A UAE agency put Pegasus spyware on phone of Jamal Khashoggi's wife months before his murder, new forensics show
Emirates flight attendant Hanan Elatr surrendered her two Android cellphones, laptop and passwords when security agents surrounded her at the Dubai airport. They drove her, blindfolded and in handcuffs, to an interrogation cell on the edge of the city, she said. There, she was questioned all night and into the morning about her fiance, Saudi journalist Jamal Khashoggi.
The next day, at 10:14 a.m. on April 22, 2018, while her devices were still in official custody, someone opened the Chrome browser on one of the Androids.
They tapped in the address of a website, "https://myfiles[.]photos/1gGrRcCMO," on the phone's keyboard, fumbling over the tiny keys, making two typos, and then pressed "go," according to a new forensic analysis by cybersecurity expert Bill Marczak of Citizen Lab. The process took 72 seconds.
The website sent the phone a powerful spyware package, known as Pegasus, according to the new analysis.
Over the next 40 seconds, the phone sent 27 status reports from its web browser to the website's server, updating the progress it was making installing the spyware.
The spyware had been developed by an Israeli firm, NSO Group, for what it says is use against terrorists and criminals. The website was configured by NSO for a United Arab Emirates customer, said Marczak, whose research group is based at the University of Toronto and devoted to uncovering cyberespionage.
The new analysis provides the first indication that a UAE government agency placed the military-grade spyware on a phone used by someone in Khashoggi's inner circle in the months before his murder.
"We found the smoking gun on her phone," said Marczak, who examined Elatr's two Androids at The Washington Post's and her request. Emirati authorities returned them to her several days after her release.
Marczak said he could see the Android trying to install Pegasus, but he could not determine whether the spyware had successfully infected the phone, which would enable Pegasus to steal its contents and turn on its microphone. But he said the UAE operator did not type the website address in a second time, which would ordinarily be expected in the event of a failed first attempt.
Elatr's phone was confiscated just after she and Khashoggi had gotten engaged and were in a long-distance relationship. Because both traveled frequently, with Elatr based in Dubai and Khashoggi in Washington, they often discussed travel and meeting plans in the United States and abroad using apps on their phones, according to Elatr and her phone records.
Marczak discovered the https://myfiles[.]photos address in 2017 while researching the presence of Pegasus spyware on global networks. By scanning the internet, Citizen Lab was able to identify a network of computers and more than a thousand web addresses used to deliver Pegasus spyware to the phones of targets in 45 countries, according to the group's landmark "Hide and Seek" report. The methodology has been used by other cyber-researchers to identify Pegasus hacks worldwide.
The researchers found a particular set of web addresses, including https://myfiles[.]photos, associated with Pegasus targets primarily in the UAE.
Working with an international journalism consortium led by the Paris-based nonprofit Forbidden Stories, The Washington Post reported in July that an unknown operator employing Pegasus sent five SMS text messages over an 18-day period in November 2017 and a sixth one on April 15, 2018, according to an analysis by Amnesty International's Security Lab of Elatr's Androids. The research could not determine if the texts resulted in Pegasus being installed inside the phone.
Marczak's research advances the understanding of what happened to Elatr's phone by identifying a UAE agency operator in the process of trying to install Pegasus on the device while she was in UAE custody. He also found forensic data indicating her Android was trying to install Pegasus.
Following The Post's report in July, NSO Group chief executive Shalev Hulio said a thorough check of the firm's client records showed none had used Pegasus to attack the phones of Khashoggi or Elatr before a Saudi hit team murdered him in Istanbul on Oct. 2, 2018.
"Regarding the wife of Saudi journalist Jamal Khashoggi . . . We checked and she was not a target," Hulio told an Israeli technology publication in July. "There are no traces of Pegasus on her phone because she was not a target."
After The Post's most recent reporting, NSO's attorney, Thomas Clare, said, "NSO Group conducted a review which determined that Pegasus was not used to listen to, monitor, track, or collect information about Ms. Elatr. The Post's continued efforts to falsely connect NSO Group to the heinous murder of Mr. Khashoggi are baffling."
Clare said the premise was "deeply flawed" and the details "make no sense from a technical standpoint." He said Pegasus is installed remotely and that it would therefore be "completely unnecessary and make no sense" that a human would type the address of a Pegasus-linked website into a target's phone.
That capability is described in NSO's own marketing materials, first published in an unauthorized leak in 2014. The documents were filed as an exhibit in an ongoing lawsuit WhatsApp brought against NSO in 2019, alleging that Pegasus used the WhatsApp messaging service to infect phones. The materials state, "When physical access to the device is an option, the Pegasus agent can be manually injected and installed in less than five minutes."
Clare acknowledged that the spyware uses SMS texts to send website links that deliver Pegasus attacks. But he said that "technological safeguards prevent" this method from being used six times in an 18-day period. The NSO marketing materials say that "the system operator can choose to send a regular text message (SMS) or an email, luring the target to open it . . . although the target clicked the link they will not be aware that software is being installed on their device."
