An Israeli company’s spyware was used in attempted and successful hacks of 37 smartphones belonging to journalists, government officials and human rights activists around the world, according to an investigation by 17 media organizations published on Sunday.
One of the organizations, the Washington Post, said the Pegasus spyware licensed by Israel-based NSO Group also was used to target phones belonging to two women close to Jamal Khashoggi, a Washington Post columnist murdered at a Saudi Consulate in Turkey in 2018, before and after his death.
The Guardian, another of the media outlets, said the investigation suggested “widespread and continuing abuse” of NSO’s hacking software, described as malware that infects smartphones to enable the extraction of messages, photos and emails, the recording of calls and the secret activation of microphones.
The investigation, which Reuters did not independently confirm, did not reveal who attempted the hacks or why.
The program is designed to bypass detection and mask its activity. NSO Group’s methods to infect its targets have grown so sophisticated that researchers say it can now do so without any user interaction, the so-called “zero-click” option.
The company issued a statement on its website denying the reporting by the 17 media partners led by the Paris-based journalism non-profit Forbidden Stories.
“The report by Forbidden Stories is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources. It seems like the ‘unidentified sources’ have supplied information that has no factual basis and are far from reality,” the company said in the statement.
“After checking their claims, we firmly deny the false allegations made in their report,” the statement said.
NSO said its technology was not associated in any way with Khashoggi’s murder.
The company also reiterated its claims that it only sells to “vetted government agencies” for use against terrorists and major criminals and that it has no visibility into its customers’ data. Critics call those claims dishonest and have provided evidence that NSO directly manages the high-tech spying. They say the repeated abuse of Pegasus spyware highlights the nearly complete lack of regulation of the private global surveillance industry.
In a statement, rights group Amnesty International decried what it termed “the wholesale lack of regulation” of surveillance software.
“Until this company (NSO) and the industry as a whole can show it is capable of respecting human rights, there must be an immediate moratorium on the export, sale, transfer and use of surveillance technology,” the rights group said in a statement.
The targeted phone numbers were on a list provided by Forbidden Stories and Amnesty International to the 17 media organizations. It was not clear how the groups obtained the list.
The numbers on the list were not attributed, but reporters identified more than 1,000 people spanning more than 50 countries, the Washington Post said. They included several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials – including several heads of state and prime ministers.
The Guardian said the numbers of more than 180 journalists were listed in the data, including reporters, editors and executives at the Financial Times, CNN, New York Times, the Economist, Associated Press, Reuters, the Wall Street Journal, and Le Monde.
NSO Group’s spyware has been implicated in targeted surveillance chiefly in the Middle East and Mexico. Saudi Arabia is reported to be among NSO clients. Also on the lists were phones in countries including France, Hungary, India, Azerbaijan, Kazakhstan and Pakistan.
“We are deeply troubled to learn that two AP journalists, along with journalists from many news organizations, are among those who may have been targeted by Pegasus spyware,” said Director of AP Media Relations Lauren Easton.
Last month, NSO Group published its first transparency report, in which the company said it had rejected “more than $300 million in sales opportunities as a result of its human rights review processes.” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a strident critic, tweeted: “If this report was printed, it would not be worth the paper it was printed on.”
Since 2019, the U.K. private equity firm Novalpina Capital has controlled a majority stake in NSO Group. Earlier this year, Israeli media reported the company was considering an initial public offering, most likely on the Tel Aviv Stock Exchange.
Last week, Microsoft said it had blocked tools developed by the Israeli company, issued a software update, and worked with the Citizen Lab at the University of Toronto to investigate the NSO Group.
“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Microsoft said in an online post.
Thursday’s disclosure by Microsoft was part of what the company said was a broader effort to “address the dangers” caused by hacker-for-hire companies.