Date: 2021-07-19

The media consortium analyzed the list through interviews and forensic analysis of the phones, and by comparing details with previously reported information about NSO. Amnesty's Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.

For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty's detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

Amnesty shared backup copies of data on four iPhones with Citizen Lab, which confirmed that they showed signs of Pegasus infection. Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus, also conducted a peer review of Amnesty's forensic methods and found them to be sound.

In lengthy responses, NSO called the investigation's findings exaggerated and baseless. It also said it does not operate the spyware licensed to its clients and "has no insight" into their specific intelligence activities.

NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.

Forbidden Stories organized the media consortium's investigation, titled the Pegasus Project, and Amnesty provided analysis and technical support but had no editorial input. Amnesty has openly criticized NSO's spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked. After the investigation began, several reporters in the consortium learned that they or their family members had been successfully attacked with Pegasus spyware.

Beyond the personal intrusions made possible by smartphone surveillance, the widespread use of spyware has emerged as a leading threat to democracies worldwide, critics say. Journalists under surveillance cannot safely gather sensitive news without endangering themselves and their sources. Opposition politicians cannot plot their campaign strategies without those in power anticipating their moves. Human rights workers cannot work with vulnerable people - some of whom are victims of their own governments - without exposing them to renewed abuse.

For example, Amnesty's forensics found evidence that Pegasus was targeted at the two women closest to Saudi columnist Khashoggi, who wrote for The Post's Opinions section. The phone of his fiancee, Hatice Cengiz, was successfully infected during the days after his murder in Turkey on Oct. 2, 2018, according to a forensic analysis by Amnesty's Security Lab. Also on the list were the numbers of two Turkish officials involved in investigating his dismemberment by a Saudi hit team. Khashoggi also had a wife, Hanan Elatr, whose phone was targeted by someone using Pegasus in the months before his killing. Amnesty was unable to determine whether the hack was successful.

"This is nasty software - like eloquently nasty," said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it "one could spy on almost the entire world population. … There's not anything wrong with building technologies that allows you to collect data; it's necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody."

In response to detailed questions from the consortium, NSO said in a statement that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children. "Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds," NSO said. "Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims."

The company denied that its technology was used against Khashoggi, or his relatives or associates.

"As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi. This includes listening, monitoring, tracking, or collecting information. We previously investigated this claim, immediately after the heinous murder, which again, is being made without validation."

The company added: "NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations. This includes shutting down of a customers' system, something NSO has proven its ability and willingness to do, due to confirmed misuse, done it multiple times in the past, and will not hesitate to do again if a situation warrants."

Thomas Clare, a libel attorney hired by NSO, said that the consortium had "apparently misinterpreted and mischaracterized crucial source data on which it relied" and that its reporting contained flawed assumptions and factual errors.

"NSO Group has good reason to believe that this list of 'thousands of phone numbers' is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes," Clare wrote.

In response to follow-up questions, NSO called the 50,000 number "exaggerated" and said it was far too large to represent numbers targeted by its clients. Based on the questions it was being asked, NSO said, it had reason to believe that the consortium was basing its findings "on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies."

The term HLR, or Home Location Register, refers to a database that is essential to operating cellular phone networks. Such registers keep records on the networks of cellphone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. HLR lookup services operate on the SS7 system that cellular carriers use to communicate with each other. The services can be used as a step toward spying on targets.

Telecommunications security expert Karsten Nohl, chief scientist for Security Research Labs in Berlin, said that he does not have direct knowledge of NSO's systems but that HLR lookups and other SS7 queries are widely and inexpensively used by the surveillance industry - often for just tens of thousands of dollars a year.

"It's not difficult to get that access. Given the resources of NSO, it'd be crazy to assume that they don't have SS7 access from at least a dozen countries," Nohl said. "From a dozen countries, you can spy on the rest of the world."

Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills. The Israeli Defense Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.

The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.