Clare said the marketing materials "are outdated and do not necessarily provide accurate descriptions of the software's capabilities and limitations as of 2018."
The Israeli Ministry of Defense requires NSO to get its approval before selling Pegasus to a foreign country to ensure the sale is in Israel's national interest. NSO says it has sold Pegasus to 60 government agencies in 40 countries.
NSO said it has no visibility into the real-time targeting of individuals by its clients after it licenses its software to them. But the firm can demand access to customer records to investigate allegations of abuse. The company has said it has shut down five clients in the past several years and foregone millions of dollars in revenue because of its concern for human rights. It also said its technology has saved many lives by enabling law enforcement agencies to catch terrorists and criminals.
"There is one thing I want to say: We built this company to save life. Period," Hulio told The Post in July.
He said of the reports of the attacks on journalists and other abuse: "It's horrible. I am not minimizing it. But this is the price of doing business. . . . This technology was used to handle literally the worst this planet has to offer. Somebody has to do the dirty work."
The international investigation found that authoritarian governments have used Pegasus against journalists, human rights defenders, diplomats, lawyers and pro-democracy opposition leaders. New revelations continue to roll out. France found traces of the spyware on the phones of five ministers. The U.S. State Department announced that indications of Pegasus were found on the phones of 11 employees in Uganda. After initial denials, Hungary admitted it used the spyware.
Countries have responded forcefully. The United States, Britain and France each spoke with high-level Israeli officials to express their consternation. The Biden administration blacklisted NSO Group from receiving access to certain U.S. technologies last month, adding it to an "entities list" reserved for companies whose activities are "contrary to the national security or foreign policy interests of the United States." NSO said it was "dismayed" by the move and is seeking its reversal. Apple is suing NSO to prevent it from targeting iPhones with Pegasus in the future.
"I'm glad governments are beginning to understand that the lack of regulation can lead to deadly consequences," said Randa Fahmy, Elatr's Washington-based pro bono attorney.
The UAE, a federation of monarchies in the Persian Gulf, has been one of NSO's most notorious clients. It has used Pegasus against anti-regime activists, journalists and even a royal princess attempting to escape her father, the international media investigation and others have found. In October, a British court revealed that NSO Group ended its contract with the UAE because Dubai's ruler had used it to hack the phones of his ex-wife and her lawyer, a member of Britain's House of Lords.
The UAE continues to deny all allegations against it. The UAE Embassy in Washington did not respond to multiple requests for comment. In the past, the UAE has denied allegations that it used Pegasus against human rights activists and other civil society figures.
The UAE is a longtime ally of Saudi Arabia. In 2013, the two countries signed a mutual security agreement promising cooperation on intelligence and law enforcement matters. The UAE has spied on Saudi dissidents abroad and sent them to Riyadh, according to human rights groups and a recent lawsuit filed in federal court in Portland, Ore., on behalf of an imprisoned Saudi human rights activist.
- - -
Three years ago, Hanan Elatr was a globe-trotting supervisor for the Emirates airlines. She was married to a pro-democracy icon and earning a salary that allowed her to support her mother and siblings. Today, she said, she fears for her life.
"Every day when I see the daylight, I don't know why I'm still alive, because I'm the second victim after Jamal in this tragedy," she said in a recent interview, tearing up. "I lost my life . . . I used to provide for my family and now I can't even find my own food."
She has spent most of her savings and for a time was sleeping on an air mattress in an empty apartment. At age 53, she recently moved into a basement bedroom of a stranger while waiting for her political asylum case to work its way through the system.
With the help of Rep. Jamie Raskin, D-Md., she recently received a temporary work visa. In addition to organizing her new life, she dresses in her finest clothes and high heels, does her makeup and hair and then takes the Metro or buses to job interviews at local hotels and restaurants. Last week she landed a job as a waitress for $2.70 an hour plus tips.
Elatr said she feels forgotten in the wake of Khashoggi's murder. She found out he had disappeared via Twitter after waking up from a long flight, alone in her apartment in Dubai. While she was dealing with the likelihood he had been murdered, she was also learning that he was planning to marry another woman, an accepted practice among Muslims in some countries.
His new fiancee, Hatice Cengiz, was waiting for him outside the Saudi consulate in Istanbul. He had gone there to obtain a document necessary to marry her. Instead, he was murdered with the approval of Saudi leader Mohammed bin Salman, U.S. intelligence agencies later concluded. Mohammed has denied any involvement, and some of his underlings have been convicted and sentenced for the crime.
Cengiz, whom Le Monde later dubbed the "unofficial heiress of Jamal Khashoggi," became an effective spokeswoman in front of the crowd of television cameras that gathered outside the consulate.
Elatr, meanwhile, has struggled for attention. She was Khashoggi's fourth wife, after his three divorces. Many of Khashoggi's friends in Washington did not know about his marriage to her in Virginia in June 2018.
