Military-grade spyware leased by the Israeli firm NSO Group to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and the two women closest to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners led by the Paris-based journalism nonprofit Forbidden Stories.
Forbidden Stories and Amnesty International, a human rights group, had access to a list of more than 50,000 numbers and shared it with the news organizations, which did further research and analysis. Amnesty’s Security Lab did forensic examination of the phones.
Here are key takeaways from the investigation:
1. Phones identified from a sprawling list: Thirty-seven targeted smartphones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found. The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 phones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance attempts, in some cases as brief as a few seconds.
2. Politicians, journalists, activists found on list: The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials — including cabinet ministers, diplomats and military and security officers, as well as several heads of state and prime ministers. The purpose of the list could not be conclusively determined.
3. Company says it polices its clients for abuses: The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses. NSO Chief Executive Shalev Hulio said Sunday that he was “very concerned” by The Post’s reports. “We are checking every allegation, and if some of the allegations are true, we will take stern action, and we will terminate contracts like we did in the past.” He added, “If anybody did any kind of surveillance on journalists, even if it’s not by Pegasus, it’s disturbing.”