David Pegg and Paul Lewis in London, Michael Safi in Beirut, Nina Lakhani in Ciudad Altamirano
The Guardian / July 18, 2021
Data leak and forensics suggest NSO’s surveillance tool used against journalists at some of world’s top media companies.
The editor of the Financial Times is one of more than 180 editors, investigative reporters and other journalists around the world who were selected as possible candidates for surveillance by government clients of the surveillance firm NSO Group, the Guardian can reveal.
Roula Khalaf, who became the first female editor in the newspaper’s history last year, was selected as a potential target throughout 2018.
Her number is included in a leaked list of mobile phone numbers selected for possible surveillance by clients of NSO, an Israeli firm that manufactures spyware and sells it to governments. Its principal product, Pegasus, is capable of compromising a phone, extracting all of the data stored on the device and activating its microphone to eavesdrop on conversations.
Other journalists who were selected as possible candidates for surveillance by NSO’s clients work for some of the world’s most prestigious media organizations. They include the Wall Street Journal, CNN, the New York Times, Al-Jazeera, France 24, Radio Free Europe, Mediapart, El País, Associated Press, Le Monde, Bloomberg, Agence France-Presse, the Economist, Reuters and Voice of America.
NSO has long insisted that the governments to whom it licenses Pegasus are contractually bound to only use the powerful spying tool to fight “serious crime and terrorism”.
Analysis of the leaked data suggests that Khalaf’s phone was selected as a possible target by the United Arab Emirates (UAE). At the time, Khalaf was a deputy editor at the FT. A spokesperson for the Financial Times said: “Press freedoms are vital, and any unlawful state interference or surveillance of journalists is unacceptable.”
The leaked records were initially accessed via Forbidden Stories, a nonprofit journalism organization, and Amnesty International. They shared access with the Guardian and select other media outlets as part of the Pegasus project, an international investigative collaboration.
A successful Pegasus infection gives NSO customers access to all data stored on the device. An attack on a journalist could expose a reporter’s confidential sources as well as allowing NSO’s government client to read their chat messages, harvest their address book, listen to their calls, track their precise movements and even record their conversations by activating the device’s microphone.
Reporters whose numbers appear in the data range from local freelancers, such as the Mexican journalist Cecilio Pineda Birto, who was murdered by attackers armed with guns one month after his phone was selected, through to prize-winning investigative reporters, editors and executives at leading media organizations.
In addition to the UAE, detailed analysis of the data indicates that the governments of Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda and Saudi Arabia all selected journalists as possible surveillance targets.
It is not possible to know conclusively whether phones were successfully infected with Pegasus without analysis of devices by forensic experts. Amnesty International’s Security Lab, which can detect successful Pegasus infections, found traces of the spyware on the mobile phones of 15 journalists who had agreed to have their phones examined after discovering their number was in the leaked data.
Among the journalists confirmed by analysis to have been hacked by Pegasus were Siddharth Varadarajan and Paranjoy Guha Thakurta, a co-founder and a reporter at the Indian news website the Wire. Thakurta was hacked in 2018 while he was working on an investigation into how the Hindu nationalist government of Narendra Modi was using Facebook to systematically spread disinformation among Indian people online.
“You feel violated,” Varadarajan said of the hacking of his device and the selection of his colleagues for targeting. “This is an incredible intrusion and journalists should not have to deal with this. Nobody should have to deal with this, but in particular journalists and those who are in some way working for the public interest.”
Omar Radi, a Moroccan freelance journalist and human rights activist who has published repeated exposés of government corruption, was hacked by an NSO client believed to be the government of Morocco throughout 2018 and 2019.
The Moroccan government has since accused him of being a British spy, in allegations described by Human Rights Watch as “abusing the justice system to silence one of the few remaining critical voices in Moroccan media”.
Saad Bendourou, a deputy head of mission at the Moroccan embassy in France, dismissed the consortium’s findings.
“We remind you that the unfounded allegations already published by Amnesty International and relayed by Forbidden Stories have already been the subject of an official response by the Moroccan authorities, who categorically denied such allegations,” he said.
Khadija Ismayilova: ‘It’s despicable, it’s heinous’
Khadija Ismayilova, an award-winning Azerbaijani investigative journalist, was also confirmed by technical analysis to have been hacked with Pegasus in 2019. She has spent years reporting on the network of corruption and self-enrichment that surrounds the autocratic president, Ilham Aliyev, who has ruled his country since seizing power in 2003.
She has faced a sustained campaign of harassment and intimidation in retaliation for her work. In 2012 intimate videos of her, filmed using a camera installed in her apartment without her knowledge, were published online shortly after she received a letter warning her to “behave or be defamed”.
In 2014 she was arrested on charges of alleged tax evasion, “illegal business” offences, and the “incitement to suicide” of a still-living colleague. She was released from a jail sentence of seven and a half years following an appeal, though remained subject to a travel ban as well as an asset freeze preventing her from accessing her own bank account until recently.
