50,000 phone numbers worldwide on list linked to Israeli spyware Pegasus
An Israeli firm accused of supplying spyware to governments has been linked to a list of 50,000 smartphone numbers, including those of activists, journalists, business executives and politicians around the world, according to reports Sunday.
Israel’s NSO Group and its Pegasus malware have been in the headlines since at least 2016, when researchers accused it of helping spy on a dissident in the United Arab Emirates.
Sunday’s revelations raise privacy and rights concerns, and reveal the far-reaching extent to which the private Israeli company’s software may be being misused by its clients internationally.
The extent of the use of Pegasus was reported by The Washington Post, the Guardian, Le Monde and other news outlets who collaborated on an investigation into a data leak.
The leak was of a list of more than 50,000 smartphone numbers believed to have been identified as people of interest by clients of NSO since 2016, the media outlets said.
The Post said the list was shared with the news organizations by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International. The newspaper said the total number of phones on the list that were actually targeted or surveilled is unknown.
The Post said 15,000 of the numbers on the list were in Mexico and included those of politicians, union representatives, journalists and government critics.
The list reportedly included the number of a Mexican freelance journalist who was murdered at a carwash. His phone was never found, and it was not clear if it had been hacked.
Indian investigative news website The Wire reported that 300 mobile phone numbers used in India — including those of government ministers, opposition politicians, journalists, scientists and rights activists — were on the list.
The numbers included those of more than 40 Indian journalists from major publications such as the Hindustan Times, The Hindu and the Indian Express, as well as two founding editors of The Wire, it said.
The Indian government denied in 2019 that it had used the malware to spy on its citizens after WhatsApp filed a lawsuit in the United States against NSO, accusing it of using the messaging platform to conduct cyber espionage.
The Post said a forensic analysis of 37 of the smartphones on the list showed there had been “attempted and successful” hacks of the devices, including those of two women close to Saudi journalist Jamal Khashoggi, who was murdered in 2018 by a Saudi hit squad.
Among the numbers on the list are those of journalists for Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El Pais, the Associated Press, Le Monde, Bloomberg, The Economist, Reuters and Voice of America, the Guardian said.
The use of the Pegasus software to hack the phones of Al-Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research center at the University of Toronto, and Amnesty International.
The Post said the numbers on the list are unattributed, but the media outlets participating in the project were able to identify more than 1,000 people in more than 50 countries.
They included several members of Arab royal families, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials including heads of state, prime ministers and cabinet ministers.
The reports said many numbers on the list were clustered in 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
Moroccan security services used the spyware to target around 30 French journalists and media executives, according to the investigation.
Pegasus is reportedly a highly invasive tool that can switch on a target’s phone camera and microphone, as well as access data on the device, effectively turning a phone into a pocket spy.
In some cases, it can be installed without the need to trick a user into initiating a download.
NSO issued a denial on Sunday that focused on the report by Forbidden Stories, calling it “full of wrong assumptions and uncorroborated theories,” and threatened a defamation lawsuit.
“We firmly deny the false allegations made in their report,” NSO said.
“As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi,” the company said.
“We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts,” it said.
Citizen Lab reported in December that about three dozen journalists at Qatar’s Al-Jazeera network had their mobile devices targeted by Pegasus malware.
Amnesty International reported in June of last year that Moroccan authorities used NSO’s Pegasus software to insert spyware onto the cellphone of Omar Radi, a journalist convicted over a social media post.
At the time, NSO told AFP that it was “deeply troubled by the allegations” and was reviewing the information.
Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, NSO Group is based in the Israeli hi-tech hub of Herzliya, near Tel Aviv. It says it employs hundreds of people in Israel and around the world.