Investigations into a massive data leak have found that authoritarian governments have used Pegasus, hacking software sold by Israeli surveillance company NSO Group, to target human rights activists, journalists, government officials, and lawyers around the world.
Pegasus, a piece of malware that attacks both iOS and Android devices, allows its owners to remotely extract files such as messages, photos, emails, and recordings, as well as secretly activate microphones.
Over 50 thousand phone numbers are contained in the leak. These numbers are believed to be those of people of interest who have been contacted by NSO clients since 2016.
Amnesty International and Paris-based nonprofit media organization Forbidden Stories were the first to access the leaked list. They then shared it with media partners as part of the Pegasus project to support further reporting.
In the coming days, The Guardian and its media partners will reveal the identities of people whose numbers appeared on the list. Among them are hundreds of business leaders, religious leaders, academics, NGO employees, union officials, and government officials, including cabinet ministers, presidents, and prime ministers.
Among the 180 journalists whose names are revealed in the data are those from the Financial Times, CNN, the New York Times, France 24, The Economist, Associated Press, and Reuters.
The consortium's analysis of the leaked data has revealed that at least 10 countries have been clients of NSO and have been using Pegasus to enter the numbers of their desired suspects. These countries are India, the United Arab Emirates, the Kingdom of Saudi Arabia, Mexico, Azerbaijan, Bahrain, Kazakhstan, Morocco, Rwanda, and Hungary.
The phone number of Cecilio Pineda Birto, a freelance Mexican reporter, was found in the list. He was apparently a subject of interest to a Mexican client in the weeks before his murder, when his killers identified him at a car wash. However, since his device was never found, forensic analysis cannot determine whether it was infected by Pegasus.
NSO maintains that even if Pineda’s phone was targeted, the data on it had no bearing on his death. Along those lines, governments could have discovered Pineda’s location in other ways. He was reportedly one of at least 25 candidates selected for surveillance over two years.
NSO has denied the allegations, explaining that the 50,000 figure was exaggerated and that the list could not be a list of numbers “targeted by governments using Pegasus.”
A spokesperson for NSO Group told The Guardian:
“It will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations.”
NSO’s surveillance technology is closely regulated by the Israeli Ministry of Defense, which issues export licenses before the company sells to foreign countries. The company sells spy tools only to security agencies and military units in 40 unnamed countries and claims to thoroughly vet its customers’ human rights records before allowing them to use its spy tools.