denied using Pegasus spyware.
Hungarian Foreign Minister Peter Szijjarto denied Monday media reports that Budapest used software to infiltrate the smartphones of journalists and other public figures.
‘The government has no knowledge of this type of data collection,’ Szijjarto told a press conference, adding that Hungary’s intelligence agency did not use the Pegasus software ‘in any way’.
Morocco also ‘categorically rejects’ claims its intelligence services had used Israeli spyware Pegasus to monitor critics at home and abroad, a government statement said today.
Rabat said it had ‘never acquired computer software to infiltrate communication devices’ and denied it had ‘infiltrated the phones of several national and international public figures and heads of international organisations through computer software’.
One of those targeted was Hanan Elatr, the wife of Saudi-born Washington Post journalist Jamal Khashoggi (pictured together before Khashoggi was assassinated inside the Saudi consulate in Istanbul on October 2, 2018)
Roula Khalaf (pictured), who became the Financial Times’ first female editor last year, was selected as a potential target throughout 2018. Analysis of the data suggests Khalaf’s phone was selected as a possible target by the United Arab Emirates (UAE) while she was deputy editor at the Financial Times
Pegasus: How powerful spyware used to hack journalists works
Pegasus is a powerful piece of ‘malware’ – malicious computer software – developed by Israeli security firm NSO Group.
This particular form of malware is known as ‘spyware’, meaning it is designed to gather data from an infected device without the owner’s knowledge and forward it on to a third party.
While most spyware is limited in scope – harvesting data only from specific parts of an infected system – Pegasus appears much more powerful, allowing its controller near-unlimited access to and control over an infected device.
This includes accessing contact lists, emails, and text messages, along with stored photos, videos and audio files.
Pegasus can also be used to take control of the phone’s camera or microphone to record video and audio, and can access GPS data to check where the phone’s owner has been.
And it can also be used to record any new incoming or outgoing phone calls.
Early versions of the virus infected phones using crude ‘phishing’ attacks in which users are conned into downloading the virus on to their own phones by clicking on a malicious link sent via text or email.
But researchers say the software has become much more sophisticated, exploiting vulnerabilities in common phone apps to launch so-called ‘zero-click’ attacks which can infect devices without the user doing anything.
For example, in 2019 WhatsApp revealed that 1,400 people had been infected by NSO Group software using a so-called ‘zero day’ fault – a previously unknown error – in the call function of the app.
Users were infected when a call was placed via WhatsApp to their phones, whether they answered the call or not.
More recently NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones.
Apple says it is continually updating its software to prevent such attacks, though human rights group Amnesty says it has uncovered successful attacks on even the most up-to-date iOS systems – carried out this month.
NSO Group says that Pegasus can also be installed on devices using wireless transceivers located near the target, or can be booted directly on to the device if it is stolen first.
A joint investigation by several Western media outlets said Sunday that numerous activists, journalists, executives and politicians around the world had been spied on using the software developed by Israeli firm NSO.
One of those targeted was Hanan Elatr, the wife of Saudi-born Washington Post journalist Jamal Khashoggi, who was murdered by a Saudi hit squad in 2018.
Her phone – as well as that of a second female associate – was allegedly targeted before his death. The leak appeared to confirm Saudi involvement in the murder.
Another key figure on the list was Roula Khalaf, who became the Financial Times’ first female editor last year, and according to The Guardian was selected as a potential target throughout 2018.
Analysis of the data suggests Khalaf’s phone was selected as a possible target by the United Arab Emirates (UAE) while she was deputy editor at the Financial Times.
The data was initially leaked to human rights group Amnesty and not-for-profit group Forbidden Stories, which helps promote the work of persecuted reporters.
It was then shared with a consortium of other newspapers, including the likes of the Washington Post whose journalists were targeted.
If a number appears on the leaked list, then it means that phone was targeted for hacking – though it cannot be conclusively proved whether the hack was successful.
However, Amnesty did confirm that at least 15 people on the list were successfully hacked after they handed over their phones to the group to be examined.
Among those confirmed cases were Siddharth Varadarajan and Paranjoy Guha Thakurta, of Indian news site Wire, who have worked on stories about the Indian government spreading disinformation online.
Omar Radi, a Moroccan journalist who has published repeated exposes of government corruption, was also among those successfully hacked.
The data also shows that the phone of Mexican freelance journalist Cecilio Pineda Birto was also selected a month before he was murdered by gun-wielding attackers at a car wash. His phone was never found and it was not clear if it had been hacked.
Another was award-winning Azerbaijani investigative journalist Khadija Ismayilova, who was confirmed to have been hacked in 2019.
For years, she has reported on a network of corruption surrounding president Ilham Aliyev who has ruled since 2003.
As a result of her work, she has long been the target of a harassment and intimidation which has included a hidden camera being installed in her home and a 2014 arrest on alleged tax evasion and ‘illegal business’ offences.
