Concerns that phone-hacking software may have been used to spy on political opponents spark fury
Revelations about the use of spying tools sold to governments by NSO Group sparked furious political rows across the world on Monday after evidence emerged to suggest the surveillance firm’s clients may have sought to target their political opponents.
Amid growing concern over the apparent abuse of NSO’s powerful phone-hacking spyware, Pegasus, Amazon confirmed it already had cut some of its ties to the Israeli surveillance company. The stock price of Apple dipped amid worries about the privacy and security of its handsets.
NSO claims its surveillance tools are sold to carefully vetted government clients who are only permitted to use them for legitimate investigations into crime and terrorism. However, the Pegasus project, a consortium of media outlets including the Guardian, revealed that:
What is in the Pegasus project data?
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies”.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
At least 50 people close to Mexico’s president, Andrés Manuel López Obrador – including his wife, children, aides and doctor – were included in the list of possible targets when he was an opposition politician.
Rahul Gandhi, the most prominent political rival of the Indian prime minister, Narendra Modi, was twice selected as a potential target in leaked phone number data.
Carine Kanimba, the American daughter of Paul Rusesabagina, the imprisoned Rwandan activist who inspired the film Hotel Rwanda, has been victim of multiple attacks using NSO spyware, according to a forensic analysis of her mobile phone, although Rwanda denies it has the NSO technology.
Whistleblower Edward Snowden said he feared Pegasus was potentially so powerful that it and spyware like it should be banned from international sale. “If they find a way to hack one iPhone, they’ve found a way to hack all of them,” Snowden said, arguing spyware should be treated in a similar way to nuclear weapons where trade in the technology is heavily restricted.
Apple’s stock price fell 2.4% by lunchtime amid concerns that NSO’s Pegasus software can infiltrate and take over the latest versions of iPhones without a single click from their owner. The spyware software, which can also infect Android devices using different exploits, can secretly extract and monitor the contents of a device, potentially turning on its microphone for surveillance purposes.
Apple insists it leads the industry in security innovation and insists iPhones are “the safest, most secure consumer mobile device on the market”.
Amazon said it had stopped providing network services for NSO once it had learned of potential abuses of its technology, confirming it “acted quickly to shut down the relevant infrastructure and accounts”.
What is the Pegasus project?
The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.
Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.
Meanwhile, the revelations about possible political espionage prompted a backlash in numerous countries.
The former Mexican president Felipe Calderón said he was subject to “an unjustifiable violation of [one’s] rights” when he learned he may have been selected for potential targeting, not long after his wife, Margarita Zavala, announced a run for president with the rightwing National Action party in 2015. Zavala and members of her campaign team were also selected for potential targeting, according to the leaked data.
In Hungary, where Viktor Orbán’s government stands accused of using NSO’s hacking software against journalists, opposition MPs said they would convene an extraordinary meeting of parliament’s national security committee to discuss the allegations.
“If any part of this is true, even half of it, it’s one of the deepest national security scandals I have seen,” said opposition MP Péter Ungár, who sits on the committee.
In response, Hungary’s deputy prime minister, Katalin Novák, said she “would not like to comment on press rumours”, while the foreign minister, Péter Szijjártó, said Hungarian foreign intelligence did not use Pegasus, and he was “not aware” as to whether domestic agencies used it.
European leaders also voiced anxiety about the deployment of NSO in Europe, with one calling for MEPs to hold their own inquiry. “No more ‘deeply concerned’… the EU has a dictatorship growing inside of it,” wrotethe MEP, former Belgian prime minister and longtime Orbán critic, Guy Verhofstadt, on Twitter, in response to the Pegasus project allegations. “We need a full inquiry by the European parliament!”
“Freedom of the press is a core value of the European Union,” said the European Commission chief, Ursula von der Leyen, on Monday while on a visit to Prague. She said if the allegations were true, “it is completely unacceptable”.
In India, the opposition Congress party accused Narendra Modi’s government of being the “deployer and executor” of a “spying racket”.
Gandhi said: “If your information is correct, the scale and nature of surveillance you describe goes beyond an attack on the privacy of individuals. It is an attack on the democratic foundations of our country. It must be thoroughly investigated and those responsible be identified and punished.”
The Indian government denied any wrongdoing. IT minister Ashwini Vaishnaw denied the “over-the-top” media reports, which he described as “an attempt to malign Indian democracy and its well-established institutions”. But a few hours later it emerged that Vaishnaw was also among those whose numbers had been selected as a potential target, back in 2017, before he was an elected MP.
NSO Group has always said it does not have access to the data of its customers’ targets. In statements issued through it lawyers, NSO said that the Pegasus project reporting consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the leaked data could not be a list of numbers “targeted by governments using Pegasus”.
In his first public comments since media the disclosures began, Shalev Hulio, the founder and chief executive of NSO, said he continued to dispute that the leaked data “has any relevance to NSO”, but added that he was “very concerned” about the reports and promised to investigate them all. “We understand that in some circumstances our customers might misuse the system,” he said.