Her phone was almost certainly hacked by agents of the Aliyev regime, according to analysis of the leaked data. The same NSO customer also selected as surveillance candidates more than 1,000 other Azerbaijani phones, many belonging to Azerbaijani dissidents, as well as two of Ismayilova’s lawyers.
“I feel guilty for the sources who sent me [information], thinking that some encrypted messaging ways are secure. They did it and they didn’t know my phone was infected,” Ismayilova said.
“My family members are also victimized, people I’ve been working with. People who told me their private secrets are victimized. It’s not just me.”
She said she was angry with those who “produce all of these tools and sell them to the bad guys like the Aliyev regime. It’s despicable, it’s heinous … When the video was exposed, it was just me. Now I don’t know who else has been exposed because of me, who else is in danger because of me.”
Bradley Hope: ‘Your phone is a potential surveillance device’
Also listed in the leaked records is a UK phone number belonging to the American investigative journalist Bradley Hope, who lives in London. At the time of his selection he was an employee at the Wall Street Journal.
In spring 2018 Hope and his colleague Tom Wright were fact-checking a draft of a book on 1MDB, a corruption scandal involving the theft of $4.5bn from the state of Malaysia. Central to the allegations were Najib Razak, the country’s prime minister, and a businessman named Jho Low.
Part of their investigation also concerned the possibility that some of the money had been spent on a luxury yacht, called the Topaz, for Sheikh Mansour, the deputy prime minister of the UAE and a senior member of the Abu Dhabi royal family.
As part of standard journalistic practice, Hope and Wright contacted parties who would be named in their book and offered them an opportunity to comment.
The records reveal that around the same time, one of NSO’s government clients – believed to be the UAE – began selecting Hope’s mobile phone as a possible surveillance candidate.
His number was included on the list until at least the spring of 2019, during which time Hope and Wright continued to report on new disclosures in the 1MDB corruption investigation. Wright’s phone number does not appear in the list.
Hope no longer has access to his phone so the Guardian was unable to carry out an analysis, although checks on his current device found no suggestion he was currently being monitored.
“I think probably the number one thing that anyone targeting my phone would want to know is: who are my sources?” Hope said. “They would want to know who it is that is providing this insight.”
He suggested that one possibility was that the country might have been interested in him because it was trying to calculate where, if anywhere, he stood in relation to the vast and sprawling regional rivalry between the UAE and its neighbour Qatar.
Hope said he had already adopted various digital security countermeasures, including regularly replacing his phone handset, updating operating systems and not bringing electronic devices into high-risk jurisdictions such as the UAE.
“Knowing that a country can so easily penetrate your phone, it inevitably means that you have to always be thinking about your phone as a potential surveillance device,” he said. “It will just remind me that at any time I could be carrying around a vulnerability with me.”
Other prominent journalists whose phones were selected by NSO’s clients include Gregg Carlstrom, a Middle East reporter at the Economist, whose Egyptian and Qatari phone numbers were selected as possible targets by an NSO client, believed to be the UAE.
Prominent media executives, including Edwy Plenel, the founder of the French online investigative outlet Mediapart, were also selected.
‘There are not enough safeguards’
Carlos Martínez de la Serna, a program director at the nonprofit Committee to Protect Journalists, said the use of spyware to attack journalists and their sources was becoming an increasingly serious issue for his organization.
“Putting surveillance on a journalist has a very strong, chilling effect. Our devices are key in the reporting activity, and it exposes the journalist’s contacts, it exposes the journalist’s sources, exposes the journalist’s materials,” he said. “It targets the journalistic activity in a way that almost fully impedes it in situations where journalists are being threatened.”
Martínez said there was an urgent need for countries to begin regulating companies exporting surveillance capabilities, particularly where reporters were likely to be at risk. “There are not enough safeguards about the export of the software,” he said. “Spyware has been sold directly to governments with terrible press freedom records, which is hard to understand.”
NSO Group’s lawyers said the company “does not have access to the data of its customers’ targets”. However, they disputed that the numbers in the leak revealed the identities of NSO clients’ surveillance targets, suggesting they may instead be part of a larger list of numbers used by their customers “for other purposes” that are legitimate and have nothing to do with surveillance or with NSO.
NSO denied “false claims” made about the activities of its clients, but said that it would “continue to investigate all credible claims of misuse and take appropriate action”. It said that in the past it had shut off client access to Pegasus where abuse had been confirmed.
The company added: “NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”
David Pegg is a reporter at The Guardian
Paul Lewis is The Guardian’s head of investigations
Michael Safi is an international correspondent for The Guardian, based in the Middle East
Nina Lakhani is environmental justice reporter for Guardian US
What is in the Pegasus project data?
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organization, and Amnesty International initially had access to the list and shared access with 16 media organizations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organized into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies”.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HLR lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.