‘I feel guilty for the sources who sent me [information], thinking that some encrypted messaging ways are secure. They did it and they didn’t know my phone was infected,’ Ismayilova told The Guardian.
‘My family members are also victimised, people I’ve been working with. People who told me their private secrets are victimised. It’s not just me.’
Devices that are successfully hacked by Pegasus are effectively turned into 24-hour monitoring devices, allowing whoever sent the virus to keep constant tabs on them.
Hackers are given full access to all the phone’s data, including previous text messages and contact lists, along with stored audio, video and photo files.
They are able to take over the phone’s camera to record video, turn on the microphone to record audio, and can record any new calls made or received.
Hackers can even access the phone’s location data to see where the owner has been and potentially who they met with.
The revelations also appeared to confirm Saudi Arabia’s involvement in the murder of Khashoggi, who until his killing in 2018 was a Saudi Arabian journalist, author, columnist for The Washington Post and critic of the Saudi regime, an NSO client.
Based on leaked data and forensic analysis of phones, media outlets have found new evidence that the shows the company’s spyware was use in an attempt to monitor people close to the journalist before and after his death.
In one instance, a person close to Khashoggi was hacked four hays after his murder, according to forensic analysis of her device confirmed by multiple organisations.
The investigation suggests Saudi Arabia and its close ally the UAE attempted to use NSO’s technology to after Khashoggi’s death to monitor both his known associates and the Turkish investigation into his murder.
The phone of Istanbul’s chief prosecutor was even selected for possible surveillance.
Intelligence agencies in the US have already confirmed that Saudi crown prince, Mohammed bin Salman was responsible for ordering the murder of Khashoggi.
Among the numbers on the list are journalists for media organisations around the world including Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El País, the Associated Press, Le Monde, Bloomberg, the Economist, Reuters and Voice of America.
The use of the software to hack the phones of Al-Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research centre at the University of Toronto, and Amnesty International.
The Washington Post said numbers on the list also belonged to heads of state and prime ministers, members of Arab royal families, diplomats and politicians, as well as activists and business executives.
The list did not identify which clients had entered the numbers on it. But the reports said many were clustered in 10 countries – Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
The Guardian wrote that the investigation suggests ‘widespread and continuing abuse’ of Pegasus, which NSO says is intended for use against criminals and terrorists.
A successful Pegasus hack would given NSO customers full access to all data stored on the targeted device.
By hacking a journalist’s phone, for example, the customer could view their confidential sources, their address book, listen to their calls, track their movements precisely and even record their conversation by remotely activating the microphone.
Varadarajan, who was hacked in 2018 while he was investigating how the Hindu nationalist government of Narendra Modi was using Facebook to spread disinformation among Indian citizens, told The Guardian he felt ‘violated’.
The phone number of Indian Journalist Siddharth Varadarajan, pictured in 2020, was among those on the Pegasus list. Varadarajan and Paranjoy Guha Thakurta, of Indian news site Wire, have worked on stories about the Indian government spreading disinformation online
Azerbaijani investigative journalist Khadija Ismayilova was confirmed to have been hacked in 2019. She has reported on a network of corruption surrounding president Ilham Aliyev who has ruled since 2003
Mexican freelance journalist Cecilio Pineda Birto (pictured) was also selected a month before he was murdered by gun-wielding attackers at a car wash in 2017. His phone was never found and it was not clear if it had been hacked
‘This is an incredible intrusion and journalists should not have to deal with this,’ he said. ‘Nobody should have to deal with this, but in particular journalists and those who are in some way working for the public interest.’
Also included on the leaked records was a UK-based phone number belonging to American investigative journalist Bradley Hope, who at the time of his number being selected was working for the Wall Street Journal.
In 2018, Hope and his colleague Tim Wright contacted parties that would be named in their book about the 1MDB corruption scandal involving theft of $4.5bn from the state of Malaysia.
The released Pegasus records show that around the same time, one of NSO’s government clients began selecting Hope’s phone as a potential surveillance target, with his number being included on the list until the spring of 2019.
‘I think probably the number one thing that anyone targeting my phone would want to know is: who are my sources?’ Hope said to The Guardian. ‘They would want to know who it is that is providing this insight.’
Since then, Hope said that he regularly changes his mobile device, updates the operating system, and does not take his phone into high-risk countries such as the UAE, believed to be the government that selected him as a target.
Amnesty International and Forbidden Stories, a Paris-based media non-profit organisation, initially had access to the leak, which they then shared with media organisations.
NSO, a leader in the growing and largely unregulated private spyware industry, has previously pledged to police for abuses of its software.
It called the allegations exaggerated and baseless, according to The Washington Post, and would not confirm its clients’ identities.
Citizen Lab reported in December that dozens of journalists at Qatar’s Al-Jazeera network had their mobile communications intercepted by sophisticated electronic surveillance.
Amnesty International reported in June of last year that Moroccan authorities used NSO’s Pegasus software to insert spyware onto the cellphone of Omar Radi, a journalist convicted over a social media post.