"We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers," the company said in its statement. "It is technologically impossible and reaffirms the fact your sources' claims have no merit."

Apple and other smartphone manufacturers are years into a cat-and-mouse game with NSO and other spyware makers.

"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals," said Ivan Krstić, head of Apple Security Engineering and Architecture. "While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."

Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO's ability to adapt to countermeasures.

Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.

"There is just nothing from an encryption standpoint to protect against this," said Claudio Guarnieri, a.k.a. "Nex," the Amnesty Security Lab's 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.

That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. "Primarily I'm here just to keep the death count," he said.

The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call "zero-click" attacks, which deliver spyware simply by sending a message to a user's phone that produces no notification. Users do not even need to touch their phones for infections to begin.

Many countries have laws pertaining to traditional wiretapping and interception of communications, but few have effective safeguards against deeper intrusions made possible by hacking into smartphones. "This is more devious in a sense because it really is no longer about intercepting communications and overhearing conversation. … This covers all of them and goes way beyond that," Guarnieri said. "It has raised a lot of questions from not only human rights, but even national constitutional laws as to is this even legal?"

Clare, NSO's attorney, attacked the forensic examinations as "a compilation of speculative and baseless assumptions" built on assumptions based on earlier reports. He also said, "NSO does not have insight into the specific intelligence activities of its customers."

The Pegasus Project's findings are similar to previous discoveries by Amnesty, Citizen Lab and news organizations worldwide, but the new reporting offers a detailed view of the personal consequences and scale of surveillance and its abuses.

The consortium analyzed the list and found clusters of numbers with similar country codes and geographical focus that align with previous reporting and additional research about NSO clients overseas. For example, Mexico has been previously identified in published reports and documents as an NSO client, and entries on the list are clustered by Mexican country code, area code and geography. In several cases, clusters also contained numbers from other countries.

In response to questions from reporters, spokespeople for the countries with clusters either denied Pegasus was used or denied that their country had abused their powers of surveillance.

Hungarian Prime Minister Viktor Orban's office said any surveillance carried out by that nation is done in accordance with the law.

"In Hungary, state bodies authorized to use covert instruments are regularly monitored by governmental and non-governmental institutions," the office said. "Have you asked the same questions of the governments of the United States of America, the United Kingdom, Germany or France?"

Moroccan authorities responded: "It should be recalled that the unfounded allegations previously published by Amnesty International and conveyed by Forbidden Stories have already been the subject of an official response from the Moroccan authorities, who have categorically rejected these allegations."

Vincent Biruta, Rwanda's foreign affairs minister, also denied the use of Pegasus.

"Rwanda does not use this software system, as previously confirmed in November 2019, and does not possess this technical capability in any form," Biruta said. "These false accusations are part of an ongoing campaign to cause tensions between Rwanda and other countries, and to sow disinformation about Rwanda domestically and internationally."

Carmen Aristegui, one of the most prominent investigative journalists in Mexico, is routinely threatened for exposing the corruption of the nation's politicians and cartels. She was previously revealed as a Pegasus target in several media reports. (Bernardo Montoya/AFP/Getty Images)

Some expressed outrage even at the suggestion of spying on journalists.

A reporter for the French daily Le Monde working on the Pegasus Project recently posed such a question to Hungarian Justice Minister Judit Varga during an interview about the legal requirements for eavesdropping:

"If someone asked you to tape a journalist or an opponent, you wouldn't accept this?"

"What a question!" Varga responded. "This is a provocation in itself!" A day later, her office requested that this question and her answer to it "be erased" from the interview.

In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first "Transparency and Responsibility Report" last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.

"Terror organizations, drug cartels, human traffickers, pedophile rings and other criminal syndicates today exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications.

"These technologies provide criminals and their networks a safe haven, allowing them to 'go dark' and avoid detection, communicating through impenetrable mobile messaging systems. Law enforcement and counterterrorism state agencies around the world have struggled to keep up."