Military-grade spyware leased by the Israeli firm NSO Group to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and the two women closest to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners led by the Paris-based journalism nonprofit Forbidden Stories.
Forbidden Stories and Amnesty International, a human rights group, had access to a list of more than 50,000 numbers and shared it with the news organizations, which did further research and analysis. Amnesty’s Security Lab did forensic examination of the phones. Thirty-seven targeted smartphones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.
Here are key takeaways from the investigation:
1. Apple iPhone shown to be vulnerable: The discovery on a list of phone numbers of 37 smartphones that had been either penetrated or attacked with Pegasus spyware fuels the debate over whether Apple has done enough to ensure the security of its devices, popular the world over for their reputation for resisting hacking attempts. Thirty-four of the 37 were iPhones. In September, Apple released a software update to fix the iMessage security flaw exploited by NSO Group’s Pegasus surveillance tool. In the months since, Apple has sued NSO Group in federal court, asking that NSO be prohibited from abusing Apple’s software.
2. NSO Group at the center of a global debate: The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses. NSO chief executive Shalev Hulio said in a lengthy late-night interview that he would “shut Pegasus down” if there were a better way to help governments deliver security. But he acknowledged that NSO’s ability to investigate abuse is crippled by its policy of having no visibility into clients’ activities. The United States sanctioned the company in November after determining that its phone-hacking tools had been used by foreign governments to “maliciously target” government officials, activists, journalists, academics and embassy workers around the world. A month later it was revealed that 11 U.S. diplomats’ phones had been hacked by Pegasus spyware.
3. Politicians, journalists, activists found on list: The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats and military and security officers, as well as 10 prime ministers, three presidents and one king. The purpose of the list could not be conclusively determined.
4. New details of hacking carry worldwide implications: Among the 37 phones confirmed to have been targeted, 10 were in India and another five in Hungary, most linked to journalists, activists or businesspeople. The finding will add to concerns about extralegal government surveillance conducted with private spyware in both countries. Hundreds more numbers from India and Hungary appear on the broader global list. A third country, Mexico, was home to nearly one-third of the numbers on the list, adding to questions about its past use of Pegasus software. Each country says it acts legally in carrying out any surveillance activity.
5. A princess raced to escape: In the years since commandos dragged Princess Latifa, a daughter of Dubai’s ruler, from her getaway yacht in the Indian Ocean in 2018, her friends and associates have wondered: How had her careful escape plan been foiled? A new investigation shows that in the days after she went missing, her phone number and those of friends were added to a list that also includes numbers of phones targeted by the powerful Pegasus spyware. Numbers for the ruler’s estranged wife, Princess Haya, and members of her legal and security team were also entered into the list when she fled later to London. The surveillance of the princesses was among the reasons the spyware’s owner, NSO Group, terminated Dubai’s contract, a person familiar with the company’s operations told The Post.