"Nobody knew her. Jamal had kept it a secret," said Sarah Leah Whitson, a longtime human rights advocate and the executive director of Democracy for the Arab World Now (DAWN), a Mideast-focused organization founded by Khashoggi. "I don't know what was going on in his head."
Amnesty International's initial steps to help Elatr as far back as May are still tangled in bureaucracy and miscommunication seven months later, according to correspondence between the organization and Elatr's attorney. The organization said it has been overwhelmed by surges in refugees and said that "unfortunately there were unexpected delays" in handling Elatr's case, but it intends to reconnect with her to complete a review of the matter.
In Turkey, Cengiz's life has been demolished, too, she told The Post in an interview in Istanbul this summer. Turkey has assigned her constant bodyguards, and safety considerations prevent her from traveling in the region and remaining in her academic position.
"In the case of both Hanan and Hatice, their lives have been completely upended. Both have paid a tremendous price," said Whitson. "Hanan has been interrogated and harassed by the UAE and is in dire financial straits and Hatice," too, is suffering.
- - -
On the evening of April 21, 2018, Elatr had finished a 15-hour flight from Toronto to the UAE, weary and ready for bed, when she entered immigration as usual at Dubai International Airport. She immediately noticed a cluster of official-looking men staring at her. She knew that Khashoggi was a target because of his human rights advocacy. She rushed to the bathroom to call her sister.
"Something is not right," she remembers telling her in the toilet stall. She quickly deleted WhatsApp, which she and Khashoggi used to communicate. When she came out of the restroom, a large man trapped her on one side and the sole woman in the group on the other. "Walk with us quietly and behave," the man whispered.
She felt sick and began shaking uncontrollably, she said. The agents drove her to her home, blindfolded and in handcuffs, to search for documents and computers, according to her sworn affidavit in her asylum case. Three friends of Elatr's have given her lawyers affidavits attesting that Elatr recounted the same facts to them soon after she was released.
Then they drove her to the Al Awir Central Jail, a large high-security complex, on the edge of the city. She was fingerprinted. Agents took a DNA swab from her mouth. They photographed her face from various angles. And then more intense questions about Khashoggi began late at night and into the morning.
She recalled them asking: What are Jamal's activities? Who is Jamal's network? What is Jamal's income? How is Jamal's health? She answered every question, she said. She said she told them there was no network preparing to topple the Gulf monarchies. Yes, Khashoggi wanted political activists freed from Saudi prisons. Yes, he favored democracy and respect for human rights in the Arab world. But the royal families should have roles, too, like those in Britain and Sweden. When the agents left her alone, she slid onto the floor to sleep.
The agents brought her back to her house after 17 hours, but she was put under house arrest for 10 days. The interrogations and months-long stints of house arrests continued over the next year, as did phone harassment by her intelligence agency handler, who called himself Mohammed Abdu, she said. Elatr's siblings in Dubai and Egypt also were interrogated and had their passports confiscated when they tried to travel to see their ailing mother or visit Elatr.
Unbeknown to Elatr, the Emiratis had been using Pegasus to try to spy on her as far back as November 2017, according to Amnesty's Security Lab. It was a period of telephonic courtship between two people always on the go, as she traveled for the airlines and he gave speeches and met associates in Europe and Turkey.
The profilers designed fake SMS messages to get her to click on a link and infect her phones: They tempted her with a flower bouquet she would receive at home with one click, photos from her sister Mona if she would click on another link, a package waiting at the office of a common Emirati carrier, if she would click on yet another.
The beginning of April was a big week for Elatr and Khashoggi. He had proposed to her on April 3, she said, and gave her an engagement ring. Pegasus was used in an attack on one of her phones again on April 15, 2018, with an SMS message using the "myfiles[.]photos" website address, the same one the agent would type into one of the Androids a week later.
The couple continued to meet and communicate by phone, using multiple new apps that Khashoggi told Elatr he hoped would make it harder for him to be surveilled. Just past midnight on Sept. 7, their last in-person meeting, she texted him after she had landed in New York City. They planned to stay together at the Sheraton Hotel.
Three weeks later she sent him her flight schedule, which had her arriving at Dulles International Airport on an Oct. 20 flight to Washington, where they planned to meet again.
On Sept. 30, Khashoggi was in Turkey arranging to marry Cengiz but sent Elatr birthday greetings from two phones. One message read: "Bless you, happy birthday, may you be well and happy this year."
On Oct. 1, at 2:12 a.m., she replied: "I appreciate it a lot and hope you are well and happy . . . from the plane back to Dubai."
The next day he was murdered.
Elatr intends to ask Turkish authorities for his phones. The authorities have refused to release them or to publicly share what they have learned. As relations warm between Turkey and Saudi Arabia and the UAE, Elatr doubts she will ever get answers.
"I feel very devastated that I might be the tool to watching Jamal," Elatr recently told The Post. "I want to know how many countries were watching my husband move and what were the tools used against my husband."